Qualys, Inc. (QLYS) Q3 2020 Earnings Report, Transcript and Summary

Ladies and gentlemen, thank you for standing by, and welcome to the Qualys Third Quarter 2020 Investor Conference Call. [Operator Instructions]. I would now like to hand the conference over to your speaker today, Vin Rao, Vice President, Corporate Development and Investor Relations. Please go ahead, sir.

Good afternoon, and welcome to Qualys Third Quarter 2020 Earnings Call. Joining me today to discuss our results are: Philippe Courtot, our Chairman and CEO; and Joo Mi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and in our filings with SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. As a reminder, the press release, prepared remarks and in this presentation are available on our website. With that, I'd like to turn the call over to Philippe.

Thank you, Vinayak, and welcome, everyone, to our Q3 earnings call. Let me begin by saying that we hope you and your families are healthy and safe. With the ongoing COVID-19 pandemic, our workforce continues to operate remotely, and our top priority remains providing support for our employees, partners and customers. We are fortunate that the nature of our business allows us to successfully operate in this dynamic work environment. We have been able to adapt to the current challenges and deliver the results we had set -- the results we set out to accomplish last quarter. Joo Mi and I are pleased to report another good quarter in terms of revenue growth and profitability. We also had strong growth in our paid Cloud Agent subscription with 50 million now, representing nearly 80% growth from the prior year's quarter. This multifunction, lightweight Qualys Cloud Agent provides visibility across the entire hybrid environment and is the underlying technology for 7 of the security compliance and IT solutions that are natively integrated on our platform, that is: VMDR Vulnerability Management, Detection And Response; Multi-Vector EDR, Endpoint Detection and Response; Policy Compliance; File Integrity Monitoring; Patch Management; Global IT Asset Inventory; and the upcoming Certificate Management and more to come. Qualys VMDR has taken Certificate Management to the next level by providing the power to continuously detect vulnerabilities and misconfiguration across the entire global IT environment and response in real time to remediate assets that are vulnerable or already compromised from a single platform with building orchestration. Currently, approximately 1,250 customers have adopted VMDR, which includes over 350 new customers. Qualys VMDR is not only being a huge success with customers but it's also driving further penetration of our Cloud Agents because of our Global IT Asset Inventory, which is bundled in it. Since VMDR helps proliferate our Cloud Agent, it in turn sets a foundation for further upsell or other paid application. This quarter, we announced the general availability of our Multi-Vector EDR solution. This Multi-Vector solution unifies different context vector like asset discovery, vulnerabilities and exploits, misconfiguration, in-depth endpoint telemetry and network reachability with our powerful backend for accurate assessment, detection and response, all in a single cloud-based app. As an app built natively on the Qualys Cloud Platform, our Multi-Vector EDR leverages its power, scale and accuracy to correlate billions of global events with threat intelligence, analytics and machine learning to provide unprecedented context and real-time insight into the endpoint to carry out rapid threat hunting and response. Qualys, in fact, Multi-Vector EDR goes beyond traditional EDR solutions by providing comprehensive response capabilities such as killing processes and quarantining files or endpoints, while also uniquely preventing future attacks by orchestrating responses such as patching vulnerabilities, removing exploits, fixing misconfiguration or uninstalling software before endpoints are compromised. Since our Multi-Vector EDR encompasses the entire attack life cycle, it makes it easier to automate the response and dramatically reduce the number of false positives. The combination of Qualys VMDR and Multi-Vector EDR allows us to provide a single end-to-end workflow that helps company greatly reduce the time to respond and allows for the consolidation of the securities stack. Also, we are now providing a comprehensive 2-way inventory synchronization with ServiceNow Service Graph CMDB as part of their new Service Graph Connector Program. This new integration helps customers to quickly, easily and reliably load their complete and contextualized asset information into ServiceNow, enabling a consistent and consolidated data set across hybrid IT environment. Thus, providing with an always up-to-date source of truth across their hybrid environment. In addition, we continue to see good adoption of our cloud-based Remote Endpoint Protection Solution, which leverages the Qualys Cloud Agent and its cloud-based architecture to deliver instant and continuous visibility of remote computers as well as their installed application, obtain a real-time view of all critical variabilities and misconfiguration and remotely deploy missing patches for critical vulnerabilities. We currently have approximately 700 companies, including 300 customer prospects, actively using this free service offering. In terms of our newer paid solution, we saw solid growth this quarter with our paid Global IT Asset Inventory -- Asset Discovery and Inventory application. In fact, a large managed healthcare organization added our Global IT Asset Discovery and Inventory paid module this quarter in order to gain visibility of all their known and unknown assets across multiple environment, identifying the end-of-life of the installed software and synchronize with our ServiceNow CMDB. Patch Management continued to see strong customer adoption both in the mid-market as well as with the large customers. In Q3, a leading financial services firm selected our Patch Management application over several competing solution given its ability to easily and effectively patch remote endpoints without using the limited bandwidth available on VPN gateways. Finally, we also saw robust growth for our Container Security application with adoption from a respected regional financial institution that has already deployed VMDR and Policy Compliance. Now on the go-to-market front, while expanding our relationship with the next-generation of managed security service providers, or MSSPs, given the increased breadth of our product suite with the addition of the VMDR and Multi-Vector EDR, this MSSP can leverage the Qualys Cloud Platform to fully address the security needs of small and midsized customers that lack in-house resources to secure their hybrid environment as well as addressing the needs of large companies. We