Qualys, Inc. (QLYS) Q2 2022 Earnings Report, Transcript and Summary

Good day and thank you for standing by. Welcome to the Qualys Second Quarter 2022 Investor Call. At this time, all participants are in a listen-only mode. After the speakers' presentation, there will be a question-and-answer session. [Operator Instructions] Please be advised that today's conference is being recorded. I would now like to hand the conference over to your speaker today, Blair King. Please go ahead.

Thank you, Crystal, and good afternoon, and welcome, everyone, to Qualys' second quarter 2022 earnings call. Joining me today to discuss our results are Sumedh Thakar, the President and CEO; and Joo Mi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks and investor presentation are all available on the Investor Relations section of our website. So with that, I'd like to now turn the call over to Sumedh.

Thanks, Blair, and welcome, everyone, to our second quarter earnings call. We're pleased to report another quarter of continued revenue growth acceleration and cash flow generation as we drive a focused investment strategy for innovation and go-to-market scale. Despite global macroeconomic challenges and geopolitical uncertainty, growing cyber threats are driving CIOs and CSOs within organizations of all sizes to modernize their security platforms to reduce agents, cyber risk response times, operational complexity as well as costs. Our continued strong growth reflects the commitment customers are making to the Qualys Cloud platform to help drive these objectives. In Q2, there was a steady adoption of our Vulnerability Management, Detection and Response, or VMDR solution, which is now deployed by 43% of customers worldwide. Key competitive VMDR wins in the quarter include a leading multinational chain of retail convenience stores, several global financial service companies and public sector agencies, along with multiple new and existing customers down market as well as in the Fortune 500. Further exhibiting our broader platform approach and expanding market opportunity, I will take a moment to share some of the successes we have seen with our customers and partners. First, on the customer front and existing Europe-based Fortune 500 customer entered into a seven-figure competitive upsell agreement with us to expand its asset count with VMDR, while adding patch management across their environment. Qualys was chosen over the competition, given the platform's unified interface across public, hybrid and multiclub assets, ease-of-use, superior performance, speed of detection and automated matching capabilities without the need for a VPN. Next, a leading financial institution in the Middle East selected Qualys; Cybersecurity Asset Management, VMDR and Patch Management abilities in a mid-six-figure new customer win. The ability to significantly enhance its security program with complete asset context, CMDB integration, alerting and accurate response capabilities on a single integrated platform, while consolidating agents, where all key differentiators compared to vulnerability detection-only solutions in the market. We are executing our go-to-market agenda well, which includes our evolving partner ecosystem. Since launching our new partner program in May, we've already signed up two new large regional MSS partners in Europe and North America to further expand their ability to deliver managed cybersecurity services. Additionally, we're seeing an increase in new customer deal registrations by our partners. As our market share and brand awareness continues to strengthen, we are anticipating an increase in partner integration with our platform, which will further strengthen our strategic position, expand our ecosystem and broaden our reach. On the platform side, this year has already been a strong year of innovation at Qualys. At our QSC event in San Francisco attended by over 700 registrants, we showcased our thought leadership through the launch of VMDR 2.0 with TruRisk, taking our differentiation in the market to the next level. With comprehensive risk scoring and ITSM integration, customers can now focus on quickly identifying risk case vulnerabilities on critical assets and help remediate with speed. Vulnerability Management continues to be a cornerstone of customer security programs as they focus on improving their risk posture. Qualys' unified platform approach differentiates itself from other vulnerability reporting-only solutions by rapidly reducing risk for the most exploitable vulnerabilities with integrated Patch Management with the same agent. Our recent research shows that customers who scan and patch with Qualys as opposed to patching with alternate solutions can experience as much as 60% reduction in the mean time to remediate for the most exploitable vulnerabilities identified by CISA. Qualys' agents have deployed over 130 million patches for our customers, validating our customers' desire to leverage vulnerability management platforms that help to remediate vulnerabilities instead of just reporting on them. At BlackHat this week, we are featuring an organic extension to our Cybersecurity Asset Management 2.0 application to include our recently announced External Attack Surface Management capability. This new capability provides security and IT operational teams with unprecedented insights into blind spots and risk posture with a complete 360-degree view of all the known and unknown Internet exposed assets. Natively integrated with VMDR, this capability adds to external asset visibility through the already comprehensive internal asset visibility we provide on the platform instead of just adding another point solution for this feature. While many security software providers claim to offer a platform because they assemble assortment of point products through acquisitions that are difficult to integrate, we don't see anyone coming close to the offering the tightly integrated capabilities of our cloud-based platform. Especially in the current macroeconomic environment, we believe our organically developed and natively integrated platform that is also remediating and reducing risk can bring value to our customers as they get more security out of the single Qualys platform. In summary, given our market opportunity, extendable platform for cyber risk protection remediation and prevention and speed of innovation, we believe we can continue to grow at scale, generate cash and invest in key initiatives that will further extend the gap between Qualys and the competition. With that, I will turn the call over to Joo Mi to discuss in more detail our second quarter results and outlook for the third quarter and full year 2022.

Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP, and growth rates are based on comparisons to the prior year period unless stated otherwise. We're pleased to announce our continued, consistent and strong financial performance with double-digit growth in both revenue and earnings per share. Revenues for the second quarter of 2022 grew 20% to $119.9 million, up from 12% growth in the year ago period. Similarly, LTM calculated current billings grew 20%. In Q2, our Patch Management solution contributed to over 5% of bookings for the first time, with over 50% growth from last year. In addition to strong adoption by existing Qualys customers, Patch Management contributed to 9% of bookings from new customers, demonstrating our ability to drive growth through distinct product differentiation. Our LTM average deal size continued to increase for both new and existing customers as organizations turn to Qualys to secure a wider range of network-connected devices and associated applications, spanning on-prem cloud, container and mobile environment. LTM average deal size increased by 17% from 7% a year ago. Through the seamless integration of workflows onto a single agent, Qualys is helping organizations efficiently respond to threat by enabling real-time visibility of their security posture. As such, customers are increasingly looking to Qualys to help solve their most pressing security needs at legacy point solutions for fragile, difficult to operationalize and significantly extend remediation time struggle to deliver value to the customer. This quarter was no different, and we're excited by the continued adoption of VMDR, with total customer penetration now at 43%, up from 28% a year ago. And continued adoption of Qualys solutions increased large customer spend with 139 customers spending $500,000 or more with us. This represents a 23% growth from a year ago period. Our platform and single-agent approach is resonating with customers, while strengthening our market position. With CIOs and CSOs looking to cloud platforms that are agile, easy to deploy and easy to manage, organizations are increasingly phasing out legacy point solutions and adopting cloud native, full staff security and compliance coverage to meet the demands of today's threat landscape and reduce costs. We remain focused on leveraging our scalable platform model to continue to drive superior margins and significant cash flow. Adjusted EBITDA for the second quarter of 2022 was $54.4 million, representing a 45% margin. EPS for the second quarter of 2022 was $0.89. And our free cash flow for the second quarter of 2022 was $30.3 million, representing a 25% margin. Year-to-date margin was 44%. In Q2, we continue to invest the cash we generated from operations back into Qualys, including $3.5 million on capital expenditure and $71.2 million to repurchase $561,000 of our outstanding shares. The resilience of our sustainable and scalable business model has been proven over time that's currently demonstrated by our strong profitable growth during the time of uncertainty and volatility. With over 500 million invested to repurchase shares over the last four years, and $354 million remaining authorized for future share repurchases, we plan to continue to leverage our excess cash to return capital to shareholders. Shifting now to guidance for the third quarter and the rest of the year, our strong year-to-date performance continues to bolster our confidence in both our strategic agenda and business environment. We are raising the bottom and top end of our revenue guidance for the full year to now be in the range of or $488 million to $489.5 million, representing a 19% growth. This compares to prior full year revenue guidance of $484 million to $486.5 million. In terms of profitability, we are raising our full year EPS guidance to now be in the range of $3.50 to $3.55 from the prior range of $3.13 to $3.17. This implies an EBITDA margin in the mid-40s. This revised guidance reflects the planned increase in investment in the second half of this year. Partners remain strategic to our growth strategy. So our current focus is on further investing in our partner program and enhancing our relationships to leverage their large distribution network to drive profitable growth in the business. Alongside this, we will continue to increase our investments in digital marketing initiatives and expand product management capabilities, as well as sales capacity and support functions. For the third quarter, we expect revenue to be in the range of $124.5 million to $125.1 million, which represents a 19% growth. We expect EPS to be in the range of $0.85 to $0.87. Our planned capital expenditures in Q3 is approximately $2.5 million to $3.5 million. For the full year 2022, we expect investments in the range of $16 million to $18 million. In conclusion, we are pleased with our Q2 results and believe we are well positioned to drive durable top line growth on the back of a large and growing market opportunity, while leveraging our highly scalable model to maintain strong cash flow and industry-leading profitability over the long term. We remain cautious on the macroeconomic and geopolitical situation, particularly in Europe, but believe that offsetting this is the upside from our product differentiation and with customers becoming more cost conscious with their security budgets. We will continue to see higher levels of customer interest associated with the value proposition of consolidating vendors and a single agent to see that dynamic playing well for Qualys. With that, Sumedh and I are happy to answer any of your questions.

