Qualys, Inc. (QLYS) Q4 2019 Earnings Report, Transcript and Summary

Good day, everyone, and welcome to the Qualys Fourth Quarter 2019 Earnings Conference Call. This call is being recorded. [Operator Instructions]. I would now like to turn the call over to Vinayak Rao, Vice President, Corporate Development and Investor Relations. Please go ahead, sir.

Good afternoon, and welcome to Qualys Fourth Quarter 2019 Earnings Call. Joining me today to discuss the results are Philippe Courtot, our Chairman and CEO; and Melissa Fisher, our CFO. Before we get started, I would like to remind you that the remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and in our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. As a reminder, the press release, prepared remarks, investor presentation, and supplemental historical financial spreadsheet are available on our website. With that, I'd like to turn the call over to Philippe.

Thank you, Vinayak, and welcome everyone to our Q4 earnings call. Melissa and I are pleased to report another good quarter in terms of revenue growth and profitability. We are also very pleased to report continued acceleration in our paid Cloud Agent subscriptions with almost 31 million now, 90% growth from prior -- from the prior year quarter. We continue to see good adoption of our free Global IT Asset Inventory -- Discovery and Inventory application with almost 6,000 new companies signed up and over 600 using the service. We now have over 300 existing customers using it as well. We saw strong growth this quarter from our paid IT Asset Discovery and Inventory Solutions. And in fact, a leading aerospace company procured the solution this quarter in order to gain visibility of all their known and unknown assets across multiple environments as well as the end-of-life of their installed software. In terms of our other newer solutions, we also saw robust growth again from Container Security and FIM, File Integrity Monitoring. A large software company selected Qualys' FIM as well as Policy Compliance this quarter in order to build these capabilities into their DevOps and cloud environments, which they could not do with competitive products and deployments, and the deployment was simple as they utilized existing vulnerability management, our existing vulnerability management Cloud Agents. In addition, it's worth noting that Patch Management has seen the highest customer ramp among our newest application, with particular strength in the mid-market segment. Now let's look at our product innovation. In Q4, we continued to make strong progress in our goal of achieving ubiquity for our Cloud Agent. Our Cloud Agent is the technology platform for seven security compliance and IT solutions, namely Vulnerability Management, Policy Compliance, File Integrity Monitoring, Indication of Compromise, and Patch Management, Asset Inventory, and the upcoming Certificate Management and with more to come. Our key accomplishments this quarter to drive Cloud Agent adoption included unveiling Vulnerability Management, Detection and Response, which we call VMDR, at our user conference in QSC. VMDR takes vulnerability management to the next level by providing the power to continuously detect vulnerabilities and misconfiguration across the entire global hybrid IT environment and respond in real time to mitigate or remediate assets that are vulnerable or already compromised. VMDR bundles Asset Discovery and Inventory and Vulnerability Assessment and Patch Detection as a single app. It's effortless to deploy on a global scale and priced as a fully bundled solution, drastically saving deployment, administration, and software subscription costs with, of course, our real-time lightweight Cloud Agents and the virtual scanners that are self-updating and easy to deploy as well. Also announcing a partnership with Microsoft embedding Qualys vulnerability management and Qualys Container Security into Microsoft Azure security center, providing real-time visibility to secure cloud workload, provisioning and DevOps orchestration. And also partnering with Google Cloud to provide its customers with one-click vulnerability management through a seamless integration of the Qualys Cloud Agent with the Google Cloud Platform, GCP, bringing built-in security to Google Cloud customers with essentially no software to install or maintain. Additionally, Google Cloud customers will have access to Qualys VMDR to build a streamlined workflow to create our global IT Asset Inventory, continuously identify vulnerabilities across the entire environment, prioritize and remediate those variabilities at a click of a mouse, drastically reducing again the threat exposure. This build on our other product release earlier in 2019, including the Patch Management app, enabling IT and SecOps teams to quickly target critical common vulnerabilities and exposure then deploy patches across end points, on-premise or cloud assets and verify remediation, all from one single console; IOC 2.0 app, which provides a quantum leap in IOC detection with new detection, investigation and response capabilities that identified in nearly real time, not only known IOCs, but also suspicious devices; the FIM 2.0 app, where we have now added incidence reporting, API integration, rule-based alerting and event correlation capabilities. We have also created a light version of FIM for customers that require compliance only like with PCI requirements; and finally, the Cloud Agent Gateway Service app, an important extension of our Cloud Agent Platform, enabling customers to securely connect Qualys Cloud Agent from sensitive environment like DMZs while also drastically reducing the bandwidth demands of large scale deployment. Now let's look at our go-to-market initiatives. Given the increased breadth of our product suite and the launch of VMDR during RSA, we have now embarked on a few additional go-to-market initiative that leverage the efficiency and effectiveness of our cloud platform. This is, in fact, a key element of our profitable growth, driving value for both our customers and shareholders. Our go-to-market activities in 2019 included leveraging our cloud platform for lead generation. We announced our Global IT Asset Inventory -- Asset Discovery and Inventory app as a free service, as you remember, from our platform to generate meaningful demand of our paid apps. With a single agent, subscribing to additional apps is frictionless. This drive multiproduct adoption, which naturally increase the stickiness of our platform, and helps make us impenetrable to our competition, who do not offer the same breadth of solution. Also, launching new targeted campaigns, which enable prospective customers to easily click and create their own trial accounts. Creating a new team of technical account representative, which we call TARs, who onboard and support customers utilizing our free applications. Also building the Qualys Canadian Cloud, which expand Qualys global operation to 8 locations on three continents. And expanding partnerships: Coalfire Systems selected Qualys vulnerability management and continuous monitoring capabilities to integrate into the secure cloud automation services; Proficio, an award-winning global managed security service provider -- services provider, chose to fully integrate the Qualys suite of cloud-based solutions with Proficio's management, detection and response capabilities; and finally, the Center for Internet Security, CIS, selected Qualys to provide its members with built-in visibility of the externally-facing websites, certificates and SSL/TLS configuration. Additionally, with VMDR, we're now increasing our focus on the small and medium enterprise market segments and are delighted to announce the promotion of Michael Solomon to VP, Small and Medium Enterprises for the Americas and EMEA. Michael has been a colleague since 2016 and was previously running our new business sales team for the mid-market. And I'm also happy to welcome back Dan Barahona as our Chief Marketing Officer, who has now significantly expanded the marketing team. Looking forward to 2020, we plan to meaningfully expand our sales and marketing efforts, given our increased number of solutions, including our game-changing VMDR, which was recently highlighted in a report by Ovum, a market-leading data, research and consulting firm. And you can get the report on our website. Very easy to find that. Just look for Ovum on the reports. In essence, VMDR uniquely provides customers with full visibility across the entire global IT environment and combine this with state-of-the-art prioritization engine that also take into consideration misconfiguration and certificate security exposure. Thus, VMDR provides the real foundation for comprehensive risk-based vulnerability management program that does not solely rely on CVE-based vulnerabilities and arbitrary risk score, which, unfortunately, can give a false sense of security. You can learn more about VMDR as well as our other planned initiative solution at our user conference during RSA at the Four Seasons, San Francisco. And again, you can register for that day, which we're going to showcase really VMDR as well as some of the new innovation, where we will be bringing to market in 2020. And again, you can go to the website to register. At the conference, we will also provide an update on our transformational data lake and EDR solutions that will leverage our robust scalable back end and its array of sensors, which already collect, enrich, normalize and correlates trillions of data points across on-premise, cloud and soon, mobile, OT and IoT environments. This is an important new opportunity for our company and our industry as current incidence response solutions are quite complex and costly, requiring organization to use multiple vendors to collect the data that is needed and bring it into the SIEM with full conceptual information, resulting, as we all know, in what is called the alert fatigue, too many false positive. Additionally, we will host an analyst and investor luncheon on Friday -- on February 26. This event will include a demonstration of our newest application and a discussion on our 2020 product road map by our President and Chief Product Officer, Sumedh Thakar, and a financial update by our Chief Financial Officer, Melissa Fisher. Again, you can register on our website. Please, we're happy to have you there. With that, I will turn the call to Melissa to discuss our financial results.