were pleased to announce that Infosys, a global leader in next-generation digital services and consulting, is integrating both VMDR and Multi-Vector EDR into its Cyber Next Platform, a Managed Security Service offering. Powered by the Qualys Cloud platform, Qualys VMDR and Multi-Vector EDR will collect vast amount of telemetry from the Qualys Cloud Agent and multiple sensors to combine with network information for a broad view of the environment going beyond just the endpoint. This significantly reduce lateral movement of security breaches to spread across from the initial point of compromise. Infosys' customers can also extend their use of the Cloud Agent to Patch Management, File Integrity Monitoring and other functionalities. In addition, Deloitte Canada is now offering Qualys VMDR via its Cyber Risk Services offering. Deloitte Canada clients now have access to the Qualys VMDR app as part of a holistic solution to meet their Vulnerability Threat Management, VTM, requirement and provide visibility across their entire hybrid IT environment. Qualys Cloud Agents are embedded and fully integrated with the Deloitte Cyber Intelligence Center via APIs to deliver asset discovery and inventory, vulnerability assessment, including configuration control, threat prioritization and patch detection to Deloitte's customer. Finally, last week we announced an expanded integration of Qualys Vulnerability Management with Microsoft Azure Arc, allowing customers to perform vulnerability scanning on server outside of the Azure platform, including on-premise and multi-cloud server. This capability is available to all customers of Azure Defender for servers at no additional cost. We continue to invest in expanding the capabilities of our cloud platform and aggressively developing additional solutions. Looking ahead, we are enthused about the additional solution that we plan to introduce in the next few months. That is: Container Runtime Security, which provide run time defenses and protection capabilities for containerized application now in GA; Additional Detection and Response offering that we call DRs, such as SaaS DR, Cloud DR and Mobile DR, which are also coming out of beta; Granular Access Control module and extension to our Global IT Asset Inventory; Multi-Vector EDR will be also available for Linux environment. In addition, an endpoint protection platform, EPP, extension to our Multi-Vector EDR solution will be available in Q1 2021; major update to our passive scanning capabilities that will significantly expand our coverage of Industrial Control System, ICS; operational technology, OT; as well as IoT, Internet of Things devices; and finally, Data Lake/Analytics/SIEM, or what we now call -- or what is now called XDR platform, which seamlessly will integrate all our current and forthcoming detection and response solutions or the DRs, has now entered beta with 10 design partners, and we're planning for it to go live by the end of Q1 2021. The development of these solutions has been possible because of the massive investment we made in our Cloud Platform and our strong engineering talent base in Pune with over now 900 employees located there. These new initiatives open significant incremental market opportunity for us and allow our customers to easily and cost effectively consolidate their stack of traditional security and compliance solutions, while providing them a single-pane-of-glass view on all assets across on-premise, endpoint, cloud and mobile environment. Similar to our efforts on the cloud platform front, we are also building a marketing platform that, combined with increased investment in sales management and sales capacity, will drive future profitable growth. We will showcase this new solution at our upcoming QSC, or Qualys Security Conference. And I would like to personally invite you to attend this conference, which will be a 12-day virtual event from November 9 to 24. And you could also listen to the presentation at your own leisure and we currently have more than 5,000 people registered. You can access the agenda and register for the conference at www.qualys.com/QSC/2020/virtual. As mentioned earlier, replays of the session will be available on demand at the end of the day when they are presented. At the conference, our President and Chief Product Officer, Sumedh Thakar, will discuss the evolution of our Cloud Platform as well as our recently launched Multi-Vector EDR solution and forthcoming Data Lake/Analytics/SIEM initiative or XDR platform extension. Our attendees will have the opportunity to listen to customers such as the Head of Product security at Zoom; Manager of Information Security Operation at Jabil; and the senior security engineers at Informatica. And we will also present our risk-based approach to vulnerability management, providing forthcoming updates to our Cloud and Container Security solution, share our view on risk management and compliance and discuss our next-generation web application and API security solutions. Our focus remains -- or our focus continues to remain on balancing growth with profitability. The Qualys Cloud Platform serves as a distribution channel, enabling us to grow while maintaining industry-leading margins. Incremental future growth will be driven by our strong partnerships with MSSPs as well as further investments in sales and marketing, as mentioned earlier, with the addition of highly qualified and technical individual. On the hiring front, we are pleased to welcome back David French as EVP for the Americas Field Operation. David has extensive experience in sales and business development and will play an important role in driving continued growth for the company. Finally, M&A continues to be a part of our growth strategy as we seek to accelerate our product development and expand into adjacent markets. Acquisitions over the past couple of years have been complemented -- have complemented our organic product innovation, expanding our cloud platform to provide more comprehensive security and compliance coverage as well as visibility across all global IT assets across, again, on-premise, endpoint, mobile, cloud, containers and our OT and IoT environments. Our Cloud Platform has now reached the level of maturity where we can potentially explore acquisitions to expand our customer base in a disciplined manner as well as continue to acquire small companies with innovative technology. In conclusion, increasing the adoption of our Cloud Agent and the breadth of our solution across environments enable us to offer customers greater visibility, accuracy and scalability while ultimately enabling them to consolidate their security, IT and compliance stack and drastically reduce their overall spend. With that, I will turn the call over to Joo Mi to discuss our financial results and guidance for the fourth quarter and full year fiscal 2020.

