Qualys Inc

NASDAQ:QLYS

Ladies and gentlemen, thank you for standing by. Welcome to Qualys Third Quarter 2024 Investor Call. [Operator Instructions]. Please be advised that today's conference is being recorded. I would like now to turn the conference over to Blair King, Investor Relations. Sir, please go ahead.

Thank you, Michelle. Good afternoon, and welcome to Qualys' Third Quarter 2024 Earnings Call. Joining me today to discuss our results are Sumedh Thakar, our President and CEO; and Joo Mi Kim, our CFO.

Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K.

Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks and investor presentation are all available on the Investor Relations section of our website. So with that, I'd like to now turn the call over to Sumedh.

All right. Thank you, Mr. King, and welcome to our third quarter earnings call. Q3 was another quarter of rapid innovation for Qualys, reflecting our ongoing commitment to technology leadership, cybersecurity transformation and successful outcome for our customers. As I have focused on product management and marketing in the last few months, I have personally spoken to many CEOs who are struggling with way too many security tools from shift left to run time, creating too many findings that are overwhelming the IT and dev teams, leading to multiple siloed top 10 dashboards and an inability to articulate the true risk to the business stakeholders.

They are feeling the pressure to articulate the ROI of their security spend and rationalize the security spend in context of the risk to the organization with their CFO, CEO and Board members. Risk can only be mitigated if it is remediated and performed in a timely manner. There is an immediate desire to stop playing the risk whack-a-mole and establish a properly operationalized risk management process by implementing a modern risk operations center. At our recent QSC event in San Diego, we ushered in the next era of cybersecurity innovation by announcing the GA of Enterprise TruRisk Management Solution, which is the world's first cloud-based ROC. ETM transforms siloed data into cohesive real-time risk management solution by consolidating Qualys and non-Qualys data from several technology design partners, including Wizz, AWS, Microsoft Defender, Oracle, Okta and Forescout. The result is a single comprehensive AI-powered platform that aggregates security findings, unifies threat intelligence and provides organizations with actionable enterprise-wide insights to prioritize and remediate cyber risk with unique business context and financial impact via cyber risk quantification.

Unlike some exposure management platforms in the market that only expose the exposure based on data their sensors collect and provide no remediation capabilities, Qualys ETM comprehensively provides a single risk view that goes beyond vulnerabilities across code repositories, on-prem cloud, container, remote endpoint, identity, OT and IoT findings from multiple existing security tools in the customer environment, along with patching and remediation capabilities. With ETM, Qualys has set a new gold standard in the industry for proactive cybersecurity risk management. Cyber risk orchestration is coordinated, quantification is comprehensive, remediation is transformed and the enterprise-wide ROC at scale is now a reality. We see many parallels between this new market opportunity and the early days of VMDR, including a significant greenfield opportunity and being early to market. I encourage all of you to watch the video describing our ETM-powered ROC in more detail at quualys.com. We also announced mROC, which will enable many managed service providers to deliver services on the Qualys ETM as a managed risk operations center.

Lastly, we announced a cyber insurance company is going to provide Qualys ETM customers with additional discounts on their premium for lower TruRisk shared directly from ETM, allowing customers to transfer the residual risk to their business. With a ROC delivered by Qualys ETM, we are now empowering C-level executives and security teams with out-of-the-box instant and actionable insights into trending risk specific to their vertical and map to their own data to preemptively identify prevailing threats well in advance of a potential security incident. With this new app, which we call TruLens going GA soon, CISOs and their security teams can immediately be notified of potentially impacted IT and IoT assets within their environment, the materiality of these assets to their business, the associated impact to their overall risk score and are equipped with the ability to make a remediation frictionless and immediate with a simple click of a button. Alongside several other existing announcements at QSC San Diego, we were pleased to commence GA of both our TruRisk Eliminate and Qualys Total AI capabilities, marking another milestone in Qualys' 25-year history of cybersecurity innovation.

We are pioneering these categories and both are key differentiators on our platform. These new approaches to cybersecurity risk management, along with several others on our road map in the coming quarters, arm our customers with the tools necessary to navigate an increasingly complex threat environment and regulatory environment, streamline security operations and reduce cost. Moving to our business update. With many of our customers already embracing Qualys to help re-architect and consolidate their stack, Qualys VMDR has translated into an enviable customer base, broad adoption and notable industry recognition. As recently announced, Qualys' VMDR with TruRisk was recognized by GigaOm as a comprehensive risk-based approach to vulnerability management and a leader in the category for the fourth consecutive year. We believe Qualys' placement as a leading vulnerability management solution further validates our investments in the platform and continues to represent the high watermark for securing customer environments today and in the future.

Given Qualys' demonstrated track record for delivering greater value to customers, our VMDR solution with TruRisk is not only fueling new logo lands, but also helping to increase platform adoption, especially in the areas of cybersecurity asset management with EASM, patch management and cloud security. Let me share a couple of recent wins, which illustrate why companies turn to Qualys to help consolidate their security tools and fortify their security operations. In Q3, one of my favorite wins was a large federal government agency becoming a Qualys customer. This new customer was previously using multiple legacy and next-gen solutions to manage a variety of risk management use cases across their security, IT and DevOps team. In addition to the complexity of using multiple point solutions, the government agency was also frustrated with increasing costs associated with on-prem deployments, the inefficiencies of operating siloed systems and elongated remediation efforts. looking to migrate to a natively integrated cloud-based FedRAMP high-impact level-ready solution that meets the CISA binding operational directives, we displaced 5 of their existing vendors in a 7-figure bookings deployment using multiple Qualys modules right out of the gate.

