Qualys, Inc. (NASDAQ:QLYS) Q4 2023 Earnings Call Transcript

Qualys, Inc. (NASDAQ:QLYS) Q4 2023 Earnings Call Transcript February 8, 2024

Qualys, Inc. isn’t one of the 30 most popular stocks among hedge funds at the end of the third quarter (see the details here).

Operator: Good day, and thank you for standing by. Welcome to Qualys Fourth Quarter 2023 Investor Call. At this time, all participants are in a listen-only mode. After the speaker’s presentation, there will be question-and-answer session. [Operator Instructions] Please be advised that, today’s conference is being recorded. I would now like to hand the conference over to your speaker today Blair King, Investor Relations. Please go ahead.

Blair King: Thanks, Gigi. Good afternoon and welcome to Qualys’ fourth quarter 2023 earnings call. Joining me today to discuss our results are Sumedh Thakar, our President and CEO, and Joo Mi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today’s press release and our filings with the SEC, including our latest Form 10-K and 10-Q. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events.

During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today’s earnings press release. As a reminder, the press release, prepared remarks, and investor presentation are available on the Investor Relations section of our website. With that, I’d like to turn the call over to Sumedh.

Sumedh Thakar: Thank you, Blair, and welcome everyone to our fourth quarter earnings call. 2023 was another strong year for Qualys in terms of product innovation as we expanded our platform capabilities, strategic relevance in the industry, and market opportunity. We introduced Software Composition Analysis in on-prem and cloud environments to identify open-source software across the production environment of virtual images for our customers. We advanced our Custom Assessment and Remediation capabilities into our agent-based VMDR and Policy Compliance solutions, and launched a groundbreaking First Party Software Risk Management solution. We deployed GovCoud, a FedRAMP High Impact level Ready vulnerability and patch management cloud platform that meets President Biden’s Executive Orders and NIST compliance.

We harnessed technology from our acquisition of Blue Hexagon and extended our cloud-scale deep learning AI to discover and identify relationships and patterns within our own highly integrated data lake that are invisible and undetectable in traditional signature-based solutions. We unified Cloud Workload Protection, Cloud Security Posture Management, Cloud Detection and Response, Infrastructure as Code, and Container Security and brought an organically integrated agent and agentless Cloud Native Application Protection Platform to market. And, at QSC in November, we announced our Enterprise TruRisk platform with which we are now embarking on the most innovative advancements to the platform in Qualys’ history. A comprehensive, enterprise-wide initiative aimed at holistically measuring, communicating, and eliminating cyber risk.

The role of CISOs and security leaders is increasingly shifting way from just buying and deploying security point solutions, towards being able to measure and articulate the amount of risk being posed to the business. C-level executives and boards are increasingly looking to monitor cyber risk and the risk reduction ROI from the cyber security spend. The Qualys Enterprise TruRisk Platform is focused on helping security leaders measure, communicate and eliminate cyber risk and become a partner in de-risking their business. The platform aggregates and orchestrates data from over 25 threat intelligence feeds as well as third-party risk signals from non-Qualys products to provide organizations with comprehensive AI-powered insights that translate risk signals into measurable scores and provide optimized remediation actions based on business impact.

This single source of truth within a unified workflow and powerfully integrated dashboard empowers customers to effectively measure and communicate risk, secure cyber spend, add value, prioritize and eradicate threats across on-prem, cloud, and multi-cloud environments and sets a new gold standard in the industry for risk management solutions. Continuing this pace of disruptive innovation on the platform, we’re also extending our remediation capabilities to include AI-powered patch management and several other mitigation solutions, including virtual patching, configuration updates and compensating controls guided by TruRisk quantification functionality. This new combination of capabilities, which we call TruRisk Eliminate, uniquely softens organizational boundaries and enables security teams to apply flexible, automated, and intelligent risk-based response solutions to address cyber risk based on their organization’s own unique operational characteristics remediation time lines and business objectives.