Thanks, Philippe, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP, and growth rates are based on comparisons to the prior year period unless stated otherwise. We're delighted with our increasing Cloud Agent subscriptions and multiproduct adoption, which lays the foundation for future revenue growth and industry-leading profitability. Our Q4 financial and operational highlights include revenues for the fourth quarter of 2019, grew 14% to $84.7 million. Platform adoption continued to increase as the percentage of enterprise customers with 3 or more Qualys solutions rose to 48% from 41%, and the percentage of enterprise customers with 4 or more Qualys solutions increased to 28% from 21%. Paid Cloud Agent subscriptions accelerated to 30.7 million over the last 12 months, up from 27.9 million for the 12 months ended in Q3 2019. New products released since 2015 contributed approximately 35% of total annual bookings in the quarter, up from 26%. And our average deal size continues to increase, growing 9%. Our scalable platform model continues to drive superior margins and generate significant cash flow. Adjusted EBITDA for the fourth quarter of 2019 was $37.6 million, representing a 44% margin versus 39%. Q4 EPS grew 25%. And our free cash flow for the fourth quarter of 2019 was $25.1 million, up 9%. Excluding onetime CapEx related to the build-out of our Pune headquarters and M&A-related payments, our free cash flow grew 32%. In Q4, we continued to invest the cash we generated from operations back into Qualys, including $5.3 million in capital expenditures for operations, including principal payments under capital lease obligations as well as $3.2 million on capital expenditures for the build-out of our Pune headquarters and $12.5 million to repurchase 145,000 of our shares. Looking back on the year, we are proud to have continued our product leadership while meaningfully growing earnings and cash flow for our shareholders. In 2019, we released several new products, features, and enhancements. The number of customers spending $500,000 or more accelerated. Cloud Agent adoption grew almost 90% from 16.2 million Cloud Agent subscriptions to 30.7 million. New products released since 2015 sharply increased to approximately 30% of 2019, up from approximately 20%. We achieved record EBITDA margins of 44% and grew free cash flow 30% even as we continued to invest for growth. Excluding onetime CapEx related to the build-out of our Pune headquarters and M&A-related payments, our free cash flow increased 35%, and we utilized $86.4 million of our cash to repurchase approximately 1 million of our outstanding shares, offsetting dilution to our shareholders from equity grants. Looking to 2020, we are excited about the revenue growth opportunities from our new solutions, including the upcoming VMDR. Because our VMDR solution packages the ability to detect vulnerabilities with response in a single app, we see an opportunity to further drive Cloud Agent deployment as well as increase our strong renewal rates. Adoption of our Cloud Agents is important because it is the technology platform for 7 of our security compliance and IT solutions and lays the foundation for future revenue growth. We expect full year revenue in 2020 to be in the range of $364 million to $369 million, which represents a growth rate of 13% to 15%. Our Q4 2019 calculated current billings did benefit from a few large deals that were invoiced in Q4 this year rather than at their anniversary in Q1 2020. In terms of 2020 profitability, we expect to maintain industry-leading margins, leveraging our highly profitable operational model while preserving the ability to further invest to drive future revenue growth. We expect full year GAAP EPS in 2020 to be in the range of $1.60 to $1.65, and we expect full year non-GAAP EPS in 2020 to be in the range of $2.57 to $2.62. We expect capital expenditures from operations in 2020 to be in the range of $25 million to $30 million, and we expect to spend an additional $5 million in the first half of 2020 for the build-out of our Pune headquarters. For the first quarter of 2020, we expect capital expenditures to be in the range of $8 million to $10 million, which includes $3 million for our Pune headquarters. As Philippe mentioned, we look forward to seeing many of you at the analyst and investor luncheon during RSA in San Francisco. With that, Philippe and I are happy to answer any of your questions.