[Operator Instructions] And our first question will come from Dan Bergstrom from RBC Capital Markets. Your line is open.

It's Dan Bergstrom for Matt Hedberg. Sales and platform adoption driving higher customer spend, I think that's a real impressive part of the presentation, that $500,000 customer spend. Could you drill down into the trends you're seeing around those larger customers and maybe the partnership that you have with them?

Yes. I think right now, we're seeing that as these customers, they get deployed with VMDR, which is sort of what we focused on the last a few years, and I gave that example of one of those customers in Europe. We are expanding additional licenses with Qualys for VMDR. They are additionally also adding Patch Management, looking at Cybersecurity Asset Management. I think, overall, that is helping them get additional value out of Qualys and also able to -- for us to be able to position sort of differentiators in the VM space where they are actually able to now deploy additional capabilities that we right now don't see being offered in the market by the other VM players, right? So, I think those customers, they will continue to expand from an upsell of existing VM license, but also add additional products from Qualys. We are pretty excited about what that can mean in terms of these deal sizes. And overall, that also essentially makes us strategic partners with these large customers because, at this point, we are well integrated into their cybersecurity stack and very strategic to the success of their programs. And so as we gain more visibility that creates more opportunity for us to have conversations with the customers on what value we can bring to these large customers.

And then maybe for Joo Mi. You touched on this a little bit in the prepared remarks, but investment over the second half here into '23, can you talk about how you're weighing kind of the mix of investment in head count, channel and digital marketing? There's a lot of talk about the channel on the call here in the prepared remarks. Are you leaning more into that perhaps than previously?

We are. We did announce a new partnership program and initiatives that we were thinking through earlier this year. And we are seeing early indicators that's working well for us. And in terms of our partners, we are seeing growth that we can definitely leverage and accelerate in the shorter term and balancing out with their investments in the direct business. And so for us, so we are investing in all areas. As we said before, if you take a look at our guidance for the EBITDA margin, that does indicate a healthy growth. And that happens to be increasing investment in partnerships, increasing the headcount as well as the digital marketing and product marketing as well.

Thank you. And we'll take our next question from Joel Fishbein from Trust Securities. Your line is open.

Joo Mi, I have a quick follow-up question to that. You had also initiated to accelerate some hiring in sales. Can you give us an update on where you are with that, not just the investment in channel? And also love to just get your confidence in the visibility for the guidance for the back half of the year.

Yes. Happy to address that. I think that at the beginning of the year, we had as far to increase spend faster and more this year. I think that we're a little bit behind on the hiring. With that there, we've made some progress, definitely better than what we see last year. And I think that's demonstrated by our increase in spend. So for example, just as a non-gas sales and marketing, if you take a look at the Q2 year-over-year spend, that 28% growth is the highest we've seen in recent years. Even taking a look at year-to-date growth, that's 20% growth versus 7% in the same period last year. And I think the two years prior to that, we've been decreasing. So last year, I know that the sales and marketing headcount was only up by net 10. We're up by more than that in the first half of this year. So, we're optimistic in our ability to continue to increase in spend and hire more people going forward.