Early customer feedback is quite encouraging and with over 54 million patches deployed on Qualys agents in just the last 12 months alone, we believe this new approach to eliminating cyber risk will not only help our customers transform their security operations, but further magnify our competitive differentiation in the market. Today, we announced a major new upgrade to our TotalCloud CNAPP solution to provide comprehensive vulnerability posture and threat management from development to run time across multi-cloud and SaaS environments. Inclusive in this upgrade is the introduction of TruRisk Insights, which integrates data from our CWP, CSPM, CDR and external asset management solutions to provide organizations through the unified and prioritized view of risk.

Combined with additional newly introduced capabilities such as SaaS, SSPM SaaS Posture Management, open-source software vulnerability detection and multiple-cloud ITSM integration with ServiceNow, we have created what we believe is one of the most comprehensive cloud-native security solutions in the market, with a unified actionable dashboard for immediate prioritization and remediation, the net benefit, faster results, better security outcomes and lower overall cost for our customers. Additionally, I’m pleased to announce that we are enhancing the Qualys Cloud Agent with passive sensor capabilities to help new and existing customers obtain real-time continuous visibility of unknown, unauthorized or rogued assets communicating inside their IT and OT environments.

This unique approach to internal asset management enables millions of existing cloud agents to detect many more unmanaged devices with just a single click and eliminate the complexities associated with network appliance-based passive sensing. And this enables organizations to rapidly turn previously unknown assets into security-managed assets with seamless CyberSecurity Asset Management VMDR enablement for comprehensive risk assessment, prioritization and remediation across their attack surface. These innovative new approaches to cybersecurity risk management along with several others on our roadmap for 2024 allow our customers to reduce complexity as they standardize on a trusted platform that delivers an immediate ROI and lower total cost of ownership relative to siloed and detection-only technologies out in the market.

Turning to business update for the go-to-market motion in Q4, we experienced another quarter of steady VMDR adoption, which is now deployed by 56% of our customers worldwide. Key competitive VMDR wins include, a leading health care provider, several global financial services technology and manufacturing companies, and multiple new and other existing customers, both down market and in the Global 2000. Adding to these wins, I will take a moment to share a couple of examples of how our customers and partners are expanding their use of Qualys’ capabilities to further consolidate the security stack. On the customer front, one of my favorite new logo wins in Q4 was with a Fortune 300 media organization. Their organization was frustrated by the high volume of alerts being generated by their legacy security tools and the inability to uniformly contextualize and manage risk across dispersed agencies and environments, which hampered its team’s efficiency and obstructive critical incidents — obscured critical incidents.

Recognizing the increased value, they could gain by modernizing their security stack and consolidating on Qualys’ customer replace several existing vendors and adopted four modules from Qualys including VMDR, CyberSecurity Asset Management with External Attack Surface Management, Web Application Scanning and our newly introduced TotalCloud CNAPP solution in a highly competitive seven-figure new customer bookings win. In another highly strategic and high six-figure of booking upsell example an existing Fortune 200 health care provider expanded its existing relationship with Qualys to standardize on our Enterprise TruRisk Platform. This customer has struggled to communicate the risk posture and list of prioritized risk mediation recommendations to their management, as well as their different IT teams.

The TruRisk platform helps them consolidate risk factors from different Qualys modules into a single score with business context, which led them to purchasing multiple Qualys modules as part of this platform, consolidation and expansion. On the partner front, we continue to advance our evolving ecosystem with two leading global managed service providers, Orange Cyber Defense and Kudelski. Both expanded their offerings beyond VMDR to include our Patch Management capabilities. These partners have indicated they chose Qualys over competing solutions due to our ease of orchestration, natively integrated platform and single-agent approach to simplify their security operations and significantly reduce remediation times for their customers. In addition, we expanded our relationship with Oracle Cloud with OCI, which is now making the Qualys Enterprise TruRisk Platform available in its marketplace.