Thank you, Philippe, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP, and growth rates are based on comparisons to the prior year period unless stated otherwise. We're delighted with our increasing Cloud Agent subscriptions and multi-product penetration as well as a strong adoption of the VMDR, which leaves the foundation for future revenue growth and industry-leading profitability. Our Q3 financial and operational highlights include: revenues for the third quarter of 2020 grew 13% to $93.1 million. Please note our Q3 2020 calculated current billings was negatively impacted by the timing and amount of prepaid multiyear subscriptions as well as requests for shorter duration invoicing. Our average deal size increased 7%. Paid Cloud Agent subscriptions increased to 50 million over the last 12 months, up from 43 million for the 12 months ended in Q2 2020. 3 million Cloud Agents were purchased this quarter by a single customer. And 34% of VM customers, up for renewal in the quarter, renewed into a VMDR subscription, up from 19% in Q2 and 4% in Q1. Our scalable platform model continues to drive superior margins and generate significant cash flow. Adjusted EBITDA for the third quarter of 2020 was $45.1 million, representing a 48% margin versus 47%. Q3 EPS grew 19%. And our free cash flow for the third quarter of 2020 was $48.4 million, representing a 52% margin and up 21%. In Q3, we continued to invest the cash we generated from operations back into Qualys, including: $11.2 million on capital expenditures for operations, including principal payments under capital lease obligations; and $37.7 million to repurchase 352,000 of our outstanding shares. We remain confident in our business model, driven by our foundation of nearly 100% recurring revenue and expanding suite of applications. We are delighted to be raising our full year 2020 guidance for both revenues and earnings. We are raising the bottom and top end of our revenue guidance for the full year to now to be in the range of $362.4 million to $363 million from the prior range of $359 million to $360.5 million. We are raising our full year non-GAAP EPS guidance to now be in the range of $2.85 to $2.87 from the prior range of $2.60 to $2.65. We expect to maintain industry-leading margins in 2020 and continue to produce strong cash flow. And our Q4 guidance for revenue is $94.2 million to $94.8 million, and for non-GAAP EPS is $0.69 to $0.71. For the fourth quarter, we expect capital expenditures to be in the range of $7 million to $8 million, which includes approximately $1 million for the build-out of our Pune headquarters. As Philippe mentioned, we are very excited by the robust adoption of VMDR and the launch of our Multi-Vector EDR solution, and we remain optimistic about the company's future. We feel very well positioned during this period of uncertainty due to the value provided by our Cloud Platform and our 20 apps as well as our underlying highly scalable and profitable operational model. With that, Philippe and I are happy to answer any other questions.

[Operator Instructions]. Our first question comes from Yun Kim with Loop Capital Markets.

Congrats on a solid quarter, Philippe and Joo Mi. Can you -- this is just a high-level question from last year's user group conference. Can you update us on the partnership that you guys announced last year with Microsoft Azure, especially in regard to the integration with the Azure Security Center? I seem to recall the attendance to that particular session was especially jam-packed.

This partnership is doing very well. What we have done here is remarkable because this is the integration of our entire Cloud platform with Azure Cloud platform. And as I mentioned in my prepared remarks here is that we have now expanded that to move into Microsoft Azure Arc, which is, if you prefer, is their private cloud initiative as well. And so this is, again, the partnership goes very well. Microsoft is a very big Qualys customer as well. So I think earning the respect of the engineering team and, as importantly, doing the work to fully integrate seamlessly to our solution is very unique. And we are, of course, working with other cloud providers to do the same.