[Operator Instructions]. I show our first question comes from Daniel Ives from Wedbush.

Quarter and to the year, so Philippe maybe you can just talk specifically about -- when you think about what we're seeing on deal scope and size. I mean you start to see more of your strategic deals in the pipeline. I know you don't guide to larger deals. Maybe you can just talk about that in terms of just maybe difference to where we are today versus 6, 12 months ago.

Yes. No. Well, clearly, as you know, we have a very significant penetration at the very high end of the market, with about 70% of the Fortune 100, which are truly standardized on Qualys. And so with these companies, we are seen by them as more and more strategic. Not only vulnerability has been -- now people realize that you've got to absolutely pay attention to vulnerabilities, but just not only across your traditional servers and so forth, but across the entire spectrum,and that's really what makes us significantly strategic. And of course, the ability to create a global IT asset inventory, which is a foundation, is also very attractive for them. So we are really seen as more and more and more strategic. And of course, what is it in our road map, like, of course, the SIM, the next-generation SIM and EDR which we are currently building and hoping to deliver to market sometime at the end of this year, that also makes us even more strategic. So as a result of more deployment, then of course, we become more strategic for them. At the time, also what they have to consolidate the -- their stack, they cannot continue with that many disjointed enterprise traditional security solution and at the same time moving aggressively into the world of the digital transformation and the world of DevOps. And our product line fits absolutely perfectly the DevOps environment. Now in addition to that, what we see today and especially -- and VMDR has been received -- of course, we have presented VMDR already to many of our customers, and it's extremely well received because it simplified and not only it consolidates even further everything into a lot of this application to one single app with what we call transparent orchestration so you don't have to add another solutions like it's all done for you, it's all integrated, it's all seamless, but also, of course, the fact that now we price that on a per asset basis, which is much more interesting for a large corporation, which have a very complex environment and global. What we see also very clearly is VMDR makes us extremely competitive today at the lower end of the marketplace because [indiscernible] of the packaging, but also of its pricing as well. So, we see also a very big demand from VMDR from our mid-market and the SME, SMB business as well.

Okay. Great. And just a question here for you, Melissa. In terms of just spending, obviously you've done a great job on margins and just containing costs, which is well known. But as you look ahead, just talk about that balance going into this year in terms of plugging more into sales and marketing while continuing to focus on obviously margins. Just talk about that balance. And is it different now just given some of the opportunities? Or maybe just talk about that.

Yes. So the implied margin guide from our EPS guidance is modest contraction, a little bit over 100 basis points. And we're proud of the fact that we have a highly profitable operational model that allows us to continue to further invest as well as -- while still maintaining strong margins. So we expect to be investing, frankly, broadly on the technical side as well as, as Philippe mentioned in his prepared remarks, expanding sales and marketing efforts. And we'll be able to do that while still holding margins strong.

And this is because of the model itself. I mean we have the advantage of being a pure cloud-based solution, is that, of course, we can make our solution available for trial, et cetera, at the minimum cost, and that's why we're putting a lot of investment in creating a lot of lead generation campaigns, try and buy. And of course, the installation, everything is self-updating, so you don't need significant expensive – you don't need professional services, et cetera, et cetera. So all of that at the end makes that -- the additional growth, a big chunk of it comes back -- comes down into the bottom line, and that's essentially the model that we have built and proven over time. I mean this is not something new.