We also evolved our partnership with Microsoft Azure by sunsetting our vulnerability assessment only integration to provide Azure customers with the full capabilities of VMDR in its marketplace and we’ll start ingesting Defender data into VMDR TruRisk platform. Further continuing our partnership with Microsoft, we are also selected to participate in its Security Copilot leveraging an AI-powered security solutions. Finally, on the partner front we expanded our relationship with Ingram Micro which is now offering a full suite of our CyberSecurity Asset Management VMDR and prioritize remediation workflows to its customers in the APAC region. As evidenced through these wins and several others like them, Qualys is much more than just a Vulnerability Management vendor with more and more companies begin to turn to Qualys to reduce agents security gaps, complexity, and costs, enabling them to transform and consolidate their security stack on the Qualys TruRisk platform.

Largely as a result customers spending $500,000 or more with us in Q4 grew 14% from a year ago to 183. In summary, we believe our natively integrated platform that measures communicates and eliminate cyber risk, brings a highly differentiated value proposition to our customers as they get more security using fewer resources with the Qualys Enterprise TruRisk platform. Looking ahead into 2024, we’ll continue our disruptive innovation, advance our go-to-market investments, and execute our strategic vision with a proven approach to balance growth and profitability. With that, I will turn the call over to Joo Mi to further discuss our fourth quarter results and outlook for the first year — first quarter and full year 2024.

Joo Mi Kim: Thanks Sumedh and good afternoon. Before I start, I’d like to note that except revenue, all financial figures are non-GAAP and growth rates are based on comparisons to the prior year period unless stated otherwise. We’re pleased to report a strong finish to the year, with Q4 revenues in line with expectations and strong earnings beat, delivering 13% revenue growth and 47% adjusted EBITDA margin in 2023. The leverage we generated this year demonstrates the efficiency in our model and enables us to step-up investments in new technologies, sales motion, targeted marketing programs, and people to accelerate long-term growth and further enhance our position in the market as a trusted security partner of choice. Now, let’s turn to fourth quarter results.

Revenues grew 10% to $144.6 million at the midpoint of our guidance. Growth from channel partners outpaced direct at 16% versus 6% growth from direct. With continued investment in our channel, our revenue contribution mix has shifted slightly over the past year, with the channel making up 44% of revenues in Q4 versus 42% a year ago. We expect a similar trend to continue in 2024. By geo, 13% growth outside of the US, was ahead of our domestic business, which grew 9%. Looking ahead to 2024, we expect our US and international revenue mix to remain roughly at 60% and 40% respectively. As for calculated current billings, although, we don’t focus on or manage to this metric, anticipating questions related to bridging this LTM calculated current billings growth to revenue growth guidance, we would like to note that our Q4 calculated current billings was positively impacted by the timing of invoicing of multiyear prepaid subscription and large early renewal.

Normalized for this, LTM calculated current billings growth would have been approximately 12%. Turning to land-and-expand results. With customers confirming their prioritization of security within IT budgets, we anticipate the selling environment in 2024 to remain stable with ongoing budget scrutiny being the new normal for many organizations. In Q4, we are pleased to see improvements in the new business although the upsell environment remained challenging with our net dollar expansion on a constant currency basis at 105%, down from 106% last quarter. While there continues to remain room for improvement from smaller customers, LTM revenues from customers spending $25000 or more with us increased by 12%. In terms of product contribution to bookings, Patch Management and CyberSecurity Asset Management combined made up 12% of total bookings and 22% of new bookings in 2023.

In 2023, the increased adoption of these products resulted in over 50% growth on a combined basis. Our Cloud Security solutions made up 5% of 2023 bookings, led by our natively integrated TotalCloud CNAPP offering. Turning to profitability. Adjusted EBITDA for the fourth quarter of 2023 was $65.8 million representing a 46% margin, compared to a 42% margin a year ago. Although operating expenses in Q4 were largely unchanged up only 2% to $59.5 million. Sales and Marketing expenses increased by 12% with us, closing out the year with 438 Sales and Marketing headcount, up 16% from last year. EPS for the fourth quarter of 2023 was $1.40 and our free cash flow was $32.3 million. Free cash flow for the full year 2023 was $235.8 million, representing a 43% margin compared to 37% in the prior year.