That was great. And then just your visibility into the guidance.

Yes. I think that our visibility into the guidance right now is similar to how we look at the business. The trajectory of our business momentum is informed by our current billings, current deals in play in our discussion with our customers. We recognize the uncertainty that a lot of our peers have and other companies. With that said, I think that the momentum is there. We are optimistic in our ability to continue to accelerate. If you take a look at our revenue guidance, what that implies is 19% growth in the second half after achieving healthy acceleration in revenue in the last year. We feel confident in our ability to deliver that. And then in terms of the investments, as you can tell by the increase in non-GAAP EPS, this is really informed by taking a look at the initiatives that we had at the beginning of the year, and finding that right balance and thinking through in the next six months what we think that we'll be able to really realize in terms of investments, and that's informed our guidance.

Thank you. And our next question will come from Nehal Chokshi from Northland Capital Markets. Your line is open.

Yes, can you hear me?

Yes.

Great. Congrats on a strong quarter. Short-term billings, that was up 18% year-over-year. Is that correct?

That's right.

Okay. And that represents a slight deceleration. What's the narrative behind that slight deceleration in short-term billings?

Quarterly billings tend to fluctuate from quarter-to-quarter, and that happens to do with the renewal time, timing of the deals and the duration of the delay. But with that said, even on an LTM basis, you'll see that slight tick down. Part of the reason is because we do have some headwinds that all the other companies are seeing right now and the certainty in the business. That said, what that means for us is, I think, in the near term, especially in this volatile market, I would point to our revenue that's more normalized just because we do hedge on the top side on the revenue, and that's not reflected in our current billings.

Okay. And then, Joo Mi, you also mentioned that you remain cautious on macroeconomic concerns out there, especially in EMEA, but are you actually seeing that play through in terms of your bookings or billings?

We do see -- in our discussions, we're a little bit cautious, rightfully so. I think that all companies are. But based on our discussions with our customers, we don't think that it's going to be a significant impact on our business. We still see a high demand. I think that the security budget as a whole is not decreasing, although the Company are looking at their spend is scrutinizing their spend to make sure that they have the right vendor and prioritizing the spend and investment friendly. And that's reflected in our guidance.

Thank you. And our next question will come from Rudy Kessinger from D.A. Davidson. Your line is open.

On the revenue, in terms of the beat versus your guide, one of the largest beats I think you've put up in the last several years. If you could just maybe bucket out where you saw the upside in the quarter more specifically, was it more so from new customers, existing customers, expansion into past management, some of the other products as opposed to maybe VMDR? Just what really drove the solid upside in the quarter despite the macro?

Yes. I think that right now, we're seeing the early indicators as signed. I think this is the first time that we've provided some color into our newer products like Patch Management. We've always know that there's an upside to our newer products. We're seeing that kind of adoption happening as we speak right now. So this was the first quarter where we felt Patch Management may be material to the business. And by that, I mean more than 5% of our bookings. And even more encouraging for us is the fact that 9% of our new bookings came from Patch Management as well. So that's contributed to our net dollar expansion rate, which remained at 110%. We are seeing strong retention in the business and existing customers, as well as upon cross-sell opportunities. With that said, that 5% of cash management is still very small, and so that's why we think that there's a huge upside. It's just starting now. And given the current situation, I do think that customers are more focused on starting to view us as a cloud security provider, and it does increase our opportunity to consolidate other security out there with more customers looking to pull it for multiple solutions.

Got it. And then just circling back on the sales hiring, I know you had said previously you wanted to hit double-digit growth in S&M headcount this year. Certainly, it sounds like from the commentary, you're leaning a bit more towards channel versus direct. But do you still think you'll hit that double-digit growth in S&M headcount this year or no?

Yes, yes. So, we are still on target for that. We are targeting we're still growing. The sales and marketing has account by double digits, but we are looking into other avenues as well to make sure that we have a balanced approach to investment.

