Vinayak Rao - Qualys, Inc. Philippe F. Courtot - Qualys, Inc. Joo Mi Kim - Qualys, Inc..
Erik Suppiger - JMP Securities LLC Shebly Seyrafi - FBN Securities, Inc. Alex Henderson - Needham & Co. LLC Yun Kim - Rosenblatt Securities, Inc. Hamza Fodderwala - Morgan Stanley & Co. LLC Brian Essex - Goldman Sachs & Co. LLC Gur Yehudah Talpaz - Stifel, Nicolaus & Co., Inc.
Matthew Hedberg - RBC Capital Markets LLC Sterling Auty - JPMorgan Securities LLC.
Ladies and gentlemen, thank you for standing by, and welcome to Qualys Incorporated's Second Quarter 2020 Investor Call. At this time, all participants are in a listen-only mode. After the speaker's presentation, there will be a question-and-answer session. I will now hand the conference over to your speaker today, Vin Rao..
Good afternoon and welcome to Qualys' second quarter 2020 earnings call. Joining me today to discuss the results are Philippe Courtot, our Chairman and CEO; and Joo Mi Kim, our CFO.
Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements.
Factors that could cause results to differ materially are set forth in today's press release and in our filings with the SEC, including our latest Form 10-Q and 10-K.
Any forward-looking statement that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures.
A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. As a reminder, the press release, prepared remarks, investor presentation, and supplemental historical financial spreadsheet are available on our website. With that, I would like to turn the call over to Philippe..
Thank you, Vinayak, and welcome, everyone, to our Q2 earnings call. We hope that you and your families are healthy and safe. Our priority remains the health and well-being of our employees, while continuing to address and support the changing security needs of our customers.
Since mid-March, we have seen at Qualys, a seamless transition to a remote workforce environment and have continued to effectively deliver on all aspects of our business, including product development, operation and support services.
The unprecedented environment with the ongoing COVID-19 pandemic has created uncertainties for individuals and organizations across the globe. As companies are experiencing a never-before-seen explosion of remote endpoints connecting to critical assets of their organization, security of these endpoints is paramount.
IT team are responding to the challenge of ensuring that employees are able to work productively and securely from remote location, and it is becoming eminently clear that traditional enterprise security solutions deployed inside organizations' networks are ineffective for protecting these remote endpoints.
We believe that Qualys is one of the few companies well-positioned in this security market evolution due to our priority of investing in the expansibility and capabilities of our platform and our cloud-based architecture.
Upon the onset of COVID-19, we addressed the needs of our existing customers by promptly releasing a remote endpoint protection service that will help them quickly address the challenge of securing these proliferating endpoints.
This service, which we are providing at no cost for 60 days, leverages the Qualys Cloud Agent and its cloud-based architecture to deliver instant and continuous visibility of remote computers, as well as their installed applications, obtain real-time view of all critical vulnerabilities and misconfigurations, and remotely deploy missing patches for critical vulnerabilities.
These patches are delivered securely and directly from vendor website and content delivery network, ensuring there is little to no impact on external VPN bandwidth. In Q2, we added malware detection capabilities to the solution, and customers that were already using the service could extend their free 60-day license for an additional 30 days.
Malware detection uses file reputation and threat classification to detect known malicious files on endpoints, servers and cloud workloads. In addition, this service is now available to US federal agencies with a no-cost 60-day pilot. We currently have over 650 companies, including nearly 300 customer prospects actively using this free offering.
The Remote Endpoint Protection service is based on the multifunction Qualys Cloud Agent, which instantly provide visibility to remote endpoints, detects vulnerabilities, manages their security hygiene proactively and patches them quickly at no cost.
Our Cloud Agent is the technology platform for seven of our security compliance and IT solutions, Vulnerability Management, Policy Compliance, File Integrity Monitoring, Indication of Compromise, Patch Management, Asset Inventory and the upcoming, Certificate Management, and we have more to come.
In Q2, we continued to see strong growth in our paid Cloud Agent subscription, with almost 43 million now, representing 81% growth from the prior-year quarter. We have continued to make strong progress on our goal of achieving ubiquity for our Cloud Agent.
After organizations download our Cloud Agent once, it's frictionless for them to subscribe to our paid applications because no additional infrastructure is required to expand the solution with additional products.
Furthermore, this multi-product adoption naturally increases the stickiness of our platform, and helps makes us impenetrable to our competitors. We do not offer the same – our competitors do not offer the same breadth of solution or ease of adoption.
This is demonstrated by the fact that the growth dollar retention rate of enterprise customers who have adopted five solutions or more stands at 99%.
Our Cloud – our Qualys Cloud Platform, combined with the capabilities of the powerful lightweight Cloud Agent, virtual scanners and network analysis passive scanning, allowed us to create an effective and seamless Vulnerability Management solution that incorporates the four key elements of discovery, assessment, prioritization and patch management into a single application called VMDR, Vulnerability Management, Detection and Response, which went into general availability in April.
The solution has been a huge success with our customers, and it's also driving further penetration of our Cloud Agent.