These initial deployments included cybersecurity asset management with ESM, VMDR and with TruRisk Patch Management, Policy Compliance and EDR. Though -- through this highly strategic and competitive win, the customer is now able to leverage unified dashboards that provide them with greater insights and automation that any of the competitive solutions that we had evaluated while taking full advantage of a natively integrated platform. This win alongside a separate 7-figure upsell with an existing large government agency customer and a significant state win are a testament to our ongoing investments to expand our federal, state and local government business in the United States. Continuing our global expansion, I'm pleased to announce that IRAP in Australia has recently assessed Qualys at the protected level. This achievement opens the door for Australian government agencies and commercial organizations looking to comply with the ACSC central aid strategies as well as their PSPF requirements to meet their country's most stringent security and compliance standards.

Our successful assessment follows Qualys' approval as a cybersecurity service provider to the Victorian state government for vulnerability management services. Qualys has selected through a highly competitive and extensive vetting process and is being bundled into a managed service delivered by E&Y. Turning to the momentum we are seeing with our Total Cloud CNAPP solution in a mid-6-figure booking upsell with a financial services company in the Global 200, this existing VMDR and CSAM customer selected TotalCloud to scale their container deployments to over 70,000 hosts, monitoring millions of Kubernetes container images daily. Through its evaluation of competing cloud security providers, this customer determined that alternative point solutions added complexity to their operations, lacked integration and miss detection, which hindered their ability to assess risk and consolidate their security tools. Today, through a highly scalable, natively integrated CNAPP solution, this customer is leveraging the Qualys Enterprise TruRisk platform to combine runtime insights with proactive risk management while actively detecting anomalies, preventing zero-day attacks closing compliance gaps and remediating risk with ITSM integration through a single dashboard from code to cluster.

These capabilities provide the visibility, automation and cloud hygiene necessary to defend against today's adversaries and represent a significant long-term growth opportunity for Qualys. Our growing partner leadership in the cloud market was also recently recognized by Gartner in its July 2024 market guide for cloud-native application protection platforms. With seamlessly integrated solutions delivered natively on our platform to solve modern security challenges, more and more Qualys customers are beginning to understand how cybersecurity transformation drives better security outcomes, saves time and cost less. As a result, customers spending $500,000 or more with us in Q3 grew 15% from a year ago to $200 Consolidation isn't just happening with customers, it's also embraced and prioritized by our partners where we continue to see an increase in new customer deal registration and cross-sells. We believe the expansion of our partner program continues to reflect our strengthening brand awareness and strategic position in the market.

In summary, we believe our natively integrated platform that comprehensively measures, communicates and remediate cyber risk brings a highly differentiated value proposition to our customers as they get more security using fewer resources with the Qualys Enterprise TruRisk platform. With a unique opportunity in this environment to further strengthen our strategic position as the partner of choice for customers looking to rearchitect and consolidate their security tools, to evolve -- to solve modern security challenges, we believe we can continue to grow long term, maintain best-in-class profitability and invest in key initiatives aimed at further extending the gap between Qualys and the competition. With that, I will turn the call over to Joo Mi to further discuss our third quarter results and outlook for the fourth quarter and full year 2024.

Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP and growth rates are based on comparisons to the prior year period unless stated otherwise. Turning to third quarter results. Revenue grew 8% to $153.9 million, with channel continuing to increase its contribution, making up 47% of total revenues compared to 43% a year ago. As a result of our continued commitment to leverage our partner ecosystem to drive growth, we were able to grow revenues from channel partners by 17%, outpacing direct, which grew 1%, which grew 14% growth outside the U.S. was ahead of our domestic business, which grew 5%. U.S. and international revenue mix was 58% and 42%, respectively. In Q3, we saw some stabilization in the selling environment, but believe ongoing budget scrutiny will persist for the foreseeable future. Reflecting the sentiment, our gross retention rate remained largely unchanged at approximately 90%, but with stronger upsell performance, our net dollar expansion rate came in higher at 103%, up from 102% last quarter. We continue to see a positive growth trend in new business, achieving a double-digit growth rate for the fifth consecutive quarter.

In terms of product contribution to bookings, patch management and cybersecurity asset management combined made up 15% of LTM bookings and 24% of LTM new bookings in Q3. Cloud Security Solutions, TotalCloud CNAPP, made up 4% of LTM bookings. The foundational theme underpinning these results is the power of our Enterprise TruRisk platform to help customers consolidate cybersecurity at scale. Turning to profitability. Reflecting our scalable and sustainable business model, adjusted EBITDA for the third quarter of 2024 was $69.7 million, representing a 45% margin compared to a 48% margin a year ago. Operating expenses in Q3 increased by 12% to $61.8 million, primarily driven by an 18% increase in sales and marketing investments aimed at capturing the market opportunities in front of us. As we continue to increase our investment intensity and focus on sales and marketing enablement, customer success and productivity, we believe we will be able to drive wallet share and long-term returns. EPS for the third quarter of 2024 was $1.56, and our free cash flow was $57.6 million, representing a 37% margin compared to 64% in the prior year. In Q3, we continue to invest the cash we generated from operations back into Qualys, including $3.4 million in capital expenditures and $44.9 million to repurchase 344,000 of our outstanding shares.