In Q4, we continued to invest the cash we generated from operations back into Qualys including $1.5 million on capital expenditures and $23.1 million to repurchase 140,000 of our outstanding shares. As of the end of the quarter, we had $83.7 million remaining in our share repurchase program. We’re pleased to announce that our Board has authorized an additional $200 million share repurchase program, bringing the total available amount for share repurchases to $283.7 million. With that, let us turn to guidance, starting with revenues. For the full year 2024, our revenue guidance is $600 million to $610 million, which represents a growth rate of 8% to 10%. For the first quarter of 2024, we expect revenues to be in the range of $144.5 million to $146.5 million representing a growth rate of 11% to 12%.

This guidance includes an estimated 1% reduction to revenue growth in 2024 from sunsetting our embedded solution for Microsoft Defender, effective May 1. Earlier this year, Microsoft Defender for Cloud users using Qualys solutions were notified that we will be retiring our integration on Microsoft Defender and transitioning to BYOL model. With this change these customers will be able to leverage Qualys TotalCloud CNAPP to effectively manage their security risk for cloud and container workloads. Although this strategic shift is estimated to result in a short-term negative impact to revenues, we believe it will be key to delivering long-term value to consumers. Normalized for this change, our revenue guidance for the full year 2024 would have been 9% to 11%.

Shifting to profitability guidance. For the full year 2024, we expect EBITDA margin to be in the low 40s, implying approximately 20% to 25% increase in operating expenses similar to increase in investments in 2022 and free cash flow margin in the mid-30s. We expect full year EPS to be in the range of $4.95 to $5.27. For the first quarter of 2024, we expect EPS to be in the range of $1.27 to $1.35. Our planned capital expenditures in 2024, are expected to be in the range of $15 million to $20 million and for the first quarter of 2024, in the range of $3 million to $5 million. In 2024, we plan to align our product and marketing investments to focus on specific initiatives aimed at driving more pipeline, enhancing our partner program, expanding our federal vertical and supporting sales while maintaining a disciplined approach to unit economics.

As a percentage of revenue, we expect to prioritize an increase in investments in sales and marketing as well as related support functions systems and people with more modest increases in engineering and G&A. As we increase our focus on sales and marketing enablement customer success and productivity in response to a more stable selling environment, we believe we will be able to drive wallet share and long-term returns while balancing growth and profitability. In conclusion in 2023, we delivered a healthy top line growth and industry-leading profitability in the wake of a challenging macroeconomic environment. We continue to lead with product innovation and announced an exciting new roadmap for the Qualys Enterprise TruRisk Platform. We are confident in our ability to deliver on our growth opportunity long term, and remain committed to maximizing shareholder value.

With that, Sumedh and I would be happy to answer any of your questions.

See also 15 Countries with the Most Reserve Military Manpower in the World and Best Workers’ Compensation Lawyers in Each of 30 Biggest Cities in the US.

Q&A Session

Operator: Thank you. [Operator Instructions] Our first question comes from the line of Josh Tilton from Wolfe Research.

Q – Josh Tilton: Hey, guys. Thanks for taking my questions. I just want to sneak two in here. The first is on the really strong billings growth in the quarter. I know in the prepared remarks, you kind of highlighted as one-off. But could you maybe just give us a little bit more detail around the one-off early renewal? And then again, I understand that it’s early, but you should still be able to rev-rec it. So is the way to think about it that revenue growth would have been — or revenue guidance would have been lower had this early renewal not happened in Q4?