Our next question comes from Nick Yako from Cowen and Company.

Great. Philippe, you mentioned increasing your focus on the mid-market going forward. Just wondering if you expect to maybe leverage the channel community or partners more so than you have in the past.

That's a good question because we are today -- as you very well know, when you have a major computing shift, the channels are the one which takes it on the change [ph] first, and they have to adjust. So what we see today is that a significant renewed interest from some of these traditional channel to really move in becoming MSSP. And so Qualys in that sense, we can enable them to become managed security service providers absolutely very quickly because they don't have to worry about building all these solutions we deliver them or made, so yes, in that sense, to answer your question, we see a huge opportunity with managed security service providers to bring our solution to the mid-market. They have the customer base, typically, especially these large companies. And so it's just a question of bringing our solution, which are already available and readymade to that market, so we see that absolutely.

Okay. That's helpful. And Melissa, could you maybe remind us of the revenue and customer mix between enterprise and mid-market today?

Yes, Melissa.

Yes, it hasn't moved significantly. It's roughly 20% of the customers and 80% of the revenues -- the enterprise, right, because it's bigger dollars.

Our next question comes from Melissa Franchi from Morgan Stanley.

Yes. I wanted to ask on VMDR. You noted that there is potential within the mid-market, low end enterprise, but it seems like it could be compelling for the enterprise space as well. And so what are you expecting in terms of enterprise adoption? And then I know it's early, but what kind of uplift do you get from VMDR versus just a regular VM sale?

So let me answer the first question first. The second is a bit more complex, and I will explain that. The first one is we have absolutely significant interest from both the mid-market and as well as the large enterprise. It's exactly what they wanted. They have been asking us that for a long time. And what you have to realize for us to deliver that, it was not that easy. That's a major significant engineering effort because on one hand, we had to expand our platform to scale significantly, as we mentioned many times. We currently index 3 trillion data points on ElasticSearch, returning results in 100 milliseconds, and so -- and expanding to cover not only just the traditional network but also the cloud and containers and everything. So that was a huge technological effort. In addition to that, building this best-of-breed because today we consider that the application that we have are best-of-breed because they have the benefit of being able to essentially receive data from multiple sources and correlate that data so we can essentially eliminate better than anybody false positive and false negative, which is really what makes a security application best-of-breed. And so -- and now we have built all of that, and now what we're doing with VMDR is now we're certainly bringing them all together into one single application with the workflow, which are all integrated. That's what we are doing and finishing as we speak. And those 2 are now in that one single platform that allows you to, one, any device that connects instantly would pick it up; second, we can build from there, the global IT asset inventory automatically. Then from there, we can identify vulnerabilities across that entire hybrid environment, then we have made significant extension to our prioritization engine, which unlike, as I mentioned in my talk, I said that's solely relating on -- or depending on CVEs and some kind of scores that are made up, I would say. Now we have a lot of information we can correlate to essentially prioritize those vulnerabilities, which must be absolutely mitigated or remediate first. And then of course, during the remediation, which today we do that with Patch Management -- and the mediation, very soon with the ability to essentially quarantine the device, which is about to come in a few weeks. And so we have the complete end-to-end solution for vulnerability management well beyond what anybody has on the market. So that's appealing significantly to both markets, so a different nature. So for the large enterprises, the packaging that is different, of course, that they can do. That's why we went to an asset-based price so they don't have to count the number of agents and this and this and that. And for the mid-market is the fact that now today, they got an all in one, which, as you know, there are very little resources, and it's also very well-priced at the low end. So that's for the adoptions, which we know today, it's going to be significant. And in fact, we will be reporting on the adoption of VMDR, both on our existing customers and the new customers. Now in terms of what it will do in terms of potential of sales. If on one hand, we bundle in VMDR things like ThreatProtect, which is our prioritization engine, on the other hand, we can see already that it will absolutely help us to populate the agent everywhere, therefore, now increasing the ability to upsell the end point, to upsell FIM, to upsell all these other services, which, of course, depend on the agent. And so the net-net of all of that, we believe that VMDR is the foundation. Fundamentally, it changed the game. It's a totally game changer and really make vulnerability management what it should have been. It has been a long, long road. So today, we have the solution, and we believe it's going to allow us to displace -- as you know, the vulnerability management is a displacement market essentially. To displace much more easily because we bring more value to the customers would simplify their lives and as well as expanding our market in the mid-market, which is where we typically historically and always competing against the Tenable and the Rapid7, which, of course, were more low-end solution when we were, in fact, the one having the solution that would scale. So today, we cover with one single solution, VMDR, from the very, very low end of the marketplace to the very large market. So this is significant.

Okay. Yes, sounds like it. Melissa, I just wanted to follow-up on your comments on investing in sales and marketing next year. I'm wondering if you could talk about how you're investing in the sales part versus marketing and particularly, what you're expecting in terms of sales head growth next year.

