Qualys, Inc. (QLYS) Q1 2019 Earnings Report, Transcript and Summary

Good day, everyone, and welcome to the Qualys First Quarter 2019 Earnings Conference Call. This call is being recorded. [Operator Instructions]. I would now like to turn the call over to Vinayak Rao, VP, Corporate Development and Investor Relations. Please go ahead.

Good afternoon, and welcome to Qualys First Quarter 2019 Earnings Call. Joining me today to discuss the results are Philippe Courtot, our Chairman and CEO; and Melissa Fisher, CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and in our filings with SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update the statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. As a reminder, the press release, prepared remarks and an accompanying investor presentation with supplemental information are available on our website. With that, I'd like to turn the call over to Philippe.

Thank you, Vin, and welcome, everyone, to our Q1 earnings call. Melissa and I are pleased to report another good quarter in terms of revenue growth and profitability. We're also pleased to report that we continue to make great progress on our product road map and on our go-to-market activities, which will help us grow our solid foundation of recurring revenues and profitability. We're also very pleased to report the continuing progression of our Cloud Agents with nearly 18 million subscriptions now, more than double the subscriptions of a year ago. Furthermore, with the release this month of our new Cloud Agent Gateway Service, our customers can now deploy our Cloud Agents effortlessly and cost effectively at a huge scale. This solution eliminates the need to deploy costly proxy to secure and capture the data the Cloud Agents continuously beam up to our Cloud Platform, which now indexes over 3 trillion data points. With such new capabilities, it is now our strategy to make our Cloud Agents ubiquitous, because we enable our customers to consolidate a plethora of traditional enterprise agents, such as Vulnerability Management, Policy Compliance, IOC, FIM, Asset Inventory and now Patch Management, that are, as we all know, extremely difficult and costly to deploy as well as to manage. For example, a large credit monitoring service expanded this quarter its deployment of our FIM solution by over 4 times, effortlessly leveraging the agents they had already deployed for Vulnerability Management. Significantly, they achieved these at a fraction of cost it would have been to deploy a traditional enterprise FIM solution. We also see early momentum in Container Security, driven by the greenfield nature of the market as well as the unique capabilities of our Cloud Platform. For example, a large financial institution deployed our Container Security solution this quarter, selecting it against competing point solutions, because it is natively built into our platform and therefore provides them with full visibility across their entire hybrid environment in a single pane of view. In addition, we are also happy to announce that Microsoft Azure selected our Container Security solution for their own development teams to help with early identification and protection against vulnerabilities at scale. These examples illustrate how we are well positioned to expand our revenues from our growing user base as well as to gain new customers, while allowing our customers to buy at their own pace, thus minimizing churn, which is a key element behind our highly sustainable and profitable model. So now let's talk about product innovation. As we have previously shared, we are delivering on our product road map and have released recently -- and have recently released for general availability the global IT Asset Inventory Cloud App, which provides security and IT teams a single source of truth for IT assets spread across their complex and interconnected hybrid IT environments with synchronization capabilities to Configuration Management Database, CMDBs, to keep asset data up to date. Second, the Patch Management App, enabling IT and SecOps to quickly target critical common vulnerabilities and exposures, then deploy the patches across endpoints, on-premise or cloud assets and verify remediation, all from one console. And finally, as mentioned earlier, the Cloud Agent Gateway Service app, major extension of our Cloud Agent Platform, enabling customers to securely connect Qualys Cloud Agents from sensitive environment like DMZs, while also drastically reducing the bandwidth demands of large-scale deployments. We also continue to make good progress on other innovative solutions, including the passive network analysis solution, based on technology from the Nevis acquisition, which will enhance our global IT Asset Management offering by adding visibility of unknown assets to the existing capabilities and which is expected to go GA early in Q3. Second, the IOC 2.0 app, which will include a unique activity-based malware scoring to bring prioritization to malware remediation and is also expected to go GA by the end of Q2. It will bring additional threat feeds directly integrated into the platform for more comprehensive coverage of malware IOCs and enhanced orchestration capabilities with customized alerting and integration into Splunk. Third, the Secure Enterprise Mobility app, which extend our platform 2-second visibility to mobile devices by leveraging the acquired technology from 1Mobility and is planned to go into beta during Q2. Fourth, the run-time Container Security app, coming from the Layered Insight acquisition, which we expect to go beta in Q3. And finally, the CloudView app 2.0, which will include threat analysis and direct remediation capabilities, which we expect to release in Q3. As we shared at our investor event during RSA, we are currently developing a data lake solution that we expect to have in early beta in the beginning of 2020. This is an important new milestone and new opportunity for our company as current incident response solutions have become quite complex and costly, requiring organizations to use multiple vendors to collect the data needed and bring it into their SIEMs with full contextual information. Qualys' unique advantage is that we can leverage our robust scalable backend and its array of sensors, which already collect, enrich, normalize and correlate trillions of data points across on-premise, cloud and soon OT -- and IoT environments. Let me add that our product innovation has been bolstered by the successful acquisition we have made in the last 2 years. We expect to continue acquiring small companies with innovative technology that can help accelerate our time-to-market of new solutions our Cloud Platform then can deliver to our customers. Now let's look at our go-to-market initiatives. Given the increased breadth of our product Suite, we have now embarked on a comprehensive go-to-market initiative leveraging the efficiency and effectiveness of our Cloud Platform, which allows us to deliver all of our solution over the Internet. Our go-to-market activities include: one, new targeted campaign, which enable prospective customers to easily click and create their own trial accounts; building a new team of technical account representative, which we call TARs, technical account representative, who onboard and support customers utilizing our applications; and third, developing a multicity conference, whereby organizations will speak about their digital transformation and the best practice they have learned on their journey; and finally, expanding our partnership. We recently announced a partnership with the Center for Internet Security, CIS, whereby CIS will integrate Qualys CertView into its Multi-State Information Sharing and Analysis Center to provide its member with built-in visibility of their externally facing websites, certificates and SSL/TLS configuration. We remain very optimistic about the opportunity to increase growth in the future, because our solution offer greater visibility, accuracy and scalability across hybrid environments, while ultimately enabling customers to reduce their overall spend. We also believe that security is at a crossroad, and the market will rapidly -- that we believe the market will rapidly evolve into 4 segments, which will all require broad security compliance cloud-based platform serving different use cases. The first one, the large enterprise segment. Only the largest enterprises have the resources to drive their own digital transformation, and they will do so by consolidating their stack and migrating application to clouds to more effectively protect their assets, while achieving greater business flexibility. The second segment, the cloud provider segment. Cloud providers have now -- have all now developed a security center framework offering customers an environment in which security and compliance is already built in. Companies moving fully to the cloud via cloud providers will probably need to worry about only their endpoints. The third segment, the next generation managed security service providers. The remaining companies will have hybrid environments, and due to a lack of in-house resources, will outsource their security to the next generation of managed security services providers. While MSSPs -- while existing MSSPs will have to retool their existing SOCs, a new generation of MSSPs is emerging to fully address the security needs of small and midsized customers with hybrid environment. And finally, the OT and IoT environment. This is an emerging market where security must be built-in, and it requires a combination of agents and passive analysis. Qualys will be providing an SDK for OT and IoT suppliers to build their own agents, and Qualys will also provide the required highly scalable Cloud Platform to analyze the data in real time, leveraging our forthcoming and fully integrated passive sensors. We believe that because of our cloud-based architecture and the priority we made to invest in the extensibility and capabilities of our platform, that Qualys is one of the few companies well positioned in the security market evolution. Our highly scalable cloud-based platform enables us to address all 4 market segments, providing a single pane of glass across on-premise assets, endpoint, and cloud and soon mobile, OT and IoT environments. With that, I will turn the call over to Melissa to discuss our financial results. Thank you.

