Qualys (NASDAQ:QLYS) reported first-quarter financial results on Tuesday. The transcript from the company’s first-quarter earnings call has been provided below.
View the webcast at https://edge.media-server.com/mmc/p/ggn7rfoq/
Summary
Qualys reported a 10% year-over-year revenue growth for the first quarter, reaching $175.6 million, with channel partner revenues growing 17% and accounting for 52% of total revenues.
The company is focusing on strategic initiatives, including partnerships with OpenAI and Anthropic to enhance their AI-driven cybersecurity solutions, and a new partnership with Converge Insurance to link cybersecurity strength to business outcomes.
Qualys is expanding its Q Flex beta testing to improve customer adoption of its TTM platform, with plans for a full launch later this year.
The company is forecasting full-year 2026 revenues to be between $721 and $727 million, representing a growth rate of 8 to 9%, and expects EBITDA margins to remain in the mid-40s.
Management highlighted a positive outlook due to increased demand for automated remediation solutions in response to AI-driven cyber threats, with continued investment in sales and marketing to drive growth.
Full Transcript
Ned
Agenda. In addition to a growing list of nearly two dozen certified MROC partners beginning to actively launch new services, we are seeing momentum build across all geographic theaters with a strong focus on AI-native ROC. For example, one of our largest MROC partners is now in the process of bringing a ready AI-native ROC to market powered by our ETM and automated remediation solutions. Additionally, through our Strategic Alliances initiatives, we continue to drive deep technology integrations, co-selling opportunities and demand generation programs to drive innovation in security research through the latest frontier models. We have partnered with OpenAI in their Trusted Access for Cyber program and Anthropic in their Cyber Verification program to advance our vulnerability and threat intelligence and allow customers to ingest these findings into ETM for further detection and remediation. On the cyber insurance side, we are also pleased to announce a new strategic partnership with Converge Insurance leveraging the Qualys ETM solution to help their customers demonstrate strong security hygiene and qualify for meaningful premium reduction, advancing our vision of tying cybersecurity to business outcome for CISOs, further supporting our growth trajectory in Q1. We continue to expand beta testing of Q Flex designed to help customers accelerate and broaden their adoption of the Qualys TTM platform based on strong early engagement and positive feedback. We plan to build on this momentum by proactively identifying opportunities to extend Q Flex to select customers and partners with a go live date planned for later this year. And finally, as the federal government seeks to garnish greater efficiency and replace outdated and costly on-prem deployments from years past with modern cloud native risk management solutions, we are especially excited to host our third annual federal conference in Washington D.C. towards the end of this month.
We have made good progress growing our federal business and advancing our FedRAMP high status with large federal agencies and we continue to believe this market will fuel a new leg of growth for the company over time. In summary, we are pioneering a new category in pre-breach risk management by bringing autonomous exploit validation, risk quantification and zero-day remediation together within a single AI-driven risk fabric that redefines how enterprises operationalize cyber risk. Complementing frontier model discovered vulnerabilities, our platform leverages proprietary domain data, real time telemetry and deep operational context using sensors and agents behind the firewalls to continuously discover assets, validate exposures, quantify risk, remediate threats and enforce company specific policies which are unavailable in the public domain. This is driven by over two decades of processing petabytes of structured telemetry combined with industry leading threat intelligence in a closed loop system that compounds across thousands of customer environments every day. Frontier models are powerful and accelerate backpack analysis and triage. However, they need to be paired with a highly reliable control plane to consistently enforce accurate policy and compliance outcomes across live hybrid environments. This is where the unique value proposition for Qualys customers lives, and it requires deterministic, auditable, repeatable and trusted execution with effectively zero tolerance for error. With attacks moving at machine speed and increasingly requiring defenses that learn and respond in real time, closed loop agent to agent orchestration governed by policy and harnessed by flexible model choice act as a force multiplier, further enabling precise risk quantification, safer remediation and even faster and more deterministic outcomes at scale.
For Qualys this means our massive data context, LLM and SLM integration and trusted execution serve as the system of record for pre-breach cyber risk management and translate AI into a packaged ROC automation platform that delivers customers measurable risk reduction, zero-day remediation, govern outcomes and immediate ROI. With that I will turn the call over to Jumi to further discuss our first quarter results and outlook for the second quarter and full year 2026.
