Good day, everyone, and welcome to Qualys First Quarter 2020 Earnings Conference Call. This call is being recorded. [Operator Instructions] I would now like to turn the call over to Vin Rao, VP, Corporate Development and Investor Relations. Please go ahead.

Good afternoon, and welcome to Qualys first quarter 2020 earnings call. Joining me today to discuss the results are Philippe Courtot, our Chairman and CEO; and Melissa Fisher, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and in our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. As a reminder, the press release, prepared remarks, investor presentation and supplemental historical financial spreadsheet are available on our website. With that, I'd like to turn the call over to Philippe.

Thank you, Vin, and welcome, everyone, to our Q1 earnings call. We hope that you and your families are healthy and safe, and that soon, America and the world will be open for business, again. It is now clear that after COVID-19, organizations and government agencies of all size are going to have to rethink the security and business continuity plans to include remote connectivity, accelerate their migration plans to the cloud and streamline and secure, if not reinvent, their supply and delivery chains. This will have a profound impact on our industry, as it has also become clear that most of the current security solutions were not designed for remote and highly interconnected working new work. In fact, we experienced these ourselves. Unlike most other companies, we suddenly have most of our workforce, working from home. Fortunately, because we had moved early with cloud-based enterprise application, and spent many years laying the architectural foundational work for a robust, scalable cloud platform, we were able to not only secure our remote workers, but also continuously monitor and patch validities under computers in a very short period of time. As a result, we could continue our engineering and business development initiative without much disruption. This was, in fact, the genesis for launching a cloud-based Remote Endpoint Protection free service in a matter of days. For our customers first, and now for the community at large by leveraging our powerful cloud platform and our strong base of engineering talent in Pune. As a result, today, we have close to 500 companies of which 50% – nearly 50% our new customers' prospects signed up for this free offering, which allows security teams to gain instant and continuous visibility of remote computers, easily see missing patches for clinical vulnerabilities and employ them from the…

Thanks, Philippe, and good afternoon, everyone. I would like to reiterate Philippe's comments that we hope our investors and analysts and everyone on the call are all safe and healthy. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP, and growth rates are based on comparisons to the prior year period, unless stated otherwise. We're delighted with our increasing Cloud Agent subscriptions and multi-product penetration as well as the strong adoption of VMDR, which lays the foundation for future revenue growth and industry-leading profitability. Our Q1 financial and operational highlights include: revenue for the first quarter of 2020 grew 14.5% to $86.3 million. Please note our Q1 2020 calculated current billings was positively impacted by the timing and amounts of prepaid multiyear subscriptions, somewhat offset by a few large deals that were invoiced in Q4 2019, rather than at their anniversary in Q1 2020. Our average deal size increased 3%. Platform adoption continued to increase as a percentage of enterprise customers with three or more Qualys solutions rose to 50% from 42%, and the percentage of enterprise customers with four more Qualys solutions increased to 32% from 22%. Paid Cloud Agent subscriptions accelerated to 38.4 million over the last 12 months, up from 30.7 million for the 12-months ended in Q4 2019. 3 million Cloud Agents were purchased this quarter by a single customer. And new products released since 2015 contributed approximately 44% of total annual bookings in the quarter, up from 23%. Since this metric includes VMDR, we do expect it to become less relevant for investors as more VM customers renew into VMDR over the coming quarters. As a result, we do not plan on providing this metric going forward, but we plan to introduce new metrics relevant to VMDR adoption,…

[Operator Instructions] Your first question comes from the line of Daniel Ives [Wedbush Securities].

Yes. Thank you. So maybe you can talk, Philippe, about from a day-to-day, what you're doing in terms of customers, partners to navigate the COVID-19 backdrop. Maybe just talk about from a day-to-day, what you're doing to sort of handle customers? And could you comment on the month of April versus March?