VMDR takes Vulnerability Management to the next level, by providing the power to continuously detect vulnerability and misconfiguration across the entire global hybrid IT environment and respond in real-time to remediate assets that are vulnerable or already compromised on a single platform with building orchestration.
Currently, 600 customers have adopted VMDR, which includes approximately 200 new customers. In fact, 8 million out of our roughly 43 million paid Cloud Agent subscriptions have come from the VMDR, of which 5.8 million were new agent subscription.
VMDR has not only helped proliferate Cloud Agent, but also sets a foundation for further upsell of our other paid applications. We continue to see good adoption of our free Global IT Asset Inventory, with almost 14,000 companies signed up and over 1,350 companies actively using the service.
In term of our other newer solution, we have continued to see strong customer adoption of our Patch Management solution, both in the mid-market segment, as well as with large customers.
In Q2, a large IT service firm selected our Patch Management application over several competing solutions, given its ability to easily and effectively patch remote endpoints without using limited bandwidth available on VPN gateways.
This quarter, we also saw robust growth again for our Container Security application with a major enterprise video communication provider that has already deployed VMDR across its infrastructure, adopting the solutions.
In addition, our File Integrity Monitoring, FIM, application, continues to see solid momentum with a large Asian airline, having selected our FIM solution over a competing point solution in order to effortlessly leverage the Qualys Cloud Agent they had already deployed for Vulnerability Management.
Now diving deeper, we are also early to recognize – we were also early to recognize the importance of capturing all of the necessary telemetry via our sensors and the Internet while building the back-end with scale and computing capabilities needed to handle such a large volume of data.
Today, we handled more than 9 petabytes of data, indexing more than 7 trillion data points on our elastic search clusters, moving 14 billion messages a day on our Kafka bus, storing 400 million objects in our Ceph clusters and pumping 1 million writes per second in our Cassandra log analysis engine.
As a result, our highly scalable cloud-based platform enable us to address all four new market segments, Large Enterprise, Cloud Providers, next generation of Managed Security Service Providers and OT and IoT environment, providing a single-pane-of-glass view across on-premise assets, endpoints, cloud and mobile environment.
Last month, we introduced our Multi-Vector EDR solution that goes well beyond the endpoints and not only allows for the reduction of false positive, but also makes it easier to activate the response and greatly reduce the response times and costs.
As an app, built natively on the Qualys Cloud Platform, our Multi-Vector EDR leverages power, scale and accuracy to provide unprecedented visibility and telemetry by collecting security data from endpoints, adding context and correlating billions of global events with threats intelligence, analytics and machine learning.
To strengthen our entrance into the EDR market, we acquired a software asset of Spell Security, a very innovative security startup in India, and all security employees have joined now Qualys in Pune. The team has unique expertise in threat hunting and malware research, as well as deep understanding of the multi-vector attacks.
They also have threat hunting products that will be fully integrated into the Qualys platform. Traditional EDR solutions singularly focused on hunting and investigating endpoints, malicious activities, and cyberattacks.
Qualys Multi-Vector approach provides critical context and full visibility into the entire attack chain by providing a faster, more automated, and comprehensive response to protect against those attacks.
We are delighted with the strong adoption of VMDR by both our customers and managed security service providers, and now by the interest in Multi-Vector – by the interest Multi-Vector EDR is generating with them.
Moving from VMDR to Multi-Vector EDR is almost instantaneous as it only requires an update of our Cloud Agent, which is automatically done by our platform once the application is enabled. We're also pleased to announce that Infosys managed security services has now adopted both VMDR and Multi-Vector EDR.
And here's a quote from Vishal Salvi, CISO and Head of Infosys Cyber Practice. We are pleased to partner with Qualys to deliver VMDR and Multi-Vector EDR solutions via our globally distributed network of Infosys Cyber Defense Center.
The highly scalable Qualys Cloud Platform will be displaced (00:13:29) with agents and sensors and its forthcoming incident response capabilities provides us with the intelligence, analytics we need to effectively protect our clients and allows us to consolidate our security stack.
At Black Hat, we also discussed our upcoming Data Lake/SIEM solution that we expect to have in early beta at the end of 2020.
This is an important new milestone and new opportunity for our company as current incident response solutions have become quite complex and costly, requiring organizations to use multiple vendors to collect the data needed and bring it into their SIEM with fully contextual information.
Qualys' unique advantage is that we can leverage our robust scalable back-end and its array of sensors, which collect, enrich, normalize and correlate trillions of data points across on-premise, endpoints, cloud, mobile, and soon OT and IoT environments.
On the hiring front, we are pleased to welcome back Joo Mi Kim as Chief Financial Officer of Qualys. Her extensive finance, strategic planning and investor expertise will be instrumental as we continue to expand the Qualys Cloud Platform and grow the company. We are also delighted that Ben Carr has joined Qualys as Chief Information Security Officer.
Ben is a proven information and risk executive and thought leader with more than 25 years of experience in executing long-term security strategy. At Qualys, he is responsible of providing cybersecurity guidance and security strategies to Qualys' customers, leading the CIO/CISO Interchange and securing our IT infrastructure.