Jumi
Thanks Ned and good afternoon. Before I start, I’d like to note that except for revenues, all financial figures are non-GAAP and growth rates are based on comparisons to the prior year period unless stated otherwise. Turning to first quarter results, revenues grew 10% to 175.6 million. The channel continued to increase its contribution, making up 52% of total revenues compared to 49% a year ago. Revenues from channel partners grew 17% outpacing direct, which grew 3%. As a result of our strategic emphasis on leveraging our partner ecosystem to drive growth, we expect this trend to continue. By geo, 15% growth outside the US was ahead of our domestic business which grew 6%. US and international revenue mix was 55% and 45% respectively. In Q1, as expected, there was no meaningful movement in our net dollar expansion rate, closing the quarter at 104%, slightly up from 103% last quarter. More importantly, we’d like to turn to a new metric that we plan to disclose going forward on a quarterly basis: net dollar expansion rate of customers with prior year purchase of ETM or CSAM subscriptions. We believe that this metric is currently the best indicator of success of our ETM strategic initiatives. With ETM innovation having stemmed from strong customer demand, we anticipate ETM adoption to drive higher net dollar expansion rate. However, given that ETM adoption is still in its early stages, we have decided to include CSAM customers in this cohort so that the metric has more weight to it. In addition, as a reminder, ETM is essentially an upgrade from CSAM, so we believe that this is an appropriate baseline to track and measure going forward. In Q1, the net dollar expansion rate of ETM CSAM cohort was 107%. As more customers move into this cohort, we hope to see consistent and meaningful improvement to our overall net dollar expansion rate and thereby driving accelerated revenue growth. Moving on to product mix, our differentiated new products continue to drive growth.
First, ETM and CSAM combined made up 11% of total bookings and 14% of new bookings on an LTM basis in Q1, up from last year’s 8% and 9% respectively. Next, patch management made up 8% of total bookings and 15% of new bookings on an LTM basis in Q1. This compares to 7% and 16% respectively in Q1 of last year. Lastly, total cloud made up 5% of total LTM bookings in Q1, unchanged from a year ago. We believe that these differentiated products combined will increase contribution to bookings in 2026, given our opportunity to increase market share and maximize share of wallet. Reflecting our scalable and sustainable business model, adjusted EBITDA for the first quarter of 2026 was 83.3 million, representing a 47% margin, same as last year. Operating expenses in Q1 increased by 8% to $67.5 million, driven by investments in sales and marketing, which grew 17%. With this strong performance, EPS for the first quarter of 2026 was 1.95 per diluted share and our free cash flow was $93.6 million, representing a 53% margin compared to 67% in the prior year. In Q1, we continue to invest the cash we generated from operations back into Qualys, including 1.7 million on capital expenditures and 53.9 million to repurchase 505,000 of our outstanding shares. Since commencing our share repurchase program in February of 2018, we’ve repurchased 11.2 million shares and returned 1.3 billion in cash to shareholders. As of the end of the quarter, we had $306.6 million remaining in our share repurchase program. With that, let us turn to guidance. Starting with revenues for the full year 2026, we now expect revenues to be in the range of 721 to $727 million, which represents a growth rate of 8 to 9%. This compares to prior guidance of 717 to 725 million. For the second quarter of 2026 we expect revenues to be in the range of 177.5 to 179.5 million, representing a growth rate of 8 to 9%.
While we believe our approach to pre-breach cyber risk management provides some insulation amidst ongoing macro volatility, this guidance continues to assume no material change in our net dollar expansion rate with moderate growth contribution from new business in 2026. Shifting to profitability guidance for the full year 2026 we expect EBITDA margin to be in the mid-40s, implying mid teens increase in operating expenses and free cash flow margin in the low 40s. We expect full year EPS to be in the range of 7.44 to 7.65 from the prior range of 7.17 to 7.45. For the second quarter of 2026 we expect EPS to be in the range of 1.73 to 1.80. Our planned capital expenditures in 2026 are expected to be in the range of 8 to 12 million and for the second quarter of 2026 in the range of 1.2 to 3.2 million. As the impact of the macroeconomy is still unfolding, we are closely monitoring the business environment and adjusting our priorities accordingly. That said, considering the long term growth opportunities ahead of us and our industry leading margins implying further room for investment, we intend to continue to responsibly align our product and marketing investment to focus on high impact initiatives aimed at driving more pipeline, accelerating our partner program, expanding our federal vertical. As a percentage of revenues, we expect to prioritize an increase in investments in sales and marketing with more modest increases in engineering and G&A. With that, Sumed and I would be happy to answer any of your questions.
OPERATOR
Thank you. As a reminder to ask a question, please press star 11 on your telephone and wait for your name to be announced. To withdraw your question, please press star 11 again. The first question will come from Patrick Colville, Wiscosia Bank. Your line is open.
Patrick Colville (Equity Analyst)
Thank you very much for taking my question. Sumed and Jumi, in your prepared remarks, I mean I think you did a really good job of conveying why risk quantification, I guess testing whether an asset is exploitable with a runtime context, the ability to patch and revalidate all make Qualys at low risk of AI disruption in the enterprise. But what I want to ask though is there’s a lot of hype around Anthropic Claude Mythos, OpenAI GPT-4.5 Cyber. Are they leading to more inbounds? And if so, how will those inbounds and that kind of surge of interest translate into the financial model in 2026?