Thanks, Philippe, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP, and growth rates are based on our comparisons to the prior-year period unless stated otherwise. We're pleased with our solid Q1 results, which we believe reflect the unique value proposition of our Cloud Platform and its orchestrated applications. This is evidenced in the following financial and operational highlights. Revenues for the first quarter of 2019 grew 16% to $75.3 million. Platform adoption continued to increase as a percentage of enterprise customers with 3 or more Qualys solutions rose to 42% from 34%. And the percentage of enterprise customers with 4 or more Qualys solutions increased to 22% from 16%. Cloud Agent adoption increased with 17.9 million Cloud Agents purchased over the last 12 months, up from 16.2 million for the 12 months ended in Q4 2018. New products released since 2015 contributed approximately 23% of total bookings in the quarter, up from 15%. And average sale size continued to increase, growing 15%. Our scalable platform model continues to drive superior margins and generate significant cash flow. Adjusted EBITDA for the first quarter of 2019 was $30.6 million, representing a 41% margin versus 38%. Normalized for software capitalization for comparability purposes, Q1 adjusted EBITDA margin would have been 40%. Q1 EPS grew 37%. And we generated strong operating cash flow for the first quarter of 2019 of $44.3 million. In Q1, we continued to invest the cash we generate from operations back into Qualys, including $9 million in capital expenditures, including principal payments under capital lease obligations; $850,000 on the acquisition of Adya; and $7.9 million to repurchase 94,090 of our outstanding shares. We remain confident in our model, driven by our foundation of recurring revenues and expanding suite of applications. Current billings in Q1 were $85.2 million or 23% greater. Our current billings growth rate benefited from large deals that were invoiced in Q1 this year rather than at their anniversary in Q4 2018. As we have consistently communicated, we do not manage to quarterly billings and are focused on the long-term growth of our business. We're raising the low end of our fiscal year 2019 revenue guidance and therefore our midpoint. Our current fiscal year 2019 revenue guidance is now a range of $320.5 million to $323 million. We are raising fiscal year 2019 non-GAAP EPS guidance from a range of $1.84 to $1.89 to a range of $1.89 to $1.94. And for the second quarter, we expect capital expenditures to be in the range of $5.5 million to $6.5 million. As Philippe mentioned earlier, we believe we are well positioned in our markets, given the unique nature of our integrated, highly scalable Cloud Platform and our strong suite of IT, security and compliance applications as well as new ones to come in 2019. Our new solutions provide us the opportunity to accelerate revenue growth as well as expand margins in the future, driven by our highly scalable model. With that, Philippe and I would be happy to answer any of your questions.

[Operator Instructions]. Our first question comes from the line of Erik Suppiger of JMP.

Congratulations on a good quarter. Could you talk a little bit about the contribution from the new products? It was 23%, which is up from a year ago, but I think it was up -- it was 26% last quarter. Can you just comment, is that going to hover around at this level or will that continue to expand from 26% as we go forward?

Yes. We feel good about the how the new products are doing. As you mentioned, it was 23% of bookings this quarter, and actually, the growth rate was close to 100% year-over-year. The mix of what people buy shifts every quarter. So it's -- as we've talked about in the past, it's hard to forecast by product. But given that we have new solutions coming out, we do expect that to expand over time.

Okay. And then, Philippe, your -- some of your comments talking about the Cloud Agent, you're making that ubiquitous. Can you talk a little bit about what you're doing to make it more ubiquitous? So are you doing anything in terms of the go-to-market with that or in terms of pricing?