Finally, we are also honored to welcome John Zangardi to our board of directors. John has extensive experience in digital transformation and has successfully transformed the infrastructure of both the DHS and the DoD, as well as modernized their cybersecurity operation.
We are grateful to gain his valuable insight and guidance as we continue to expand our Cloud Platform to deliver innovative security and compliance offering.
In summary, because of the very nature of our business model, which is nearly 100% recurring, and the fact that our solutions have become mission critical, we have a greater visibility than many other security companies in our industry even in such difficult time, not to mention a highly profitable and cash-generating business model.
Our product and platform achievements lay the foundation for our continued progress to enable customers to consolidate their security, IT and compliance stack while drastically reducing their spend. And importantly, it is core to the highly profitable recurring and growing revenue model we've built.
With that, I'll turn the call over to Joo Mi to discuss our financial results and guidance for the third quarter and full fiscal year 2020. Thank you..
Thanks, Philippe, and good afternoon. Before I start, I'd like to note that, except for revenue, all financial figures are non-GAAP and growth rates are based on comparisons to the prior year period unless stated otherwise.
We're delighted with our increasing Cloud Agent subscriptions and multi-product penetration as well as a strong adoption of VMDR, which lays the foundation for future revenue growth and industry-leading profitability. Our Q2 financial and operational highlights include, revenues for the second quarter of 2020 grew 13% to $88.8 million.
Please note our Q2 2020 calculated current billings was negatively impacted by the timing and amount of prepaid multiyear subscriptions, as well as requests for shorter duration invoicing, which we expect to continue to next quarter given the current market conditions.
Our average deal size increased 7%, and platform adoption continued to increase as a percentage of enterprise customers with three or more Qualys solution rose to 54% from 44% and the percentage of enterprise customers with four or more Qualys solution increased to 38% from 24%.
Paid Cloud Agent subscriptions increased to 43 million over the last 12 months, up from 38 million for the 12 months ended in Q1 2020, a 19% of the end customer up for renewal in the quarter, renewed into a VMDR subscription, up from 4% in Q1. Our scalable platform model continues to drive superior margins and generate significant cash flow.
Adjusted EBITDA for the second quarter of 2020 was $42.8 million, representing a 48% margin versus 42%.
Q2 EPS grew 34% and our free cash flow for the second quarter of 2020 was $24.9 million, representing a 28% margin and down 20% primarily due to recent changes in billing and payment terms for selected customers, given the current macroeconomic environment. Year-to-date, our free cash flow margin is 40%, and is up 6%.
In Q2, we continued to invest the cash we generated from operations back into Qualys, including $4.3 million on capital expenditures for operations, including principal payments under capital lease obligations, and $25.3 million to repurchase 242,500 of our outstanding shares.
We remain confident in our business model, driven by our foundation of nearly 100% recurring revenues and expanding suite of applications. We are delighted to be raising our full year 2020 guidance for both revenues and earnings.
We are raising the bottom and top end of our revenue guidance for the full year to now to be in the range of $359 million to $360.5 million from the prior range of $354 million to $359 million. We are raising our full year non-GAAP EPS guidance to now be in the range of $2.60 to $2.65 from the prior range of $2.46 to $2.51.
We expect to maintain industry-leading margins in 2020 and continue to produce strong cash flow. And our Q3 guidance for revenue is $91.6 million to $92.2 million and for non-GAAP EPS is $0.65 to $0.67.
For the third quarter, we expect capital expenditures to be in the range of $8 million to $9 million, which includes approximately $2 million for the build-out of our Pune headquarters.
Because of COVID-19 related delays, the timing of spend on our Pune headquarters has been pushed out a few months and we now expect that $2 million of our original planned spend will occur in the second half of the year. As Philippe mentioned, we are very excited by the robust early adoption of VMDR and the launch of our Multi-Vector EDR application.
We feel very well-positioned during this period of uncertainty due to the value provided by our Cloud Platform and our 20 apps, as well as our underlying highly scalable and profitable operational model. With that, Philippe and I are happy to answer any of your questions..
Thank you. And our first question is from Erik Suppiger with JMP Securities. Please go ahead..
Hi. Thanks for taking the question.
Can you talk a little bit about linearity? How did the pandemic play out through the quarter?.
Yeah. I'll take that question. So, linearity, we didn't see any material highlights to note under linearity. It was similar to last quarter..
Okay.
And then on VMDR, can you talk a little bit about how much adoption you've seen with – of using the Patch Management component to that?.
So we have a big demand....
Yeah, I think go ahead, Philippe..
...I can – yeah. No. We have a big demand for Patch Management. There's no question that this is an application that is really coming up and VMDR makes it much easier because obviously the last mile is you patch and it's at your fingertips. So, yeah, it's very significant.
And we see what we're (00:22:51) interesting is both on the mid-market, but as well as with large enterprise. In fact, I mentioned on the call that we had the large enterprise which really adapted not only VMDR but they also adapted a big deployment of Patch Management..
And who are you displacing or who do you see on that patching front? Is that BigFix?.
Yeah. It's interesting is that it's not so much of the displacement, it's fact that it's become – it starts more like adding, for example, is much easier, of course to – with our solution to patch the endpoints. So we, in fact, believe in some cases, they could continue using, for example, SCTM for other solutions.