As of the end of the quarter, we had $185.7 million remaining in our share repurchase program. With that, let us turn to guidance, starting with revenues. For the full year 2024, we are now expecting our revenues to be in the range of $602.9 million to $605.9 million, which represents a growth rate of 9%. This compares to revenue guidance of $597.5 million to $601.5 million last quarter. For the fourth quarter of 2024, we expect revenues to be in the range of $154.5 million to $157.5 million, representing a growth rate of 7% to 9%. This guidance assumes lighter new business this quarter based on current pipeline and continued deal scrutiny from existing customers with no meaningful change in our net dollar expansion rate in Q4. Shifting to profitability guidance. Factoring in the better-than-expected profitability today, we expect full year 2024 EBITDA margin in the mid-40s and free cash flow margin in the mid- to high 30s. We expect full year EPS to be in the range of $5.81 to $5.91, up from the prior range of $5.46 to $5.62. For the fourth quarter of 2024, we expect EPS to be in the range of $1.28 to $1.38.

Our planned capital expenditures in 2024 are expected to be in the range of $12 million to $16 million and for the fourth quarter of 2024 in the range of $5.5 million to $9.5 million. Adding additional context, we are currently making certain investments in some of our data centers to achieve greater operational efficiencies and reduce medium- to long-term marginal costs. These investments pressured gross margin in Q3 by approximately 1%, and we anticipate a similar contraction in Q4. With respect to operating expenses, in Q4, we expect to continue to prioritize an increase in investment in sales and marketing aimed at driving more pipeline, supporting sales, enhancing our partner program and expanding our federal vertical with more modest increases in engineering and G&A. With that, Sumedh and I would be happy to answer any of your questions.

[Operator Instructions]. And our first question comes from Jonathan Ho with William Blair.

Congratulations on the strong results. Sumedh, can you talk a little bit about some of the changes that you've implemented on the product marketing side? And maybe help us understand maybe that -- what that impact could be just moving forward. It seems like you've seen that products did quite well this quarter.

Yes. Thank you. Great question. So I think what -- where we see the opportunity really is aligning overall messaging around the different modules to the messaging around business risk and risk quantification that we have been talking about, which is really helping customers sort of -- there's a lot of people talking about single pane of glass and platformization and different things and just bundling products for the sake of bundling.

I think for us, as we launch the ROC, which is a big sort of announcement that we made around QSC, which is really bringing all the things that we're doing in cybersecurity together from a risk operationalization perspective. The end of the day, how much money you spend on cybersecurity is really directly proportionate to how much risk you perceive to the business and a lot of CISOs struggle to even articulate that. So if you don't necessarily have a good view of how much risk you have to the business, how do you decide on how much you should spend on the different areas of cybersecurity. And so with product marketing and product management, really, we have really focused in the last couple of months on realigning our messaging to the risk message instead of just individual modules and products, of course, is the journey that we have started on.

But really being able to have that quantification conversation with a single risk score across all the different capabilities in the platform and bringing in third-party tools, so we are not getting into the conversation of replacing existing tools we're saying, if you have these tools that you like, you can keep those, but we can bring the data into the Qualys platform and give you that very simplistic view of essentially what is the risk, so you can articulate that risk to your management, to your Board.

And that is resonating extremely well. So when people are saying, I want to consolidate different tools or bring data together, it is really at the end for the purpose of understanding what does it mean to have so many different risk factors affecting a particular business entity? What does that mean in terms of how much risk do I have to the business? And so this change in marketing, product marketing, the announcement of the ROC as well as the mROC, a lot of these things are very new in the way that we have announced them at our QSC event.

Excellent. And then just for Joo Mi, can you talk a little bit about the strength you saw this quarter in terms of the net retention and should we expect things to maybe trend towards this positive direction just given the release of the new products and the new sort of bundles that you put together?

Yes, we were really pleased with the outperformance and the upsell, especially after a few consecutive quarters of a tick down in totter expansion rate. So we're pleased to report that it's increased back up to 103%. Now with that said, what we're assuming for the guidance is no material improvement in Q4 based on the current deals in play. What we're seeing in the business today, we are optimistic and in the longer term that we will see that continue to tick up. But for the purposes of guidance, we are assuming no material change right now.

And the next question comes from Roger Boyd with UBS.

I want to touch on the channel. You continue to sound pretty confident in the opportunities that are unlocking there, particularly with the new platform offerings with mROC. It's clearly showing up in the revenue numbers. But I wonder if you could just expand on the momentum you're seeing there. And maybe to what extent was channel a material contributor to the pretty strong 3Q billings growth here?

Yes. I think at a high level, we are happy with sort of the journey we started 1 year, 1.5 years ago around really focusing more with our partners, channel partners to bring business to us, increasing deal rates. So we're seeing positive momentum there. And I think as we are seeing that momentum, what we are really looking forward to is embracing the strategy, which is our partner-first strategy, right, for both new business and for upsells.

