Qualys, Inc. (QLYS) Q4 2021 Earnings Report, Transcript and Summary

Thank you for standing by and welcome to Qualys Fourth Quarter 2021 Investor Call. At this time, all participants are in a listen-only mode. After the speaker presentation, there will be a question-and-answer session. [Operator Instructions] Please be advised that today's conference may be recorded. [Operator Instructions] I would now like to hand the conference over to your host, Blair King, Investor Relations. Please go ahead.

Thank you, Latif and good afternoon and welcome to the Qualys fourth quarter 2021 earnings call. Joining me today to discuss our results are Sumedh Thakar, our President and CEO; and Joo Mi Kim, our CFO. Before we get started, I'd like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today and we undertake no obligation to update these statements as a result of new information or future events. During this call, we'll present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks and investor presentation are all available on the Investor Relations section of our website. So with that, I'd like to turn the call now over to Sumedh.

Thank you, Blair and welcome, everyone, to our fourth quarter earnings call. We are very pleased to report another quarter of strong financial performance, reflecting a year of progress in our efforts of advancing our go-to-market initiatives, significant platform innovation and strong momentum heading into 2022. In Q4, Cloud Agent subscriptions grew 34% year-over-year to $75 million purchased over the last 12 months. There was also a steady adoption of our Vulnerability Management, Detection and Response, or VMDR solution which is now deployed by 36% of our customers worldwide. These results continue to validate our security consolidation approach and the power of single agent as customers increasingly transition to VMDR. Our go-to-market enhancements are starting to yield results as we are executing well to seize on heightened demand trends and opportunities we see in the market. The customer stories I will share with you today not only highlight our growing leadership among large enterprise customers but also the growing desire among CISOs and CIOs to consolidate their security stack and leverage automation in their security and compliance operations to achieve expedient remediation of risk in their organizations. Recent high-profile ransomware attacks and critical vulnerabilities like Log4Shell and [Indiscernible] have highlighted organizations need for a scalable vulnerability management solution like Qualys VMDR that not only accurately detects these vulnerabilities but also helps reduce exposure time with integrated asset discovery and remediation capabilities. Within days of Apache announcing Log4Shell vulnerability, the Qualys research team, engineering team and product teams released a free 30-day log shell detection and remediation service, leveraging multiple Qualys capabilities like Cybersecurity Asset Management, VMDR, Patch Management and web application scanning. Since the Log4Shell announcement in early December of last year, the Qualys Cloud Platform has detected millions of unique Log4Shell vulnerabilities, underscoring the strategic relevance of our platform in our customer environment. Additionally, given the extensive impact of Log4Shell, the global organization, our research team released multiple open source tools to help discover and remediate this vulnerability for the global community, further demonstrating both our leadership and commitment to the industry. A few illustrative wins in the quarter include an existing Global Fortune 200 customer in the EMEA region which standardized on Qualys VMDR policy compliance, Patch Management and Asset Inventory Capabilities to cost effectively consolidate it's stack of legacy enterprise security and compliance solutions into a natively integrated platform, linking multiple data center and endpoint environments. In addition, a new Fortune 600 customer selected VMDR and Cybersecurity Asset Management over several competing solutions. The ability to uniquely provide comprehensive asset discovery for security-centric visibility, CMDB synchronization, alerting and accurate response capabilities once again stood out among vulnerability detection only solutions in the market and was a key differentiator in our win. We believe these new wins and the early