Sumed
Yeah, that’s a great question. And I think our customers who are in this day in and day out, they understand pretty well that this is going to lead to more disclosures of patches and vulnerabilities from multiple vendors that they use. And I think the challenge is going to be more about on the positive side, I think these models are helping companies get better with finding these vulnerabilities themselves versus waiting for attackers to find them. But it also means that they’re going to lead to more patches being announced by multiple vendors that the customers will have to deploy. And I think the challenge is going to be more that once the patches come out, attackers leveraging AI can reverse engineer those patches and find the exploits. And so it really becomes a game of how quickly can you apply the patch that the vendor is giving in a matter of hours and not wait for days and weeks as it happens right now. And that’s where a lot of the conversations that we have had with our customers, we’re seeing a lot of CISOs customers reaching out to understand how our patch management capability and the remediation capability and exploit validation capability is really going to be helpful for them because they all need to provide an update to their board in terms of how they are going to fight against AI induced attacks that are coming from these models getting better.
And the response cannot be we are going to do more manual remediation. They need to have a response that anchors themselves in fighting autonomous AI attacks with autonomous remediation. And they see us as a trusted vendor having deployed 150 million patches already and 40 million of those already fully autonomously deployed. And so a lot of those conversations are positive right now, but of course it’s in the early stage and we need to work through to see how they take out the conversations, how they go back to their boards to their IT teams, partner with the IT team. So happy with the activity, but a little too early right now to talk about how the impact is going to be on the pipeline and outlook. As Jumi said, we’re not considering any change from where we are right now in terms of the guidance, but we are happy to see the engagement that we are seeing from the inbounds that we’re getting from customers trying to understand how Qualys can respond to this.
Patrick Colville (Equity Analyst)
Very clear. Can I just touch on that point? So I mean Jumi, you very kindly last quarter provided us a soft guidance for 7 to 8% current billings growth in 2026 is the point you were trying to make in the prepared remarks. That remains the case. So no change to that level even with the strong 1Q performance and I guess the positive vibes that Sumed was just talking to.
Jumi
Yes, that’s correct. I think that if you take a look at our Q1 performance, it was a solid start to the year. We’re very pleased with the Q1 outlook as well as what we anticipate for the rest of the year. However, we don’t see any material kind of meaningful change for the full year today. So given that the baseline still remains a 7 to 8% for the current billings for the full year.
Patrick Colville (Equity Analyst)
All right, thank you so much.
OPERATOR
Thank you. And our next question will come from Roger Boyd with UBS. Your line’s open.
Roger Boyd (Equity Analyst)
Thanks for taking my questions. Sumed, it was a strong quarter from a new customer add perspective and particularly for 1Q which is typically seasonally a little bit lower. Can you just talk about what’s working right from a new logo perspective and then everything you just kind of mentioned from a patch management remediation standpoint, to what degree is that sort of impacting the new customer conversation? Any metrics you can give around attach rate of patch management or TruRisk Eliminate would be great.
Sumed
Thanks. Yeah, great question. And I think we kind of talked about right now where we are with patch management. Sort of 8% of LTM overall bookings and 15% of new bookings. Right. And I think definitely good execution by the team, focused execution is key there. If you can recall what we talked about at RSA and a little bit before that our focus on agent-based AI agents as you we went into last year. I mean if you look at today, what everybody’s talking about is how can we very quickly autonomously remediate things. And this is not by accident that we are here right now. We have been delivering capabilities around patching going beyond patching the exploit validation and those messages have been resonating with customers and so I think this is leading to better conversations with customers as they look at. We are encouraged with the conversations we are having around ETM. I mean the thing is look at the end of the day risk measurement and risk management is going to be critical because if the number of patches that you have to deploy explores you just as a company cannot just deploy all the patches and so anchoring it back to risk is very important. So eliminating the right risk and the minimum amount of risk is important and to be able to get there so you’re not patching and fixing everything, creating more risk from an outage. ETM then becomes very important because ETM is the one that does the hyper prioritization. And for ETM to be successful, you need high quality detection capabilities. I think one of the concerns that customers have brought up after these models have come out has been the question of false negatives. If you are using Tier 2 scanners, the time it takes to get signatures out and find the findings versus a scanner like Qualys where we are getting signatures out multiple times a day, we are adding capabilities to detect things to reduce the false negatives is becoming very important.
And I think those conversations are culminating in positive conversations for ETM which is still early, and ETM and Eliminate conversations. Typically they do go hand in hand many times. And so I think while it’s still early for ETM, we are encouraged by the conversations that we are having at this point. And so again we have to work to continue the execution. Very happy with how Q1 went, but we’re going to continue to work on executing with the opportunity that’s in front of us. And like we said, our partners are working with us closely and we look forward to continuing our partners bringing us additional sort of new logos and working with our existing customers with the MROC services which can get more value for existing customers through our partners to make sure that our upsell also continues to tick up.