We're looking to say, how do we work with our partners and pivot more and more towards helping them not just bring a resell deal to us, but with the launch of the mROC, how can we enable these partners to now provide some meaningful services to the customer. For a long time, MDRs and managed SOCs have been something that they have been focusing on, but a lot of our partners now are excited that after a few years, they actually have the ability to now provide some really fresh new services in cybersecurity that are relevant to the customers, especially around providing a risk advisory service, a risk quantification service and a technical service around ability to ingest data from multiple different tools, a prioritization, ongoing risk monitoring service around the ROC, a Board reporting service so that they can have reporting that actually is meaningful to the Board and then, of course, a remediation packaging service where they can actually take packages.

And so for us, we see as we have worked with our partners and AT&T company level Blue signed up as the first mROC partner and expanding from just a channel partner, just managed service providers to even cyber insurance companies that we're talking to is that partnership that can essentially help to say if you invest a certain amount in building out a risk operations center, that can give you benefit with lower risk scores and getting out of this like too many alert fatigue to actually focus on saying that this can actually give us a meaningful discount on our cyber insurance premium because we have set up a ROC with the True risk score.

So we see that a lot of things that we are doing really is about how do we embrace this partner for strategy across the board and creating products and capabilities and service that actually our partners can offer services on top of what we do and not just taking and reselling the capabilities.

And our next question comes from Patrick Colville with Scotiabank.

Sumedh and Joo Mi. Congratulations on a very healthy print. I guess I want to focus specifically on the current billings performance, which is highly impressive. The question I'm getting is, were there any deals remind me that was pushed from 2Q into 3Q? Or were there any deals that were signed in 3Q that maybe kind of pulled in for 4Q? I mean I guess, were there any one-offs maybe is kind of phrased more succinctly this quarter with the current billings performance?

There were and -- but not outside the normal course of the business. In any given quarter, we do have some deals that get pushed out and then pulled forward. And so it was a typical quarter from that perspective. With that said, when you take a look at current billings, it does get impacted by the billing schedule and the contract terms for the customers.

And I would say that the 14% that we just posted, it is higher than the bookings performance just based on the billing schedule. And so one of the things that we do guide to is if you take a look at on an LTM basis or even year-to-date basis, that helps to kind of smooth out the lumpiness in current billings. And so I would say that's probably more indicative of the business momentum that we see today.

Very helpful. And so I guess, I mean you just touched on this now, but I guess I want to zoom in on exactly what you said. So is using kind of an LTM basis, the best way to get a kind of normalized view of what things might be next year. I appreciate you're not providing early guide. But is that kind of mid- to high single-digit level, the right level on a forward-looking basis? Or should we expect more like a double-digit performance like this quarter?

Yes. It's a little too early to be commenting on next year. But because of the focus on current gains, I would say that look like the best guy that we can give right now, the indication we can give for Q4 is more or less in line with the revenue growth guidance. So we're guiding to 7% to 9% revenue growth rate for Q4. And I would say that current billings, we are expecting it to be more or less trend in that direction.

The next question comes from Kingsley Crane.

Really impressive results. I'm sure it's gratifying for the whole team. Just want to get a little bit more granular on what drove the strength from a product perspective. It seems like with TruRisk and Total AI that those are really going to be more meaningful over the next couple of quarters and years.

Yes. Great question. Look, I think overall, we're happy with -- to see -- we had a good quarter. We're happy about that. Glad to see the tick up in the NRR that we saw this quarter. We're happy with multiple quarters of new business growth that we have seen, though, as Julie mentioned, looking at sort of the Q4 pipeline, we expect some of the new business stuff to moderate a little bit.

But having said that, our federal investments like that we have been making, we saw some good momentum and good deals with upsells and new business from the federal side as well in Q3. And we're happy with how our TotalCloud solution has been evolving and also the kind of performance that we saw from a Q3 bookings perspective. As you saw, VMDR or vulnerability management is really shifting with people buying more patch management as part of VM solutions rather than just scan-only tools. And so you see that reflected in 15% of the LTM total bookings being Patch Management and CSAM and then 24% of new bookings as game bookings are Cybersecurity Asset Management and Patch Management in addition to VMDR.

And so these new product capabilities that are -- that we are providing with VMDR are driving the net new business coming to us because people are saying instead of just moving from a scanning-only solution to another scanning-only solution, they're buying patch management, they're buying cybersecurity asset management in the first purchase itself. We're also seeing some of them buy the cloud security solution in the first purchase itself.

And so as we continue to put more training, more resources, more product marketing around the TotalCloud and then the risk operations center ETM driving it, we're also seeing some very, very positive early conversations with customers around Total AI because what is happening right now is a lot of IT teams are getting ready to deploy some form of AI into production next year, they're coming to the security team and saying, "Hey, can you guys certify this and most security teams today don't have any idea what to test from an AI LLM security perspective. And so with Qualys Total AI providing almost like a point and shoot scanner for AI that tests jailbreakes and some of the common AI vulnerabilities and giving a thumbs up or a thumbs down is really the perfect recipe for what they're looking for at this point of time.

