Qualys, Inc. (QLYS) Q2 2021 Earnings Report, Transcript and Summary

Thank you for standing by, and welcome to the Qualys Inc Second Quarter 2021 Investor Call. At this time, all participants are in a listen-only mode. Later, we will conduct a question and answer session and instruction will follow at that time. [Operator Instructions] I would now like to turn the conference over to your host, Mr. Blair King. Please go ahead, sir.

Thank you, Grace. Good afternoon, and welcome to Qualys' second quarter 2021 earnings call. Joining me today to discuss our results are: Sumedh Thakar, our President and CEO; and Joo Mi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and in our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks and investor presentation are available on the Investor Relations section of our website. So with that, I'd like to turn the call now over to Sumedh. Sumedh?

Thank you, Blair, and welcome, everyone, to our second quarter earnings call. Q2 was another solid quarter with more customers upgrading to VMDR, increasing the deployment of our cloud agents on end points. We're delighted to share that we have continued to grow and operate effectively through the pandemic and management changes in the company. Faced with the latest increase in malware and ransomware cyber attacks paired with heightened government scrutiny, our customers are turning to us to fortify their security posture, respond faster and integrate patching and reduced legacy IT costs. Our highly scalable cloud-based platform allows enterprises to deploy multiple applications using a single agent, which differentiates us in the industry. Furthermore, our scalable platform enables us to handle more than 20 petabytes of data currently indexing over 9 trillion data points on our ElasticSearch clusters, moving more than 28 billion messages a day on our Kafka bus and pumping over 1 million rights per second on our Cassandra clusters. As a result, our solutions don't need to rely on collecting data from disparate point products to detect, remediate and respond to security threats. The single agent approach provides better security and user experiences and in turn, underpins the continued acceleration of our Cloud Agent subscriptions, which grew 51% year-over-year to $64 million. We continue to expand the ubiquity of our agent with our VMDR solution, which continues to gain traction in the market with 28% customer penetration as of Q2. Additionally, validating our solution consolidation approach, our top new customers in Q2 not only purchased VMDR, but also started with a number of additional Qualys solutions out of the gate such as Asset Management, Patch Management, Multi-Vector EDR, File Integraty Monitoring, Policy Compliance with application scanning and Container Security. We expect to further drive the VMDR adoption in the SMB segment with the new pricing and packaging we recently introduced. And given the desire of these smaller resource strapped customers to have a single risk-based vulnerability management tool with built-in remediation. We recently announced the launch of a very strategic initiative, which is our cybersecurity asset management, CSAM application. Accurate and UpToDate Asset Management is in the continuously changing hybrid environment remains a major challenge for large and small businesses. Despite this, being a fundamental building block and compliance requirement, organizations struggle with asset management that is focused on cybersecurity. We believe that Qualys Cloud Platform with our multiple sensors and scalable back end that collects correlates enriches and categorizes large amounts of data provides the ideal and robust solution for this challenge. By combining agent-based and agentless data collection, active and passive scanning and APIs to Qualys Cloud platform, now provides comprehensive asset discovery across the entire infrastructure, including on-prem cloud container OT and IoT to add context for security-centric visibility with reduction of security gaps, CMDB integration, alerting and response capabilities. It was particularly encouraging to see the top-tier financial institution select our CSAM application just days after its introduction in pursuit of agent consolidation, simplified rational workflows and a comprehensive view of the financial institutions' IT asset infrastructure as it rebuilds the security architecture for the modern hybrid work environment. Exhibited virtually at Black Hat, we were pleased to see an overwhelming reception for this application by large enterprise customers worldwide. We continue to see customer interest in reducing agents sprawl with a single solution for risk management and set response. So as an example, in Q2, a new Fortune 100 customer purchased VMDR Policy Compliance, patch management, cloud security, web application scanning and continued security together to standardize security hygiene on a single agent solution over multiple best-of-breed point solutions. In terms of our other newer paid solutions, we saw continued customer interest in our Container Security solution as well as patch management application. In the quarter, several large new and existing enterprise customers selected our Patch Management application over competing solutions, given its ability to quickly patch remote endpoints easily and effectively without using the limited bandwidth available on VPN gateways. And finally, we are receiving positive customer feedback and support for our EDR solution. This application is a natural extension to our highly scalable cloud platform and strategically aligns our vision of a single agent. Looking into the remainder of 2021, we plan to introduce XDR, which is our extended detection and response and next-generation security analytics and insurance response solution, which natively integrates and correlate security telemetry across the security stack for an end-to-end platform and like EDR, another natural extension to our platform. This solution is currently in private beta with several design partner customers and the feedback we are getting has been very encouraging. As the adoption of cloud applications continues to proliferate in the industry, we continue to focus on enhancing our cloud-native security solutions. We are rapidly expanding the power of our platform through organic innovation and targeted acquisitions in this area. The total cloud acquisition we announced today will continue -- will soon be integrated into several of our cloud platform modules, including our CloudView application and upcoming XDR solution to strengthen our cloud security posture management capability and enable users to easily create automated cloud workflows for rapid integration. In addition, as I outlined on our last earnings call, another key area of focus for me is on our go-to-market strategy and sales execution. Here, we continue to make appropriate investments in our business. And I'm pleased to say Alan Peters, who recently joined Qualys as our new CRO, is off to a great start. It's great to have him as part of the team, and we are looking forward to continuing our growth momentum under his leadership. In summary, we believe Qualys has a superior competitive position that provides a runway for long-term revenue growth and profitability while supporting industry-leading performance of adoption for our customers and speed of innovation for our R&D efforts, paired with the investments that we are making in our go-to-market and sales enablement activity. We view these advantages as a major contributor to an already favorable competitive environment that the company has benefited from in replacing legacy point product deployments. With that, I will turn the call over to Joo Mi to discuss our second quarter financial results and guidance for third quarter and full year 2021.

Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that excess or revenue, all financial figures are non-GAAP, and growth rates are based on comparisons to the prior year period unless stated otherwise. We're pleased to report another quarter of consistent growth and profitability reflected in the following financial and operational highlights. Revenues for the second quarter of 2021 grew 12% to $99.7 million. As a reminder, last quarter, our calculated current billings were negatively impacted and this was expected to reverse this quarter to have a positive impact on Q2 2021 calculated current billings. As of Q2, LTM calculated current billings growth was 15%. Paid Cloud Agent subscriptions increased to $54 million over the last 12 months, up from $61 million for the 12-month period ended in Q1 2021. And 47% of nonstrategic alliance customers with our vulnerability management solution, up for renewal in the quarter purchased VMDR, up from 34% last quarter. We're excited by the continued adoption of VMDR with a total customer penetration now at 28%. Our scalable platform model continues to drive superior margins and generate significant cash flow. Adjusted EBITDA for the second quarter of 2021 was $46.7 million, representing a 47% margin versus 48% last year. Non-GAAP EPS for the second quarter of 2021 was $0.79, up from $0.74 last year, and our free cash flow for the second quarter of 2021 was $47.7 million, representing a 48% margin versus 28% last year. Year-to-date free cash flow margin was 51%, which is 40% for the same period last year. In Q2, we continue to invest the cash we generated from operations back into Qualys, including $6.7 million in capital expenditures and $32.2 million to repurchase 316,000 of our outstanding shares. The weighted average fuel shares outstanding in Q2 was $40.1 million, down from $40.9 million last year. We remain confident in our business model, a deal that we're well positioned to drive growth given the traction we're seeing in newer solutions and the overall business momentum. We are delighted to be raising our full year 2021 guidance for both revenues and earnings. We're reaching the bottom and top end of our revenue guidance for the full year to now be in the range of $406 million to $407.5 million, from the prior range of $402.5 million to $404.5 million. We are raising our full year non-GAAP EPS guidance to now be in the range of $3.02 to $3.07 from the prior range of $2.67 to $2.72. And for the third quarter, we expect revenue to be in the range of $103.8 million to $104.4 million, which represents a growth rate of 12%. We expect non-GAAP EPS to be in the range of $0.78 to $0.80. Q3 capital expenditures are expected to be in the range of $6 million to $7 million. With that, Sumedh and I are happy to answer any of your questions.