success we are experiencing with our newer applications characterized that when customers are ready to rearchitect and consolidate their security stack, Qualys is the best cloud-native multi-solution platform to meet their needs. Looking back at 2021, I believe the Qualys team has responded incredibly well to unexpected challenges and opportunities demonstrating the transformative value of our newer solutions, the depth of our customer relationships and the extraordinary abilities of our global and diversity. We continue to broaden our platform and grow our business. building a strong team with additions of new executives, including a new CRO, CMO, CPO and CIO, more recently, Bill Berutti joined Qualys Board in December. Bill has extensive go-to-market experience in enterprise software sales and marketing and we believe he will be a great asset to the team as we build out our go-to-market motion in 2022. With this foundation in place, over the next several quarters, we plan to increase our sales and marketing investment with a focus on digital marketing programs to drive pipeline and customer reach, grow our sales team to further leverage our opportunity in the market and expand our channel by recruiting and enabling partners. With respect to platform innovation, our goal is to remove friction for customers while making product expansion simple and hassle-free. A customer, who may currently only use VMDR, should be able to adopt all of our other applications with the click of a button. In 2021, we executed well against this objective while changing the game in security as we brought together asset inventory, risk mitigation and threat detection and response into a natively integrated cloud-based platform. We believe these platform innovations help customers remediate vulnerabilities much faster than alternative siloed detection-only solutions. Further advancing our platform innovation agenda, I am pleased to announce that our Context XDR solution now GA. As many of you know, this is a natural extension to the Qualys Cloud platform and our next-generation security analytics and incident response application. Our Context XDR application natively integrates and correlates asset and risk-based vulnerability context, patching, EDR, file integrity monitoring and security telemetry with additional third-party data integration to provide high-fidelity detection and response. Customers are telling us they want a simplified solution for security analytics and response. We believe this solution satisfies that demand as it leverages our scalable backend and it's array of sensors which already collect, enrich, normalize and correlate trillions of data points across all environments on a single cloud agent for Qualys customers. While the overall market for this solution is still in the early innings, we are excited about this product and it's potential, especially in light of the positive feedback we have received from customers who have been early adopters of our XDR capabilities. Looking ahead to 2022, we plan to maintain a dual innovation strategy. Primarily, we will continue to invest in internal R&D and scale our organization to further differentiate our automation detection and response capabilities and we will further expand our product portfolio into EDR cloud container, security and industrial control system security. Secondarily, making highly targeted and opportunistic acquisitions to enhance our platform and accelerate our time to market. As a reminder, in 2021, we completed the acquisition of TotalCloud to bring visual cloud remediation workflow technology to the Qualys Cloud platform. To further support our growth agenda, we plan to invest more broadly in the business to expand our cloud platform presence and to enhance our business processes, tools and systems to help drive better operational efficiency and business outcomes. In summary, we believe the Qualys Cloud Platform is the go-to solution for agent consolidation, cost savings, increased user productivity and better cyber-protection. We believe we are well positioned to continue our market momentum and expand our leadership as we build out our success, enhance our platform capabilities and further extend our reach into new and adjacent markets. With that, I'll turn the call over to Joo Mi to further discuss our fourth quarter results and outlook for the first quarter and full year 2022.