So we're seeing that momentum building up as well. And so as we get into next year, we were looking forward to continuing that momentum with Patch Management, Cybersecurity Asset Management, bringing on more customers who are looking at cloud security solution consolidation as we are seeing wins against the established cloud-only players that are the ones in the market. We're seeing wins against them, one of those we highlighted here as well. And then also, we are seeing that the amount of interest in the ROC and the ETM is very, very high. Our Strategic Advisory Board, CISOs. We are seeing a lot of them eagerly waiting to test this, try this and really hitting a key point of contention that they are seeing with their management and their Board. And so we feel like as we get into the next couple of years with growth on cloud, federal, ETM and AI are really building up some very, very nice potential growth opportunities for us over the next couple of years.

Great. That's really helpful. And Sumedh, I just wanted to take a step back and circling back the departure of in cash, the Chief Product Officer in September, which had been planned. I mean, what have you learned operationally over the past couple of months? Do you feel like you have the appropriate bandwidth? It seems like you do, it seems like things are going well.

Yes, I do. I think it's always good to get back in and see. And like most places, you just get people to talk to each other what a wonderful impact that can make. And so I think as I stepped in and brought the product management, product marketing teams together, and we were able to really just in a very quick period come up with this branding of Risk Operations Center, which is a wonderful way of describing instead of calling it security data lakes and all kinds of different names that people are struggling with, it's resonated really well.

And this just came from the creativity of our product management and product marketing team sitting together and saying, what are we eventually offering our customers instead of coming up with some very fancy terms and names, like it's literally just a risk operations center that helps them operationalize that cyber risk.

And so we're -- I'm able to really see that enthusiasm in the team coming together, and you're seeing some of that with the messaging and the clarity and the crispness of the messaging that is coming out of Qualys now as we have evolved ourselves from just being a vulnerability scanner into a really much bigger, broader platform for risk management and not just scanning and finding vulnerabilities.

And the next question comes from Joel Fishbein with Truist.

Sumedh, just to follow up on the product question. Really interested in TruRisk eliminate very -- it seems like a very differentiated product Love to hear what the early feedback is? And when does it specifically go to market? And when do you expect revenue to come from the management platform altogether?

Thanks, Joel. You always ask a product question. I like that. So it's really -- TruRisk Element is very interesting. So I mean, if you recall to the history a few years ago when I introduced Patch Management, there was a lot of pushback at the time, the analysts were not quite ready for that and the market and our competition today hasn't really picked that up. But Patch Management has become a real differentiator for the vulnerability management solution that we have, which has really helped us evolve our vulnerability management solution and our customer spend has really been now distributed between scanning and patching with us.

And while there were initially some questions on would anybody buy patch management from a vulnerability scanning vendor, to date, just this year in 2024, Qualys agents have deployed 78 million patches in our customer right? So we are looking at some significant uptake in the patching cycle from our customers and the number of devices that they are patching, et cetera. However, patching is a little bit of a political battle in customer environment between IT team and security team, and so we run into that sometimes. It's also an operational challenge, right? The more patches you deploy, the more opportunities that something could go wrong. And so there is hesitation on patching, though it is required. So with TruRisk Eliminate, we have come up with a very nice packaging that not only does patch management that we have done, but it also now provides the ability to mitigate the issue without patching. So our agents can actually deploy very specific mitigations because we study how attackers go about attacking a device, and we can make some small changes to the device that will prevent the attacker from being successful even without deploying a patch.

And this is really something that our customers are really, really looking forward to because those who cannot buy patch management can now buy the mitigate capability because now they're saying, look, we're not buying patching, but we're buying something that allows us to mitigate the risk. And also, it provides a capability of isolation. And so we're seeing some highly regulated environments where they're saying, look, if I cannot patch, I cannot mitigate. I'm going to actually take the machine off the network because it has way too much risk, and I just cannot take that kind of a risk. And so this packaging is something that just rolled out to production this quarter. And so as we start to get this messaging out, we talk to our Strategic Advisory Board members, they were very optimistic about that because it helps them address the IT political challenge internally, but it also helps them address the zero-day challenge where there is no patch available and devices are being attacked, we can actually provide solutions for that.

And so I'm looking forward early next year for that momentum because now we just go back to our existing customers who have patch and say, "Hey, here's an upgrade that you can buy that allows you to also bring mitigate and those who are resistant to patch management can now actually purchase the mitigate capability as part of the eliminate where they say, well, I'm not patching, but I can actually buy this additional capability. So lots of interesting opportunities. And as we start to roll this out more broadly and getting early adopter customers using it, we're optimistic for this to be something that we will see more momentum in next year.

And the next question comes from Rudy Kessinger with D.A. Davidson.

Congrats on a strong quarter, particularly on revenue and billings. Similar to Patrick's question, I guess, I'm curious on the revenue outperformance in the quarter. One of your largest, I think, as a public company, if not your largest relative to your guide, it sounds like upsell being better than expected was the primary driver. But I'm curious if that was it or anything else to it? And in particular, on the upsell, just was it a handful of large upsell deals? Or was it broad-based better upsell than expectations?

