Brian Colley: Got it. That’s super helpful and definitely encouraging to hear. One for Joo Mi. I’m curious, what your expectations are for gross margins in 2024. And also just longer-term, if you kind of view or really just beyond 2024 if you view low 40s as kind of the new normal for EBITDA margins or if you see other opportunities for leverage in the model to maybe start re-expanding margins again beyond this year.
Joo Mi Kim: Yes. In terms of the EBITDA margin, what we said before was we – I mean if you take a look at our 2023 EBITDA margin was up 47%. So it was clear to us that obviously, there’s room for us to reinvest back into the business in light of the changes that we’re going through right now and opportunities ahead. For 2024, we believe that this is an appropriate guide as we continue to ramp the investment in Sales & Marketing and catch-up on some of the investments that we had planned earlier in 2023. Longer-term, I think it’s a little too difficult to say because if we think that there’s really an opportunity where there is a high ROI in an investment area, we think that it would make sense for us to trade more of that margin with the growth but that model would have to work out for us to really change our new – and reset our targets.
Brian Colley: Got it. Thank you for the time. Thanks.
Operator: Thank you. One moment for our next question. Our next question comes from the line of Trevor Walsh from Citizens JMP Securities.
Trevor Walsh: Great. Thank you for taking my questions. Sumedh, maybe just a couple for you. On a real high level, what are you seeing from a budget perspective as we’re kind of starting out 2024 just broadly within security? And then I can have – just depending on how you answer I have a follow-up around VMDR if I can.
Sumedh Thakar: Can I get the second part of the question?
Trevor Walsh: So the second part just based on what you’re seeing with budgets, I’m curious just you provide good visibility around the VMDR penetration rate in your investor deck. I’m just wondering, you had 56% kind of for this past quarter and it kind of trended I think in a fairly kind of even keel throughout the year last year. I guess, what’s the internal view of what’s good and kind of where are you striving for? And if are there limitations to that expectation is it around – to the first part of the question is it more budget constrained or is it more competitive type of things coming into play? Just like how those sort of push and pull together if that makes sense.
Sumedh Thakar: Got you. Okay. All right. So yes, we are really not seeing a big change in terms of sort of the budget or the amount of time it is taking for customers to do a POC or even after they do a POC and the timing of when they will actually make a purchase or the size of the purchase compared to the initial start of the POC, et cetera. I’m really not seeing much of a difference. I think Q4 we saw a couple of customers who are actually able to close the projects that they have started with us for a while and be able to close the deal, not necessarily translating that into 2024 as being a any major investment – increase in their cybersecurity investment. I think there’s a little bit more sense of stability in the sense that they sort of have an idea now this is kind of where I land and more optimistic that their budget will not be taken away in the middle of the year that happened with some of the customers.
And so I think there is no clear change in direction in the way I see from what we have seen in the last few quarters. I think it’s continuing like that. We just focus on improving our execution, being able to listen to the customer better, size our POCs the right way and close the right-size of the deals. In terms of VMDR, I think VMDR penetration we are very happy with where it is. It is kind of reached a point where we will see, its continued sort of incremental growth. But now our focus really is on, how do we — as you saw we talk a lot about CyberSecurity Asset Management, Patch Management our focus is those customers now who have VMDR and they have the agent deployed. How can we leverage those deployments and work with those customers for additional up-sells on agent-based solutions.
And that’s why, I’m super excited about this ability that we introduced where and any existing Qualys Cloud Agent, can immediately be turned into a listener on the network to find any additional devices that are communicating that are not part of the Qualys Inventory. And so now a customer has immediate access. And with that they can now leverage that agent to find new assets they did not know about and immediately add that into the Qualys subscription, so that they can sort of grow the number of assets that are brought into the Qualys umbrella so to say. And so, we continue to really focus on innovating around CSAM Patch Management et cetera to those VMDR customers, while we expect VMDR penetration to sort of continue at this sort of slow space.
And we continue to work with those customers and opportunities that are coming for us to convert sort of legacy VM-only customers into VMDR customers are always encouraging for us.
Q – Trevor Walsh: Great. Appreciate the color. Thanks.
Operator: Thank you. One moment for our next question. Our next question comes from the line of Yun Kim from Loop Capital Markets.