It's more in toward the go-to-market rather than the pricing. I think we're -- our pricing is very fine. And as you -- as I mentioned on the 4 market that was aligning, you have two of them, which I believe are more like -- which was -- you could call OEMs, which is all about building, building the agent in, namely the cloud providers as well as the OT and IoT devices. So again, we are coming up with an SDK, so companies could build their own agents. At the end of the day, the agent doesn't do much. That's the beauty of our architecture. The agents capture data continuously and bring that data up to the platform for correlations. In addition, our agent is also now moving into the response, which is very important, and that you see that with Patch Management. So we have so many, many angle today that now we can penetrate the marketplace through many different segments, and that's really the way you reach ubiquity. Either you have one single solution, which is broadly for everybody and then, of course, you push it. As you package it, in our case, we see this whole market as absolutely the agents are critical, and -- but then it's slightly different packaging, and that's what we do from an engineering and pricing in that sense or terms. So again, we feel very well positioned with our agent. We're now -- they are at huge scale, and we already make future announcements of more partnerships with -- around the agents.

Our next question comes from the line of Alex Henderson of Needham.

I was hoping you could talk a little bit about the amount of traffic you're planning on sending up to the data lake. And to what extent your agents are able to minimize some of that processing by smartly determining what's relevant, what's not relevant? Or whether it's sending all of the content up, in which case, do you run into traffic volume issues on your customers' networks as they're bringing that traffic up to your cloud? It seems like a lot of data relevant to some of the other companies we've talked to relative to efficacy.

No. That's, in fact -- yes. Yes, this is a very good question. In fact, the beauty of our agent architecture is that because we only beam up changes, the amount of data that we have to beam up is significantly reduced than if we were continuously to beam up that data itself. So we have significantly less than other solutions in our approach. This being said, the issue is not so much about the traffic. So we don't see any issue with the traffic itself. The issue is with your capacity to enter, correlate, enrich, analyze that huge amount of data that at the end of the day we have. So to give you an idea of our current backend about 1.5 years ago, but index on our ElasticSearch cluster is about, see if I recall correctly, but is -- the number is pretty -- is around that about 600 million data points, and now we're under 3 trillions about 1.5 years later. So you need to have the backend. And that's where your traditional enterprise solution, obviously, they don't work anymore and you need to have this kind of a cloud backend, highly extensible. And so to answer now your question about the data lake, that's exactly why we're all moving into the data lake. On one hand, we capture the data very well. And the problem that the current SIEMs have is that for them to bring the data into their SIEMs, they need to take multiple solutions, inject the data into their SIEMs, which costs a fortune, do all the correlation, all the analysis, et cetera, themselves and for us, our agents and our forthcoming passive scanning, bringing all that information, Qualys does the cooking, the normalization, everything. And then, of course, the question becomes now you have significant amount of data and how do you also communicate with other data lakes to essentially bring the next generation of SIEM solution, which is exactly what we're working on. So stay tuned. We're going to communicate a little bit more about where we are on the progress with that data lake. It's going very well. We have now four design partners, which are companies, which are helping us design that the correct way. And we are very, very bullish about it, and it's a very natural extension again of our platform.

If I could just expand that question a little bit, the data lake is then correlating in the metadata cloud above the -- can you just remind us how that works?

Yes. So that's something -- what I would like to do is to push that to maybe to another day where we could have, in fact, probably at our analyst conference, I think that will be the time where we could go into the architecture for data lake and scalability. At the last investor event, we did mention about the architecture about some of the question that we had, because now you have the data. Almost every large company today is building their own data lake. And of course, it's our approach, we would also communicate where the data lake that they create, because the amount of data becomes significant. So it's about the storage, about many other aspects. So that's a much deeper conversation that our Chief Product Officer, Sumedh, will be very happy and I think a good subject for our next Analyst Day. And then by that time, we'll have our architecture pretty well defined.

Our next question comes from the line of Robert Breza of Northland Capital markets.

A solid quarter. Melissa, just to put it into context, when you talk about customers coming in and taking more than one product per se, if you look at that, how -- if I came in today, how much -- and I bought all the products, how much is that approximately, give or take, 10%?

Well, thanks, Rob. It really depends on the size of your environment. So I think a good way to think about it is -- what we have said is -- and this includes a few things that aren't yet released. But if someone were to buy all of the solutions that we've talked about that are either recently released or are coming out, including the passive scanning, et cetera, then they could -- their spend would be 10x out of $1 VM. So I think that's the way you should think about what the potential spend could be.

Got you. That makes sense. That's very helpful. When you think about the overall demand market out there, and I think Philippe touched on it in his prepared remarks, with IoT being kind of a growth category. How -- are they -- I guess, from industry perspective, I still think of IoT as early stages and the industry. But yes, the fact that they're thinking about security seems like they are a little bit ahead of the curve. Am I thinking about that correctly? Or how are you thinking about that industry trend within that marketplace?