Okay. Great. And then, Philippe, obviously, you guys have added -- expanded your portfolio beyond your core VM product today. So just wondering like when you're adding new customers today, are you beginning to see more and more new customer add without the core VM product especially as they get access to some of these more cloud-based products?

Yes. No, this is a very good question. In fact, what we see, clearly, with our large customer is that we are becoming more and more strategic. They start to realize and a lot of these large customers that wait for what is called our SIEM platform and also all of the DRs that have announced, what we have done very uniquely and really say very uniquely is that we're fusing detection and response into 1 app. So you have immediately the ability to detect and immediately the ability to respond, all of that in real time. And so our XDR solution will do -- or the analytics is fusing all these different DRs that we have. And just to repeat, we have done VMDR, now we have EDR, which competes against CrowdStrike. And then, of course -- then there's the SaaS DR, which will allow you to have the full visibility of your SaaS applications like Office 365, Salesforce.com; and the Cloud DR, which will allow you to, for example, to not only identify the S3 buckets misconfiguration but also the ability to -- from the same pane of glass to fix it. So that's the key of security today. And you can -- and it's all that automation with all the workflow that for you, so you realize how much cost we eliminate. And so we -- as I mentioned earlier, our XDR platform now is entering beta with 10 very large customers, which have been our design partners. And we are going to go in beta 2 at the early part of Q1 and then, of course, looking at going GA by the end of Q1. And what is interesting with that platform is that not only it address the needs of the very large companies but it also address the needs of the very small company. Our platform is totally scalable. So we see more and more us becoming very strategic, to answer your question, with our large customers, which, of course, wants to adopt more solutions from Qualys and as well as really -- they really are all looking at the XDR solution that is really coming pretty soon. And then on the low end of the marketplace, of course, again, it simplifies everything. So we have absolutely an offering that cuts across the entire spectrum. And then, of course, because now we have multiple applications, we have multiple arrows in our quiver to attract new customers. So the Global IT Asset Inventory is becoming also very, very interesting for many companies. And now of course, we have more solutions. When we bring, for example, this new SaaS DR, which is in a few weeks, in fact, SaaS DR and Cloud DR, that's a totally new ability for us to go and generate additional new customers and then grow the platform, because once you put the platform into a customer, and that has been our strategy or our agent, if you prefer, then suddenly, we cannot sell. And it's all there. It's all -- everything is centrally managed, self-updating. And then, of course, it's becoming now our marketing platform. And we are, as you will see, if you can register to the user conference, we are really now building a market. So we build a Cloud Platform, which is essentially the distribution channels itself. And now we're building a marketing platform to essentially bring our solutions to many, many more companies worldwide. Does that make sense?

Yes. Joo Mi, I have a quick one question for you. On the 7% ASP increase, is that ASP increase -- is that more broad-based? Or is that mainly driven by large customers? And then also just 34% of the customers who upgrade to VMDR in the quarter, did that contribute much to the ASP increase?

Yes. So 7% average deal size increase is more broad-based, not just concentrated on the larger customers. And in terms of VMDR adoption, we are very pleased with the increase in adoption with it increasing from 19% last quarter to 34%. With that said, as expected, the impact to revenue has been broadly neutral for year-to-date. And this is due to the same reasons I stated before, where you might see a VM-only customer spending a little bit more when they renew into VMDR versus offset by customers who used to have subscribed to multiple Qualys solutions, they might be spending a little bit less. So overall, this year, we are seeing a broadly revenue-neutral impact. However, going forward, we really believe that this leaves the foundation for continued upsell and really drive bookings growth with an increase in retention that we expect to come and witness next year.

Yes. And I would like to -- one thing from the product side that -- to what Joo Mi said is that what you have to understand about VMDR, this is not only the, really, next-generation of vulnerability management in the box, but this is also the application that collects all the telemetry and all the data, which is absolutely vulnerability management DR, which is important for many other solutions, and that's what gives us the context. So if you deploy a VMDR, you have already all that data, which is there. And that's, of course, is going to be very significant for -- in our XDR platform because now we bring you the inventory, the context, et cetera, you know the status of any devices that connect on the network. And so this is absolutely significant. So as you can see, it's a major Trojan horse strategy that we embark when we package our vulnerability management solution become detection and response. But behind you have that Global IT Asset Inventory who pushes the agent and also collects a lot of telemetry. And this is also combined with our passive scanning, which looks at the network analysis. And that's why -- by the way, to give you some idea, of the scale at which we operate, 7 months ago, we're indexing 3 trillion data point ElasticSearch clusters, which were data -- which we were collecting. Seven months later, we are indexing now 9 trillion. Significant scale at that which is, again, makes us significant than any of the other solutions.