But on the endpoints, it's much easier to do it with Qualys, so – and other Patch Management solution, but essentially it's adding to what they are doing.
And we see more and more appetite to essentially move to a solution at Qualys, which integrates their entire – from discovering new assets to identifying the vulnerabilities on those assets, to prioritize the remediation, and then remediate.
We have also, by the way, the integration with some customers, they don't take the full Patch Management solution, but they take all the information that we provide them with the superseding patches and so forth, so they can continue pushing that into their own Patch Management solution..
Very good. Thank you..
Thank you. Our next question comes from Shebly Seyrafi with FBN Securities. Please go ahead..
Yes. Thank you very much. I want to drill down on the current billings. It looks like it grew by 13% year-to-year, down from 15% the prior two quarters.
And I saw what you said in the script, so what would current billings growth have been versus 13% reported had duration not changed or declined?.
Yeah. So we have a healthy business. It's a little difficult to specifically normalize growth rate to account for the multiple different impacts because, for example, one of the reasons why (00:25:18) impacted is because the renewals were not done at anniversary of initial deal.
There could also be changes in billing terms that we've highlighted in terms of the shorter duration billings as well as the amount of pre-pay subscriptions that have a negative impact basically in the first year upon renewal, you see that fluctuation.
And so what we'd like to point to is year-to-date consolidated current billings is up 10% from last year and in terms of – this actually supports why this trajectory of our annual revenue guidance is the best proxy for business momentum with our current bookings confirming our guidance.
And if you take a look at our annual revenue guidance, we did raise this basically from – the prior high end is our current low end, and our bookings actually came in better than expected this quarter, especially from new..
I want to correct myself, current billings was up 7%. Like you said, 10% for the first half, but I'm trying to see because you expect these moving parts to linger, looks like, for the next few quarters.
And I just want to know when you think things may normalize such that your current billings growth can go back to the historical something like 15% or so, do you think it's two quarters long or four quarters long?.
I think it's a little too early for us to talk, given the uncertainty of the environment.
Basically at this time, we are leveraging our strong financial position to accommodate customers that are asking for shorter duration invoices as well as the late billings, which is another factor that we should take into account in addition to the renewals not being done at the time of end like renewal..
Okay. Last one for me is Spell Security.
Do you have estimated incremental revenue and expenses for that company?.
Yeah. So for Spell Security, it's a small tuck-in acquisition, similar to what we've done before. We don't see a material impact to our top line or expenses from that acquisition..
Okay. Thank you..
Thank you. Our next question comes from Alex Henderson with Needham. Please go ahead..
Thank you very much. I was looking at the revenue associated with the customers that have bought the highest number of units, and it actually shows the revenue declining from $270 million to $257 million, even as you're adding more revenue per customer.
And I was wondering if you were including in those statistics any of the free solutions that you're offering.
How – why is it – why is the average revenue declining on your top customers?.
Yeah. Average revenue on the top customers, it could fluctuate depending on the category that as customers move into different categories. And another factor that we should consider is we're relooking all their metrics to make sure that they're all still relevant to customers.
I think that one of the metrics that we've highlighted before is the multi-product adoption. With the launch of VMDR, VMDR is really counting as – we're counting it as core product.
And so, what we said before is generally we expect it to be a revenue neutral impact, because, for example, for VM-only customers, we do expect them to see some uplift as they renew into VMDR, where some other customers who used to collect – like several other Qualys products, they may be spending a little bit less..
So, are you including in that any of the free solutions or is that not included in the number of solutions?.
No. It only includes on the paid solutions and it's incremental solution that's (00:29:19)..
Great. So, the second question with the – you've obviously got a lot of free stuff out on the market today. You talked about Patch Management and the free Asset Inventory, a number of programs.
If you were to tally all of those free customer subscriptions up, what type of nut are we talking about? How big a chunk of business would that be? And to what extent – I'm assuming that that predominantly starts to roll off the free into some of the paid version of it.
What type of conversion rate do you expect? And I think that's mostly in the fourth quarter, is it not, since most of that runs through September?.
Right. So, one thing that I'd like to highlight is because we're a – as a subscription business, our model is to really allow customers to buy at their own pace. Customers do trials and then often expand at the time of renewal for existing.
And then for new, we do realize that with our several of the products that we've launched, it's great that we're seeing adoption and some traction in terms of the active usage both with respect to the Endpoint Remote Protection as well as the Asset Discovery and Inventory.
And we are tracking it, but at the same time, we don't – it's not that we expect everyone to convert to paid. We wouldn't be surprised if some people continue to use our free service, which is fine, because we don't offer free service as a half-baked offering. And we really don't push products to customers.
We kind of see like based on the customers' need, we do expect some to convert. I do think that's a little bit early given that a lot of the products are fairly new. (00:31:11).
...any of those products, so that would then force them to make a decision?.
Yeah. So let me add on the Endpoint Remote Protection, 60-day free trials as we do have at least – and in fact, we estimate we can see that there's a very, very happy customers. In fact, some have even deployed very largely.