No. I think, Rob, you're in fact very, very correct. Because yes, it's an emerging market. And yes, again, this is the opportunity for these companies to think about security and instead of voting security on after the facts. Now this is, of course, they'll see very clearly, especially because of the amount of devices that you have to deal with that building security in is absolutely paramount. And you need 3 elements to do that. One is you need preferably an agent, you cannot put always an agent everywhere, but if you can put an agent, that's absolutely the way to go. You need also to have the passive scanning, which then you can look at what's coming in and out of these devices, so you can analyze the traffic, so you could detect suspicious activity, all of malfunctions, which is also important. Because here in the new environment, you've got both IT, security and compliance, which all have to be fused into one single solution. And then finally, you need to have the platform to absorb all of that. And that platform needs to have the scalability, but also needs to be very portable. And that's one of the reasons why we, by the way, containerize our platform. We're not totally done, but let's say we are 70% there. Having containerized our platform, we can deliver it anywhere, whether it's on the Google Cloud, whether it's on Amazon cloud, Azure cloud, whether it's on your own product cloud. So our platform has become very portable. And let me remind you that we have today more than 80 private clouds today, which are functioning around the world. And so that's what I mentioned in my remarks that we think we're extremely well positioned to be a major actor in the market. However, this being said, this is an emerging market, as you just pointed out.

Your next question comes from the line of Daniel Ives of Wedbush.

So in terms of Azure deals, there's just large sort of deals in that channel. Are you starting to see backend-specific details of the pipeline, more strategic deals, just larger deals come through, maybe companies with a different sense going into '19 in terms of budgets for this technology and maybe '18, Philippe?

What you mean, you meant to make sure that I understood the question. Is that -- you mean with the cloud platforms like Azure and....

Yes.

Okay. So I think we have a very different view than you could see. We see this platform as a fantastic platform to deliver solutions, software. Like our platform is, of course, the platform to deliver software plus, I would almost say, soon the universe if we continue with the pace of innovation. Well, essentially, we see security in that environment as more security being built in, because it's not -- that's really what you want to do. And so then there could be also delivery solutions to essentially deliver security solutions. But at the end of the day, I mean, there's many other ways of doing that. So I don't see them as primarily the [indiscernible] delivering security solution. We see them conversely at places where we can embed our security solution and essentially making security totally transparent. And that's what we've done already very much with Azure. I just mentioned also that we are now moving also with our containers. And that's the way we see the market. And it so it's all about building security in. And that's again where our agents are very unique, because they fit. We have some of these large cloud providers, as you may remember. All of them are customers of Qualys, and they use our agent technology to, in fact, ensure the security of their own platform. And now it's about putting and embedding our agents on the top. So we could now provide the same capabilities for the applications and the environment of their customers. So that's the way we -- that's the view we have. Very different market, and essentially, again, you cannot build in. It doesn't make any sense. And Microsoft showed the way very well with the Security Center, which now have been copied essentially by Google, which creates an environment where embedding your -- the security into their infrastructure, into their solution becomes significantly easier as long as you have the right architecture, of course. You could not take an enterprise software and putting it inside. Does that make sense?

Yes. Totally. So in terms of the platform today and even newer solutions, I mean, how penetrated do you think typical Qualys customer is today?

So we have, in fact, published the data. In fact, we see continued adoption of our solution. And Melissa will remind us the exact numbers, because our board was wrong by [indiscernible]. But I think she's got it right, not me. What is significant for us is for -- a few things. One, it's fantastic for our customers, because they can: one, reduce their spend, because everything is centrally managed, everything is self-updating. The second thing, they increase our visibility. So that's what is in it for our customers. What is in it for us is that, of course, we have significantly more retention from these customers, because if I recall again correctly, customers, which are now more than -- which are 4 solutions, the gross retention rate is 99%. So -- and today, we have Melissa, how many customers now today have 4 solutions or more?

So 42% of our enterprise.

So 42% of our enterprise. And so -- and of course, now we're looking at 5, and then we'll look at 6 and 7 and 8, et cetera, et cetera. So I think that's the power of the model that we have created with the platform. We've spent significant amount of time and energy. I remind you, now today, we've about 700 people in our offices in Pune in India, which are essentially engineering, QA, customer support and production and engineering, of course, a significant pool of talent that we have there. And then, of course, is building this application on the top of it.

Yes. And to -- just to add on, Dan, I think our view is that the penetration is rather low relative to what it could be. And let me give you few specific examples. So for example, when you even think about VM, which is the longest tenured product for the company, it's still very early in terms of deployment on the endpoint. And companies have many more endpoints and major server. So that's -- that'd be very low penetration for us. The Cloud Agent itself is only in 18% of customers, so again, still significant opportunity there. And then on the multiproduct statistics, we talked about -- we felt good about the product progress we're making. But like when you think about the metric of customers -- enterprise customers with 5 or more solutions, we're only at 11% and we have easily more than 10 applications that customers could have. So we would say the opportunity very large relative to where we are currently penetrated.

Our next question comes from the line of Howard Smith of First Analysis.

Congratulations on a strong start for the year. My first question deals with the technical account reps or TARs, as you call them. Maybe a little more about that. Is that replacing the current customer service onboarding team or is it augmentation? Or what's kind of changed or added here to what you're currently doing?