Yes. So we're happy with our sales force. As we discussed last quarter, we promoted Laurie, our VP of North Americas, to head our worldwide sales. We have a lot of people in place. We're always looking to add here and there but not significant -- there's not significant needs to the sales force. And so we look for the right people. Philippe mentioned we've just added significantly on the marketing side, and so there'll be a few places on the sales side to fill in, but nothing significant.

Yes. And you will see more partnerships also essentially really becoming -- I mean we are really the ideal solutions for partners. I mentioned the MSSPs because today, they -- and also because we are moving into a response, and that's the thing that MSSP absolutely needs. To really provide a good application is the ability not only to detect but to respond. So we have expanded significantly our capabilities of responding. We're going to do more. As now our agent, for example, soon we'll have the capabilities to also be capable of being interventionalist, if I had the term in English, so we could certainly remotely remove processes, give some processes. And you could really do microsurgery remotely, which is very important if you want to automate things. So I think we see today and these -- the partners who have already, and then there's quite a few more, which are coming our way because it's a -- we need the scale. We need all of that done for us. We don't have the time to build all of that. And so -- and we are not competing with them. Because unlike other companies, as you very well know, like for example, Rapid7, which have a managed security service providers, we don't and we will never have one. I can tell you because it's not really profitable or as profitable, I should say. So they don't see us as a competing business solution, so they can deliver their service and their additional added value. And what we see also is that they're all looking to our SIM because the problem they all have with the SIMs is that they are using existing SIM, which I don't need to mention, which are very, very expensive for them and do not scale. So we have embarked already having a few of them as our design partner, and I think our SIM will be another game changer as well, plus the ability to do also a very, very scalable EDR solution at a much lower cost than this existing solution today. All of that is in the making. As you know, we have built a significant engineering force in India, where we have more than 750 people now who are moving in May into a brand-new headquarter, which is going to allow us. We are in the process, by the way, of expanding to go to be specific, expanding our marketing capabilities, what I call that we are building a marketing platform, so we've built a technical platform. Now we're building a marketing platform in part out of India, so we could really scale that business and really leverages all with the new media. In fact, we just hired a director of new media platform who are looking -- we're about to hire a VP of digital marketing in India as well. So we're really now gearing up. As always, and I've mentioned that in so many times, instead of trying to grow at any cost before you have the solutions, I've always taken the approach in all the company have made, which all have been extremely profitable for that reason. I've been always careful not to put the cart before the horse. And so we've got the horse now. We've got a fantastic cart. Now we are putting the horse, and that's more on the marketing. But when you do that, you don't have to spend as much money because the product is packaged. And on and on, and you have the delivery model, and that's why we can continue showing good -- very good margin while expanding our sales and marketing efforts. And I'm going to write a document about that. So to -- I didn't want to do that until we're there. But I'm going to explain the power of the model that we have really been today, leveraging the cloud, of course, technology.

Our next question comes from Gur Talpaz from Stifel.

Okay. Philippe, I actually want to follow up on some of your commentary that you just offered. You're pushing into SIM and EDR, and those are 2 very large and very significant markets in the enterprise and really kind of across security, in general. When you think about your push into these new markets, how do you think about your differentiation, what you're going to bring to table that's ultimately different than what's already out there?

So it's a very good question. And it's a differentiation at multiple levels. So the first one is the scalability, the unique scalability that we have. What we have done, so instead of, for example, depending on an AWS back end and so forth, which of course gives you, of course, instant scalability in a way. You don't have to be low that infrastructure yourself. But the problem it gives you is that now you're certainly more -- much more dependent on them and the pricing structure. So when we took the other route of really building essentially our own, if you prefer, AWS, growing microservices, bare metal, huge scalability, absolutely building everything ourselves using open source engine. And so that gives us -- offered us unique capabilities. And as you can see, because of that, and then the reason is why Google, Microsoft, Oracle, Amazon, they're all using us to secure their own platform. So -- and what -- so we can also put our data centers if we own our platform in Azure, in Amazon, anywhere, without being dependent as much of their solutions. So we have much more flexibility, which is very important when you look at the global scale. So that's one element. It's the scalability. We're far above anybody that we know. The second element is the fact that, unlike anybody, we have much more information. We collect the data that they don't. If you look at some EDR solution, the only thing they know is the end point. They have no idea of the rest of the context and the rest of the environment, and that led into more false positive, et cetera. And then you have the challenge, of course, of scale and the challenge of remediation. So Qualys has always taken the longer road of architecting things the right way instead of trying to find the shortcuts, and that's why it took us so much time to get there. But now today, we are almost there. And in fact, we already discussed that in more detail as well as our Investor Day. And again, we are very confident that we are going to deliver these 2 major new applications, if you prefer, which are essentially the extension of the platform. When you look today at an EDR solution, for us, it's an application on the Qualys platform. It's not another point solution, and that's the problem with all of these other solutions. They're all point solution looking at one single element when we are a true very broad platform.

That's very helpful, Philippe. Melissa, just one question for you. Last quarter, you touched upon the notion of some changes in competitive pricing dynamics and your ability to sort of -- to match on renewal. Did you see any changes this quarter on that front?

