Qualys, Inc. (QLYS) Q3 2021 Earnings Report, Transcript and Summary

Thank you for standing by. Welcome to the Qualys' Third Quarter 2021 Investor Call. At this time, all participants are in a listen-only mode. After the speakers' presentation, there will be a question-and-answer session. [Operator Instructions] I would now like to hand the conference over to your first speaker, Mr. Blair King, Investor Relations. Sir, please go ahead, sir.

Thank you, Rachael. Good afternoon and welcome to Qualys' third quarter 2021 earnings call. Joining me today to discuss our results are Sumedh Thakar, our President and CEO, and Joo Mi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks and investor presentation are available on the Investor Relations section of our website. With that, I'd like to turn the call over to Sumedh. Sumedh?

Thanks, Blair, and welcome, everyone, to our third quarter earnings call. Continuing to build on our momentum, we are pleased to report another quarter of solid financial performance while further advancing our strategic agenda to re-accelerate growth and drive continued platform innovation. Taking a closer look into Q3, cloud agent subscriptions grew 40% year-over-year to 70 million reflecting steady adoption of our Vulnerability Management, Detection and Response, VMDR solution, which is now deployed by 32% of customers worldwide. Further validating our security solution consolidation approach and the power of a single agent, several of our top new customers not only purchased VMDR, but also made additional Qualys solutions a part of their first purchase. Highlighting a few of these notable new wins in the quarter, a multi-national bank selected VMDR and Patch Management together to continuously detect and prioritize vulnerabilities and misconfigurations across its hybrid IT environment. The ability of the Qualys Cloud Platform to respond rapidly to remediate and patch assets that are vulnerable, or already compromised, from a single platform with built-in orchestration stood out among several competing solutions. We believe this approach will help them to reduce their risk much faster than siloed point solutions. Our newly released Cybersecurity Asset Management application received a lot of interest from customers, and we are pleased with the early momentum we are seeing. This early momentum illustrates our ability to understand our customer's evolving pain points, respond quickly with updated roadmap and accelerate our time-to-market with differentiated security solutions that help fuel our growth. A Forbes 2000 company selected VMDR along with Cybersecurity Asset Management over several competing solutions. The ability to provide comprehensive asset discovery across its infrastructure to uniquely add context for security-centric visibility, CMDB sync integration, alerting and response capabilities was a key differentiator compared to other vulnerability detection only solutions in the market. And, to reduce the number of agents in its network and secure an increasingly remote workforce that could no longer effectively leverage on-prem solutions, a large government agency in the APAC region decided to purchase both VMDR and EDR. Our ability to provide a prioritized risk-based vulnerability and malware detection response with a single agent was a key factor in our win. Beyond these new customer wins, several large existing enterprise customers significantly expanded their respective breadth of paid applications on our platform, further validating our platform approach. For example, in the quarter, a Fortune 100 customer selected VMDR, Policy Compliance, Container Security and File Integrity Monitoring to cost effectively consolidate their stack of legacy enterprise security and compliance solutions with a single pane of glass view of all assets spanning on-prem, endpoint and cloud environments. We believe that these new wins and expansions illustrate that when customers are ready to re-architect and consolidate their security stack, Qualys is the best cloud-native, multi-solution platform to meet their needs. We are working toward having the right go-to-market motion in place, which includes a strong focus on digital marketing, winning new business, expanding our offerings with existing customers and building out our partner network. To complement our direct and channel sales initiatives with an aligned product focus on security solutions across endpoints, cloud, container, mobile and SaaS environments, we recently hired a seasoned Chief Product Officer. As I mentioned on our prior call, we also brought in a new Chief Marketing Officer to ensure we're top-of-mind as customers around the world look to consolidate their security stacks. And, to continue to improve our business processes, tools, and systems, we recently added a new CIO as well. It's great to have these experienced executives join Qualys as we continue to make investments to accelerate growth and find that right balance with profitability. As an example of focus on enhancing our channel strategy, I'm pleased to announce that TD SYNNEX has recently selected Qualys as its North American distribution partner. TD SYNNEX is currently offering the Qualys Cloud Platform to its extensive base of resellers in the region, including our game changing VMDR solution and patch management capabilities to help customers simplify security operations and lower compliance costs. In Q3, we released Zero-Touch Patch as an extension to our Patch Management application to help IT and security teams further automate the remediation of vulnerabilities. Our automated patch management solution enables customers to set up patching in advance with pre-defined policies by leveraging the Qualys Cloud Platform to correlate and prioritize vulnerabilities while bypassing the need for IT and Security team intervention after the fact. In the current environment of rapid exploitation of vulnerabilities, this functionality changes the game in patch management with real-time remediation and significantly reduces the exposure window as well as legacy IT costs. Garnering broad industry attention, we've received positive initial feedback from customers. Further extending our value proposition in the market of risk-based vulnerability management, we recently launched our 60-day free Ransomware Risk Assessment Service. CISOs are looking for something actionable and measurable when it comes to ransomware. Powered by VMDR and our award-winning research on curated ransomware-specific vulnerabilities, this service includes comprehensive asset inventory, prioritized vulnerability and misconfiguration detection, and remote patching of ransomware vulnerabilities in a single unified workflow along with executive dashboards, enabling enterprises to track risks in a measurable way. We continue to evolve the capabilities of our container security solution. Recently in collaboration with Red Hat, we have containerized the Qualys Cloud Agent to extend security visibility into its operating system. Qualys is the first solution to scan Red Hat Enterprise Linux CoreOS on Red Hat OpenShift to reduce risk. Qualys Container Security delivers comprehensive visibility from the host operating system through to images and containers running on OpenShift and other container platforms. Looking ahead, as the industry continues to move toward cloud native solutions, misconfigured resources have evolved into the number one reason for threat incidents in the cloud. We're currently in beta with our Infrastructure-as-Code, IAC, assessment capabilities, which will enable customers to catch cloud security issues from the time code is written to the time it is deployed. With this extension to our Cloud Security Posture Management, CloudView solution, customers will have complete visibility into both DevOps pipeline and runtime security posture. We look forward to our Extended Detection and Response, XDR, solution going to GA by the end of this year. XDR is our next generation security analytics and incident response application, which natively integrates and correlates asset inventory, risk-based vulnerability management, patching, EDR and FIM security telemetry with additional third-party data integration to provide high-fidelity detection and response. We will showcase these and other new solutions at our upcoming Qualys Security Conference, QSC. I encourage you to attend this conference, which will be a four day live and virtual event from November 15th to 18th and will have many informative product sessions as well as customer presentations. We already have over 3,000 people registered to attend. You can access the agenda and register for the conference at qualys.com/qsc. Big picture, our market position is strong. We're focused on executing on our immediate opportunities with prioritized Go-to-Market investments while advancing new product initiatives that create further competitive differentiation and will ultimately expand our addressable market. With that, I'll turn the call over to Joo Mi to discuss our third quarter financial results and outlook for the fourth quarter and full year 2021.

Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that, except for revenue, all financial figures are non-GAAP and growth rates are based on comparisons to the prior year period, unless stated otherwise. We're pleased to report continued growth acceleration in LTM calculated current billings with another quarter of solid revenue growth and profitability as reflected in the following financial and operational highlights. Our quarterly revenue surpassed $100 million for the first time, growing 13% to $104.9 million. With our Q3 LTM calculated current billings growth at 16%, up from 13% in Q2, and 8% in Q1, we believe that we've crossed that growth inflection point and are on track to accelerate revenue growth. Paid Cloud Agent subscriptions increased to 70 million over the last twelve months, up from 64 million for the 12 months ended in Q2 2021. We're excited by the continued adoption of VMDR with the total customer penetration now at 32%, up from 28% in Q2 and 12% a year ago. Our scalable platform model continues to drive superior margins and generate significant cash flow. Adjusted EBITDA for the third quarter of 2021 was $50.3 million, representing a 48% margin, in line with last year. Non-GAAP EPS for the third quarter of 2021 was $0.86, up from $0.77 last year and our free cash flow for the third quarter of 2021 was $41.3 million, representing a 39% margin versus 52% last year. YTD free cash flow margin was 47% versus 44% for the same period last year. In Q3, we continued to invest the cash we generated from operations back into Qualys including $7.2 million on capital expenditures and $31.7 million to repurchase 290,000 of our outstanding shares. We're pleased to announce that our Board has authorized a $200 million increase to our share repurchase program, which allows us to mitigate our share dilution and drive shareholder value. Including $107 million remaining as of Q3, this provides approximately $307 million in share repurchase capacity. The weighted average diluted shares outstanding in Q3 was 39.9 million, down from 40.8 million last year We remain confident in our business model and believe that we're well-positioned to drive growth given the traction we're seeing in the overall business. We are delighted to be raising our full year 2021 guidance for both revenues and earnings. We are raising the bottom and top end of our guidance range for the full year for revenue to be now in the range of $409.5 million to $410.1 million from the prior range of $406 million to $407.5 million. We are raising our full year non-GAAP EPS guidance to now be in the range of $3.16 to $3.18 from the prior range of $3.02 to $3.07. And for the fourth quarter, we expect revenue to be in the range of $108.1 million to $108.7 million, which represents a range of 14% to 15% growth. We expect non-GAAP EPS to be in the range of $0.78 to $0.80. Q4 capital expenditures are expected to be in the range of $4 million to $5 million. With that, Sumedh and I are happy to answer any of your questions.