Our next question comes from Nehal Chokshi with Northland Capital.

Simple question. You had a $4.3 million Q-o-Q increase in revenue. I think it's the largest over the past 6, 7 years. Is this simply VMDR adoption? Or is there something more going on here?

Yes. It's not attributable to the VMDR because the VMDR adoption is great. It's a long-term strategy, and we believe that it will drive the bookings growth and revenue growth overall turning next year. This year, it's been broadly neutral. So if you take a look at the revenue growth, we did outperform, beat our high-end of our revenue guidance because bookings came in better than what we had expected. We are seeing that the momentum overall, not just specific to VMDR, with the bookings coming in and the deals closing on both the new and upsell as well as maintaining our strong retention rate.

So I guess what I'm driving at there is why did bookings come in stronger than expected? Can you point to some sort of broad theme that you would expect to continue? Or was it onetime in nature?

I wouldn't say it's onetime in nature. New deals came in better than what we had expected. So typically when we guide to revenue, what we do is we take a look at the pipeline in play, right, with respect to both new customers as well as upsell and expand potential with their existing customers and, of course, the renewals that are coming up. And so it just so happened that this quarter, we had better linearity. We had better new bookings than what we had anticipated. And so we are seeing that growth. And this is part of the reason. And what we've always said was if you take a look at our revenue, it might not necessarily be in line or -- and that current billings might not be indicative of the business momentum because if you take a look at current billings, we indicated that it was at 8% year-over-year. But revenue, we outperformed growing 13% year-over-year.

Yes and which is also driving more specifics about this solution. The Patch Management, for example, is doing very well. We have our Container Security also is moving very well. And again, as I've mentioned, we are very optimistic about our Cloud DR coming, our SaaS DR coming. So we have all this new solution. And what is very unique, again, is that -- down that additional solution. In other words, if you look at other solutions whereby the companies, they end up by having 4, 5, 6 different console to essentially access all these different applications that they required, whether they are on cloud or not cloud. With us, ultimately it's a 1 single platform, 1 single URI, 1 single application. And so you essentially have a lot of power at your fingertips and all the workflows are integrated. So it's coming from multiple, if you prefer, routes and one can say that routes creates big rivers.

Our next question comes from Shebly Seyrafi with FBN Securities.

Congrats on the strong results. You said that -- Joo Mi, you said that bookings were better than expected. But your current billings grew by 8%, down from double digits a few quarters ago. First of all, can you say whether bookings grew by a double digit percentage? And I think you also mentioned in your script that there were changes in duration in multiyear. Do you expect those metrics to rebound soon?

Yes. So great question. So we don't guide to bookings, and we haven't shared bookings previously. But what we can point to is, typically, we've had some negative impact from multiyear deals. So that's one example that I'd like to give it. If you have a multiyear deal, on the second year, because there's no change in the current deferred the current spending, the way it's reflected is not indicative of bookings. And so that's one reason. And that we expect to continue because as we close multiyear deals and our contracts at length increases, we do expect that impact to continue. With respect to shorter duration invoicing request, we've seen the uptick in that in Q3. We are seeing less of it in Q4 this quarter, and we expect that to kind of diminish or decrease over time. And so there will be continued puts and takes. Another reason why current billings might not be trending or be indicative of the bookings or the business upfront is because you don't manage quarterly billing. And so because of that, we have renewals that are done not at the anniversary of the initial deal. So that might be another negative or potentially a positive impact. So this is part of the reason why it's hard to perfectly normalize growth rates to account for all these different scenarios.

And the short-term billings essentially is the COVID-related thing where people are asking some payment terms and so forth. And what we do is that we very specifically mention that this is only for the COVID year. So this is not to be repeated at the renewal time.

Right. And one bit of factor is if you take a look at our customers, right, typically, what we've seen historically is for the multiyear deals, we've seen over 60% might have been prepaying upfront for all the years. Now we're seeing because of the COVID, onetime relief and COVID-related concession, we're seeing less than 1/3 of that. And so right now, we are seeing both impact on current billings as well as the cash flow margin but we don't expect this to continue into next year.

Okay. And also, can you talk about the puts and takes on the gross margin line which declined sequentially and year-to-year?

Yes. So gross margin is impacted by multiple different factors. And one is, basically, we're expanding our data centers and the timing in which the assets are put into service, that does impact D&A. So if you take a look at our depreciation line, it increased by 6% quarter-over-quarter. And it just had to do with the timing. We are expanding into new data centers like Dubai and Las Vegas. And we do expect some headwinds as we transition over to Las Vegas. But in the longer term, we will see the benefit, right, because it is cheaper or more cost-effective than the one that we have currently in California. And so that has to do with the gross margin contraction.