Thanks, Sumedh and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP and growth rates are based on comparisons to the prior year period, unless noted otherwise. We're pleased to report continued growth acceleration and strong profitability as reflected in the following financial and operational highlights. Revenues for the fourth quarter of 2021 grew 16% to $109.8 million, up from 13% growth in Q3. While the majority of the beat was due to outperformance in renewal and upsell, with our net dollar expansion rate increasing to 108%, up from 103% last year, a higher-than-expected growth in new business also contributed to the revenue acceleration. With our Q4 LTM calculated current billings growth at 18.5%, up from 16% in Q3 and 13% in Q2, we are entering the year with strong momentum and increased confidence in our ability to drive shareholder value. We believe the investments we've made in platform innovation in a single-agent approach to enhance our value proposition with customers and help win new business opportunities throughout the year. This quarter was no different. We're excited by the continued adoption of VMDR, with total customer penetration now at 36%, up from 32% in Q3 and 19% a year ago. And continued adoption of Qualys Solutions increased large customer spend, with now over 125 customers spending $500,000 or more with us. This represents a 17% growth from 2020. We attribute this success to our position as a leading security and compliance cloud-based platform that essentially managed and self-updating allowing our customers to consolidate their stack while helping to build security and compliance into their digital transformation initiatives. Our scalable platform model continues to drive superior margins and significant cash flow. Adjusted EBITDA for the fourth quarter of 2021 was $49.6 million, representing a 45% margin. EPS for the fourth quarter of 2021 was $0.84 and our free cash flow for the fourth quarter of 2021 was $35.5 million, representing a 32% margin. In Q4, we continued to invest the cash we generated from operations back into Qualys, including $4.3 million on capital expenditures and $35.1 million to repurchase 273,000 of our outstanding shares. Looking back on the year, we are proud to have continued our product leadership while growing revenue, earnings and cash flow for shareholders. In 2021, with focused execution, we finally crossed a growth inflection point and started on our journey of revenue acceleration. We operated effectively through the pandemic and management changes in the company to reverse course in delivering better-than-expected results on both new and existing customer experience. Cloud Agent adoption grew over 34% from 56 million Cloud Agent subscriptions a year ago and VMDR now accounts for 46% of total bookings. This is a testament to our success in continuing to build relationships with customers and opportunities ahead to seamlessly cross-sell other Qualys solutions such as Patch Management, Cybersecurity Asset Management, Multi-vector EDR and recently launched XDR. Notably, this was achieved even before a meaningful increase in investment with EBITDA margin of 46%. The leverage we generate demonstrates the efficiency of our model and gives us confidence in stepping up ongoing investments in the business. With the new executive team, we plan to significantly increase investments across business functions to maximize returns and also to enable us to remain highly competitive in the talent market. Last year, we grew EPS by 12% and generated strong free cash flow, ending the year with a 43% margin and over $500 million of cash, cash equivalents and marketable securities on our balance sheet. This is after returning $130 million of cash to shareholders by repurchasing approximately 1.1 million of shares. Given our highly scalable business model, even with incremental additional investments in 2022, we believe that we will continue to deliver industry-leading margins relative to peers. Shifting now to guidance for 2022. Our success validates our thesis that organizations of all sizes are increasingly looking to consolidate their security stack into a single agent with their solution. With an executive leadership team in place, armed with powerful new cloud platform capabilities, we believe the time is right for us to flip the power of the platform in the market and invest more in the business. Given that, we anticipate operating expenses to increase as we expand our sales organization and our channel efforts, as well as focus on digital marketing and demand generation initiatives. Additionally, as a leading vendor of security and compliance solutions, innovation remains a top priority. So incremental investment in our platform is anticipated to enhance automation and cloud security capabilities for our customers. And to support our growth expectations, we expect to make investments in our infrastructure and our people throughout the year. We believe these planned investments will position us to further accelerate our growth and maximize shareholder value. With that framework in line for 2022, we expect full year revenues to be in the range of $482 million to $485 million. which represents a range of 17% to 18% growth. In terms of profitability, we expect full year EPS to be in the range of $2.87 to $2.92. This implies EBITDA margin in the high 30s with higher incremental increase and expense in the second half of the year. For the first quarter, we expect revenues to be in the range of $112.5 million to $113.1 million which represents a range of 16% to 17% growth. We expect EPS to be in the range of $0.80 to $0.82. Our planned capital expenditures in Q1 is approximately $67 million. And for the full year 2022, we expect to invest in the range of $25 million to $30 million. In conclusion, as we enter 2022, we remain excited about our opportunity to drive durable top line growth while leveraging our highly scalable model to maintain industry-leading profitability and margin expansion in the long term. With that, Sumedh and I are happy to answer any of your questions.