So we expect to see some of these customers convert to the paid subscription, when the program will end up, as you mentioned, that will be at the end of September, essentially.
Then we have other services which have been very successful, like the Global IT Asset Inventory, which is the free Global IT Asset Inventory that we are using more for lead generation and that are now today fully integrated with VMDR. So, of course, the Global IT Asset Inventory comes with VMDR. So that's all that.
So, as you can see, we've skinned that cat in different way. One way of looking at these paid services is looking at them as lead generation creating, of course, exposing the power of our platform to customers. And then, of course, we have a team to essentially add them, to onboard them, and then, of course, to try to upsell them as well.
So, yes, so this is part of our marketing strategy. It's a very cost-effective marketing strategy because, of course, for us, we can deliver software at the four corners of the universe, I would say, thanks to our cloud-based platform, at very cost effectively..
Okay. Thank you..
Thank you. Our next question comes from Yun Kim with Rosenblatt Securities..
Thank you. Actually, congrats on a pretty solid quarter and welcome, Joo Mi. Philippe, one metric that really stands out in the quarter is the acceleration in the adoption of the multiple products, growth in the percentage of the customers with 2+, 3+, 4+, 5+, all accelerated from prior trends, not just 4+, products.
Can you specifically point out anything particular that drove that acceleration in the quarter, and what are you expecting in terms of that trend going forward?.
So, the trend will continue. What you see with some of these – it's a combination of few things. With some of these products is the maturity that we are reaching with these products. We see that very clearly with File Integrity Monitoring.
We are also seeing, of course, Patch Management, has been also a very good uptake, while waiting to get the Unix and the IOS patch capabilities, which are coming in a couple of months, if I recall correctly. But it's – imminently, that will boost further the adoption.
And so – and of course, now what we see more and more is the interest in the platform itself, where you've got all the solution for the integrated. So, VMDR is a really huge success. And it addresses not only essentially – all of our customers have no reason to look for other solutions today.
This also helped us in penetrating and displacing current competitors. So, VMDR is a big success and we anticipate with the Multi-Vector EDR, which is, of course, brand-new, will go GA at end of the month, early September the latest, that that we have already significant interest with Multi-Vector EDR.
And by the way, remember, one thing is that for all of our customers which have the agent already installed, moving to EDR or Multi-Vector EDR is a no-brainer. They can immediately try and try and buy essentially. So that give us a huge advantage with all these agents that we've now deployed..
Okay. Great. Thanks for that. And obviously, now with the initial success with the VMDR and, obviously, a lot of high-profile product launches ahead, I think it's pretty clear that you have a platform strategy that is beyond your core VM footprint.
Can you update us on any major go-to-market initiatives you may have planned to support all the product launches and where you are in terms of that product positioning today? And then, in that regard, any plans to increase sales and marketing to support this? Perhaps any new sales and marketing initiative to perhaps accelerate adoption in the marketplace and really more focus on maybe the initial land deals and whatnot?.
Yes. This is a very good question. So, in fact, our strategy since day one was to really build that multi-platform. It was – it has been a huge, huge undertaking as well, which we've been able to do because of the significant engineering team that we have now in Pune, India. We're close to 900 people. That was not a walk in the park. It was very complex.
We had to inject a lot of the newer technologies like ElasticSearch, et cetera. So, that's where our focus has been. At the same time, not only beefing up the computing power of the platform was to also acquire telemetry.
The problem today that you see with security is that, in order for you to have context, you need to build – you need to bring data from multiple different application and you have not very much idea of how good that data is. And that's the problem that the SIEM today have.
So, not only it's costly, it's complex, but then to correlate, to analyze, to enrich that data is not also that easy. So, that has been our overall strategy. So, today, finally, our platform and clearly VMDR showed that that we could now sort of integrate all the solution.
Multi-Vector EDR is as well our ability now to go well beyond what the current EDR solution upward, because we have significantly more telemetry. And now, of course, our next big theme is essentially to – essentially moving to the SIEM space which, as I mentioned earlier, are planning to go beta in – at the end of the year.
One of the lynchpin of all of that is that the unique – and I'd say and I repeat that – unique ability that Qualys has to automatically create the Global IT Asset Inventory (00:37:52), et cetera, automatically that nobody – you cannot secure what you don't know, end of the story.
And having that ability allows us to essentially really provide, if you prefer that context, and of course, how do we get that is because the combination of our agent, which brings information and our Passive Scanning, all the network analysis, bringing all that data into one single platform.
So now that we are starting to obviously prefer solutions that carry significantly more dollars or when you look at the EDR marketplace, for example, the EDR marketplace is not so much the (00:38:32) endpoints, but it's the fact that you have many of them. And then, when you look at the SIEM, it's a significantly bigger standpoint.
So, yes, to answer your question, we are doing as we deliver these services obviously expand our marketing and sales capabilities to bring these solutions to market. Then, we have already a large customer base which is a huge advantage, of course, because we can bring very cost-effectively those solutions to our customers.
And the third element of our go-to-market is we believe that now today we have a platform that essentially becomes very attractive for the managed security service providers because today they don't have the means anymore to take these – to build this kind of platform which is what they have been in the past.