Very good question. This is my favorite subject. So designing scalable delivery model essentially. So what we're doing here is a part of this campaign that we are now -- that we have now already started, we are packaging our solution so that it could be easily -- not only easily they can be distributed, but easily consumable. For example, today, we reliably, in a few weeks, launched a special -- a repackaged version, not a special, repackaged version of our CertView, which is that free service, allowing you to discover all of your additional certificates on all of your Internet-facing devices as well as the security of the SSL, et cetera implementation. So currently today, the way we do that, so we do a campaign, you click on the link and then you request a trial. And then you are now on the Qualys application, and then you have to configure everything yourself. So in this new campaign that we're designing, it's going to be different and that [indiscernible]. One, you click on the link or the link on the e-mail or on the banner ad, and immediately you're going to be directed to the place where you can automatically create your own account. You have nothing really to do. Then the only thing you will have to do is to put your domain names. And then we'll have dynamic dashboards already pre-populated -- prepared for you. So as we collect the data, you have all the results. So that's what I meant by absolutely immediately consumable information. You have nothing to do. You just click on the link, create the account automatically essentially, and then the data becomes populated automatically for you and you have your results. Now in parallel, what we have is what we call the TARs, which is another category, technical account representative today, our technical people essentially. We are building the team in Pune, again in India, which would take young people from the technical schools, highly technical and their job is, not going to sell, is going to ensure that if these people have questions, so we have now essentially above the agents, which is coming, which we call Mr. Q. So Mr. Q will come and behind you at this technical account representative, which augment you, and if needed, onboard you, answering all the question you have when you try the product. So as you can see, this is all to increase the velocity. So we are taking all of our solutions today and we are going through that packaging. So that's the bottom-up approach that we're making to make now people aware of all the solutions that we have for them. And then, well, as I mentioned in my prepared remark, embarking also preparing to do a top-down campaign, which is now to go more to the CIO and the CISOs and explain to them the power of the Cloud Platform. So this is the combination of the 2. And I didn't want to do that early, because we needed to have a platform, the scalability, all these applications. So our philosophy has been always, it's -- we all know it's not good enough to be good, you need to tell, but you better tell when you have something to tell rather than go and create all that, unfortunately, vaporware that we're hearing so much in our industry.

That's very helpful color. Maybe for you Melissa, although Philippe, you can chime in if you want. The expense management continues to be very good. I'm just curious where you are on your hiring and maybe marketing spend relative to kind of your own internal plans?

I think we feel very good. Obviously, our performance this quarter reflects what a scalable model we have, and we benefited both from being on the top line as well as there was -- we did have lower headcount expense across a number of areas from a variety of factors: people getting hired later in the quarter, hires being done in India, some positions where we haven't found the right person yet. We do believe that our EBITDA margins now will come closer for the year to roughly 30% to 38.5% versus what we originally provided on the Q4 earnings call of 37% to 38%. So we do expect benefit for the year.

Yes. And then I may add something here. Is that we have been -- since the very beginning, and this is something I mentioned quite a few times, we have really put a huge effort to understand the scalability that the cloud model offers you and also of the advantage of having a pure subscription model, which in fact is, in a way, more predictable. So we can -- we know our expenses. We know our revenues ahead pretty well, so we could manage our expenses as a result significantly better. On the other hand, if we would have a mix like many others of having a mixture of recurring revenues and perpetual, you will -- it's absolutely fascinating, and I just went through the exercise very recently, is that if we were to take 5% and only 5% of our recurring revenues today and turn them into perpetual license, it will have absolutely incredible effect on our numbers. So for example, we will come from 80 -- 11% earnings growth to 35%, 36% earnings growth. Our revenues will go to 26%. And so you realize that if you do the reverse and take some of these other companies, which have essentially a mix of perpetual license, if you will be moving them back as recurring, purely recurring revenues, it would have exactly the opposite effect. So their losses will be bigger and, of course, their revenues will be significantly lower as well. So the reason why I'm making that point in answering your question is because the model, in fact, that we had allowed us to execute in the very beginning a very disciplined approach to our expenses and not try to go -- to be ahead of ourselves because that's essentially the price you've got to pay to have such a recurrent and highly profitable model. So that's something people want to think about because that's very unique to Qualys.

Your next question comes from the line of Melissa Franchi of Morgan Stanley.

Philippe, the 23% of bookings coming from the new products, I think previously, you had said that's Cloud Agent and maybe Threat Protection. I'm just wondering if that is still the case or if you're starting to see some contribution from the new products may be released in the past 12 months in 2018.

It's starting to vary, but it's about the same still. But however, we can see that the changes are taking place. For example, we see -- we mentioned earlier, that the FIM, we can see today now the FIM is getting maturity. We still need to add 2 more features essentially to make the FIM solution totally complete, which are essentially the alerting, which we don't have yet. We have the APIs now in the alerting. Then it's some kind of reporting that we need to tune to for certain regulations and so forth. So -- but we see the traction. We see people now starting to deploy FIM at a much larger scale. Remember again, one of the thing which requires for us to be patient is that typically, as we mentioned, our customers, what do they do, they evaluate the product. And then after that, they do a first -- a small deployment, and then they finally deploy it, so it takes time. But FIM is really starting to take off. And we also mentioned that Container Security, which is becoming -- which is a hot market, I mean the Containers is [Technical Difficulty] we see very good success. But again, this is early days. So in term of -- they don't move the needle yet, but I -- we could see them coming.

Okay. That's great. And then I just wanted to follow up with Melissa on the commentary on EBITDA margins for this year. You noted that there was slower hiring, I guess, in Q1. Is that just a timing dynamic? Or are you maybe seeing like better-than-expected productivity at your sales force such that you can maybe moderate your plans for sales investment?

Yes. So let me answer that with a couple of points. So first of all, it's really a variety of factors. I think some of what I talked about was people just getting hired later, hires that are in India because it's not just about sales and marketing, it's also R&D and operations. On the sales and marketing front, I think as Philippe had said earlier, we're very happy with the sales force. And remember we're using our platform, we're leveraging it as a distribution channel. So our model is not just about adding heads and pushing product onto customers. So we are looking to add in the area of sales, people focused on new business who have a solution selling background, and that will be our area of focus.

The next question comes from the line Gur Talpaz of Stifel.

Philippe, could you give us some color in terms of customer interest and doing full VM life cycle management, meaning you're the only vendor right now that can kind of go from device discovery all the way to Patch, including inventory. It's a pretty broad road map and a pretty broad product set. What kind of response do you get from customers these days when you sort of approach them with that more end-to-end focus that you have?