Our next question comes from Alex Henderson with Needham.

I wanted to just delve into the commentary that you said about you built out your platform and now you're building out your capacity to go into the market and aggressively sell. That's somewhat of a change in tone around the strategy of building sales capacity, as I hear it. Obviously, some of that has to do with the MSSPs and Infosys type stuff. But can you talk about what capacity additions you're doing with a little bit more granularity?

Yes. So first of all, it's not a change in our strategy. Our strategy, is always put the cart before the horse. In other words we always and we always say that we need to really get the platform, get all the solution integrated, that's a lot of work. And there's no [Technical Difficulty] pushing sales, if you prefer, until you've got this solution really mature enough. So today, we have reached a point where the maturity of the platform is such. And of course, once we ship XDR, I would say that we have really, really completed our first goal to [Technical Difficulty] a lot of these solutions. There will be further expansion into more adjacent market, but our platform has really web and engineering masters, the platform scales. I mean absolutely, as I mentioned today, the number of wins is impressive. We are managing that more than -- we have passed the 9 petabytes. It's absolutely incredible, the scale at which we operate. So today, now the thing that we need to understand is like enterprise software, the Cloud Platform is the distribution channel. So today, we see huge shift happening today and more and more MSSPs flock to Qualys because we create a platform that cannot build anymore. Before the platform that we're building all the [Audio Gap] and of course, they have their own distribution. Also today, the platform itself is becoming also a distribution that we're going to provide more content, more return, more degeneration, more of this, more that. And in fact, if you -- I strongly [Technical Difficulty] as you listen that -- to register into our user conference because we see that platform, which now distribute comes very cost effectively [Technical Difficulty] has been, in fact, I always view that that [Technical Difficulty] reach out to advertise our solution. I used to say it's not good enough to be good, you should tell. Thing is that you don't want to take too early, and you don't want to take it. But the time has come, and I've always said that that time will come. So specifically, what we're doing now to answer your question about the expansion, so we are now, of course, we're beefing up our strategic alliance team so we could now essentially embark in having more MSSP. This is our focus, as we discussed earlier. The second is management. We have now VP of EMEA, VP and General Manager for EMEA, for the Americas. We have also added significant, what we call, executive VPs or VPs for byproduct line, only be there to look at the [Technical Difficulty] sell the go-to-market. So we're also expanding our marketing capability. So because of our highly stable platform, we need to also spend the amount of dollars to which have more of a financial price, if you prefer structure, go spending of 50% in marketing. So that's where we are. So that's what I call it. Now we're building the marketing. And of course, it's much easier and much quicker to build the marketing platform than it is to build an engineering platform.

If I could follow-up. Could you talk a little bit about when you start moving into protecting Cloud Platform or cloud application workloads? Are you seeing that predominantly around what I would describe as the more traditional applications when they move to the cloud on digital transformation? Or are you seeing it coming in from more modern applications Kubernetes-driven, DevOps-driven, or is infrastructure driven?

Yes, yes. This announced this morning, the fact that now finally -- I don't know if you recall the Layered Insight acquisition that we made. It took us a bit longer than what we have thought to fully integrate them into containers. And so that's, really, when you look at application today, containerization is really what allows you to distribute microservices containerization. So we are, ourselves, made a huge DevOps change on our entire platform, which was absolutely at the scale at which we do. So we're one of the today, which are really operating DevOps today. If you -- so yes is both ways. So yes, in fact, when you look at the web application, you have to take care of the existing ones, you have to take here now more and more of the APIs and, of course, all that containerization of the application that we make today, which is absolutely differentiate us from every other Container Security solution because now we can do protection. So again, the same philosophy, that notion of DR, detection. We analyze but then is found, if you prefer. So that's today we've got. So that's another deal. That's if you cannot really protect or if your protection is very complex or very costly, what the purpose of detecting. So -- but if you can automate the detection -- that response to really allow sale and of course, and the cost protection point that and this is the analogy I always give between diagnostics and cure.

So is the answer to that you're seeing cloud first point in the cloud customers coming to you as well as more traditional customers coming to you for cloud? I'm not sure I understood the exact answer. I mean clearly, the legacy guy comes, he's going to eventually move to more modern applications, but you are also seeing cloud customers. Can you talk about the penetration of -- born in the cloud companies that are moving to your system and your technologies, your platform that are starting from a Kubernetes-centric viewpoint only? Is that a meaningful percentage of your adoption?

No, it's not a meaningful percentage. [Technical Difficulty] [Audio Gap] to become disruptive.

Our next question comes from Hamza Fodderwala with Morgan Stanley.