Yes. From an upsell perspective, it was more or less broad-based, and we were really pleased with the performance just because if you take a look at the recent quarters, because we've been underperforming not only in Q2, but it's been continued to tick down from a net dollar expansion rate. We were conservative in how we were reviewing the potential results of Q3. And so with our net dollar expansion rate finally going back up to 103% was really primarily driven by the upsell performance, our focused execution, getting the deals in the quarter that we had to work with.

And then in addition to that, new definitely helped as well because you're seeing a continued momentum in the new business bookings where we're able to take some market share, get the new logos in. It's another double-digit growth. And so looking to Q4, we don't expect that to continue. We do expect a lighter new business quarter. And then on the upsell, we don't anticipate a similar rate of success on the upsell based on the deals that we see today.

Okay. That's helpful. And then I leave in an answer to the question earlier, you said Q4 current calculated billings in the 7% to 9% range that you're guiding to on revenue. Just to be clear, was that for CCB for Q4 or for trailing 12-month CCB In Q4, 7% to 9%.

Yes. Q4 CCB.

And our next question comes from Matt Hedberg with RBC.

Sumedh, a lot of positivity from this quarter. the channel contributions really start to be a new product momentum. I guess I'm curious, based on what you've seen now and maybe through the first month of Q4, can you comment on the durability of these trends, they seem to have an idiosyncratic nature versus maybe more macro driven, but I was kind of curious on if you could provide a bit more color on maybe the durability of some of these trends that you're seeing.

I think if you look at the conversations that we are having, our user conference that we had in Mumbai as well as in San Diego, the Strategic Advisory Board. We just did this fun exercise where we gave money to the CISOs to put on different products and the momentum, like the interest that we saw with AI, et cetera. I think there's a real desire and a real focus on we need to move in this direction. We can't continue to just buy more tools and get more alerts and just randomly ask IT and dev teams to start to fix everything.

So aligning with this sort of business outcome and figuring out how do you get that one view of the different risk factors while keeping your tools and not having to go into the conversation having to replace. I think the momentum around looking to replace or get more TotalCloud and AI opportunities seems to us is very real. I think -- but it is -- the reality of the macro is still there where there is extra scrutiny on the deals where deal cycles are longer. So I think we're encouraged with the conversations, the momentum, the level of interest I think all of that has been quite positive. Now how does that translate quarter-over-quarter in the short term, I think it's something that is a combination of our execution, which we are happy with how we did in Q3 and then focusing on some of the pipeline build that we need to have, et cetera. I think what I look at is, given these different capabilities are quite differentiated. I mean, if you look at ROC ETM, if you look at Illuminate, if you look at the patching piece, if you look at AI security that we have, these are quite differentiated from what the nearest competition has.

So I think in the longer term, I see that as the focus on cybersecurity is starting to -- is going to be stable and people continue to come back to say, what are the areas of focus I have, I look forward essentially for these things to make a bigger impact in the next 2, 3 years rather than sort of trying to time just the next couple of quarters. So I think the interest and all of that is real. I think how the deals close, I think some of that is going to be lumpy as we have seen in the last few quarters.

Well, that's super helpful. And maybe this kind of partially answers my next question. But for Joo Mi, just maybe a point of clarification. I know you said even just to the answer to the last question that your guidance assumes later new business trends for I just wanted to put a finer point on that. Is that something -- is that a trend that you're seeing? Or is it just sort of layers of conservatism as you go into what typically is a pretty strong end of year quarter for you guys?

It's definitely not the trend that we're seeing today. I think that we've seen the trend where the new business bookings have been performing very well year-to-date for us. What I'm commenting on is based on the deals that we're looking at and the outlook kind of the pipeline per se. We are seeing a lighter pipe than we would like to see for Q4. So because of that, I'm pointing to the fact that, look, we've had a fifth consecutive quarter of double-digit new bookings growth, which was great. I don't necessarily see that continuing in Q4, not to say that it won't continue out to 2025. I'm just giving a little bit of color for Q4.

Just to add to that, as you know, right, I mean, the pipeline in Q4 is informed by IFRS made a couple of quarters ago. And so the changes in marketing that we have made are important for us to understand kind of where we came from and really look forward to, with the changes that we have made to bringing that pipeline back on momentum over the last few quarters has been quite encouraging and it has been a trend essentially, right? I think Q4 is just calling out sort of what we see just for Q4 at this point.

And our next question comes from Trevor Walsh with Citizens.

Sumedh, I know you had a lot of questions already around risk. So I wanted to just maybe back out from a high -- super high-level view. You had a good slide in the deck around just all the different tools out there that are quantifying risk in some way and totally understand or get kind of where you guys are coming from being kind of the consolidator of all those different views.

Can you just maybe tell us from the customer view of the conversations you had what's maybe the 1 or 2 things that you think customers are going to lean on or like look to Qualys to kind of be that consolidator around risk as you roll out enterprise risk management?

Yes, an excellent question. I think there are some smaller companies that are doing some form of quantification, but if they're focusing on the quantification from a dollar value perspective, they're not necessarily doing the finding consolidation of pulling data from multiple tools. And then if there are some tools that are doing some of that, primarily, they're pulling a lot of the data from Qualys and they're not doing a really good job of quantification. And neither tool is doing a good job of any remediation at all, right? So at the end of the day, you spend billions of dollars building all these nice dashboards and staring at them doesn't mean anything if you don't actually get remediation done.