Well, the response -- I mean this is something we knew. This is not new for us, the demand from the customer. That has always been there. The issue is that we needed to do it. And again, to do that at the scale that you have so many variables to put all that together, it's absolutely something, that I think we see a very big demand for our customers as well as we see significant opportunity. And this is coming from our customers as well to integrate with ServiceNow their VR solution, which, in fact, is the other side of the [indiscernible] and so forth. So obviously, our customers are asking us to do further integration. So absolutely environment you have an environment where -- that you have really then the full Vulnerability Management cycle. And that's very important for large companies as well as for small companies because they have different issues. For the small companies, they don't have the resources. They want more automation, more things already readily available, all totally packaged. The large companies, of course, they have the complexity of that hybrid environment and especially this critical vulnerabilities that they need to fix pretty fast. And so that's -- these are the 2 dynamics. And I think the packaging that we have done -- and again, packaging, it's easy to say, but it's not easy to do. So I think we are really very happy with that. A very big response, let's put that like that. Again, we're still at the beginning, same story again, now doing evaluations, now going to do a smaller deployment and then the bigger deployment.

Okay. That's helpful. And then in the transcript, you noted interest in maybe doing other small acquisitions. Could you maybe expand on that a little bit and give us some color as to where you might be looking to augment the current strategy?

So yes, so two things. One, I think we have really established a significant image in India, which now we see companies coming to us in India because, as I mentioned I think in some other talks, is that why the strategy is a fantastic technology. And I've learned how to really bring that technology to the U.S. for some reasons. And in fact, I think I said to myself, "I need to understand the reason why," but that will be for another discussion. I think I found the reasons why India was not able to do what the U.S. already has done. There were a lot of companies there, which have very good technology. Of course, there's a lot of good engineers there, but they could not really bring them to the U.S. as well as the strategy, the fantastic job, in fact, they are doing so. So today, so for us, that's guts. And because they come to us now for acquisitions. So they come to us, we don't have to go to them, which is, of course, very different. So we are currently in discussion with quite a few of them in India as well, which have the advantage, of course, of having essentially a significantly lower cost of acquisition than if we were looking that -- if we were doing that in the U.S. but as well as more loyalty, if you prefer, because then we represent a very good company there for them essentially to join the company. So that's -- thanks to the effort we made like now or 10 years ago -- 12 years ago of selecting Pune and really making a big investment. Let me remind you also we're going to move early next year in Pune into a new campus where we could have up to 2,500 people. We currently have 700 people. So we see, of course, that to be very significant. We see also entertaining companies in the U.S., and we see more and more and more kind of this feature company as we call them, which I'll now put on the block by their investors, except that they really want big multiples. So I'm not ready for that, to be quite candid.

Our next question comes from the line of Matt Hedberg of RBC Capital Markets.

As a follow-up to an earlier question on your sales force, Melissa, you mentioned you're looking to hire a few more solutions expert. I'm wondering though, when you kind of step back and take an even broader view and thinking about scaling the business to $0.5 billion and beyond, are there additional things that need to be done to kind of your hunt or farm strategy as you kind of think about continuing to ramp multiproduct sales?

Yes. I'll start, and Philippe will join in. The background behind the focus around these new business sales team was really about, as I mentioned, people who have consult and selling background. And that's because as we have so much more to sell from the platform, we want to sell more top-down, we essentially sold more bottoms-up. So I think our view is that is a key -- that represents kind of the evolution of us becoming a more strategic sale, people buying more solutions from us, which will then significantly add to the revenues.

Yes. And I could add to what Melissa said is that we have done already some researching in our model, which essentially are the process side on the renewal people. We have now this MASAs, we call them, the major account solution architects, and that is working very well. We have essentially promoted some of our best technical account managers to take on that role, which is essentially having more -- less accounts to manage, but bigger accounts, we can go significantly well above the multimillion dollar accounts. And that's already is well progressed, as Melissa mentioned. On the new business side, we're also expanding to have people who know how to sell to the C suite, and we still want them technical. That's a very big difference between us and most of our competitors. And as we just discussed earlier about these TARs, as we call them now, which is more for the high velocity lead generation business or -- and SMB, which is a much higher velocity business. So we, as you can see, have tuned our model to answer the different. And then there's another component, which we are now investing as well, which is the strategic alliance group where we have a fantastic VP, which has been with Qualys for a while. And now we're establishing a lot of partnership. And this is more in the OEM side that I mentioned earlier, starting to really discuss about embedding the Qualys technology into other solutions, which we will make some announcement relatively soon, we hope.

Great. And then -- and maybe just a quick one for Melissa. I appreciate the color in calling out some of the Q4 deals that closed this quarter. I'm curious if you can provide a little bit more color maybe in terms of how many deals or perhaps the dollar value. And then maybe just more holistically, as these multiproduct sales increase, can you put a little bit more color around the large deal pipeline in general versus, say, this time last year?

Yes. So I'll take the first one, and I'll let Philippe handle the second part. It's really hard to perfectly normalize what billings would be because there's really multiple scenarios where renewals are not done at the same time as the initial deal because we're not managing to quarterly billing. So we shared the fact that we made some large deals in collaboration with our customers from Q4 into Q1, and it was a benefit to our Q1 billings because since we've shared one large deal that's negatively impact billings, we think it's appropriate to share when we see the positive impact. But as I said, because of the constant movement and the fact that we're not managing to quarterly billings, this is why we believe the trajectory of our annual revenue guidance is really the best proxy for business momentum because of our current bookings and former guidance.