[Operator Instructions] Your first question comes from the line of Matt Hedberg from RBC Capital Markets. Please proceed with your question.

It's Dan Bergstrom from Matt Hedberg. Thanks for taking our questions. It is really nice to see the revenue acceleration here at 13% this quarter versus 12% in the first half, guidance implies 14.5% at the midpoint of fourth quarter. Can you talk a little bit about the components leading to revenue acceleration here in the second half and then particularly with the fourth quarter guide?

Yeah, happy to. So we've been talking about the revenue acceleration for a while now. And as you can tell by the LTM current billings, what we're really seeing is the continued growth for this span from existing customers as well as new. So if you take a look at our bookings trajectory and looking at the pipeline, and what we're seeing right now, it's continued adoption of VMDR which has been created and strategically very important to us. And as customers continue to adopt VMDR and increase customer penetration from a product perspective that's been helping us to land more customers as well as cross-sell additional products as Sumedh mentioned during his portion in the spreads like stack [ph] and patch management, we also introduced a new product like CSAM. So overall, I think that our market positioning has strengthened with the new product launches and that has helped with increasing spend from existing customers as well as with our pipeline and our new deals.

Great. And then you mentioned VMDR there. Could you talk about the traction in multi-product adoption by new customers, you mentioned that in the prepared remarks and the last couple of calls, what's driving that trend? Is it simple as vendor consolidation or are customers increasingly realizing the power of the platform on that initial sale?

Yeah, I think it's a combination of both those things. I think, NEC, so you talk to, they really do want to consolidate their stack. And too many vendors solutions and the time is wasted in trying to get the solutions to work with each other. So when you take that, that's essentially that's what the market is really looking for. And then when you look at the Qualys' approach of the platform, where it's a truly unified platform, not just a combination of different tools put together, what that does give with VMDR is that ability to shorten the amount of time that they potentially have to have exposure, because we not only give you a list of vulnerabilities, like other scanners do, but then we take that into the prioritization as well as the ability to provide patching of those vulnerabilities with the same solution. So you can really get that ability to reduce the exposure window and make that much quicker and faster. And a big part of VMDR is also the adoption of the agents approach, right. So as customers who deploy the VMDR and they have agents, then that ability to drive additional module consumption when you already have the agent certainly is a quicker way for them to see the value so that they can turn on File Integrity Monitoring, they can turn on cybersecurity asset management. And so what we see right now is new customers, when they are coming to us they are in the mental state where they really are looking to re-architect their security solution and look for a new vendor. And so when they see that Qualys is providing not only just a list of vulnerabilities, but the ability to patch, the ability to have asset inventory, the ability to have File Integrity Monitoring and other capabilities, policy compliance built in that's why we see that our top new customers this quarter, as we said also last quarter, right out the bat when they buy something from Qualys, they're not just buying VMDR, they're buying other capabilities, including patch management, as well as file integrity monitoring and other solutions right off the bat. So we see that desire to consolidate with the fact that our platform actually provides that in a seamless and easy manner. A combination of that is what we see in our conversation with customers.

Great, thank you.

Thank you. Your next question comes from the line of Curtis Boulanger from Summit Point Capital. Please proceed with your question.