Yun Kim: Hey. Great. Sumedh, just like you said VMDR adoption has been steady. Cloud Agent deployment seems to be steady here, over the past several quarters. You have Patch Management, Cybersecurity Management Solution consistently doing well. I know you have guidance for the year, but I am assuming you are hoping to do better. Do you feel that the incremental sales and marketing investments and new go-to-market motion could drive that upside to your guide? Or do you feel that you need another new killer product to jump start the growth?
Sumedh Thakar: Seeing no lack of products at Qualys, right? So we continue to innovate and work with our customers and make sure that we align our go-to-market with that. And so look, I think CyberSecurity Asset Management, Patch Management are continuing to do well over multiple quarters, pretty excited about the opportunity that we are generating with TotalCloud and our CNAPP solution there, and response that we are getting with customers’ ability to display some of the large cloud-only vendors that are out there. So that’s an area that this year I’m looking forward to do more investments in marketing et cetera, so we can generate more opportunities to — from that upside perspective. But also as I mentioned, we launched the TruRisk platform, at the end of last year at our QSC.
And so that product is actually now going beyond just Qualys. And so not only it is going to help us focus on getting our customers to look at getting multiple modules from Qualys in one go, just because they get a unified view of their entire risk score in one, rather than having to go module-by-module. But also the ability that we’re going to add to ingest third-party data from multiple other sources like competing VM Solutions, Cloud Security Solution as well as Code Scanning Solutions et cetera which means that that gives us additional opportunity to ingest data and charge the customer for taking the data that they have from other solutions and then adding additional analytical and meaningful value from a business context to that. And so TruRisk platform, we’re super excited about that as we continue to launch that through the rest of the year.
And that’s an area that I’m looking forward to next year to really be something that we will get more and more of our customers adopting to that because at the end of the day the CISOs are really saying like all this like finding counts and dashboards are fine, but I’m not able to articulate to my Board and my executives and my CFO what the risk is I’m not able to articulate how much money I’m willing to spend to bring that risk down. And so I think you talk about things on a nuclear product and I think TruRisk the Enterprise Platform. I’m super excited about that.
Yun Kim: Okay. On Azure and hyperscalers in general, are you getting increasing traction with your marketplace or app store offerings?
Sumedh Thakar: On the Azure marketplace, I mean look we have the BYOL is one and that is — we already have a lot of enterprise customers who leverage Qualys directly in Azure that don’t go through the marketplace, like we have millions of agents today running in Azure that are through our enterprise customers already. And so I think the BYOL is one channel for us potentially now to get customers coming to us. But other than that a good amount of our enterprise customers are using Azure already coming to us because they are looking for a more holistic solution that goes across multiple clouds, on-prem platforms, laptops, et cetera. So we’ll continue to see how that channel evolves more, but it’s too early to say right now.
Yun Kim: And then Joo Mi real quick, any insight into any ASP trend in the quarter? And how do you see that metric trending this year?
Joo Mi Kim: The average deal size is growing by double digits and so we kind of expect it to continue to 2024.
Yun Kim: Okay. Thank you so much.
Operator: Thank you. One moment for our next question. Our next question comes from the line of Dan Bergstrom from RBC Capital Markets.
Dan Bergstrom: It’s Dan Bergstrom for Matt Hedberg. Thanks for taking our question. So you called out a couple of Fortune 500 wins in the prepared remarks and looking at the earnings materials, it looks like you’ve had some nice incremental adoption in that Fortune 500, the Global 2000 over 2023. I guess, following a couple of years of more consistent penetration, maybe can you help us with what drove that incremental traction at the upper end of the market? Was it a product? Partners? Reach? Thanks.
Sumedh Thakar: I think it’s a combination of all, but I would say that Qualys generally does really well on the enterprise side in terms of solving complex problems. And so as our cybersecurity asset management product has matured, patch management has matured, our customers seeing — there was a hesitation at the beginning to say well the VM buyers going to buy patch management from a VM vendor right? So there was a lot of pushback at the beginning. But now seeing that 55 million patches have been deployed by Qualys agents in the last 12 months, I think that adoption and customers really having those conversations with each other and seeing the outcome of that is definitely helping drive that focus on these additional modules and additional upsell.