Thank you. And our next question will come from Hamza Fodderwala from Morgan Stanley. Your line is open.

Sumedh, a question for you. Just Qualys has broadened out its portfolio across IT security and compliance over the last few years. Are there any areas within that portfolio where you're seeing more of a prioritization than others? I'm thinking of like maybe asset discovery seeing more demand versus vulnerability management or advice ever. Any color you can give there would be really helpful?

Yes, that's a great question. I think if you look at today, we continue to have healthy growth in VMDR. But I think as we have provided the color with Patch Management, not just from what we see on the business from bookings, but also the fact that Qualys agents have deployed 130 million patches for our customers, it really is a testament to the fact that we are becoming a very critical for these customers to help reduce the vulnerability, right, not just report on them. So while Vulnerability Management traditionally is just focused on if you tell me the asset, I'll tell you what issues are on the asset and then you have to go figure it out. The broadening of the platform across multiple different aspects has really helped customers bring the Asset Management, Vulnerability Management, and Patch Management together. And those really go hand-in-hand. And so they actually do help each other in terms of customers who are looking to get VMDR are more likely, in our opinion, to go with Qualys when they see that they can also leverage Patch Management and they see that external attack surface is built into that solution or Cybersecurity Asset Management is bringing them a lot of visibility into the asset inventory. So as Vulnerability Management continues to be critical, the surrounding functions, as I would call them, to first find all your assets and then fix all your vulnerabilities start to become more and more important than especially conversations with our customers in the current macroeconomic environment that we see they are looking for how they can get additional value, how they can get more out of the solutions that they already have. And so that's why we are quite excited and we kind of do see that Cybersecurity Asset Management and Patch Management are starting to be the area of focus for customers as they're looking to really reduce the amount of time it takes for them to find an asset to actually fix it, which today, with multiple tools and multiple teams. It takes quite a bit of time, and that was demonstrated in some of the research that we put out where we were able to take customers who are using Qualys to scan and some other tools to patch, versus those who are using Qualys to scan and Qualys to patch. There was a marked difference in the top 10 most exportable vulnerabilities that just put out. We are helping them really reduce the amount of time it takes when they're doing a broader platform adoption. So I think those are the areas within the platform that we see. So of course, we have other things that customers buy like file integrity monitoring and a few other things. But Cybersecurity Asset Management and Patch Management tend to really kind of go with that VMDR purchase and which is also being reflected in our new business where we are seeing the deal sizes and take into account the first purchase directly off VMDR Patch Management and Cybersecurity Asset Management instead of just coming and getting only VMDR. So hopefully, that answers your question.

Yes, that was super helpful. Maybe just for Joo Mi on FX. I just wanted to understand the negative and potential positive impact there, because I understand 24% of the revenue, I believe, is priced in local currency, but that exposure is hedged. And then on the OpEx side, you've got about 29% of your OpEx, which is local currency. Just was there any headwind on the revenue side that we should be aware of for the billing side? And then on the OpEx side, how should we think about maybe the stronger dollar benefiting you on the margin front over the next 12 months?

Yes. Because of our hedging program, we have forward contracts in place, just like you said, on both the revenue and expense side. And so what we're seeing right now is, we don't -- the part that we hedge, we're seeing some benefits and caused a gains or losses that are offsetting. Year-to-date, it's really not material for us on the revenue. It could become greater in the second half of this year. But with that said, I still don't see it on an annual basis. It will be significant because of our hedging programs and how it's working right now. On the expense side, same thing, we hedged the INR, which is about like 15% of our expenses. We see the benefits and losses offset each other more or less. And so that's why on a margin, it hasn't been material for us in the last couple of years. I don't see it being material for us in the next 12 months either.

Thank you. And our next question will come from Yun Kim from Loop Capital. Your line is open.

Congrats on another solid quarter, Sumedh and Joo Mi. Obviously, your VMDR strategy continues to play out very nicely, especially with existing customers. Sumedh, you kind of mentioned some data points regarding new customer acquisition front. But can you give us update on how your VMDR strategy and your overall expanded product portfolio is helping you in terms of a new customer acquisition? What has been the trend around new customer acquisition, especially among the large Global 2000?