Hi. Thank you very much for taking my question. I want to get your thoughts on capital allocation. So I noticed the Courtot Family Trust has been selling shares in the open market since August. So, it looks like it's been a bit of an overhang and probably explaining the 10% short interest in the stock. I mean, given how well you're executing and tailwinds you are experiencing on cyber, I'm a little bit surprised that stock is higher. So I know you spoke a little bit about share buyback authorization, but I was wondering if you'd be willing to get a bit more aggressive with share buybacks or maybe conducted tender offer to remove the Courtot Family Trust overhang? Yeah, just kind of getting a little bit more aggressive than just offsetting dilution from share-based comp.

Yes, it is great question. We've actually been talking about the capital allocation strategies on a regular basis with the Board and with management as well. And this is actually one of the reasons why the Board has authorized additional 200 million when we had slightly over 100 million left as of Q3. We do believe that our stock is undervalued from our perspective, so it's a good opportunity for us to leverage our cash on our balance sheet with our cash and short-term marketable securities kind of nearing that 500 million mark and so that is our intention. We will be executing based on the revised spread.

That's fantastic. Thank you.

Thank you. Your next question comes from the line of Erik Suppiger from JMP Securities. Please proceed with your questions.

Yeah, thanks for taking the call. A couple questions. One, just in light of a number of new executives that you've brought on, including the CRO, I'm curious, have you formulated any differences or changes in strategies in go to market or anything - any observations that we could take away? And secondly, in terms of the XDR product, I'm just curious, are there any particular profile customer that you're looking to take that into? Is there a logical direction that you would initially take with taking that to market?

Yeah, great questions. I think, first, I am definitely excited to have these seasoned leaders come on board. I think, as we have stated, our focus really is to drive continued platform innovation and that's where bringing someone on board as a CPO really helps us ensure that we are continuing with our innovation, continuing with our engineering innovation and then working closely with the CRO and the CMO and their teams to have a much better education between the product and the new products that we are creating and the new opportunities that we are creating and ensuring that we have a good sales enablement, we have a good end-to-end workflow between marketing and sales so that we are getting all the campaigns driven through the product from other sources, as well as the driving that to the sales team so that they can focus on converting these accounts. And Alan now has been here for five, six months and we really work very well together and we've really established a really good working relationship there, so quite excited to see him start to focus on having an impact here. And we have been working through different strategies in terms of how we want to proceed with investments, where we want to make them. And I think as we will work through that to the rest of the year and we should have some additional thoughts on the Q4 earnings. And then on the XDR side, I think there's a lot of SIM solutions that are starting to brand as XDR but the issue with a lot of them is that the SIM solution really does need the ability to have other vendors deployed to collect the data and pipe that into the SIM solution and that's where we differentiate ourselves in the approach that with Qualys platform deployed, as you see, so many solutions already consolidated on the platform, a customer who has the current Qualys capabilities already is getting all the telemetry needed for everything from endpoints, vulnerability management, asset inventory, EDR, File Integrity events, and then also all a lot of the data from the cloud and container environments is already coming into the Qualys platform as part of their subscription. So the amount of additional information needed for correlation from third party products is limited to firewalls and a few other solutions like that. So the deployment and the value that a customer can get by being in their existing Qualys account and enabling this capability XDR capability and then being able to bring third party data, we believe is going to be very differentiating in the market where typical XDR solutions require a lot of time to get them deployed and get them working and a lot of professional services are required. So, clearly, we see that this is going to be a journey where we will focus on the - very initial focus after we go [indiscernible] will be on the mid-market and lower-end of the market where customers do need a simplified single platform solution where it's not just a threat detection platform, but it also does that risk mitigation with vulnerabilities and patching. And so they don't have as many resources - I mean, there's a general shortage of cybersecurity resources across the market, but especially on the mid-market and the lower end of the market, certainly there are more needs for a consolidated solution where they need fewer people to manage and monitor and deploy these solutions. I think we have use cases, we are working with larger customers as well, where they see specific value in XDR that Qualys is bringing, despite them having some other SIM and XDR platforms, just because the amount of context data that already is collected in Qualys and the threat intelligence is already there is very valuable to them. So I think, as the next year or so evolves, we will see more of that shift in terms of how mid-market customers and then going up to the larger end of the customers, how they will start adopting the solution.

Very good. Thank you very much.

Thank you. Your next question comes from the line of Brian Essex from Goldman Sachs. Please proceed with your question.

Hi, good afternoon and thank you very much for taking the question. I was wondering maybe if I could fall into one of the previous questions that were asked and I apologize if I missed it, if it was commented on before but I guess on sales and marketing initiatives, given the changes in executive management, any sense of what we might anticipate for the trajectory of spend there, and how you might think about incremental spending relative to maintaining profitability to drive growth.