[Operator Instructions] Your first question comes from the line of Hamza Fodderwala from Morgan Stanley.

This is Calvin on for Hamza. I think, first, I'd like to start out with, Alan Peter is now 3 months into the role. Have you seen or do you anticipate any further kind of productivity improvements? And I know last quarter, you mentioned sales enablement and new businesses of focus. Can you tell us how much progress you've made there?

Yes. I mean Alan has come on, we've been working together on figuring out what are the right investments that we need to make in working with Alan. We have continued to focus on sales enablement productivity in terms of process improvements, prospecting, bringing on more solution architects. So -- and you can see some of the early indications of that in our guidance that we have provided. So I think these are the things that we are working on. And as we continue to focus the right investments, we will be making those through the rest of the year.

And then for my second question, can you kind of talk a little bit more about the recently announced partnership with Deep Watch and what that kind of means for the company and potential go-to-market motion?

Yes. We've talked about this in the past that as more and more managed service providers are looking to modernize their platforms. They want to be able to get the benefit of being able to provide tools where they can provide their expertise on top of the platforms, which they have been building themselves, which obviously have not been able to keep fully on top of the changing and evolving cybersecurity posture. And that's what qualities the advantage that for these managed service providers as they look at focusing more on using a platform that already provides them a lot of the security context, whether it's asset information, vulnerability assessment from the risk mitigation perspective, providing the intelligence. MSSPs like Deep watch, which we signed a partnership with, and we look forward to working with them. We are looking to leverage more Qualys capabilities so that they can consolidate their own stack and then focus the resources on providing their customers with security expertise rather than spending the resources and trying to build disparate point solutions into their own stack so that they can provide this visibility. So from a go-to-market perspective, we're going to be working together as they are -- they will be taking us to bear existing customers as well to leverage Qualys as their core solution from availability management perspective, as they continue to bring on more sort of security, automation-focused customers on that platform.

And your next question comes from the line of Brian Essex from Goldman Sachs. Your line is open sir. Hannah Velásquez: This is Hannah Velásquez on for Brian Essex. Just following up on that previous question on the first one, rather, can you give us an idea of how much you plan to grow sales and marketing headcount this year? Perhaps maybe quota-bearing reps in particular?

Yes. So last year, we ended the year with sales and marketing headcount approximately in the 300. We haven't disclosed the quota-carrying rep headcount. And with Allan Peter's on board, and we are planning to onboard a new CMO later this month. We will be reassessing kind of the right profiles and the team members to add to the team. So we -- although we don't have a specific number target, we are planning to expand our sales and marketing professionals and grow that team. Hannah Velásquez: And then I guess another follow-up there. So S&M grew about 17% in the quarter year-over-year. This quarter, do you plan to follow a similar trajectory after the past, I don't know, 3 or 4 quarters of declines in growth?

We are planning to increase our investment in sales and marketing. With that said, in terms of the timing of when that investment will actually translate into our P&L and the impact on margins. It's a little bit difficult to say since Allen is still very much new. And we do have other executives, including not just the CMO, but also the CIO that we are looking for. And so with Sumedh at the helm in his new position as a CEO, we are planning to work very closely together as an executive team to figure out when is the right timing and what is the rate of men to invest this year and then continue on next year. With that said, one of the things that we are very optimistic about is the current trend in the business momentum. As you can see, on the revenue guidance, we've always said that the trajectory of our annual revenue guidance is the best proxy for the business momentum. And you can see that with our annual revenue guide is now increasing to 12% year-over-year growth. And our current quarter at 12% growth next quarter, we're guiding to 12%. And what that implies is Q4 will also be 12%. And -- you can see kind of with current billings increasing at a faster rate than revenue. We're very optimistic about the potential reacceleration in bookings.