Philippe, maybe first question for you. So it seems like the platform is really coming together. There's been good traction with VMDR. But from a go-to-market perspective, you've obviously brought on David now as the new EVP of Americas. I'm wondering, are there any sort of broader restructuring of the sales work that has to be done to align the sales organization to a more -- to selling multiple products or selling a broader platform? Or do you expect maybe some tweaks around the edges as you try to expand on this platform story?

So it's not -- no, this is -- okay, this is a very good question. It's not so much just the sales force. So what we're essentially doing with the sales force is essentially strengthening the management of that sales force, so we can now essentially speak more, we have been selling bottom-up in the past. We have a technical sales force that remains, no change in that, but we're really now in a position to really speak with the C-level much more because we have more to offer than, of course, in the past, when we're just vulnerability management. Because, quite frankly, the C-level is not that much interested in vulnerability management. In their view, they've got bigger fish to fry. The digital transformation, for example per occupies is significantly more. So we have now all these pieces coming together. So we have essentially expanded the management of our sales force. And of course, we're going to add a few more. We still have that model of hunter and farmers, that's not changed. What we're doing around that is that now that we've got a much broader solution while expanding what we call our subject matter experts, people who are specialized in EDR, who are specialized in this, which are there to support our partners and, of course, our sales force. And then we also have beefed up from the engineering standpoint, as I mentioned briefly in my prepared remarks, with having now people in charge of the product line. So we have -- we attracted somebody now today who is in-charge of the VMDR product line. We have attracted somebody who is now is in-charge of the EDR product line, somebody who is in-charge of the Global IT Assets Inventory product line, somebody who is in-charge of the Policy Compliance product line. And we're going to add a few more like that. So what they have under them is, of course, the product managers as well as the subject matter experts. And their mission is live. It's just not to ensure that we do the right thing from an engineering standpoint, but that we also -- they are, in fact, the responsibility of the go-to-market. So that's the more important structure change here that we are doing in the company. As we now today have essentially very, again -- as I mentioned, again, a very broad and very disruptive platform. And this is going to show, we believe, very soon.

Got it. And then maybe just a follow-up for Joo Mi, if I may. Joo Mi, so I appreciate the commentary on billings versus bookings. So you mentioned that booking in Q3 improved sequentially, and you're seeing a pretty healthy pipeline in Q4 so far. But just if you could, maybe from a qualitative standpoint, give us any color as to how we should think about the pace of revenue growth going forward, right. Because it seems like, obviously, some of the investments that were supposed to be made from a sales perspective are likely to be pushed out into next year. And that's going to continue to generate strong bookings from the VMDR and some of the newer products that you guys have had. But from a revenue growth perspective, how do you think about the pace of that going forward?

Our Q4 is like 11% to 12% for..

Joo Mi, I think you're breaking up on my end. I can hear now.

Okay. So in terms of new product adoption, it's hard to tell, and I said, when the impact on revenue will be. So typically, when we guide, we think that it's prudent for us to be a little bit cautious. So we don't dig into the revenue guidance, the new product adoption and the contribution to revenue that we expected to have. So for example, for Q4 we assume that we're -- from VMDR, it will be similar as now, where it will be mostly revenue neutral. However, next year is a year that we really think that with all the new product adoptions and product launches that we're seeing this year as well as going into Q1 in the first half of next year, we do expect some meaningful contribution to revenue and the acceleration in bookings that come from new products in addition to the continued business growth as is from existing customers as well as new opportunities.

Our next question comes from Brian Essex of Goldman Sachs.

Philippe, I wonder if maybe if you could give us a little bit more color around MSSP and the traction that you're seeing in that market. Any way you can quantify the percentage of revenue associated with that channel? And how might we anticipate customer adoption as you go through that channel, particularly as you may add more kind of smaller customers on to your platform versus the large enterprise customers that may be in your installed base?

Yes. No, so that's a good and broad question. So the -- so let me -- so we essentially -- mentioned essentially that we have about -- we have a hybrid model, whereby we sell directly and we also sell-through channels, which essentially, I don't remember exactly the mix, but it's about 60...

60-40.

60-40. 60% direct and 40% channel. Now within, what disclosed is the amount of MSSPs, 40%. However, what I can tell you and that probably at some point in time, we could, so we see that the traditional channels with more the recent -- fairly to of course the [Technical Difficulty] [Audio Gap] with Deloitte, etcetera. So we have more MSSPs knocking on our doors. And so you will see more announcements to come. That's the bottom line.

Great. That's very helpful. And maybe, Joo Mi, just a follow-up. Just playing with the model, looking at triangulating to guidance range, it looks like similar to last quarter, to get to guidance, we need a pretty steep ramp-up in spending for OpEx. But I understand that, I guess, last quarter, it seemed as though that there was some element of return-to-normal operating environment baked into that guide. Is that similar for 4Q? And if so, where might some of that flexibility for upside to margins or maybe lower-than-expected spending might come from? Is that mostly sales and marketing? Or is it kind of across the board?