Okay. So let me maybe – yes, I mean, this is pretty straightforward. We are very close to our customers. Today, what we see is that many of our customers are essentially asking some payment terms, which of course, for us it's relatively easy to do, assuming, of course, they got good balance sheets because we're not going to extend payment terms with companies that we believe are going to get bankrupt. As Melissa mentioned, we are not that much affected in our business by the travel industry and other industries. So fortunately, we are fortunate there. So then also what we see coming, and that also, which give us a very unique opportunity. Customers, they want to reduce the spend. Because, of course, cash is king, and you need to weather – we all need to weather that economical shutdown. So as I said, it put us in a very good opportunity because instead of discussing discount, we speak then about consolidation of the stack because customers, if they adopt multiple solutions and replace our solution, virtual access or what Docker [ph] with Siebel Systems, not only we can allow them to easily extend their scope, gain visibility, but also they can reduce significant cost because everything is centralized in Qualys, everything is self-updating, you need much less people to operate these solutions. And of course, you have the advantage of having everything done from one platform. So that's the general trend. So we have this discussion almost every day with all of our customers, and they are very positive. As far as the difference between March and April, not much. Quite frankly, we see that our business is solid. We have this kind of discussion, as we discuss. We had in the early – in the really difficult time. Q1 was slightly impacted, I would say, by, or somehow impacted by the fact that some new business were essentially pushed out, and some upsell were also pushed out. But not again – that significantly again all in all and so that's – so we feel very good.

Okay. Great. Well, thanks again and good job.

Thank you.

Your next question comes from the line of Sterling Auty [JP Morgan].

Hi, guys, this is Matt on for Sterling. Thanks for taking the question. In terms of hiring, how has the current situation impacted your hiring plans, if at all?

Well, I'm really glad that you have that question because we are in a very unique position. People are flocking to Qualys. So we are in fact, one of the few companies today, which is continuously hiring. We always have been very deliberate with our hiring’s. We go for quality. We don't go for quantity. But now we have a unique opportunity because a lot of people are worried in their companies. And they see Qualys, as the shining star. So we have been interviewing a lot, in fact, via video conference, of course, and we're continuing hiring. So there's no hiring freeze, but we are again very deliberate.

Got you. And then just one quick follow-up. Which products would you say are – you feel are going to be more positively impacted by the current situation? Have you seen a shift in customer preference in terms of which applications they're using Qualys for? Thanks.

Yes, that's another – that's a great question as well. So the – obviously, everything which is remote is hot. That's why we launched in a record time that free Endpoint Protection Service, with the ability for us to patch across the Internet, which is very unique, very few companies can do that. That has been absolutely a fantastic response, as I've mentioned during the earnings call. And now we're going to add the, very soon, in a couple of weeks, three weeks at the most, the ability to detect malware. And that set us up for our next big application to come, which is the next-generation EDR, which we're planning to essentially announce and deliver in the summer. And that's obviously a very hot market because you need to be not only – you need to really know what you have out there. So the beauty of our agents is that today, we have agents, obviously for all the Windows and MAC version, et cetera in Linux, but we also now have a agent for the Android and iOS and then there's also a new world of the Cloud and Container Security and so forth. So we're extremely well positioned. So we are, in fact, very, very bullish because of we put these many, many years of architecting, and as mentioned, some of the performance of our platform, it's incredible. But it didn't happen in one day. And for any company today, to really build at the scale at which Qualys has built and bringing all that information into one single platform. So you could eliminate, for example, the problem of EDR solutions today, as they exist, they have many false positive. And so how do you manage, false positive remotely? Very difficult. So you better have a minimum false positive. And then you need to be able to everything remotely. So we are introducing very soon, in our agent, the capabilities to do the response side, which is killing processes and all these other things. So we're very well – extremely well positioned.

Yes. Just to add on to Philippe's comment, we also view and we talked about this in our prepared remarks, that VMDR is very well positioned in this environment because it's a very attractive value proposition, integrating multiple applications into one. And so we do expect to see continued strong adoption. And the benefit for us is, as we've talked about, customers with multiple solutions have increased stickiness, and it drives proliferation of our Cloud Agents, which then have laid – which lay the foundation for further upsells of additional paid solutions.