Our next question comes from the line of Yun Kim from Loop Capital Markets. Your line is open.

Congrats on a solid quarter, Sumedh and Joo Mi. I mean, I'm sorry, a strong VMDR, VMDR upgrade rate for the quarter. Can you just talk about whether there was much of an uplift that you're seeing in terms of the overall multiproduct adoption when someone is upgraded to VMDR and any kind of uplift that you're seeing in the overall deal size when a customer upgrades to VMDR?

So I think VMDR enables a lot of additional capabilities for the customer, and it does take some time for them to absorb those as part of their environment to operationalize those. But what we do see and kind of in some of the examples out there is those who are looking at VMDR also looking at asset management or cybersecurity asset management, they are looking at patching in some way or the other. They're looking at file integrated monitoring. So we -- as I mentioned in the call, our new customers, as you're bringing on board, they look at VMDR. They are also purchasing these additional solutions as part of that. And so we kind of see that interest and that traction from not just looking at VM, but actually starting to look at the product portfolio even for customers who are bringing straight off the bat when you bring the new on board, they are actually looking at multiple different capabilities. And I think that's definitely encouraging for us to see. And then with the existing customers, we continue to work with them now as they get the agents and they're deploying the agents and they operationalize those agents in the existing environment, that does potentially open us up for opportunity to go and start to deploy patch management, EDR and other solutions. So we do see that in some of the examples that we mentioned in the call earlier as well.

Sumedh, you mentioned MSP in your earnings press release. Can you just update us on your traction in the MSP market?

So I mean, yes. We see that -- look, the reason why they are looking at Qualys and why they are leveraging Qualys is because they see that with a single platform, they can get 5, 10, 15 different uses of security information that they need to provide services to their customers. So as we work with them, we get these partnerships onboarded. There's going to be a time that they work through getting Qualys invested as part of their platform, build services around that. And so today, what we see as we work through with them is that there is definite interest and potential, and we're working with some of these managed service providers that we recently signed up to get us integrated into the stack. So that way, they can take us much more seamless leading into their customer base and provide additional services around that. And that's kind of where we are right now. And as we move forward, we expect to see that there will be more traction from the managed service providers.

Joo Mi, our favorite question for you. Can you at least qualitatively talk about any ASP increase in the quarter?

Yes. So what we've historically shared was, if you take a look at the average deal size, and we've shared the last quarter, it grew 9% year-over-year. But of course, that does tend to fluctuate so that it's not really indicative of how our customers are really faring with us. However, in Q2, that percentage was 17% year-over-year. So obviously, that's positive. But because we didn't think that it was that meaningful or indicative we decided to not include it in the earnings script this time.

And then just lastly, international revenue growth came in very strong. How much of that was FX-driven?

Some but FX impact as a whole for our business is not that huge, just because we hedge both revenues and expenses.

Your next question comes from the line of Mike Cikos from Needham & Co.

You have Mike Cikos on the line here from Needham. Just had a question for you. If I'm thinking about the guidance and the results you guys just put up in Q2 here, it looks like most of this upside is coming from lower-than-expected OpEx. And I'm trying to determine, I guess, should we anticipate a larger ramp as we look out to calendar '22? Are you behind in any of your expenditures, whether it's ramping sales force or hiring engineers for your R&D team? Can you help us think about those different expense buckets.

Happy to. So as you know, earlier this year, when we had first set out and share the annual review guidance as well as the EPS guidance, things were a little bit different. We are going through some change in management, including with Sumedh, who's been with us for a decade. But obviously, he's in a new role as the CEO. And Alan, the CRO, we haven't had a CRO before he joined for the person this year, and that's been a fairly recent. Our new CMO, who will be joining later this month. And so with that said, the timing of investment has been a little bit pushed out. And as we're working together as a team, we're not exactly sure in terms of when that will translate into actual P&L impact and the margin contraction. So I think it is fair to say that some of the investments that we were planning to make this year has been pushed out to next year. But also keep in mind that we are seeing the business momentum and turn around on bookings kind of indicated by our current billings growth even without a significant investment in expenses, whether it be sales and marketing or R&D or G&A or cost of revenue for that matter. And so we don't see that changing. But I think it is fair to say that next year will continue to be an investment year for us.