[Operator Instructions] Our first question comes from the line of Erik Suppiger of JMP. Your line is open.

Yes, thanks for taking the question. Good quarter. Talk a little bit about the competitive dynamics that you think you'll see as you start to expand into some of these markets. How do you -- what kind of advantage do you think you'll have as you get into the EDR market and what features or functions do you think you'll have to compete against the likes of CrowdStrike and SentinelOne and some of those players?

Thank you, Erik. Great question. I think when we look at the work that we have done with our customers over a period of time, I think today, a lot of organizations are dealing with siloed solutions, including a lot of the platforms that are out there are either only focused on threat detection, somewhat focused only on inventory, others maybe on risk mitigation. And so I think where we see really the core advantage that we have and as you saw in the release that we did with ContextXDR is that we have -- we believe that we have a platform that is obviously highly scalable with the cloud native platform. But it also brings a lot of the additional context that typically detection-only solutions don't offer where they're mainly focused on correlating long data. So a lot of times, analysts really need to find out the context of the asset, the business context, the criticality, what is the posture of those assets, is it running end-of-life software, etcetera. And that context isn't missing from any of these XDR solutions out there. And so that's why as we work with our customers and we saw the challenges that they are facing, we focused on creating a solution on top of our platform that not only does the log aggregation and is obviously, we did this very natively on our platform, not really trying to put different technologies together through acquisition. It's something that we felt like natively developing on the platform would give us that native correlation that comes with having a very strong inventory capability, a very strong risk assessment capability, ability to patch. And so ultimately, what it does is that it brings the various elements of security that CISOs are looking for which is first, know what you have. Second, find and remediate your risk. And then third is threat detection and response, all together in a single platform. So that ability for us to not only detect the threat actor and take response by the same agent, same platform also helping patch things proactively, so you're not getting compromised. We see those are some of the key advantages relative to other solutions or platforms that have sort of put together their solutions by taking different technologies.

Okay. And Joo Mi, in the past, I think you've given a customer count at the end of the year. Do you have a customer account for 2021?

Yes. Before when we disclosed over 19,000, it actually included three customers. If you take a look at just our paid customers, it's over 10,000. The growth in the customer base has been in single digits. And so in 2022, our focus and priority is to increase market share, increase in new customer plans and we're planning to do that by increasing our quota carrying sales reps in addition to working on some of the other metrics -- performance metrics, including the win rates as well as attainment per rep.

Did you say that historically, it's been growing in the 10% range? Or what was the growth that you said?

It's in the single digit. It's less than 5% for this year.

Okay. All right. Last question. Any updates on your web app security or your cloud container security business. Some of the smaller companies have been showing some good growth in that space. Any updates in terms of your progress on that front?

Yes. I think we continue to see the early conversations, early adoption of some of these solutions by our existing customers. And I think it really comes down to the same conversation that we have is that a lot of the smaller players, they end up focusing only on the cloud aspect of it, when almost all organizations have to deal with a hybrid environment that includes on-prem assets, that includes assets that are remote with workers who are still working from home, as well as cloud and multi-cloud and container environments altogether. And so when they're looking for risk, as an example, with Log4Shell, the don't want to go to four different solutions, one for cloud to find your exposure, one for on-prem, one for endpoint. So we do see that continuing with that consolidation and providing these capabilities on the same platform and enhancing those capabilities which we plan to do in 2022 with additional updates to those products. I mean I see that the customers will be looking forward to getting a more consolidated visibility rather than sort of having cloud silo, cloud-only solutions and endpoint-only solutions.

Very good. Thank you.

Thank you. Our next question comes from Matt Hedberg of RBC Capital Markets. Your question, please.

[Indiscernible] for Matt Hedberg. It's nice to see the revenue acceleration for '22 here and momentum to start the year. Joo Mi, you pointed out in your prepared remarks some of the acceleration or inflection maybe somewhat preceded incremental sales and marketing spend. Just curious if that evolved or maybe redirected any areas you had planned for investment previously or was -- were the targeted areas more decided with budgeting based on what you saw at the time? And then maybe what was your view around determining the right magnitude of investment?