Yes. For Q4, it's mostly on the sales and marketing side. So in Q3, some of the spend or investment opportunities that we thought that it would incur in Q3 was pushed out to Q4. In Q4, we have QSC, even though it's virtual, we had some additional onetime expenses that's going to be occurring in Q4 as well as the Pune expansion was pushed out to Q4. We had thought that we would be moving into the Pune office in Q3, but unfortunately that had to be pushed out. And there are some other one-off expenses related to employees and COVID-related reimbursement that we expect to happen in Q4. But overall, that implied margin, EBITDA margin for Q4 is in the mid-40s. And for the ending of the year, we expect to end the year with EBITDA margin above the mid-40s. And so we anticipate there's always an upside to margin, given our scalable business model. But with that said, we did hire some new leaders in the sales, including David French. So we expect to continue to invest and if I write employees and to onboard them so that we can effectively drive the sales force.

Our next question comes from Sterling Auty with JPMorgan.

This is Matt on for Sterling. You talked about expanding the relationships with MSSPs. Wondering if you could give any more additional color on what geographies you're really focused on expanding for that relationship.

So that's -- yes, no, that's…

Hey, Philippe, I don't -- I can't hear you.

Okay. So this -- is that better now?

Yes. Yes, now I can hear you.

Okay. So what I was saying is that you have two kind of MSSPs, the global ones and the more regional ones. So really our -- we see all of them coming to us whether they are regional or global, and we are totally a global company. So we have already, for example, a lot of telcos, which are our customers worldwide. And of course, we have a lot of local MSSPs as well. So we have a significant portion of MSSPs. Now they were not generating that much dollars in the past because it was just all about VMDR. We have probably -- IBM is a very good MSSP customer for Qualys. So -- but now today, with the platform and all these other things that we have, they are even more interested in Qualys because not only of the consolidation, which reduce their cost to operate and on and on and on, but the fact that they can generate more revenues, make their capital more sticky. And as a result of that, because we are now providing these response capabilities, they can offer a better service and, therefore, gain -- get a business which is becoming more profitable at the end of the day. Because the problem of the MSSPs has been this is not a very profitable business because of the human cost that you need to have. And if you cannot remotely respond, then it's very difficult to send people. So then the companies [Technical Difficulty] with the plan. And we knew since the beginning, except that to put the pieces together at the scale at which we need to put them was just not a walk in the park, which also gives us a significant barrier to entry that we have created for ourselves.

Great. That's very helpful. And then one last question from our side. So you've talked about the dynamics between the billings and bookings growth. I was wondering, obviously, not really asking for committed guidance on 2021, but how should we think about some of the targets that you laid with regards to revenue growth? Do you think that the trends that you're seeing here would indicate that revenue could accelerate in 2021?

Yes. We're very optimistic given the new product launches and what we're seeing in terms of the momentum. We do think of next year as an investment year. We do expect some positive impact on bookings from the new product lines, including the VMDR because we really believe that it lays a foundation for increased retention as well as cross-sell and upsell opportunity and, of course, once a budget opens up post-COVID. With that said, we will be providing more color next quarter when we give the full year guidance for 2021.

And I'm not showing any further questions at this time. I would now like to turn the call back over to Philippe Courtot for any further remarks.

Okay. So thank you very much to all of you for attending our earnings call and for your questions. And despite the very challenging environment that we are all in, unfortunately, we do feel fortunate that we are very well positioned, as we discussed, with our Cloud Platform and the app is fully integrated. And we are very pleased with our progress this quarter. We're also looking at next year in a very positive way, as we just discussed again. And essentially, our broad suite of IT security and compliance applications, including VMDR, Multi-Vector EDR, et cetera, et cetera, our forthcoming XDR and -- we believe, position us extremely well. So I again encourage you to really attend our user conference. I guarantee you, the big advantage is that we have really skinned that cat in many, many different sessions that you don't need even to attend when they run because you can have the link to the recording so you can really select what you want. And again, we look at that as the beginning of a marketing platform that we're really creating, which will allow us to distribute not only training, but also the content, trials, et cetera, et cetera. And of course, this is, as you would see, very effective. It's very good for the customers, for everybody. So everybody wins here. And that's again -- that's what we see in the broad market with what is happening today with the way you buy things. And then in my house today, now I put a lock -- automatic lock on my door, so when somebody delivers a package, I can open the door with my finger. That's the response. So that's essentially what Qualys is doing for security. So with that, again, thank you very much, and looking forward to continue the discussion. Okay. Thank you.

Thank you. Ladies and gentlemen, this concludes today's conference call. Thank you for participating. You may now disconnect.