Roger Boyd (Equity Analyst)
That’s really helpful. And then maybe just a quick one for Jumi. On Q Flex, you talked about kind of building out this pipeline and identifying a customer pipeline to extend that procurement model to. Can you just talk about kind of the customers that you see as a good fit for Q Flex and any thoughts on when that kind of push could start this year? Thanks.
Jumi
Yeah. So mostly Q Flex is targeted towards our enterprise customers who need that flexibility to potentially cover the forecast that they have anticipated for the full year. So as an example, what they’re looking for is given that we continuously enhance their products and come out with newer products throughout the year, they want the comfort of having to pre purchase or pre commit to a higher amount that they might necessarily think that this absolutely needed for the year. So we’ve been talking with their select group of customers that have the budget that are willing to pre commit to a higher credit with Qualys with the ability to swap out different products and offerings and try out newer solutions throughout the year. We’re pleased with the momentum that we have today. And we do plan to go GA with Q Flex later this year.
Sumed
And I would quickly add to that this is right now with what is happening is a good example of where a Q Flex model will be helpful for customer because we didn’t have exploit validation earlier last year. But now that we have that and we have methods driving more focus on patching, Q Flex customers through the year will have more flexibility in being able to use those credits to suddenly pivot towards patching more because there is a particular event that has come up and not have to sort of keep going back from a procurement perspective. So like Jumi said, exciting early conversations with these large customers and we look forward to working through with them this year and then, you know, kind of getting towards the GA by the end of the year.
Roger Boyd (Equity Analyst)
Makes a lot of sense. Thank you both.
OPERATOR
Thank you. And the next question will come from Kingsley Crane with Canaccord. Your line’s open.
Kingsley Crane (Equity Analyst)
Hi, thanks for taking the question. Sumed, I guess just to start off, I’m kind of curious how important is access to something like Mythos Preview just for your business at all? And then just in general talking about the growing marketplace of agentic AI solutions, we’ve seen a pretty significant jump recently even with just models like Opus 4.7. But what is the future of that type of integration with agents for the platform? And like how relevant is inference as a line item for Qualys? You know, if you look like three years out.
Sumed
Thanks, that’s a great question. I think it’s less about a particular model and more about the direction that these models are going. Right. And so I think for us it is we have been leveraging other open source models as well and we’re excited to now be part of the TAC program from OpenAI which gives us access to GPT-5.5 cyber, which is equivalent model for the most part to Mythos as an example, and also part of the Cyber Verification program. And since we have really been doing a lot of exploit and vulnerability research ourselves, these type of models, whether these two frontier models or other open source models that have been using in my mind, are definitely something that help us do a better job of figuring out exploits that we can safely create for our customer environment so that the customers can really test these at scale through the Qualys platform. It also helps us do a much better job at figuring out the right patches or the right mitigations. One of the key things that we have done at Qualys is really put a lot of research energy into coming up with mitigations that don’t need a patch. People worry about patches, but we reverse engineer patches to figure out maybe there are other mitigations that can be leveraged to make sure that these mitigations can help the customer deploy a compensating control on the machine without having to deploy an immediate patch, which is extremely valuable for them when they only have a few hours to make a decision on mitigating a highly exploitable vulnerability. And that research is definitely what we have been doing as the models are progressing. These partnerships definitely help us accelerate and cover more and get more options to help our customers go through that.
So I see that leveraging these models, either whether it’s through research or integrating with them to pull findings from these models so customers can actually take their core findings and run it through the millions of Qualys agents that they already have installed to find the actual instance of that or whether it is overall our own agentic AI solutions where we use different small language models, large language models to optimize the outcomes for whether it’s chat, whether it’s an AI agent that is taking action. I think that is something that we look forward to continuing to partner with whether it’s open source or these frontier models. And I do think that for any solution it is going to be important to make sure that they leverage some form of AI capabilities. It’s just that because we uniquely do the exploit validation and patching, we have a very interesting use case for use of these models.
Kingsley Crane (Equity Analyst)
That’s really helpful. And for Jumi, you know, it’s great to see the continued efficiency in the business. You’ve talked about R and D growing a bit more modestly than sales and marketing this year. So at 2% growth year over year, is that about what we should expect for the rest of the year? And just like thinking bigger picture in such a dynamic time for the cybersecurity market, I mean, what would get you to invest more in that line item and then understood that you’re already very efficient there operationally. So I can appreciate that. Thanks.
Jumi
Yeah. Currently what we’re forecasting is OPEX growth in the mid teens. Sales and marketing continue to grow well above the 15% mark. Last quarter it grew by 18% year over year. This quarter, 17% year over year. So with sales and marketing potentially ramping in the second half of the year, rest of it that we’ve allocated is for the R and D for the most part. We do anticipate significant investment that we think that could be justified from a return perspective. Especially with the AI investments that we continue to make in the business. So given that we’re guiding to mid-40s EBITDA margin, which is implied by the mid teens growth in opex.