Yes, it's a great question. With the new executive team in place, we've had some in-depth discussions with the CRO, CMO as well as CPO and other executives to determine where are the right priorities that we should focus on and how do we maximize our ROI. And what we decided on for 2022, there are multiple different levers that we're working on right now. And one of the key priorities is in attracting and retaining great talent. And I think part of that has to do with our quota carrying sales reps. If you take a look at our sales and marketing head count, in 2021, we ended the year slightly over 300 which is single-digit growth over the fourth -- prior year. We think that there's definitely room there where if we're able to increase our sales force, that should help to increase our bookings growth, since 60% of our revenue actually comes from direct sales force versus 40% from channel. So that hasn't changed. In terms of the magnitude, we're planning to increase investments to the extent possible, where we've actually increased our recruiting team to make sure that we're taking advantage of the opportunity out there. I think that given the inflationary pressures, a lot of the companies are facing some challenging times. Fortunately for us, given our highly comfortable business model, we do have the flexibility to increase spend at this time to not only gain market share but to scale the team and the business, so that we can target a higher longer-term margin where -- as we said before, we think that given our business model, the fundamentals remain strong. We think that there's definitely a possibility for us to get our margins back up to that 40% plus in the longer term. But for us to do that, we need to be able to accelerate the growth momentum and we're planning to execute against that this year.

Okay, great. And then certainly an elevated threat environment, you mentioned the 330-day web application scanning trial around Log4Shell in December in the prepared remarks. Just curious around the reception of that free service that drive new customers and then maybe more generally, was Log4Shell, was that something that benefited the quarter? And then maybe does that persist through '22?

Yes, I can take that. I think as you've seen with some of the services we have released throughout the year with ransomware or even SolarWinds earlier, our focus generally. And as you heard in the prepared remarks as well, our focus generally is first to create a solution that will help the customer base, existing customer base, other noncustomers their ability to really protect themselves. And that's why we also released open source tools this time that were not targeted specifically at our existing customers. So our goal definitely is to show the capability of the platform and how quickly we can spin up a new service and how quickly the customers, in the case of Log4Shell, as an example, can sign up and start getting value out of a cloud-based solution, where they can sign up and start using a web application scanning to detect this in a matter of minutes or hours. And so the way we look at that is that, that generates engagement with the various customers and prospects. And it gives them the opportunity to experience the capabilities of Qualys. That doesn't necessarily mean that they are at the point immediately within that time frame for changing their existing solution or acquiring a new solution but it does help us create that engagement which as -- since it is a displacement focus for them that they are ready to have experience the Qualys capabilities their existing products may come up for renewal, etcetera. So I think we look at that as more of an engagement strategy that allows us to have multiple points of engagement and be able to quickly show the capabilities of the platform, not just on the endpoint but also on the web applications as an example. And definitely Log4Shell really highlighted how critical it is to have a really professional vulnerability management solution. But more importantly, it also highlighted that customers, it's not just a vulnerability management solution, they needed the ability to have a solid asset inventory, to track as an example, the list of software that contain Log4Shell that was released by CISA that people should focus on. So that ability on the platform can not only detect a vulnerable instance will also provide asset inventory and patch management as a way to get remediation done in a broader scope and then using EDR on the same platform to track if some of those exploits are actually being executed. I think that's the engagement and the power of showing the multiple capabilities was important. So I think in Q4, I would say that a lot of -- we were very focused on helping our customers who are really at that point scrambling to respond to that and we were able to detect millions of these vulnerabilities on customer environment and help them with seeing where they are. And I would say it helped a little bit, nothing material, I would say. It helped with just some customers who wanted to maybe acquire some of these licenses that they were looking for quickly. But I do think that in 2022, it's not just specifically to Log4Shell but I think just the elevated conversation around Log4Shell and ransomware and [indiscernible] has created conversations that we think are favorable in terms of customers looking at vulnerability management remediation and authentication platform going into 2022.