And just 2 other questions, if I could. The first on your VMDR uptake, I think the adoption that you guys cited was 47%, which I know is above the mid-30s that you guys were running in recent quarters. And so the first question on VMDR, can you help us understand what's driving the improved adoption rates there? And then the second item, I know it's still early days, you're in beta with a few customers on your XDR solution. But if I'm just thinking about the overall XDR market, it seems like there are real players there. And I'm just wondering how you guys anticipate differentiating your solution or more effectively competing there versus some of the other vendors?

So with respect to VMDR, let me address that first. So what we have said, the penetration rate that we've been disclosing previously what percentage of VM customers that are up for renewal in the specific quarter. Just because we launched VMDR at the end of Q1 last year. So what we were focused on is take a look at VM customers that are up for renewal in that specific quarter and see, which subset of customers, it makes sense for them to really adopt VMDR. So that percentage we knew would from quarter-to-quarter. So that percentage being 34%, slightly lower than I know that some people were expecting and 47%, which is higher than I'm sure that some people were expecting. It wasn't necessarily a surprise to us because it's really up to the customer. And this is actually one of the reasons what that's kind of hitting that first full quarter of VMDR, we did disclose that percentage customer penetration, which is 28%. So 28% is slightly different because that's at a total number of ad customers that we have, and that has been also trending up, which has been a meaningful metric for us to track. And that was last quarter, 24%, now it's up to 28%.

And I will add to that, the VMDR adoption definitely is good this quarter, and we are quite happy with the way it's trending. And it's been a combination of, obviously, as VMDR has been out there for a year. Customers who are coming up for renewal, they're seeing the secure, they are being able to see that as we talk to other folks in the industry who have used VM. The -- some of them are somewhere attack and malware attack that we're seeing are pushing more towards how do you get remediation much faster and VMDR is very unique from that perspective. Is that it combines that ability to get quicker remediation down. And that is -- that combined with some of the packaging changes also that we are doing from an SMB perspective. So it's been a focus for us as we combine a combination of few different things that we are pushing to get that adoption going up. But mostly, it's really just customers seeing the value and as they are budgeting or their renewals are coming out, they're budgeting for the upsells that are required for VMDR and we hope to continue to see this moving forward from a VMDR adoption perspective. And then I would say on the XDR side, we're getting positive feedback from our current customers. And I think the biggest differentiator for us is unlike a lot of XDR vendors, which are some variation of a SIM, those platforms typically do require a lot of the telemetry in the data collection to be done by the other solutions that the customer has to deploy and put them into the TDR solution. And that's where we see ourselves -- and as customers are deploying a single quality agent and collecting all the data about inventory, about longer cities, about EDR, about file integrity in cloud containers, information about non-IT assets where you cannot have an agent as we do a lot of scanning, so IoT devices, being able to get printers, all kinds of different infrastructure information into the platform. That's different because all of that is already collected by Qualys. And now we're just taking some additional data points from firewall and a few other solutions to bring that additional context versus what we see otherwise for the most part is it's DR solutions. They have data collection capability for maybe one aspect, but then they still require a customer to deploy multiple other solutions so that they can take a lot of data from those solutions into there. And that's really the big differentiator that we see as we will be going to market those customers as they continue to standardize on multiple solutions from Qualys with them being able to enable HDI on the same platform and see the value quickly should be much quicker than having to try to deploy some sort of other SIM solution.

And your next question comes from the line of Jonathan Ruykhaver from Baird. Your line is open.