Yes. And I will add to what Melissa said two things. One, when we say we're not managing our billings, another way of saying it is to say we are not pushing customers to do big deals and say all-we-can-eat type of deals, bring the things upfront. We let the customer -- essentially, we follow the pace of the customer. Sometimes our customers, they want to realign their renewal times. So they say, "Okay, we'd like to renew only for 3 months," but then we do a 3-year contract later on. So we let that happen. We don't try to really push anything onto our customers. We follow them. And so that's why these billings, if you prefer, are very different, it's almost impossible if you prefer to normalize them. But it doesn't really affect the revenues at the end. This is what -- that's the key point here. It's not about revenues, it's more about billings. Now the second thing fundamentally is that the -- if you look at our large deals, so we mentioned I think on our earning presentation that we have -- in fact, we could see the large deals are expanding very nicely. So we are now into having more and more customers having multimillion-dollar deals. And again, so you realize that it makes us very sticky. We can sell them more solution while becoming more strategic. We still are not pushing deals. What I'm hearing is some of our other companies, they do this $10 million deal, et cetera. We could do that, but we don't want. We don't want because fundamentally that we go against our model of trying to avoid absolutely the down-sell. If we sell to a customer more than what they can take, guess what will happen? Remember, we are 100% renewal base, they will not renew for that amount. And then how are we going to compensate? Trying to shove it onto other customers. That's not a healthy model. Now the other part of software, which is perpetual license, as long as you get big enough of a market, you can do that for a certain long period of time. When you have -- with Qualys, the average length of our contracts are 1.1 years. If we were playing these games, we would see the pain pretty quickly. So of course, that's why we are not doing it. So does that make sense?

Yes, it does.

Yes. And just to put some numbers around it. So there's a slide in our investor deck to something that we monitor, which is customers with greater than $500,000 of revenues. And that -- the numbers, I think 75, it's up 32% year-over-year. So we feel good about our customers growing with us.

Our next question comes from the line of Joshua Tilton of Berenberg.

In regards to the Cloud Agent Gateway, it seems like this will allow you to leverage the agents with operational technology. From my understanding, I thought passive analysis was to be used for OT. So could you maybe explain how these two will work together?

Yes. So that's a very -- so you're right. So one of the things that Cloud Agent is in proxy, now this is nothing new in terms of technology. What we have done here is that companies have already proxies. The problem with the proxies is that they are very expensive, you're speaking about $100,000. And also they are managed by IT. So -- and then you will have to build the security into it, et cetera. So at the demand of our customers, which we're starting to deploy the agent more and more and more, they say, "Guys, we need a much easier solutions," and so we created a kind of a proxy ourselves, well packaged, totally secure, high availability, and we priced it extremely attractively. It's on the virtual side. It's slightly less than $1,000 per year. So -- and that will absolutely allow us to deploy the agent much more better and more broadly. Now as far as OT and IoT are concerned. So on the OT environment, most likely you cannot really put -- the only person that can really put agent if you can put an agent are the vendors themselves and same thing on the IoT. So that's what we have introduced. We have already or we will introduce -- we have already an SDK, but we have not really published it. So we have -- we will be publishing an SDK. So now the vendor of these devices can either build the agent, which is pretty easy. So remember, it's only a 3-megabyte agent that we have currently today, which only essentially takes the data and build it up. And then, of course, the big advantage of it, we have the platform again that we can distribute or deliver as the customer wants, as that IoT vendor wants or either in a cloud environment, whatever you like. And so that's where that combination and full integration of, on one hand, that cloud -- the Gateway Service, the fact that we have an SDK and the fact that we have an agent and the fact that we have the Passive Scanning and the fact that we have got a platform. So you realize the significant barrier to entry we have created for ourselves. And by the way, we have been working at that since quite a long time. So it's not by accident that all these pieces are coming together.

Okay. That's helpful. And then just real quick, maybe sticking with operational technology. It seems like the spend of securing these environments is still relatively low even though we keep hearing more about OT and IoT convergence. So I'm just wondering what is the catalyst for your customers to increase spend on securing their OT environment.

I think today -- as you very well said, I think this is a very small market. So we have already large customers, which already have, in fact, that requirement. So we are working with some of the car manufacturer and others. So we are working with them, so they could have greater visibility in what they are looking at in this environment. So it's just a question of again you need to get the technology well matured, well packaged, et cetera, and it has to be built in. You cannot really go and say, okay, we're going to discover all the things after the fact. This is -- that was the nightmare of the enterprise software and all this new environment, you just -- when everything connects almost directly to the Internet, unless you're on air-gap network, which is another challenge, by the way, we are also resolving as well, but that's another discussion. So to me, a lot of people make a lot of noise about that market. I think it's going to take some time for that market to mature as it will require a lot of packaging from a company like ours. And that's -- and I think in having the right architecture. So we feel well positioned, but again, one by one, we're going to do and have more of these solutions with some of our existing customers, our new customers who really wants to work with us to -- so we could add them to build security into their environment. And I could give you, by the way, one example. There's one of our customers today that we'll explain to you, which has the fulfillment center, which are fully automated with a lot of wall mounts that absolutely the full view of their entire inventory I think that they sell across the Internet essentially will have absolutely not the view they would like to have on all these kind of OT devices, which are there, which are absolutely kind of fundamental to their fulfillment center. So of course, their worst nightmare is to say, "What if some kind of malware comes into it and cripple us?" Then they will not be delivering. So you realize the impact. But again, it's easy to talk about it. It's another thing of really doing the right thing, so you can gain that visibility and then -- and essentially ensure that everything is probably secure. So that's a lot of work.