That's great. Thank you.

Thank you. Our next question comes from Yun Kim of Loop Capital Markets. Your question, please.

Thank you. Sumedh, Joo Mi, congrats on a solid quarter and a positive guidance. Good to see that business momentum is building here. Sumedh, obviously, you're benefiting from the VMDR upgrade cycle within your installed base that's driving that additional attach and whatnot. It looks like that's tracking very well. Can you talk about, at least qualitatively, the velocity and perhaps the timing of the expand, once the customers upgrade to VMDR and whether -- is it more driven by usage or additional attach of additional products? And should we continue to expect the expansion rate improving as more of your customers are on VMDR?

I think it's a mix of different things. Some customers, as they see the value of VMDR will increase the licenses for VMDR. Others as they have deployed the agent see the value in the remediation. So some of them when they look for patch management, others, they have compliance requirements and they look at file and DVD monitoring. And I think the advantage that I see is that, because we have so many different capabilities on the platform, we're able to meet the customer where they have the need in that particular quarter from their business needs perspective. What is driving maybe in that quarter, they have been driven more for patch management in another quarter. They may be driven or some other customer in the same quarter may be driven by compliance needs, etcetera. So I think we look at it more holistically in terms of that -- our fundamental belief that VMDR is a very powerful capability and the single agent will have customers looking to see opportunities to consolidate their existing tool set. And so we're encouraged with some of the initial momentum that we're seeing and we're going to continue to track through that and make these capabilities available for customers to meet them where their needs are rather than sort of only focusing on one thing or the other.

Okay, great. I mean -- has the timing between the initial upgrade to VMDR and then the additional purchase once they're on the platform, has that time -- timing between the two events shrunk a little bit over the almost two years now? Or has that not necessarily changed? And if you look at the cohorts of the first wave of customers, who upgrade to VMDR, what is their expansion rate in the second year -- or second year?

Yes. Like I said, I think we focus on it holistically. I don't think there's anything material there to talk about right now. But I think we -- we continue to see the conversations of the platform consolidation, driving the initial -- even the initial desire to move to vulnerability management is the future ability to expand into these additional capabilities with this platform is one of the drivers there and so we continue to see that more.

Yes. And just to add little bit of color Yun, you could see that the magnitude and the speed of adoption has -- is much faster than what we had anticipated with 36% of our customers now having VMDR and it hasn't been that long since we launched VMDR. And the VMDR contribution of total bookings is now nearing 50%. So given that what we're looking at it on a holistic basis, I think you could tell by the net dollar expansion rate that we shared. It's 108% up from 103%. And I think that's partly definitely driven by our strategic move in launching VMDR and attracted this in the value proposition that our customers understand and recognize.

Okay, great. That makes sense. Joo Mi, just kind of going back to your answer to Erik's question earlier on. Is there a way to kind of look at how the mix between new and existing customers have trended especially since the introduction of the VMDR?

We're seeing that in 2021, I think that the acceleration in the momentum in the bookings growth and that has translated into revenue growth wasn't primarily driven by existing customers. However, with that said, new bookings did better than what we had anticipated as well. So all in all, we're seeing multiple different levers and signs that the business itself is turning around. If you're taking a look at whether it's from an average deal size increase, average deal size increase for both new customers as well as existing customers. Upsell as well as the retention that's higher for existing customers. And so looking ahead in 2022, we think that the material impact to our bookings and our revenue could be driven by new customer wins. We'll really focus on gaining market share at this point and added investment in sales and marketing will help with that.

Okay, great. And then in terms of your revenue guidance for fiscal year '22, should we expect fairly linear growth throughout the year? Or how should we think about what we just saw in Q4 for this past quarter in terms of a strong sequential ramp in Q4?