Kingsley Crane (Equity Analyst)
Okay, thank you.
OPERATOR
Thank you. And the next question will come from Jonathan Ho with William Blair. Your line’s open.
Jonathan Ho (Equity Analyst)
Hi, good afternoon. I just wanted to better understand sort of the pre breach risk management opportunity and how maybe this changes from prior approaches and what makes maybe Qualys better positioned than other competitors to offer this solution.
Sumed
Yeah, that’s a great question, Jonathan. I think it’s not that it changes from the prior approach. From a Qualys perspective, we have been building and innovating around the ETM platform and the concept of a risk operation center the last couple years almost in preparation for something like this where we will see significant number of vulnerabilities coming our way. But you cannot fix everything in an operation and you cannot play vulnerability whack a mole where you’re trying to jump from one vulnerability to another. So the idea of creating a risk operation center and implementing that with ETM has been to make sure that we are creating an outcome where things are fixed for the customer in a matter of hours. And I think that’s an approach that is different than a CSAM solution which is waiting for collecting data from different scanners and then creating some reasoning. But then they don’t actually do the patching, they pass it off to somebody else to do the patching, which again loses time as an example. And so what I think we are seeing is the opportunity here is having created sort of this end to end. I mean what’s interesting is if you look at our demo that we did at RSA where agent validation, agent VAL went from finding the vulnerability, validating the exploit, applying a mitigation and then revalidating the exploit that it is fixed in under 15 minutes. I don’t know if any CTAN solution can really do that where you get an outcome of something being fixed. And then with ETM we have focused on the CRQ aspect of it as well. Just because the vulnerability and patch count goes up significantly. Customers still need to think of this in terms of the business and the budget that they’ve allocated and how much of a risk to the business do these vulnerabilities carry so that they can make better decisions on prioritization?
And that’s again the other aspect of our ETM solution being integrated now with a cyber insurance company where if you have a good score on your, a good score that demonstrates you are actually doing the right cadence of fixing your vulnerabilities. You can actually get a premium reduction for your cyber insurance, which is a positive thing for your business. And so ETM really has been about taking the business risk quantification, the traditional CTIM component, but also pairing that with exploit validation and remediation, giving an end to an outcome. I think what we are seeing now more is the customers who have been interested in this are now feeling like this is the time that they really need to look at this more deeply. Because of the number of vulnerabilities that are going to come their way. They feel like looking at a risk operation center and ETM and the ability to maybe some of the resistance that people have had in the past against autonomous remediation or patch management. In the initial conversations we have had in the last couple of weeks, we’re seeing a bit of a change in the way people are thinking about this as given that the threat landscape has changed. So in that sense it’s a positive outcome for us to say that instead of other solutions where somebody else is scanning, somebody else is pulling the data and somebody else is patching, the ability to go from detecting, validating, fixing and revalidating in under 15 minutes is something that is really desirable and doing that at a Six Sigma accuracy is very desirable for our customers. So I think it’s more that the platform really was innovated and designed for this. And now we’re excited to see sort of these early conversations we are having with customers that are more interested in looking at this now because of the push coming from these frontier models detecting more vulnerabilities.
Jonathan Ho (Equity Analyst)
Excellent. Just one quick follow up. Does Mythos potentially expand the number and types of assets that you would also cover as well as maybe accelerating this adoption of more products on the platform to deal with the increased complexity? Thank you.
Sumed
Yeah, I think these models will be able to find vulnerabilities in any code base. I think that’s where the comprehensive nature of the Qualys sensors, whether it is detecting vulnerabilities on network assets, let’s say the traditional assets, which have agents on laptops and other servers, expanding that into network assets or network based assets like firewalls and VPN devices or cameras that are on the network or IoT devices, we already covered that. And then of course we also cover cloud and container security and a lot of these. And so I think what we are seeing right now is that customer interest in covering as much as possible more natively so that they can get quick scan results and not have to wait for hours to pull the scan results if they can do more and more of those natively. So I think given that the threat, whether your server is running on prem or in a data center, or if the server is running as a container in the cloud, the threat from a quick vulnerability exploitation coming your way is similar. You know the conversations do lead themselves to it and in a way the way ETM is designed, it is designed to pull data from all kinds of different capabilities, whether it’s cloud or containers or others. And so there is more willingness from customers to say today they are doing dashboard tourism. They have a separate dashboard for code scanning, a separate dashboard for cloud, a separate dashboard for on premise, separate dashboard for endpoints.