Yeah, in terms of the sales and marketing, we're working very closely with our CMO and CRO, as well as our new CTO to understand the incremental spend that we think that is necessary, and we should be spending. And, we do have an intention to increase that investment, as we said all along. And I'm sorry to repeat that every quarter, but it is taking a little bit of time for us to formulate a plan, just because everyone is new and of course, it takes time to further increase spend in a meaningful way, keeping the right ROI in mind. So with that said, we're going through the budget planning cycle right now, we will be providing additional color and guidance at next quarter when we will provide the annual revenue guidance as well as the ETS.

Got it. That's helpful. Thank you. Nice to see the incremental VMDR penetration within your installed base. Have you offered how and I apologize again, if I missed it, but the percentage of VMDR as a percentage of total bookings over the last 12 months or any kind of other metrics to give us kind of a bookings or revenue penetration rate.

Yeah, so in terms of the bookings, as a percent of LTM bookings, VMDR now makes up over 40%, so it is significant. And I know that one of the metrics that we talked about that the quarterly renewal ones that are up for renewal with the VM solution, we're talking about that percentage actually went up to 57%, up from 47% last quarter. So what you're seeing and what we're seeing in the momentum of the business that we wanted to make sure that we communicate and relay that message to investors is, we really see this as an inflection point where you see a couple of quarters of consistent kind of uptick in the leading indicators that we're tracking, VMDR is one and that has kind of contributed to some of the customers purchasing additional solution. It's still a little bit earlier on but we do see it. We do see a pattern, a strong retention rate continuing that upsell rates and as those continues to track the momentum in the business, we believe that this will lead to further acceleration in revenue. We're hoping to give a little bit more color and of course, a full year guidance next quarter.

Got it. That's helpful. Thank you very much.

Thank you. Your next question comes from the line of Hamza Fodderwala from Morgan Stanley. Please proceed with your question.

Hey, guys, thanks for taking my question. Apologies, I dialed in a little bit late, so if this is already answered. But just, first question for Joo Mi, just a housekeeping one, for the current billings metric, was there any sort of contribution from the total cloud acquisition at all, either to acquired deferred revenue or revenue in the quarter?

No, it had no impact to that top line financials at all, so it's outside of that.

Got it. And then just my follow up on the hiring environment, obviously, it's a very difficult labor market. A lot of companies are seeing a lot of wage pressures. I'm curious, as it relates to hiring, what's the experience been like there in the past couple quarters and how you're kind of reflecting that into your forward margin outlook? Thank you.

I think if you will see, we have done, I would say, a good job in the last few months of getting a lot of the key hires hired in the company, right. So yes, I think the market is interesting. But I think when there is a good strong opportunity, and these leaders as they are coming into Qualys, believe in the story and opportunity here, I think we're seeing that we do feel the market right now can get sometimes inflated for certain roles, etc. But I think when we are spending the time to talk to the right people, show them the right growth that they can have at Qualys, I think we're seeing good results in terms of us continuing to be able to hire the right people and bring them on board. And I think that's what we are looking at across the board, even on the engineering side. And then also it helps us in different ways, because a good part of what we do with engineering product development is also spread out with our teams in India, where we have a large presence as well. So it gives us more opportunities to be able to find good talent between different locations and continue to invest and hire the right resources and the right talent in India as well. So that kind of helps us in terms of being able to withstand the pressure that we get from the market right now and in the hiring scene that we're seeing right now.

Yeah, and in terms of our margin forecasts, primarily if you take a look at our Q4 that implied margin, it's slightly lower than what we've been achieving so far year-to-date and primarily it's due to our Q4 event. As Sumedh mentioned that QSC is live, it will be in person in Las Vegas. We will of course have some sessions available online as well but we do have incremental additional marketing expanse that we typically incur in Q4.

Okay. Thank you

Thank you. I'm showing no further questions. I would now like to turn the conference back to Sumedh Thakar. Please go ahead.

Thank you all for joining us today. We believe that we are well positioned to capitalize on the move in the market towards a consolidated security and that sort of platform solution really offers. We look forward to sharing continued progress in coming quarters. Thank you very much.

Thank you. This concludes Qualys' third quarter investor call. Thank you for participating. You may now disconnect.