Yes. I think, just to add color at a high level, we are very pleased with what we are seeing with the new business right now. As you know, we have been making changes in investments in that area for the last few quarters. And so, with new business right now, we're seeing that our bookings in this quarter were amongst the highest that we have seen along with the increase in the average deal size, right, which is quite interesting and exciting for us because what that tells us is that when we are in a competitive situation with -- and we are talking to these customers, we're actually able to bring them, show them the value of the combined solution set that they can purchase multiple things together. And which ends up becoming a lot more cost effective for them in terms of deploying and operationalizing these programs. So it's not where it's the only buy VMDR initially and then say, okay, we'll take a look at some of these things later. Right out of the bag, they're able to see the value coming out of that. And that's reflecting in the average deal size going up, that's reflecting in Patch Management being 9% of our new business, as well for this quarter. And then, I think the other side of that is just the reduction of point solutions is very helpful for these customers in being able to really be able to not have to take on the cost of deploying these things. So overall, I think early days, but quite pleased with the momentum that we are seeing on the new business side.

Okay. Great. And then just trying to understand whether or not the VMDR penetration to potentially peak at a certain point or slow down? Obviously, the penetration rate has increased 3% to 4% sequentially, fairly consistently every quarter for the past couple of years. Now that you're kind of entering the third year anniversary of that VMDR release, is there any expectation that VMDR adoption rate maybe perhaps slow a bit as you hit up the customers for VMDR second or third time around this time? If you can -- and then also if you can just give us some sense on how much of your mix of your renewals are slated for second half versus first half?

Yes, great question. I think VMDR, in our opinion, continues to be a significant differentiator in the market, and we really have been innovating quite significantly. And exactly for that purpose, we want to continue to stay ahead of where everybody else is in terms of the capabilities we bring with VMDR to the VM market, which is why within two years of launch, we launched VMDR 2.0 recently, which was really well received by our customers, bringing additional capabilities on risk rating, risk ranking, and really focusing on remediation along with the ability to leverage ITSM tools to really significantly reduce the time for remediation. So, I think it's VMDR and then the rest of the capabilities that they can purchase on together with that really kind of makeup that cohort of capabilities that our customers look at, not just VMDR. So VMDR adoption strategy has been to get VMDR, get them to see the value of the adjacent capabilities, get more agents, which make it easier for them to adopt some of these additional capabilities and then continue to innovate with, as we did with VMDR 2.0 to add these additional capabilities, and we're excited to see how our customers can benefit from External Attack Surface Management, also which we are launching, which we just launched this week so that they can bring additional assets into their VMDR purview. So, I think there's -- we see that there is customers who have adopted VMDR, early adopters. We're seeing [Audio Gap]. So, I think there's -- we see that, that is customers who have adopted VMDR, early adopters. We're seeing some customers who are on the sidelines are adopting that. We are working towards more innovation to get the rest of them on board, and then there's obviously a cohort of customers that today, we may not be bolus for VM and maybe leveraging for application scanning. So that remains an upside opportunity for us to look forward, but we continue to look at it from multiple different angles.

Thank you. And we'll take our next question from Brian Essex from Goldman Sachs. Your line is open.

This is Charlie on for Brian. A quick question. So, I know you mentioned that essentially FX wasn't a huge impact on the top line. But can you talk about the impact of FX in pricing outside of the U.S., like deal, for instance, are getting more expensive just because the strength of the dollar? Like how has that impacted like your sales and marketing as a whole? Is there more discounts associated? Any color would be great.

Yes. I think we obviously are aware of the macroeconomic conditions, and we continue to be cautious about the way things are heading, but we are having positive conversations with our customers, especially around the ability to add value because of the different capabilities that are integrated in the platform rather than being more of a pure play. So in terms of competitive conversations or when customers are being told to make sure that they get the maximum value out of the budget that they have been given. Those positive conversations have been recently happening for us in Europe, and we continue to stay excited about the opportunity that it can really help us show the customers additional value instead of getting into discounting conversations, right? So that way, we can now provide the customer in addition to VMDR, Cybersecurity, Asset Management, Patch Management, these are going to help them reduce their overall cost rather than point solutions that only do one thing where they have to focus more on discounting. So again, we continue to monitor and see how the environment evolves, but we feel well positioned with the overall stack that we have, that we have multiple things at our disposal to work through with these customers to show additional value rather than focusing on just discounting.