Joo Mi Kim: So in terms of early renewal, we booked it earlier. And typically, when we book early renewals, it’s a combined with an upsell. So it actually doesn’t have a rev-rec impact earlier in the period, because we closed the deal earlier. So the revenue recognition as an example, if it was an early renewal that was supposed to renew on January 1, and were renewed on December 1, because the customer wanted to have an upsell combined with the renewal and we closed the entire deal on December 1, because that’s what the customer preferred the early renewal piece even though it impacted the billings, because we would invoice for the total amount wouldn’t have had an impact on the revenue into Q4.

Josh Tilton : Super helpful. And then I guess just my follow-up is really appreciate the clarity on the Microsoft partnership and the contribution to revenue. Could you maybe just dive one level deeper on obviously the short-term negative is a clear impact, but how you guys envision this being more of a long-term positive for Qualys?

Sumedh Thakar: That’s a great question, Josh. I think if you look at what VM has evolved quite a bit over the last few years, and VMDR that we came out with, which took the scan-only VM and evolved it into multiple other additional capabilities, including inventory and threat detection as well as certificate management giving an ability to patch systems. And so that VMDR really in my mind set the standard for what end-to-end modern VM needs to be. And so what — with the relationship with Microsoft, the particular integration was the legacy scan-only VM that they were leveraging. And so moving to the full — to the BYOL allows us to have the ability to work with the customers to bring the full VMDR license into Azure environment.

And then with that full VMDR license, of course, it allows us to not only sell them VMDR, but also allows us to have conversations with them out on CSAM, Patch Management, File Integrity Monitoring, TotalCloud upsell, because today Cloud Security is evolving and integrated CSPM with Vulnerability Management, which we provide is significantly better than just getting ACV list out there. And so with that we feel over the longer-term, it gives us opportunities to have more upsells and more — and access to these customers to talk to them about the additional capabilities of Qualys. And help them see a much more unified view of their overall risk posture, especially as we talk about the Enterprise TruRisk platform. And so as the partnership has evolved, we will be taking a Defender data into our new TruRisk platform that we are working on as well as pushing Qualys data into Copilot for a different type of insights that Microsoft provides.

And so the BYOL still gives that integrated experience and the ability to embed the Qualys agent just that the licensing then comes to Qualys and does not become sort of an embedded thing that we don’t really have access to.

Josh Tilton : Makes sense. Thank you so much.

Sumedh Thakar: Yes.

Operator: Thank you. One moment for our next question. Our next question comes from the line of Jonathan Ho from William Blair.

Jonathan Ho: Hi. In terms of your investments in Sales & Marketing, can you maybe help us understand the magnitude of those investments and just given that you’ve got the new sales leadership here in place, what are some of the specific opportunities that you’re seeing to make those investments? Thank you.

Joo Mi Kim: The way we’re looking at the investment in 2024 is relatively in line with what we had in 2022. So back in 2002, we said that it was going to be an investment year. We had increased Sales & Marketing investment by approximately 25% back then and we have increased our Sales & Marketing head count by 22%. This is kind of what we’re looking to repeat in 2024, especially given that we’ve only grown sales and marketing by 14% in 2023. Primarily it will be driven by increasing the Sales & Marketing the employee count that hiring for quota-carrying sales reps, as well as other support functions associated with that especially with a particular focus on the channel managers with our focus on partner first. Additional investment that we plan to make is related to anything that’s like pipeline generating activities including marketing trade shows events and partner enablement as well as sales enablement.

Sumedh Thakar: Yeah. We’re pretty excited about what we’re seeing with the response on our CNAPP solution with TotalCloud and then our Enterprise TruRisk Platform kind of coming up. And so with — pretty encouraged with what we’re seeing for new logos that are coming to us and really interested in the cloud security solution, not VMDR or not just VMDR I should say. And so we’re going to also invest more in sort of marketing around our cloud security solution as well this year in addition to the Sales & Marketing head count growth that we look at for 2024 as the way for us to invest into our platform.

Jonathan Ho: Fantastic. Thank you.