Our next question comes from the line of Sterling Auty of JPMorgan.

Just one question. And I just want to kind of connect the dots. When you set the guidance for revenue for 2019, talk about the time needed to get the new products out, get them kind of in front of customers, get them to understand it and ramp, if I look at it, the sales and marketing line drove a pretty big part of the beat relative to I think consensus and our estimates. Is that connected where you're just waiting until certain milestones on the development front to step on the gas on marketing to drive those products? Or are those two unrelated?

This is very unrelated, and it's more according to your model than to ours in many ways, Sterling. So no. I think for us, I think we're pretty much in line to where we were. And as you know, we fundamentally continue our business, and we believe we are going to get accelerated growth. I wish it will come earlier. But as I made the mention earlier about the fact that we don't have any perpetual license, which would essentially we could flow on the top of what we do and look much, much better. But at the end of the day, I would say that not all growth are made equal. You have the good growth, which is ours; and you have other growth, which are more essentially bumped, if I may say so. So for us, this is our model, so everything is coherent here.

Yes. And maybe just to add on to that. Think about what we've talked about in the past is that it doesn't take -- many of our salespeople will double their accounts, you don't need two salespeople to do that. So the acceleration that have come as people are adopting more solutions isn't going to necessarily be tied to the expense of the sales of marketing.

Yes. And on the top of that, we don't want -- that sounds absolutely heresy for some others. We don't want to incentivize our sales force to create bigger deals than what the customer can take. So even on the new business side, we have the tendency of adding -- taking the customers young, as we call it, and then growing them, which is significantly more cost effective, it's better for the customers and ultimately it's better for us. And that's what -- that's our model.

Our next question comes from the line of Patrick Colville of Arete Research.

Can I just ask you about the market in aggregate? I mean if I look at your growth, the growth of Tenable, the growth of Rapid7. the -- it's -- the vulnerability management market is -- looks very buoyant. And I would love to know what you see driving that and just any color or insight as to where you think it could go over the coming periods would be great.

Now as I mentioned earlier, I think we still -- we believe that the vulnerability market -- vulnerability management market is healthy, it's very healthy, and it's growing. And then when I follow the numbers of IDC, which are more in the low teens. I know there are some other people who makes it like it's a marketplace, which is accelerating. So when you look -- again, I mentioned that not all growth are created equal. Again, you can really pump your numbers with the perpetual license pretty easily when you are essentially recurrent like we are subscription-based. And of course, it's different. And in a way, if we would take the present value of our recurring revenues, we would be significantly dwarfing everybody in the market because you multiply our current revenues by 2.7, and then you have the present value. And so it's significantly bigger than any of our closest competitor. And so that's where people lose their perspective on it that I was mentioning earlier that if we were just taking 5% of our revenues and turn them into perpetual license, which we could do in a beat, certainly, we'll be growing at 26%, and then our profitability will go to the roof because we'll add $25 million to the bottom line. So today, we are at -- sometimes people say, "Guys, you are too profitable." Oh my God, we'll be extremely profitable. So you're comparing here apples with oranges at the end of the day. So I think the marketplace is very healthy. But again, it's not a marketplace, which with certainty, it's going to grow to the roof. We don't buy that. And I think low teens is very reasonable, and that's what we see. Now what about the market of the IoT, OT devices? Yes, you could sell those 50 million devices, but how much are you going to be able to get? So yes, this is future growth for that market, but it's going to take time. And we don't see the revenues coming anytime soon on the OT and IoT front. It's going to take a few years.

Understood. And can I just ask a very quick follow-up on the kind of on-premise vulnerability scanner? Why would an enterprise use an on-premise tool versus -- as a cloud-based tool? I mean what are the kind of main advantages of that deployment model?

So the only -- no, there's no advantage at all on the on-premise solution, and I would tell you why. Because the problem of the on-premise solution is that the architecture of this on-premise system, you are limited by the database you have, you are limited by a lot of factors inherent to the client server architecture. So the cloud really give you a different architecture, and which gives you more scalability, et cetera. So you have no interest whatsoever today when you have, in fact, a hybrid environment, you have more devices, more digital, not just there to do your critical servers. You have to do it all to go to an enterprise model. So why are people not moving very fast? Because you have the people, which are managing these services that don't want to lose their job. When we replaced the McAfee in one of their large customers in a bank, they could reallocate 15 FTEs. And needless to say, there were -- these FTEs were the ones doing the evaluation of the replacement, and they didn't recommend our solutions because they could see pretty quickly that their job was in question. So that's -- these are the natural resistance to change that you see, of course. Now you still have some time, albeit even from a -- so what we did very uniquely and very successfully is to take our cloud architecture and to turn it into a private cloud. So now you can have all the benefits of the cloud architecture but then delivered on-premise. And today, we are also looking and, in fact, we have done one successful installation to even push that model into an air-gap network. And so we could still be capable of going into the air-gap networks where don't have any access to the Internet and yet provide those customers with the scalability that the cloud architecture provides you.

And that does conclude our question-and-answer session for today. I'd like to turn the conference back over to Mr. Vinayak Rao for the closing remarks.

Thank you all for attending our first quarter 2019 earnings call. We look forward to seeing you later this month at the Jefferies Software Conference in Los Angeles and JPMorgan Global TMT Conference in Boston. We'll also be at Bank of America Merrill Lynch Global Technology Conference in San Francisco and Baird's Global Consumer, Technology & Services Conference in New York in June. Thank you.

Thank you.

Ladies and gentlemen, thank you for your participation in today's conference. This does conclude the program. You may now disconnect. Everyone, have a great day.