They absolutely need to move beyond the monitoring to do the response, which is now what Qualys provides. And so I think we have already a large number of managed security service providers, which are using Qualys. They are all moving into VMDR. And you saw the announcement that I made about Infosys, which is now is adopting as well the EDR solution.
So we see that as another channel if you prefer to bring these solutions to market, as well as them being able to consume our incident response solution, because obviously this is the core of managed security service providers. You need to monitor and then you need to respond.
So I think we're extremely well-positioned from an architectural standpoint, well ahead of anything which is out there. And, of course – now, of course, we need to bring all that to market..
Great. Thanks for that detail.
But one question I do have on that is that do you plan to maybe accelerate the sales head count addition for your (00:40:24)?.
Yeah. The big advantage we have is that, it's a proportion, because now we're going to be able to do bigger deals. Of course, you get more – you can spend more as a result. It's not going to change really our profitability. We're not going to deploy a lot of (00:40:38) salespeople again. Our model is try and buy. It's very effective.
Again, I mentioned our managed securities channels. We see that as a very big channel, so to bring all these new solutions to market – and so that doesn't mean we certainly need to put a lot of salespeople in the field, but, yes, we are building, expanding our sales force everywhere..
Okay. Great. Thank you so much..
Thank you. Our next question comes from Hamza Fodderwala with Morgan Stanley..
Hi. Thank you for taking my question. Philippe, I was wondering if you can comment a little bit more on the competitive landscape in Vulnerability Management and the sales cycles for Q2.
Because, clearly, I think as far as your solutions are concerned, as far as providing more visibility and efficiency and more distributed work environment, the prioritization of that is clearly increasing, but we're not fully seeing that reflected in results quite yet.
So, I'm wondering if you could comment a little bit about those two aspects, sort of the sales cycles, as well the competitive environment..
Sure. So the sales cycle has not changed essentially. If you look on the enterprise market is much more a displacement market. While on the mid-market and the small enterprise, it's a much more rapid market, but the sales cycle has not fundamentally changed.
What has changed today is, with the entrance of VMDR, we have totally differentiated our solution vis-à-vis competitors, and today, with the forthcoming entrants – if we look today, we have two main competitors now, or less (00:42:29), I should say, are Tenable and Rapid7.
So, Tenable, is essentially a VM company, they don't have the platform that Qualys has.
Rapid7, a quality (00:42:46) company, as I'm sure you know, which essentially gave them a kind of a SIEM platform, and of course, today, Qualys, we're entering that SIEM market, and we don't see them very much in the Vulnerability Management – we don't compete that much more on the VM side.
They are more essentially moving, and their growth is coming from that low-end SIEM market that they have addressed. So, we're coming up with, of course, what we call the next generation of SIEM, which goes well beyond the mid-market – well, goes really after the very large installations as well. So, our SIEM scale will scale significantly more.
So, we see ourselves extremely well-differentiated against these traditional competitors now and of course, the question becomes, who can build out the platform that Qualys has built, and how long are they there and how long it will take them.
And if we look around, we are really well ahead of anybody, because we have been working at that for a very long time. This didn't happen overnight, and we really focus on that and today, we're very happy. Again with the VMDR introduction, we've demonstrated the power of what we have done.
Now with Multi-Vector EDR and very soon it's going to be with our incident response addition, which is entering alpha now, and that we plan to go beta – early beta at the end of the year..
Got it. Thank you. That's helpful. And then just one quick follow-up for Joo Mi..
Sure..
Any way you could quantify perhaps the impact of the shift toward lower durations and some of the renewal timing that impacted current billings?.
Yeah, we're tracking that internally. I mean, in terms of the shorter duration invoice (00:44:38), we've experienced a couple million impact to it.
With that said, one of the reasons of why we're not actively managing the quarterly billings is because, as you know, we have the industry-leading margins with our operating cash flow margin at 33%, and so that's why we wanted to make sure that we take this opportunity to leverage that, to help out our customers where it makes sense.
We do expect to get paid at the end of the day and this is part of the reasons why we've highlighted that we've actually had a great quarter, where the bookings came in higher than what we expected. And so, billings is just not tracking, or is not indicative of the billings – bookings performance this quarter.
And then going forward, we expect it to be similar because we don't really see a reason for us to not accommodate wherein when we feel that the customers actually need it..
Got it. Thank you very much..
Thank you. Our next question comes from Brian Essex with Goldman Sachs. Brian, your line is open..
Apologies. Yeah. Apologies. I have mute on. Good afternoon. Thank you for taking the question.
Philippe, I was just wondering if you could maybe give us a sense of conversations that you're having with customers, particularly after what we've seen high demand for endpoint identity firewall spend, are you seeing any derivative spend now that these more disparate networks may need to focus on security posture now that they've addressed those kind of initial concerns in a more distributed environment?.
I'm not so sure – could you repeat the question? I'm not so sure that I understand the question there..
Yeah. I guess – just trying to get a sense of the conversations that you're having with customers from a budgeting and spending perspective, particularly after we've seen high demand for the obvious kind of work-from-home solutions like....
Okay....
...endpoint identity firewall.