Operator: Our next question comes from the line of Mike Walkley from Canaccord Genuity.

Q –Unidentified Analyst: Good afternoon. It’s Dan on for Mike. Thanks for taking the question. So in the prepared remarks you called out expectations of I guess shifting more revenue coming from the channel. Can you give us some additional color on what you’re seeing with your channel partners and sort of how this is progressing following the hiring of Dino?

Sumedh Thakar: Yeah. We’re pretty happy with Dino having come on board. We also hired in Q4 in an SVP of channels who’s really working closely with us. And so as we are looking into 2024 encouraged by the mix that we are seeing with partner versus direct, we’re going to continue in 2024 to invest with our partners. There’s the next phase of our partner program that we are planning to roll out in a couple of months as well. And as you see some of these additional partnerships that we are making whether it’s with Orange Cyber Defense or Kudelski taking on our additional solution like Patch Management also as part of that to take it to market. So we’re also investing in hiring some partner-focused marketing as well as partner-focused product management roles internally as well.

And overall encouraged by the conversations we’re having with our partners and seeing sort of the contribution that they are making. We have a good comprehensive plan this year to invest with our partner ecosystem including focusing really on net win logo generation and working with our partners to help kind of generate that pipeline for us and work with them on most of our net new logos.

Q –Unidentified Analyst: All right. Thanks for the color. And just as a quick follow-up maybe for Joo Mi. How should we sort of think about the potential timing for the increased Sales & Marketing investments. Should we anticipate maybe the step-up in cost to be more back-end loaded or kind of just progress throughout the year evenly?

Joo Mi Kim: I think what you could assume is progress evenly throughout the entire year, but it will be more heavier in the second half than the first half.

Q –Unidentified Analyst: Great. Thank you very much.

Operator: Thank you. One moment for our next question. Our next question comes from the line of Brian Colley from Stephens.

Brian Colley: Hi. Thanks for taking my questions. So could you talk about what your win rates look like in the CNAPP space today kind of what you view as your biggest competitive differentiation in that space whether or not you see CNAPP is becoming a source of new lands rather than just landing with VMDR in the future?

Sumedh Thakar: Great question. With our CNAPP solution with TotalCloud, I think the biggest differentiator that we see right now is that cloud is not the only infrastructure that customers deploy. And so while they are a cloud-only security solutions, they do not give them the full perspective of the risk that these cloud environments have. As an example, if a cloud environment access is on a laptop of a particular admin employee and that laptop has certain vulnerabilities and risk configuration that can lead to a compromise that can then lead to compromise in the cloud. And so today, with our early — it’s too early right now in terms of calling out win rates et cetera, because we just recently launched it and now, we’ve released additional updates to that.

But what we do see is that customers really want to see that comprehensive view of their risk, not just in cloud environments, but across different environments and our ability to tie the different components of cloud and non-cloud together to give them a more holistic risk score is really something that they are excited about. And now sort of uniquely introducing this concept of SSPM, which is SaaS Posture Management as part of our cloud security solution is also very interesting because if you recently saw the SEC requires that CISOs be also responsible for data hosted in cloud environment. And so it becomes more important that when you look at cloud security holistically, it is not just about your own public cloud environment but also being able to look at your SaaS providers configuration, where you are storing all of your data.

And so with that we’re pretty excited to have a more comprehensive solution, which we believe compared to the cloud security – cloud security only solutions out there. And also what we are seeing very early on right now it’s still really small numbers but we are seeing net new logos coming because of the interest in cloud security solution or first-time buyers directly coming in and buying the TotalCloud solution from us not just the VMDR solution. And so that’s definitely encouraging. And that’s kind of where I look forward this year to invest more in our cloud security and looking to generate more opportunities and pipeline to say, look, you can go and look at a cloud security only solution, which gives you only a small view or look at a more comprehensive solution like Qualys, which does cloud and non-cloud on-prem all kinds of different assets together in one view.