Right. What we talked about last quarter was the fact that in certain cases, we were leveraging our position to be more aggressive. I think the VMDR package itself is going to make us more impenetrable because we're providing all these solutions bundled in a single app. Really, the way I think of it is the end-to-end life cycle of vulnerability management through remediation. So we think that'll provide us with a lot of strength.

Yes, it does, and we see that already. And I will not use the term bundle because, yes, it's bundle, but it's more than bundle, as you will see when we see the app itself. It's all integrated in one single app. So it's not really bundling and putting together these different apps that we already have and then giving you a more -- a better price, but it's essentially putting all of that as one single app. And that's where we call it transparent orchestration or building orchestration, if you prefer. It's all building. So you move from one app to the next. It's all one single thing. And that's the big differentiator. And now you will see that for yourself. And once the customers, which already have seen some of it, but once we start to really market that, you already see videos, you already see a very big marketing effort to show because the solution will sell itself at the end of the day when you look at it and say, "Wow." I mean this is absolutely what we need. I don't need to have that another one application and that screenshot and go this here and go there. It's all done for you. And so that's very, very important. So again, it didn't come just like that. This is the work of many, many, many years of efforts of trying to expand the platform, as I said earlier, and building best-of-breed solutions. And now what we're doing is integrating them, all of them into one single solution.

Our next question comes from Matt Hedberg from RBC Capital Markets.

It's Dan Bergstrom for Matt Hedberg. So you've had a number of large agent purchases by the cloud providers in the past. You mentioned the recent partnership with Google to embed the Cloud Agent and the GCP on the call. Could you talk a little bit more about that partnership? How did it originate? What are you looking for from it? What does it mean from a validation perspective? And then I guess is it live in the marketplace currently?

Yes. So it starts very simply that both Google, Microsoft, Amazon, et cetera, were already using the Cloud Agent for their own needs for securing their own platform. So from there, of course, that means we have the right architecture. I mean you don't -- this kind of company at the scale at which they operate, of course, you have to have the right platform, the right architecture. And so -- and you speak of millions of agents here at the end of the day. So for us, now what we did is to now go to their customers and doing exactly what we're doing for them now for their customers. So the answer is yes. I think today it's well integrated with Microsoft. I don't know exactly where we are with Google, but I think it's done. But if it's not done now, it's very -- it will be done. We need to check. I don't remember. And we're discussing with many other vendors as well in the cloud because today, there is nobody who has the architecture that Qualys has done. And again, remember, this agent -- and we have patent, by the way, around these agents. So that we build this agent. They didn't come again just a few weeks ago. That was -- that's been a long time in the making. And to get the scale, the self-updating capabilities, the fact that they also need to be very secure, all of that is just not easy work, and we have been working at that for many, many, many years now. And starting to have 30 million agent is already -- but of course, our goal is to have an agent on every end point. And now we have now the agent, which we are now rolling out onto the Android, the mobile platform. And where our agent are today, very soon they're going to go in contains as well. So our agent architecture, if you prefer, again, that's the way we look at it, it's essentially spans across all these different environments and also to the OT and IoT environment as well. So we're just at the beginning, and that's what I speak about ubiquity of our agent, just at the very, very beginning. But we are the one who really built this agent technology better than anybody else. And again, we have been working on that. I don't remember exactly the time, but I think our first agent was 2007. I don't remember. It's a long time ago. I would think it's a long time ago so -- that we built these agents.

Great. And Melissa, gross margins were impressive here this quarter, about 82%. They've trended higher sequentially through the year, 4 quarters in a row now. Can you talk about what's driving that? And then maybe any thoughts about how we should think about gross margins with the evolving model here and into calendar year '20?

Yes, absolutely, Dan. So we're very proud of our robust gross margins, but we did benefit from mix shift to India. We do have a lot of more investment going forward. We're looking at adding some shared platforms potentially in other parts of the world. So I would expect there to be more investment in the cost of revenue line, putting some downward pressure on gross margin because it is at a very high level. We don't guide to gross margin. So not going to give you a range, but you can imagine that it'll stay at best of class but not necessarily at the current levels.

Yes, on the gross margin, also the fact that we are very architected and we are benefiting also at significant cost reduction. For example, we have eliminated 70% of our VMware layers and to go bare metal with containers and microservices. So that's the beauty also of that -- of our engineering-driven, if you prefer. We have copied on what Facebook did and what all these big guys done. So we have not invented anything here, but we have been very good students of how the Google, the Facebook, et cetera, did scale their platform and reduce their costs. And so that's -- and we have done our own DevOps, the digital transformation in Qualys significantly. And so that's a big advantage that we are looking forward and when a lot of our competition have not even started.

Our next question comes from Howard Smith from First Analysis.

Just wanted to follow up on the prepared comments regarding the technical account reps or TARs, which is kind of new for you last year. How do you assess where you are in their development and the progress seen to date? Just some commentary about that would be appreciated.