If there is a way to operationalize and consolidate all of these different types of assets into more of a unified workflow where agentic AI is looking at it and making autonomous decisions by looking at their previous enterprise context and then minimizing and then executing the minimum remediations, that is really where the focus of the customers is. So I think again how these conversations proceed will be interesting. But it does lead customers to say I don’t have necessarily the time now to go to look at a different individual risk management dashboards when it comes to pre risk breach management. If there is a way for me to pull different things, normalize all of that and quickly focus on the ones that matter the most and then actually validate with exploits and remediate those, that is the ideal solution. Thank you.
OPERATOR
Thank you. And our next question is going to come from Rudy Kessinger with DA Davidson. Your lines up. Ben.
Rudy Kessinger (Equity Analyst)
Hi guys. Great, thanks for taking my questions. I guess I’m curious just on the ETM sales so far, are you getting that full $1 uplift on those early sales so far. And then if we think about the 107% net expansion rate with those customers, I feel a little foggy in that. You’re saying that includes customers who purchased ETM in the past? I guess. Does that expansion percentage include, you know, the upsell from them purchasing ETM or if you could just break down that number further?
Jumi
Yeah, it’s a little too early for us to comment on how much of the uplift actually is the illustrative dollar Uplift is based on more of a list price. The cohort of customers that have subscriptions to ETM is too small today. And so given that what we decided to do was the number that we disclosed, 107%, that actually includes customers who purchased CSAM or ETM. And so the way that we calculate that number is one year ago from today. So Q1 of 2025, which customers had ETM or CSAM subscriptions? We took those customers and then the revenue that they generated spawn of 2025. So that would be the denominator. Took the same cohort of customers in Q1 of 2026 and looked at the revenue contribution from that group. And so we calculated that percentage. It doesn’t just include the ETM or CSAM subscription, it’s a total spend spent by those customers. So what we’re thinking is our hypothesis is these customers, theoretically, whether they have CSAM and then eventually later upgrade to ETM, because ETM is essentially an upgrade from CSAM or they start to purchase ETM, these flows of customers will help to drive the total net dollar expansion rate. Eventually because they see the value in it, they’ll be stickier with us, and then they’ll result in a higher upsell. So that’s part of the reason why we’re tracking this metric internally to make sure that one, we’re successfully upgrading CSAM customers to be ETM customers and two, is that really generating the type of upsell that we’re looking for?
Rudy Kessinger (Equity Analyst)
Got it. That’s really helpful. I must have misheard it earlier on. And then secondly, how should we, you know, what does sales productivity look like? How has that been trending in the last few quarters? And you know, just given the increases in sales, marketing expense outpacing the revenue growth, is there a lot more marketing dollars in there or where all is that investment going in sales and marketing?
Jumi
Yeah, majority of the increase in sales and marketing is still driven by headcount. So if you take a look at our headcount growth, it was over 10% for the sales and marketing that GTM said last year. And part of the reason is because we do see a huge upside in the business and because we are focused on moving the business from direct to indirect. As we work closely with the partners, we have different sales teams. Whether it be a sales team focused on direct sales or sales team focused on ETM sales or sales teams that are really focused on the channel management or relationship there. And so we do anticipate continued growth and continued investment in that team. And so as a result, the productivity is not necessarily the traditional SaaS view of it. It’s not exactly where we think it will be in the future. We’re working on it right now. There’s room for increase in efficiency. Not seeing it there yet. Like you pointed out, especially because, you know, we do see this is a time for us to invest more versus making sure that we scale that based on the productivity metric that we see today.
OPERATOR
Thank you. And our next question will come from Joseph Gallo with Jefferies. Your line’s open.
Joseph Gallo (Equity Analyst)
Thanks for the question. I believe you mentioned that your guidance today reflects NRR kind of stays flat. ETM NRR is 107 and expected to grow. So maybe how should we think about the potential timeline for acceleration of total NRR? And is there any pressures or offsets that we should think through that might keep that number flat over the next couple?
Jumi
Yeah, our NRR has been around the 103, 104% range for the last couple quarters. And the reason why we’re still assuming for the baseline that to be the case is because ETM is still in the early stages. We don’t anticipate a significant ramp in terms of the adoption of ETM that will result in the total company NRR to be picking up materially this year. So for this year our baseline is that, you know, taking into consideration the macro factors, you know, geopolitical conditions today, we do see some potential headwinds could be fully offset by the tailwinds as Sumed had mentioned earlier with the increase in demand given that, you know, our customers are willing to spend more with us, increase in cybersecurity risk that we can definitely help to remediate. But with that said, all in all, our guidance assumes baseline case of growth more or less in line definitely from the current billings perspective. Revenue we’ve increased slightly just because of the beat that we saw in Q1, but overall nothing has changed from the case that we saw earlier in February.