Yes. Sumedh, I'm wondering if you can talk about the demand trends around vulnerability management, particularly in light of the constant barrage of announcements regarding known vulnerabilities in -- And have you seen an uptick in, I guess, volumes in scope of scanning within enterprise customers? And if so, does that lend itself to expansion opportunities at renewal? Or is that not the case?

Yes, I think there's multiple different things happening. That's a great question. And I think what we see right now, everybody is surprised with ransomware attacks, right? So organizations are surprised and the reason they are surprise was while they've always owned that asset, they've had that asset, they have not had visibility in the way that they would apply. So that they did know the asset was there, they did have the inventory of their asset or they were not clear that these assets have vulnerabilities or they were not prioritized properly, or if they were, then they were not cash properly. And so I think that's a big reason why the risk is being evaluated a lot. We're having a lot of conversations with our customers as they're looking to say, how do I get that visibility. So I can be ahead and try to fix these issues before the attackers are getting that visibility, right? And so these conversations, but what it does lead to is more of a holistic conversation or not just a knee jerk reaction of should I just buy more of this and more of that. What they are looking at is with VMDR, with CSAM, how is Qualys and with Patch Management combined, how does that provide them much better visibility into being on top of their assets, their end of life, their vulnerabilities that are being attacked actively prioritizing those, being able to patch them much quicker than traditional IT setup where you have to go through multiple tools and teams. And rearchitect their VM programs to be a lot more automated, a lot more nimble. And those conversations we do see are happening. And that, obviously, in case of customers are really to expand their scope with VMDR with Qualys, either immediately in some cases. And again, we don't choose our customers, push them to do that. In some cases, they are working out on a new architecture that they're going to deploy over the next few months. And so they are getting more, I understand. But like I said in that one of the examples that new customers that are coming on to Qualys, they are getting the MDR CSAM, EDR, a few of those right off the bat. So we do see that as we are looking -- customers are looking at getting a new solution and new architecture, they are buying few things from Qualys right off the back because we see the value of having all of that in a single platform.

So you're seeing the opportunity to really drive a higher ACV because of the value in the broader platform, it sounds. So the other question, so if you look at the U.S. growth, it's lagged international, I think since the beginning of 2020 -- Can you just talk about the reasons for that relative difference? Is there anything specific around competition or execution that you would highlight?

No, nothing in particular. It's really driven by our sales reps and their ability to kind of penetrate and land new customers as well as expand our existing. And there is a law of smaller numbers with EMEA and APAC still being a smaller percentage of our total business versus Americas, but nothing notable to highlight there.

Just to clarify that fleet year suggesting that it's more new customer growth that's driving the strength internationally?

No, no. It's both new and existing. So what I was highlighting is there's really -- like there's both a new renewal and upsell bookings that we see across the board, but nothing notable in terms of our competitive advantage or positioning across different regions or territories. It has more to do with the fact that EMEA and I would say compared to Americas like U.S., it's still a pretty emerging countries or territories that we haven't really fully penetrated at this point. And there is a law of smaller numbers there.

Yes. And we're also seeing that as in the U.S., the large customers have very entrenched architecture over the years. So as they are working to change that move towards more modern architectures, some of that lag we see at times between when they want to and when they can actually make it happen in the U.S. more so, whereas internationally, they tend to have not so much of an entrance legacy architecture and tend to sometimes be able to execute a little bit faster on all these things. So it's a combination of different things that we see.

Thank you. I am showing no further questions at this time. I would now like to turn the conference back to our CEO, Mr. Sumedh Thakar for any closing remarks. Sir?

All right. Thank you for attending our earnings call and your questions. We believe our integrated platform is very well positioned to respond to customers' increasing need to detect and remediate issues at an increasingly rapid pace. Looking ahead, we're focused on executing our growth strategy encompassing continued innovation and advancing our go-to-market motion to reaccelerate growth while driving increased value for our customers and shareholders. Thank you again.

Thank you. Ladies and gentlemen, this concludes today's conference call. Thank you all for joining. You may all disconnect.