Very much, Howard. So that -- yes, this is something that we really -- again, that's not something that I personally am very much involved because it's about scaling not only just every aspect of our business. So this technical account representative, for those who may not remember, we realized that today, it's all about making life easy for people to adapt, to make your solutions not only easy but that you have all the information at your fingertips. So we built a team of technical account representatives in India, which are people that we hire, very junior people but yet from the highly -- high -- good technical schools. And of course, because we have a huge engineering team there, we train them. They have all the technical resources. And their job is not to sell. Their job is via what we call the Qualys Q agent, like in the James Bond movies, Mr. Q. So you have the Q agents who comes in immediately and is there to help you. And behind, you have the TARs, technical account representative because there's a huge pool of talent in India that we can attract, and the cost is absolutely -- we pay about $700 a month. And -- but we give them more than that. We give them a career path. So we have a highly skilled, motivated technical people, which are there to help the customer onboard, and that's all what they do. And now we're putting the systems around in place so we could automate a lot of that as much as possible, get all the feedback, which goes back into engineering and marketing to understand what the difficulty customers may have and deploying the agent, for example, whatever that is. So all that information is essentially more and more automated. So we have today a fantastic running that team. That team will not report to sales because we don't want to have them being salespeople, but they also are helping us to qualify leads. And then we pass that then automatically to our -- what we call our technical account managers, who are the pre- and the post-sales people, which are now the one which engage the customers to sell them or upsell them. So that's the system, again, we have put in place. So again, in India, we can scale. We have about today about a group of about 10 people already, and we can bring it to 100, to 200, whatever the number is. There is -- the manpower is there. Trying to do that in the U.S. is almost impossible. In California, it's impossible. You could not even keep them even if you would build that. A year later, they will be gone. So I think doing that out of India is very -- now, it's very good. Now it doesn't cover the entire world because you have the issue of the language, but it covers a lot of English-speaking countries. So what we do for Europe, so we do kind of a hybrid solution where we may do that function with a partner in Europe, which, of course, is the managed security service and essentially. So -- but they could benefit of the entire machine that we have put in place. Does that make sense?

That's very helpful color. Yes, I hadn't realized the full distinction between them and sales and how they generate the leads. So that's helpful color. Congratulations on a solid year.

Our next question comes from Sterling Auty from JPMorgan.

This is Matt on for Sterling. So looking at the March guide for revenue, that 14%, 14.5% growth, the midpoint of the range is about the same as this past quarter. So does that mean that the seasonality throughout the year is expected to be even quarter-to-quarter?

Yes. I don't think they're actually related. There's nothing in our business that's changed that our seasonality would be different necessarily than prior years.

And we don't have much seasonality anyway in the -- we have some, but it's very -- it's really minimum. And remember, for us, we take always -- we're very pure in the sense that we do not sprinkle in our projection any kind of perpetual license. We don't have professional services either, so there's none of that. It's all recurring, 100% recurrent. And which, of course, as you know, it's a little bit harder to really grow a recurring model. But on the other hand, it's a much more predictable and more profitable model than pushing and having a kind of a mixed bag. I don't think it's very misleading for the investors, but that's not our case.

[Operator Instructions]. Our next question comes from Patrick Colville from Arete Research.

Can I ask you about CrowdStrike and Tenable? I mean they are articulating more aggressively about their vulnerability management features, and I was wondering whether -- what you make of those guys and whether you see them as competition or whether they are kind of complementary to Qualys.