And so the level of interest from a lot of our customers is very high with ETM and the ROC story because, first of all, those who are Qualys customers already that information or about asset inventory, which is a foundational element of any ROC is already in Qualys. The findings -- a large part of the findings are already in Qualys and now they can just take their time to start to plug in additional sources with the partnerships that we announced with some of these key vendors that they are using.

And so that -- being able to have that inventory, being able to consolidate on a scalable platform. So we have a proven scalable platform where we can bring millions and millions of findings and actually provide that visibility with the scoring, which is another capability that a lot of customers use. But then ultimately, being able to create reporting that is relevant to the Board and the remediation part are really the differentiator, right? Like you could have some folks who are consolidating some stuff and giving some risk numbers, but ultimately, they don't really help you actually get things fixed and provide you a report that you can take to the Board for the most part.

So the fact that we are able to actually bring these different pieces and tools that are out there instead of having multiple silos, bringing all of that in one workflow. And it's a lot easier from what the feedback that our CISOs gave us is they say, when I'm going for a conversation about cybersecurity and a budget, it is a lot easier for me to talk to the Board to say that we are putting in place a risk operations center, which is going to operationalize our risk across multiple tools rather than go and ask for money for the next big the next big trend that has come out and whether it's Zero Trust or this or that, I can't explain that if I'm going to go and do something around Zero Trust as an example, what is the outcome that the company and the business is going to get. But with this, I can report something that says my $500 million business unit has a possibility of a $10 million loss per day and my score that is collected from multiple different vendors in a single score is giving an indication that there is a high possibility that you're going to lose that $10 million a day.

And when I take that to my CFO to say, look, our score is high, the possibility of losing $10 million a day is much higher, then it's a much better conversation to have to say, like can we spend $650,000 to put these 4 controls in place. which will then bring the risk down to 30%, which is an acceptable level. And you can have -- you can prove that, that risk actually came down. And that conversation is a lot easier for them rather than saying and going and asking for more money to deploy the next big thing in security without actually being able to explain how -- what they're going to get in return for that other than just saying, "Oh, we're going to make things safer. And so that's where the initial enthusiasm is very high that the time to value is very fast because a lot of the data is already in Qualys. I think for the business side, I'm excited because our sellers and our partners, when they go to prospects who maybe have other competing solutions, they don't have to walk away or get into protracted battle for replacement. They can say, okay, give me the data of your 4 different security tools. I can show you value in the next 1 hour of how all of that can come together and give you a true risk score.

We're also looking at existing customers adopting more modules because these modules are already integrated into the TruRisk scoring rather than having to go with other solutions, which then they again have to pull feeds and feed into something. So there's a lot of positive things that we see with the ETM ROC from -- not only for the customers, but for our business as well. And so our focus for the next few quarters is really going to be on executing across different fronts. But as you can see, we have really taken a holistic approach on not only the product marketing of it, but also forming the mROC as well as the cyber -- the insurance, cyber insurance as the other end of the risk transfer market as well. So we're quite -- that's really what customers like. It's not just a one score here. It's really a comprehensive look at how they can provide this visibility to their Board and management.

Great. One quick follow-up for Joo Mi, if I can. I appreciate the color around some of the sales and marketing investments made in the quarter and kind of the effect on operating expenses there. I think that's been a theme for a few quarters now around just the overall investments, whether it's channel or otherwise. Can you just maybe give us a sense of how you're thinking about tracking the ROI from these investments maybe like a few levels deeper than the metrics that we're seeing, whether it's revenue or billings and just how you kind of are seeing whether or not these different choices that you're making are kind of paying off?

The way that we measure ROI, I mean, one of the kind of the standard metrics is obviously from a direct sales force perspective, the sales productivity, how much bookings we're able to generate for each ramp sales headcount. And the way that we've been tracking on that metric is we haven't seen that significant of an increase overall just because you have puts and takes.

We have presales business, the sales reps who are working on the new business bookings has been doing really well this year, as indicated by the fact that we've been growing new bookings in double digits. Now on the post-sales side, if you take a look at the renewals and upsell, we haven't done as well in that area for this year. And so what we're trying to do is really taking a look at the sales overall to make sure that the structure is set up properly for us to really accelerate growth next year.

And as we go through 25 planning, we will be taking a look at that in addition to all the initiatives that we've kind of tried out this year when it comes to the channel partners. We've been trying to invest in channel, whether it's from like setting up MSSP portal, making sure that they're incentivized from the dealer perspective or sharing rebates with partners. We're taking a look at the different campaigns to see which ones work and then which ones we should continue into 2025 and how that will impact our profitability.

And our next question comes from Shrenik Kothari with Bayer.

Congrats on the really great quarter. Sumedh, I had asked about the federal last quarter and the first Public Sector Summit at the time and you sounded quite enthusiastic about it. You highlighted some great wins in Q3. So just if you can help like quantify or any color in terms of the potential uplift relative to your expectations or seasonality. And you mentioned that the pipeline is still looking pretty robust from a federal standpoint in terms of the momentum beyond just the 3Q budget here. If you can talk about like specific products and go-to-market strategies there, specifically in relation to deepening federal relationships and federal agencies and how to expand into new departments there? And then I have a quick follow-up.