Yes. If you take a look at our revenue growth, it's always lagging, right? So if you take a look at our -- I think current billings to revenue is a good indicator. So for example, last year, on an LTM current billings basis, even though our current billings trended up from 8% to 13%, 16%, ending the year strong at 18.5%. Taking a look at the revenue growth, it was 12%, 12%, 13% and 16%. And our guidance for Q1 is 16% to 17%. So we expect that kind of trend and momentum to continue. It will have a material impact in terms of the revenue acceleration of the momentum since the revenue guidance for the full year is 17% to 18%.

Thank you. Our next question comes from Andrew Smith of Berenberg Capital. Your line is open.

Hi. Just with regard to the step-up in investments for fiscal year '22 to further that growth. I've heard the comments on increasing quota-carrying reps in digital marketing to drive new sales and I believe you also briefly mentioned investments in the channel, too. Can you just break out how you're thinking about that investment? Is investment in increasing quota-carrying reps, a higher priority at the moment than furthering investment into the channel?

Yes. I think it's -- I mean, we look at -- again, we look at it holistically. I think we've decided to really invest broadly across the board in our people and talent with a focus on sales and marketing and so quota-carrying sales folks, digital marketing, even investment in product management to help with sales -- better sales enablement so we can increase the productivity for sales reps. Overall focus on new logo acquisition and the investment there as well as partnerships and also investing in solution architects as customers deploy multiple different solutions, having technical -- additional technical hub that can help do the proof of concepts, etcetera. So, I think it's a broad-based approach for us to invest across the board within the company and including acquiring and retaining the right talent. As you see, we continue a lot of organic development on the platform as well. So we're not just essentially a maintenance mode or something. We continue to invest in R&D and product management as we bring out newer solutions like XDR just came out. CyberSecurity Asset Management came out about six months ago. The brand-new solution and we have additional things that we're focusing on with Cloud EDR with the rest of the year. So I look at it as more as a broad-based investment that includes focus on sales and marketing.

Got it. Thank you.

Thank you. Our next question comes from Brian Essex of Goldman Sachs. Please go ahead.

Great. Good afternoon. And thank you for taking the question. Maybe Sumedh, I know last quarter you noted a partnership with Red Hat OpenShift. And I was wondering how the traction has been with that, particularly given Lock4Shell and impact to perhaps some open source platforms?

I mean, I think if you look at Lock4Shell, the detection that we talked about with millions of detections across the board, I think it was not specifically concentrated just on OpenShift. However, what it also highlighted is that Log4Shell did not impact just your traditional servers, it impacted end points and it impacted cloud and container environments where we have that partnership with Red Hat. And so the adopter customers who have been leveraging that, I think they got a better ability to detect something like Log4Shell in a closed environment like Red Hat Openshift, as an example. But it is something that we saw broad-based across the board in many different infrastructure that we were able to have -- discover Log4Shell, including the containerized environment as well. And that's sort of where the customers see the value of a platform that's bringing all these different capabilities because those customers who run OpenShift were also, at the same time, trying to figure out all the endpoints of the cloud resources, everything that had Log4Shell and we were able to show that to them in a single pane of glass instead of just one aspect of the infrastructure.

Got it. Super helpful. And maybe, Joo Mi, just as we're fine-tuning our models for the guidance, just kind of baking in I guess what the implied impact is to net income and operating margins, I think that will be probably offset by deferred revenue growth. How do we -- how should we think about free cash flow margins in light of the investment ahead? And to what extent might billings and deferred revenue offset some of the spend as you have kind of a timing difference there from a revenue recognition perspective?

Yes. In terms of the free cash flow, we anticipate lower relative to EBITDA margin than the prior year just because we do have increase in cash taxes that we anticipate paying. I mean, with that said, we don't know what's going to happen with the tax reform. But -- that's one lever. The second lever is because of the new tax legislation that's going into effect in 2022 and the mandatory calculation of R&D expenses, we do see some pressure there as well as the increase in CapEx spend, we are guiding to $25 million to $30 million this year. Obviously, if there's an additional incremental bookings acceleration, there's additional pressure on [indiscernible], it might actually be higher too. But with that said, all in all, there's no change in terms of our overall billing and deferred tax like that deferred revenue that we anticipate this year; so there might be a little bit of pressure but not significant.