Joseph Gallo (Equity Analyst)
That’s super helpful, thank you. Just as a follow up, you mentioned kind of geopolitical tensions. I think you made a comment in your opening remarks about closely monitoring the business environment, adjusting priorities accordingly. Is there any way to quantify, I guess what you’re seeing is that mostly related to the war. Is there anything in terms of customer budgets and they’re prioritizing AI spend today and not necessarily cyber. I’m just kind of curious what the actual math was behind some of those comments you made on macro and if anything has changed over the last 90 days?
Jumi
Yeah, the way we’re monitoring the situation is basically stemming from the conversations that we’re having from our existing customers as well as new products. So when we’re discussing potentially, you know, coming over to Qualys as a new customer or increasing their spend with us, whether in quarter cycle or out of quarter cycle there could be disruptions during that discussion. So as an example I would say that any announcements from OpenAI or Anthropic could be a disruption as in as we’re talking through it, it could be a factor now that could result in increase in sales from us, but it could increase the sales cycle. And so that’s why we’re taking a look at the scenario. There will be puts and takes, there will be some gains, there will be some offsetting factors. And that’s why we thought that the baseline, if you model it out the way we view it today is more or less falls in that range that we had calculated at the beginning of the year.
Sumed
Yeah, so far in terms of budgets we haven’t seen any real changes there from customers or any conversations directly. When it comes to cyber, I think it stayed roughly the same but as Jumi said, you know, just being prudent at sort of what potentially could we should look at in the future.
Joseph Gallo (Equity Analyst)
That’s reassuring. That’s good to hear. Thank you.
OPERATOR
Thank you. And the next question is going to come from Srinik Kathari who is payer. Your line is off.
Srinik Kathari
Yeah, thanks a lot for taking my question. So in light of the frontier AI agentic explosion and now with agent valve to more broader remediation, you also emphasize the patch based patching which I remember you’ve been specializing in and talking about in the past. So I know you talked about early customer conversations. Just would be really appreciated if you would maybe point to some anecdotes, some proof points how that can or is becoming a real budgeted sort of operating priorities for customers over and above typically as your products customers like conceptually but just what’s really changing and anything you can point to and have a quick follow.
Sumed
Yeah, like I said, I think I gave that example of we have been having quite a few customer conversations the last few days and you know I had a CISO for a very large bank in Canada sort of got on the call and you know he’s like basically look, our challenge right now is how do we get things quickly Qualys scanner right now and how who should we partner with for patching. And you know when I was able to explain to them, you know we already do the Eliminate part immediately he was excited about that so that he could go talk to his board that they’re partnering with a solution that is going to help them have the ability as needed to rapidly fix and patch things and not wait for the IT team’s patching solution to take days and weeks to patch things. And so that led to an immediate conversation of starting an immediate POC as an example. Right. So again it’s early days, that’s an anecdotal example. But we are seeing that pushback or resistance that we had for integrated patching and autonomous patching in the early conversations is coming with a like where they are asking hey, do you have a patching capability? Because that’s what I need to be able to explain. Not that I’m finding more and scanning more or I’m taking my scanning and I’m passing it off to some other patching solution which is taking even longer. So that is an example of a good conversation that we had where customers quite excited to have the ability to quickly find, remediate quickly find, exploit it, verify it, patch it in a matter of hours and be done so they can show that level of success rather than just finding more things. So that would be an example of just something that happened two days ago.
Srinik Kathari
Great, that’s super helpful, Sumed, and just a quick follow up. Just following up to Joe’s question on NRR, just wanted to hear your thoughts on what sort of moves the needle for this next leg of growth. I mean you still appear to be guiding off sort of a base case with no real assumed NRR movement. You of course have Agent Wall in GA. There’s better ETM mix, there’s continued strength in Channel International. So can you help us understand is it mainly just prudence about the sales cycles as you mentioned, and you still need more proof points on monetization or there’s also some legacy mix drag which is playing a role in addition to you accelerating higher value attached here.
Jumi
Yeah, it’s based on a historical track record of what we’ve been able to see. One of the reasons why we thought that this was the best metric that we could share with the investors today is because if you take a look at our historical products, whether it be CSAM or otherwise, it does take a bit of time for our newer products to take to our customers. So as an example, CSAM was actually launched in 2021 and if you take a look at the percentage contribution to bookings, ETM plus CSAM currently make up 11% of bookings on an LTM basis. So you can understand that how we’re looking at the CSAM conversion or upgrade to ETM will likely take some time since ETM just went live and it’s been in GA for a little over a year. So given that we’re assuming that this will take time for more of our customers to adopt ETM and that will translate to increase in spend that’s meaningful enough for the total revenue growth.
Srinik Kathari
Got it. Thanks a lot, Jumi.
OPERATOR
Thank you. And the next question will come from Brian Essick with JP Morgan. Your line’s open.