Are you getting a derivative of that spend now that those issues may have been addressed?.
Yeah. No. Okay, makes sense. So I think today what happened is that the – obviously, the COVID has highlighted for a lot of companies the fact that their enterprise security solutions, they just don't – they are not built for that world where essentially everything is connected with everything across the Internet.
And so, of course, enterprise security solutions were not designed for that. So, as a – so that became very visible. The first visibility is how do you patch a system which is outside of your network? (00:47:14) with a lot of difficulties. Then, you have to buy more VPNs, more this, more that.
So that has really, if you prefer, essentially given the wake-up call, that it's about time that people rethink their security infrastructure and layering on all these enterprise security solutions not only is very costly. So, the move to the cloud is very definitively is happening in our industry. There's no question.
It used to be that our industry was very resisting the cloud because for security reason and so forth, and now today, of course, we can see that the minds are changing, and with our customers, the discussion is contact (00:47:56) consolidation. And so, that's the number-one priority they have.
They cannot continue to have that many applications that they have to manage. They don't even find the people to do that. So they're all looking for solution like Qualys, which consolidate essentially as many solutions as possible.
And that's – this was our vision, when you will get there, that it took much longer than we thought and to build a platform that we build was far more complex than we thought, but I think we kept on going, if I may say so, and I think that's serves us – serves us very well.
You also see that our multi – that our agent – the fact that our agent, one single agent, if you prefer, one single agent, one global view is what people are looking for, and we see today a lot of interest in our Multi-Vector EDR.
This is a marketplace which, of course, is growing very fast today because of the need you just described, but it's also a market that needs also some – a lot of consolidation as well. So I think we're very well-positioned here..
Got it. That's super helpful. And I just want to follow-up with maybe one for Joo Mi. I think someone touched on a question earlier about – particularly for enterprise customers with over four solution stack, LTM revenue per customer coming down slightly, but it looks like if you look at all the categories, you're coming down.
So, I guess I'm just wondering what are the other categories? How are those affected and what are the drivers of that? Maybe it's a customer growth issue or a mix issue, but just wanted to get a sense of the declines in the other categories as well..
Yeah. So, in terms of some of the other categories, some of it is attributed to the fact that we've rolled out a lot of smaller solutions, now with the newer solutions that are coming out, that we're expecting to be priced similar to VM, we are expecting the ARPU to go up over time.
So, for example, we talked about Patch Management, FIM and IOC, that will have a similar deal size, whereas some of the smaller solutions that we've launched, like, an example is like Continuous Monitoring, it's not as – priced as high..
Got it. But, I mean, if I look at this, can I infer that – I mean, it looks like it implies that just overall revenue per customer has gone down. Is that not the case? Is it just mix issue or....
Well, overall, the average deal size we mentioned in the prepared remarks, it is up 7% year-over-year..
Okay. All right. Thank you very much..
Thank you. Our next question comes from Gur Talpaz with Stifel..
Okay. Great. Thanks for taking my questions. Philippe, you noted that you've added malware detection this quarter alongside the launch of EDR. I want to understand more broadly what your confidence threshold here is in competing in more traditional endpoint markets.
And I think beyond that, what are you seeing in terms of customer interest thus far?.
Oh, no. There's a very big interest. Now, the Malware Detection that we added with our 60-day free Endpoint Protection is detection, not response, because we didn't have yet the capabilities of response in our agent – build into our agent, and that's what is coming up with Multi-Vector EDR, which give you the full solutions.
And the differentiation between our solutions – our solution and other solution is that all endpoint solution today, they essentially have only information about the endpoint. Now, of course, because we have all the telemetry, we can look beyond the endpoint, and that is very important.
So, today, I think we have a solution that, technically speaking, have significant more advantages eliminating possibilities, allowing you to do certain things much more easily, because you need that access to all that information, you don't have go fishing, as I used to call it, and so I think we have a very good solution.
Now, the big advantage we have here is that we have already a large, large usage of our Cloud Agent, and for us to upgrade to – for our customers to really look at the solution, it's very easy because it's instant update of the agent to give them that response capability that I just discussed about.
And that's essentially all that is needed and it's pretty straightforward. And now you can try our Multi-Vector EDR. And we call it Multi-Vector EDR because the attacks today are precisely multi-vectored.
So it's not only just the endpoint, you need to know to what that device connects to because the device could be attacked from another part of the network, and that's why you need that full view, just not the view of the endpoints..
That's helpful. Thank you.
And, Joo Mi, maybe one for you, just kind of building on the last question, how should we think about products like EDR and SIEM serving as the lift, if you will, to the ASP or average deal size?.
Yeah, this is something that we're very optimistic about.
We believe that with the launch of VMDR followed by EDR and Data Lake and SIEM coming after with our customers, having already – have Cloud Agents installed at the endpoint, so we really think that this will drive our ARPU higher, increase the dollar retention rate, and overall drive acceleration in revenue..
That's helpful. Thank you..
Thank you. And our next question is from Matt Hedberg with RBC Capital Markets. Please go ahead..
Hey, guys. Thanks for taking my questions.