Okay, that's very helpful. Thank you.

Thank you. Our next question comes from Hamza Fodderwala of Morgan Stanley. Please go ahead.

Hey guys, thanks for taking my question. Before I begin, just -- Sumedh, I just wanted to congratulate you over the last year, taking on the accelerating momentum that Qualys has had.

Thank you.

So Joo Mi, maybe a question for you. Do you think this is sort of the final reset, if you will, for Qualys in terms of the investment here? Because clearly, you've got line of sight now into 20% revenue growth. It seems like you have the sales leadership. You've got the strategy here. Do you think this will be the year where margins finally bottom? And if so, where do you see them bottoming? I remember last year, you mentioned 40% EBITDA margin was sort of the floor that you were looking at. It seems like this year is going to be lower. So where do you see that bottom?

Great question. I'm hesitant to say the bottom and the timing of it in light the current report that just came out, I think that last year, when I had talked about, I don't see a reason why we couldn't maintain EBITDA margin above 40%. I don't think any one of us expected the inflationary pressures that we're seeing right now with our latest CPI report coming out at 7.5%. And one of the things that we are keeping in mind is we feel that we're very fortunate in that we have a very strong, highly profitable and sustainable model. And so what we have baked into the guidance is a wage adjustment in light -- and given that it's increasingly important for us to attract and retain top talent. And so just to give you a little bit of color on this is without this change in the macroeconomic trends, I think that our guidance would have been 40% plus on the EBITDA margin. So with that said, we are planning to invest outside of that in sales and marketing or R&D as well as customer support and operations. But as we see the ROI where that actually gives us a return that we think makes sense to further accelerate momentum in 2023 and 2004 onwards. We could have margin kind of continuing on in the high 30s or even potentially lower but it would have to make sense and it would have to be justified from a growth perspective as well. I hope that gives a little bit of color. But I think for right now, this is what we have planned that we think that, that makes sense to maximize shareholder value.

Got it. Maybe just a follow-up, Joo Mi, on your earlier comment about VMDR. So it's almost 50% of your bookings now and you talked about the higher net retention. So are you in the phase where the customers, who may have bought VMDR at a heavily discounted rate or perhaps even bought it for almost free. You're not going back to that renewal base and saying, "Hey, you found value from the solution, we're now going to true up that price to what the actual value that's being delivered"?

That's not how we're approaching and that's not the discussion that we're having with customers. We really think of it as a relationship and a partnership. And so how we're approaching it when they recognize the value, they're actually increasing the Cloud Agent deployment and more prone to purchasing additional solutions as well as increasing their spend in the VMDR itself. And so if you take a look at our bookings trajectory and our revenue guidance that, that keeps into account what we're seeing right now based on that. And I think that because of that, we're really optimistic about the potential reacceleration and the momentum that we're seeing.

Okay, thank you.

Thank you. At this time, I'd like to turn the call back over to Sumedh Thakar for closing remarks. Sir?

Thank you very much. In conclusion, as we enter 2022, we remain excited about our opportunity to drive durable top line growth while leveraging our highly scalable model to maintain industry-leading profitability and margin expansion in the future.

And this concludes...

Sorry, just wanted to finish the rest of it, I had to turn over to my page. Thank you all for joining today. I wanted to briefly reiterate that we believe the future of Qualys cybersecurity resides on a single unified platform driven by solutions, designed to solve key IT and security and compliance challenges. We're entering 2022 with strong momentum to accelerate growth along with a balanced approach to profitability. We look forward to sharing continued progress in coming quarters. Thank you.

And this concludes today's conference call. Thank you for participating. You may now disconnect.

Goodbye.