Okay. Very good question. So let's start with the Tenable, which is more of a direct competitor since many, many years. So the big difference between Tenable and Qualys is that, essentially, they have a very disjointed architecture. So they have the Tenable.io, which is a cloud-based solution. Then they have the security center, which is an on-premise and other solutions, and these are very different solutions. So for them, essentially, their biggest challenge that we see ahead for them is, essentially, they will have to really bring all these different solutions together to one single platform, which is going to really, of course, take time and very expensive. Today, they have been essentially -- as many people know, they have been essentially pushing Tenable.io into their existing customer base. They have a very good customer base with Nessus, very loyal. They're pushing -- try to push Tenable.io. They have had a lot of salespeople and marketing. That's what they do. So for us, I think VMDR is absolutely again, a game changer. So we can anticipate that we are now going to be able to compete very well at the lower end of the marketplace. We see that already happening. And as I mentioned earlier, on the high end of the marketplace, now it becomes very difficult to displace. And you cannot play some of the tactics that they did, which is dumping the price because now we offer so much more into one single application. So I think it makes us more inoculated, if you prefer, against this kind of viruses. So that's what Tenable. So we are a competitor with them head-to-head, and we offer significantly more than what they do in the world. So that's for that. CrowdStrike is a little bit different. So CrowdStrike, as you all know, have done a very good job at essentially cornering that EDR market, which there's so many players. But I think they really did a very good job that is actually differentiating themselves from this other player, a combination of having a very good, strong technical team, which understand the problem and then also creating a managed security service on the top of it, which has been the problem for a lot of these other solution. Because the problem with EDR is that you have all these end points, which are roaming the world and the seven seas on the Internet. And then suddenly, you discover that one of these end point is compromise at 2 a.m. in the morning local time, but knowing that device is in Singapore. So how do you mitigate, remediate, prevent, quarantine the device? So you need to have people watching these devices. Very few companies are capable to follow their own end points everywhere in the world. And so by other watch, they really essentially, it's a managed -- quite sorry, managed service in disguise. And they are, of course, it gives them very good revenues growth. The problem with that is that seven sea, it's very expensive to both, on one hand, develop your own platform and, on the other hand, to have a managed security service on the top of it. So you become very dependent on people, which is, of course, do not scale. Then also, their back-end is essentially on AWS so they have essentially AWS. They have Splunk and they have Cassandra as the back end. So all of that, again, to make scale and the cost, it's very hard to do. We, again, do not depend on all of that. In fact, today, we use a Cassandra back end for pumping 1 million writes per second in our Cassandra back end. We have ElasticSearch, again, trillion data points. So all of that is our own technology. So now the advantage. So yes, they are trying to move the -- of course, they can do vulnerability management on the end point by just knowing what is the application that you have, but that's not enough. And so of course, you need to have more context about that end point to really eliminate all the potential vulnerabilities on that device. So what -- in fact, what we see today happening in many of our large customers, which is interesting, is that they have 2 agents today on their end points. They have the Qualys agent, and they have the CrowdStrike agent, and they don't need any other agent because the CrowdStrike agent, of course, provides essentially also antivirus and all these other capabilities. Now we are, today, working very hard at delivering exactly all the functionalities that CrowdStrike has on the end point. We already have with our IOC 2.2 -- 2.0. We have franchising capabilities, et cetera. So what are we missing? We're missing an antivirus solution and a few other things, but we have also the back end to our advantage, plus the entire context. So that's essentially how we're going to differentiate themselves. But I would say that we'll be, by far, into their turf far before they can come into ours unless they start to acquire companies who do what we do, but then they would have to integrate all of that, which is not a walk in the park. So I think this is where we are. So we are working towards providing the additional functionalities to our customers. And our go-to-market will be very different, is that we do not want and we will not have a managed security service who are going to leverage all the partners that we have, and we have most of the managed security providers today Qualys customers. And so they are the ones which are going to deliver the services, so we will enable them. So this is fundamentally the difference. So does that make sense?

Yes, I mean very clear. And can I ask a question for Melissa, please? The current billings in the quarter was very impressive, 15% growth, based on my numbers. You mentioned in your prepared remarks there was a small benefit from large deals closing in the quarter that may have typically closed in the first quarter. I mean can you give us an idea of what the impact on growth or dollars those large deals could have contributed?

Yes, so that's correct. That's what I touched about in my prepared remarks, was the fact that some deals were invoiced in Q4 that instead of that their anniversary in Q1. And just as we've been for timing when deals slip out a quarter, we wanted to be transparent when deals move in. Given that there's multiple scenarios when the renewal happens or doesn't happen at the same time as the anniversary of an initial deal, it's really hard to normalize for comparison purposes. And that's why we point to the trajectory of our revenue -- our annual revenue guidance as the best proxy for business momentum.

Yes. And I will add one thing because Melissa is using the term that deals slip out of the quarter. This is an enterprise term. Does not apply with us. We really were clearly -- for us, it's well driven by the customers. So it's the customer sometimes, and we had some of these deals which have been slipping from December 31 to January 1 depending on the budget cycle of the customer, which may have changed. So they are the one requesting that to us. And for us, we don't care because it doesn't impact the revenue. And that's the reason why we always said the way we -- our billings are not really, really representative of what is happening in the quarter. So what happened here as -- and that's why we disclose whenever -- when the business are very strong or very weak, we explain this is what happened. Sometimes, the customers may move the deal, for example, if the early renew or there's so many variables. It doesn't change the revenue, but it absolutely change the billing cycle. So that's the very way we build the model, which, again, is an element of our profitability because when we go at the end of this quarter, then we got procurement, saying, "Okay, guys, if you want me to close the deal, you need to give me a better price. Sorry, guys. The renewal is now, so we could either shut down the service." But we're not like that. But by the way, we don't really care. So whether we close now as long as you renew and we don't care so -- because it doesn't really impact our revenues. And that's what makes us very different from quite a few other companies.

I show no further questions in the queue at this time. I'd like to turn the call over to Philippe Courtot for -- Chairman and CEO for closing remarks. Please go ahead, sir.

Okay. So thank you very much. And in fact, thank you very much for attending our earnings call and for your questions. And again, one of the things that I mentioned earlier is that we'd be really happy the next earnings call to discuss about the adoption of VMDR from our existing customers or from -- as well as from new customers. So looking forward to see you, all of you, I hope. If you can make it to RSA, the Four Seasons. It's a beautiful hotel. There's much less noise there than at RSA, and we have our customers there. Also, if you could attend our event, you will see VMDR in action, and you could also speak with our customers directly, and you're more than welcome to do that. Okay. So thank you very much.

Thank you.

Ladies and gentlemen, this concludes today's conference call. Thank you for participating. You may now disconnect.