Yes. And I will add also to what Melissa, yes, absolutely forgot to mention that, Melissa. Thank you. The key is that a lot – see, some of our competitors want to, of course, they are very scared of VMDR because it's really, really – it's a true game changer. And so when they try to paint VMDR, oh, it's just a bundle of solutions. No, it's not a bundle of solution. This is where we have all the record data to one place. And then as a result of that, we can provide all the workflows and everything into a single app. So this is the ability to essentially detect any devices that connect to your network, instantly, figure out what the device is, decide whether you want to manage that device, create your global IT assets inventory, then create the assets group. So you could now go and look at your vulnerabilities, of course, on premise, endpoint, cloud, containers, web applications, et cetera. And then prioritize, we have a totally new prioritization engine, which is far ahead of everything that the competition has and then, finish the remediation by patching, and now we are soon are going to have the ability to also quarantine. So you have in the one single app from the beginning the detection to up to the remediation or to the response. And that's why we call it Vulnerability Management, Detection and Response. And you will see the same thing happening, with a new offering, that we're going to do for identifying all your SaaS applications, identifying all your cloud application and again, EDR, all endpoints and having that capabilities of response and of course, and as well as your mobile environment and then very soon, the OT and IoT environment. All of that because of the power of the platform that we have built and the ability to collect all the telemetry and bring that telemetry into one place. Nobody, but nobody has built that. It took us time, but we've done it now.

Great. I appreciate all the color there guys. Thanks.

Your next question comes from the line of Yun Kim [Rosenblatt Securities].

Thank you. Hi, Phillipe and Melissa, hope you guys are doing well and safe. In regards to the overall Cloud Agent adoption, I think, this was probably the strongest, sequentially growth quarter by a mile. Even if you exclude that one customer purchasing 3 million agents, which I am assuming was a VMDR driven. But can you just talk about the strength in your cloud adoption, in regards to where you are seeing the adoption of your Cloud Agents? Is it more end-point driven? Or is it – are you – is it more broad based? Are you seeing strength also in the cloud environments as well?

Yes. Now this is another very good question as well. So the reality is that, it's everywhere. You have to realize that to handle 38 million agents, and in fact, we today could handle hundreds of millions of the agents, if not billions of agents. You have to have the right architecture. So it took us, obviously, some time. You need to deploy them, you need to update them, you need this. So there's a lot of engineering work, behind the scenes. So we started early on, with a slower progression, replacing our traditional scanning, which, of course, we're very good, but doesn't give you the real-time. So that's where we initially started. Now today, of course, we are now branching out. And so we're branching out to the endpoints, as I mentioned earlier, you see that free service, that we delivered 500 companies, generating now 2.1 million agents. That, of course, are now installed, or in the process of being installed and therefore, all the upgrade capabilities. And then, of course the cloud is another greenfield, where of course, you need to have agent to really know what you have into your cloud. There's no other real architecture. So you need to have connectors to pump up the data from these platforms. And then you need to have agents to have a more internal and more granular view inside as well. So again, it's all about the architecture, and that's where it's a lot of work. We needed to be able to deploy at that scale. We are doing it now. Then you need to collect the data. It's not by accident, that today, we have nine petabytes because these agents continuously bring the changes back into the platform, so you need to have the computing power and the analytics, and we're, of course, adding more and more machine learning and analytics into the back end. So we can really treat that data in real-time. We have a response time today on ElasticSearch cluster about 100 milliseconds, so which is again very, very, very real-time if you prefer. So no, this is already changed. It's that simple.

Yes. Just to add on Yun, as you pointed out, yes, we saw significant acceleration of Cloud Agent adoption, which we're very excited about. And VMDR did play a big role in it. So that one large customer that is up to 3 million. That's actually separate from VMDR. So VMware did play a big role in driving Cloud Agent adoption, and this is why we had talked about before it was formally unveiled, how excited we were about it because it gives us the potential to drive proliferation of Cloud Agents, both internally and at the endpoint. And also, and as Philippe pointed out, we've seen very good adoption with the free remote Endpoint Protection Service, but that's not included in the paid subscription, so that's also additional upside in the future for us.

Okay, great. I just have a question around just the core VM market, the overall dynamics there and pricing environment in the core VM market. Just saw the ASP was up 3% in your press release. That's probably at the lower end of your range, typically. Can you just talk about the market dynamics in your core VM market?

No, the dynamics are very clear because, I think VMDR was – our customers love it. This is the adoption of VMDR is going to be very fast, we believe. And you're going to see even before the solution was even available in the ship, we have already adoption, and it's accelerating. Every customers, we discussed with, is VMDR. It allows us to find out some of the, I would say, questionable tactics of some of our competitors, which dropped their plans because they absolutely need to bring top-line revenues because, of course, they are not profitable. And now today with VMDR, what's the purpose of trying to – they don't have what we have. So they are so far below. So what's the purpose of, yes, maybe on the – just the traditional scanning, you could drop the price, but what about all these other things? Do you have a global IT assets inventory capabilities? No, you don't. Do you have very good prioritization? No, you don't. Do you have real agents that can deploy that quality? No, you don't. So it puts us in a very, very strong position to fend off this kind of pricing tactic. And so we feel very good about the VMDR market. I think we are now in a position to really go and gain market share.