Philippe – and maybe I missed it, but – or could you comment on sort of some of the geographic trends you did domestically here and then overseas in terms of when economies start to reopen?.
I think today we see – yeah, I think the US, as you know, is (00:54:18) our market. We're not seeing, in fact, much difference fundamentally between all the markets, and we see very, very good adoptions in Europe and in Asia Pac as well. So, we have not seen really an economical impact.
And the reason is very simple, you still – I take the example of Qualys, we have nobody working in our offices, obviously. However, this is our network that we need to continuously maintain because that's a network that connects us together. So, that network is essentially like the nervous system.
So, that's why the security market – and you need to secure this network, so that's why, as a whole, we have not seen significant reduction in the demand. What we see conversely is a lot of companies essentially asking for price concession, payments, et cetera, that's what we see.
We see, of course, some companies which are going – are getting bankrupt or will go bankrupt. That's of course the dynamic.
Now, for us, instead of speaking in term of reduction, we try to essentially now change the debate in saying, by the way, what about consolidating? You are spending so much amount of dollars maintaining disparate solutions, why don't you take a solution like Qualys and look – where everything is integrated, and of course, overall, your total cost of ownership is drastically reduced because you won't need that many people to do that.
You don't have to worry about the integration between these different solutions. It's all done for you and you don't have to worry about the infrastructure cost because, of course, this is a cloud-based solution. So, I think we're extremely well-positioned..
Got it. And then I know you've historically taken a very active role in sales, effectively running sales for several years, but I believe you promoted Laurie to EVP Worldwide Field Ops last year. As far as I can tell, I don't think she's with the company anymore.
I'm wondering if you could comment on that and just sort of like the overall sales initiative..
As you know, we have, of course, replaced Laurie, and in fact, as you know, we have very long-term employees at Qualys, but not everybody stays forever, obviously. And so, I think now we are very well positioned here. We have, in fact, promoted somebody from within to take her role and who is doing very well.
And so, I think again, as I mentioned earlier, we are looking at expanding our sales force today. So I think we're well positioned at getting there..
Got it. Thanks..
And our next question is from Sterling Auty with JPMorgan..
Yeah. Thanks. Hi, guys. I think you mentioned a couple of times on the call that bookings in the quarter were stronger than expected. Early in the call – in the Q&A, you mentioned linearity was the same as it was last quarter.
If that's the case, then I guess – I wonder why wasn't revenue in the quarter actually stronger than the reported number?.
Revenue – when we guided to the revenue, it was $88 million to $88.6 million and we actually reported a revenue of $88.8 million. And so it did come in higher than what we had expected.
Is that what you meant, Sterling?.
Yeah.
But I guess I would call that more in line with the top end of the range – or maybe were the bookings maybe just slightly above what you expected in the quarter?.
Yes. And coupled with the fact that sometimes when we do bookings, it really depends on – some of our bookings actually are based on a consumption model as well, as you know.
Given our established partnerships, we do have consumption-based (00:58:25) that do come in, that could be factored into it, but overall, yes, we were expecting our revenue to be somewhere in the midpoint of our revenue guidance range, and after – we ended up coming in a little bit higher at $88.8 million..
Got it. And then one follow-up on the VMDR and EDR. Can you remind us – I think you have some different pricing models, especially with VMDR.
How is the uptake under that pricing model, and what should we take about the revenue contribution looking like for this year?.
So, the pricing model is different.
As you know, we're now an asset-based model which makes it very simple – much simpler, as you know, for our customers to procure than going through the old system that we had, which was a la carte and then also IP/day (00:59:16) so, I'm not so sure that I understand exactly your question in terms of the impact on what..
On revenue for the year. So, given your new products, so not knowing how much contribution you expect the total revenue for this year, is it meaningful, is it de minimis, is it a slow ramp, a fast ramp? Those types....
No, no, VMDR is moving very well. I mean, we have a huge adoption of VMDR as we have mentioned in the numbers.
And, no, this is – everybody is working (00:59:49) to VMDR and what we mentioned, again in some cases, either because for those customers which have adopted already multiple solutions, VMDR end up a little bit cheaper and then for those who have not essentially deployed new solution, of course, it comes a little bit more expensive.
And all-in-all, I mean it's a very healthy business and what it does – of course, we anticipate most of our customer base migrating to VMDR relatively quickly and we see that adoption accelerating, and what it does is populate the agent, it makes us absolutely much more sticky because of course now you have all of these solutions totally integrated.
So, we think it's a huge success. I mean, VMDR is a huge – absolutely a huge success..
Thank you..
Thank you. And I'm not showing any further questions in the queue. I would like to turn the call back to Philippe Courtot for his final remarks..
Okay. So thank you – thank you all, and again, this – as you know, we are very excited to see our new solution coming, VMDR, it's been a fantastic, as I mentioned earlier, solution. We're now bringing the Multi-Vector EDR.
As you can see, we are now moving into detection and response, VMDR, EDR, we have more to come, and of course, we are looking forward to launching our new incident response solution. So with that, we'd like to thank you for your time, and again, thank you very much..
And with that, ladies and gentlemen, we thank you for participating in today's program. You may now disconnect. Have a wonderful day..