Brian Essick (Equity Analyst)
Hi, good afternoon. Thank you for taking the question. I guess maybe one for you, Sumed, on the back of, you know, the increased capabilities of foundation models in the security space, thinking about where you’re seeing vulnerabilities across the spectrum. Where you have, you know, operating systems infrastructure, both package as well as custom applications and then OT environments, the spectrum of fixability, if you will, across those different types of areas can be materially different, particularly for hardware. Some of it can’t be patched, it might have to be replaced. Custom apps that have to maybe need to be refactored. From your experience and what you’re seeing from the foundation model companies, where is their expertise best placed for vulnerability discovery and potential exploitation and how does that change the risk profile of your customers and how they may utilize your platform to mitigate those risks?
Sumed
Yeah, great question. I think helping software developers find more vulnerabilities in their code is definitely one of the key things there that these models bring and which will definitely lead to more disclosure. But in theory you could say that, well, if all software developers are able to find these vulnerabilities using the models, then you kind of don’t necessarily have a zero day problem because all these software developers will find the code themselves before the attackers do and they will create patches right now and then customers just have to focus on applying those patches. I think the other capability the frontier models are doing well is ability to chain low level vulnerability exploits that maybe have a lower CVSS score and the customer might not have fixed those in the past because their score was low, but being able to chain a few of those to create an exploit, and that’s where the advantage of the TrueRisk platform is very solid.
Because our TrueRisk scoring, and we have demonstrated this multiple times that we are actually scoring low level CVSS vulnerabilities as very high about 40 days before they get added into CSACK as an example. So having the customers have that intelligence that we are bringing to their environment to say, look, this is a low level vulnerability, but it is prone to be used in an attack and making sure that that is mitigated becomes important. Now the third piece of what you mentioned is I think it’s perfectly fine to say that I’m not going to patch this because my risk is low. And that’s a very individual organization level conversation that needs to happen. Which again, with ETM and the TrueRisk platform, we are helping customers understand context in their environment, understand the exploitability and make the determination that maybe it’s perfectly valid to say we’re not going to patch this because we have mitigating controls in place. And that’s where we were again ahead of the curve when a couple years ago we introduced the concept of patchless patching is the ability to deploy mitigations for some of these environments where yeah, you cannot necessarily patch an OT asset immediately like you would normally do, but maybe. Or even the regular assets with operating systems and packages, but providing them a way to say, look, I think if you just delete this old DLL, which our agent can do for you, deleting a DLL or making a change to Registry key or something simple like that can actually prevent the exploit from running in that particular environment. And so that is the third piece of it which is perfectly valid with ETM to say, look, less than 1% of the vulnerabilities are actually exploitable in your environment. And then these are the ones we don’t need to fix because we validated that not exploitable. But then to also be able to say we actually have a way to mitigate this with a compensating control without deploying a patch makes it very interesting.
In fact, one of the popular ones with our customers is we provide them the ability to see that the package that has the vulnerability is actually not being used on the asset for the last 18 months. So uninstall is actually a better option than trying to patch it. So that’s why I call it the eliminate buffet, which gives customers multiple different choices because the goal is not a patch. The goal is to remediate and eliminate the risk. That’s why the TrueRisk Eliminate with prioritization, validation becomes so important.
Brian Essick (Equity Analyst)
Great, that’s super helpful. Maybe if I could squeeze one in for Jumi on Q Flex. It sounds like you know that the programs targeted at large enterprise customers are already spending a meaningful amount on the platform. But are you. Is there any potential for existing customers who may be ripe for migration to ETM, where you can actually accelerate that migration by offering them Q Flex as well?
Sumed
There is. And so we are working with customers today. So we are working with a select group of customers so that they have an option of adopting Q Flex today. And so it’s not stopping, it’s just that we are planning to go broadly GA with it by the end of the year. So we think that there is definitely a potential where that could help us to drive growth. And we do have those conversations with customers who are looking to do ETM. We start the conversation with Q Flex, which is well received, especially given this environment where so many new capabilities are coming. Things are changing fast and they need the flexibility. Even if you’re not the largest enterprise, you still need the flexibility to be able to move things around pretty quickly. And in fact, enterprises that don’t necessarily have a cyber budget that is the size of the GDP for small countries actually have the most value in many, many times from being able to do these kind of automations and say like I don’t need to fix all these things because I validated they’re not relevant in my environment, no matter what the frontier model says.
Brian Essick (Equity Analyst)
Makes a lot of sense. Thanks.
OPERATOR
Thank you. This is all the time that we have for questions. We want to thank you for your participation. This will conclude today’s conference call and have a good evening.
Disclaimer: This transcript is provided for informational purposes only. While we strive for accuracy, there may be errors or omissions in this automated transcription. For official company statements and financial information, please refer to the company’s SEC filings and official press releases. Corporate participants’ and analysts’ statements reflect their views as of the date of this call and are subject to change without notice.