Okay. Great. Thank you so much.

Thank you.

Your next question comes from the line of Nick Yako [Cowen and Company].

Hey, guys. Thanks for taking my questions. The company now has a number of free offerings, that all seem to be gaining good traction in the market especially in this environment. I was just hoping you could discuss the likelihood; you can convert these users into paid customers. And then maybe when we could see it show up in the numbers?

Okay. That's a very good question, also. So what we have done with these free services is that, as I mentioned, I think, in the last quarter, we have built a team in Pune, India, which we call the technical account representative, and they are not there to sell. They are there to help customers on-boarding these free offerings and as well as trials, because at the end of the day, the buying patterns are changing. Today, it's essentially more a word, where you try and buy. Like today, more and more after COVID – more and more people now realize that it's much easier to shop online than to go to the store. And so the same thing is happening here, so all these free services are essentially a very cost-effective way to do lead generation. And then because we onboard them properly, then of course, we have now established already a good relationship with these people, and then we can discuss about potential upsell. And one of the things also we do with this free service, we do not entrap the customer. In other words, our free services do the job, entirely. It's not all, but if you want that, you need to pay more. So we have more the tendency to cross-sell. So it takes a little bit longer in a way, but it also gives the customers a very good experience and the value of Qualys. And so we see, for example, today with our global IT asset inventory, which now, by the way it’s part of VMDR, that we start to see customers adopting now, the additional paying solutions, which are complementary like the ability to detect, for example your end-of-life software, like the synchronization with your CMDB. And so I think, we're in a very good position. It costs us very little to provide this free service because, again, the platform is the delivery. We don't need channel, we don't need people to go and install anything. It's all available to try and buy. So it's a very powerful marketing machine. We've just hired, by the way, of VP of Digital Marketing in India. So we're going to do more and more of those programs and really creating a formidable machine, which I call the marketing machine. So we have a formidable machine, with the platform itself, and now we are building a formidable marketing machine as well.

And just to add on, we believe is that model is very sticky, right? Because we're letting our customers buy at their own pace as opposed to – it's a very important, it's just, in a subscription business, not to have sales force, not to have salespeople pushing products that a customer is ultimately not going to deploy because they're not going to renew at the end of the day. So this model, as Philippe pointed out, it's very cost effective because the service has – the platform is the distribution channel, but we believe it also increases the stickiness of our solution.

Okay. Great. And maybe one follow-up for you, Melissa. As it relates to the outlook for the year, in your prepared remarks you mentioned that you do expect some deals for new solutions to get deferred. I was wondering if you could just maybe talk about some of the underlying macro assumptions, embedded in your full-year guide?

Yes. Thanks Nick. Happy to go into that. So we had a good quarter, and we talked about the adoption of new solutions in VMDR. And as you pointed out, what I explained was that, the guidance was based on potential impact to new and upsell bookings. And so the range is really around the amount of that impact as well as the degree to which the business is impacted by COVID in Q4. Also, while we're not seeing this to-date, at the lower end of the range we're assuming some potential impact on retention rates to customers, especially at the lower end. Now the lower end doesn't really drive a lot of dollars for us, and we feel like VMDR actually gives us a very attractive value proposition to actually increase renewal rates, but we want it to be appropriately cautious, given the uncertainty around COVID-19.

Make sense. Thanks guys.

Thank you.

Okay. And now for closing remarks, Philippe the floor is yours.

Okay. So thank you very much for attending our earnings call and your questions. So these are obviously challenging times, but we feel fortunate to be very well positioned with our cloud platform and apps, including our game-changing VMDR application, while continuing to grow our pool of top-notch talent, as I mentioned during the call. So we emerged stronger than ever to serve our global community, employees and shareholders. I hope all of you remain safe and healthy. And that the country is back in business very soon. Thanks again.

This does conclude today's conference call. You may now disconnect.