Federal is an area of focus for us the last -- over a year or so in a big way. Of course, we have always focused on getting our FedRAMP medium certification for a few years, and that's definitely helped to get our name out there. But focused team building where we hired Bill Hawkins really to build up our federal sales practice, work with our partners, the first conference that we did from a marketing perspective to get Qualys in the name out there and the work that our team is doing with these agencies, and we highlighted one net new 7-figure deal and upsell for 7 figures in this quarter are really good sort of indicators of what the interest level is in consolidating multiple different tools. I mean that's the good news is in the federal space, focused on complexity and cost is driving people to drop 4, 5 different solutions in favor of one single Qualys platform. And Typically, these are bigger names that we are replacing as well. So we see the momentum. I think, as you know, federal business is Q3 budgets is a little bit lumpy that way. But overall, we are seeing positive momentum as we get into the next few years. I think it takes time to build out that federal practice where it's a significant amount. And so we are looking forward to continuing that investment into next year on the federal side and then seeing the outcome of that. But we're pleased with what we're seeing right now.

Very helpful, Sumedh. Just a quick follow-up for Joo Mi. You touched on and mentioned the billing schedule, if I heard it right, if you can kind of delve a bit more into at all kind of change in terms of scheduling compared to what perhaps said last quarter in terms of billings growth expected to kind of mirror revenue growth for like mid-single digits in the second half. Just trying understand if there are any factors which might be missing contributing to kind of the upsides in relative to the revenues.

Yes. The current billings, it tends to fluctuate, and there is definitely lumpiness in current billings when you're looking -- trying to use it as a proxy for bookings performance or business trajectory. And so that's what I was commenting on. There was nothing really that was significant to highlight. There were some deals that were pushed out and then pulled forward.

So nothing abnormal or significant. But last quarter, as an example, current billings happen to be lower than the bookings performance. And then this quarter, it's a reverse current billings growth happened to be higher than the bookings growth performance. So you see that fluctuations and that lumpiness. So I would say that if you're really trying to use that as a proxy for bookings, using it on an LTM basis is probably more accurate.

And our next question comes from Yun Kim with Loop Capital.

First, congrats on solid execution. Sumedh, good to see continued solid bookings around new products. If you can give us some insights into the go-to-market around these new products, for instance, is there a sales process for new products? Is that primarily driven by renewal process? And also, what kind of traction are you seeing with new customers for these new products?

Yes. I mean, as Judy talked about it, right, if you look at Patch Management, cybersecurity asset management, 24% of LTM net new bookings is basically coming from these products. And so this is really thanks to the execution in sales enablement, sales training that Dino and team have been really focusing on is the ability for our sellers to go in and not have the conversation of, oh, our scanner is a little bit better than the other scanner really to talk about the comprehensive ROI of saying you cannot scan without an inventory and there is no point of scanning if you don't patch things. And so Qualys is the only platform that is really providing the ability to have all of these 3 together. And so in this market, that is what is helping customers make the decision to say, even if they may be satisfied with the current scanner that they have from a scanning perspective, and they look at it holistically at their vulnerability management workflow, and we had the session at our QSC where we said Qualys is putting the M back in VM is the management of vulnerability management process is important.

And so as our sellers are now going in and positioning the comprehensive packaging and in new business is giving us advantage because when we provide that and the sellers -- the customer goes back to a competing solution, they cannot offer patch management. They're not offering patch management. In fact, I talked to a CISO of a new logo that just came on board, and he said he did talk to our competition and said, one of them is doing patch management. They said, well, then in that case, you should go to Qualys. And so we're seeing that these new product capabilities are differentiating as we are evolving out of just a vulnerability management scanning tool, which is something that people are not focusing as much on to just say, okay, we want to scan stuff. So new products are getting momentum. As I said, Total Cloud, we had a good quarter with TotalCloud, and we're happy with that right now.

So we are seeing even net new business people coming to us look at to say, well, I could buy a cloud scanning-only solution, but then it doesn't scan my desktops and my laptops. So might as well go with something like Qualys, which again is providing a comprehensive solution where we are not cloud only, though we are very good at the cloud security. We also provide the ability to assess all of your other devices as well in the same context. And so enablement has been a key focus for us this quarter, and we've been really putting a lot of focus on getting our sellers to articulate the newer messaging rather than just sort of going and saying our scanner is better than your scanner.

Okay. Great. Just want to make sure, though, is the selling around these new products driven by the renewal process? Or is it independent of that?

Sorry, the what process?

The renewal.

Yes. Are you selling these new products in conjunction with renewals? Or is it really, really independent of the renewal product?

Yes, yes. No, no, both. So the -- yes, I get the question. So the 24% that we talked about for LTM was on new bookings that come to Qualys, which is net new logos coming to Qualys, right? And then the 15% is overall, that includes existing customers who are either buying additional cybersecurity Asset Management and Patch Management or in some cases, might be adjusting some of their VM spend to spend more on patching and buying more Patch Management. So it's both. We're seeing that in both places.

So we are attracting net new logos because we have Cybersecurity Asset Management and Patch Management, and we are also creating opportunities to upsell to existing customers, these new capabilities because we don't see that with the competition.

We would like to thank everyone for your participation. This will conclude today's conference call, and you may now disconnect.