Got you. And I guess another question. If you could expand cash from operations declined decently over Q-or-Q. Is that just a seasonality thing? Just any color regarding that would be great.

Yes. Our cash flow tends to fluctuate. And so that's why we look at where they also provide the color on the year-to-date. And similar have been two years ago where our cash flow in one quarter might be down 30%, but year-to-date, it does normalize mainly due to the fluctuation whether it be from prepaid or the operating cash flow from AR for balance.

Thank you. And we'll take our last question from Alex Henderson from Needham & Company. Your line is open.

I actually have two different questions, and they're kind of related. One is, can you talk a little bit about the degree to which your new product portfolio has allowed you to overcome pretty tough economic environment? And in the context of how much of a delta, I know this is obviously a positive question to ask, but how much of -- how harsh has the environment gotten and how might it have looked had you not seen that benefit of having this much better product portfolio? And conversely, can you talk a little bit about when you were getting these additional wins, who are you displacing in that environment? And how are they reacting relative to their pricing against that macro environment that was expressed in the last quarter or last question, i.e., pricing down significantly in Europe in order to bring it into a callable range for foreign companies that are struggling under a 20% currency translation?

I'll answer the possible ones first. I think that going in the trend of what we talked about in terms of the new product portfolio, especially focused on Cybersecurity Asset Management and Patch Management as sort of additions to VMDR, I think, for us that has been really positive. And our vision from a couple of years ago that the market was going to go in this traction. And even a couple of years ago when we introduced Patch Management, where players who are not looking at a Patch Management as something that should be part of vulnerability management. I think, 130 million patches later. We're very proud of what we have been able to achieve in providing value to our customers. And we look at our innovation on the platform, very similar to the way we run our company in terms of being very focused on bringing value. And so, when we talk to our customers and we are able to get in the conversations to showcase them how they are able to reduce the risk, right? At the end of the day, while the number of products and the cost of the products is one aspect of it, when we are able to showcase that when they are leveraging the combined solution with VMDR and the new capabilities together with Asset Management and Patch Management, the time to remediate for the most critical vulnerabilities is reducing by half in many cases, right? And for a security practitioner and a CSO of being able to do that, reducing the amount of exposure that they have on the number of days by that kind of quantity, I think, is really helping us with these conversations to showcase that, yes, we displace point solutions, we displace sort of platforms that are loosely pulled together with acquisitions. But the combined integrated platform capability really helps them reduce the risk, and that's really, at the end of the day, focus for all security teams, right? There is, of course, a financial benefit as well, and I will give an example of where one of our customers for cybersecurity for External Attack Surface Management are looking at a pure play external attack management company, their product, it's low six figures that they have to pay for that. Qualys, when we have the conversation with them, when the external attack surface is now part of our Cybersecurity Asset Management for about the same amount of money, we can give them significantly more value because we are not just giving them the external visibility over giving them Cybersecurity Asset Management capabilities that include things like internal visibility end-of-life software, et cetera, right? So that innovation in terms of making sure that we are staying ahead and then providing this as a bundle with VMDR. It's now helping customers to see the value to say, why do I go with this pure play vendor that's only giving me the list of what is discovered but it's not integrating into what I need to scan, et cetera? Or I'll give an example, for the same amount of money, they could actually then leverage Cybersecurity Asset Management from Qualys, and then competitively, competition, even if they try to look at the price drop, it's not -- they don't have patch management. They don't have subsea asset management to sort of offset that, right? So that's some examples. Of course, we'll continue to see something here and there. But I think that's the conversations that we have and why we are seeing the increase in the deal size, the net retention, as well as Patch Management becoming strategic to us.

Where do you see your incremental growth coming from in terms of competitive displacement? Who are you displacing?

It's a different combination. Many times it's internal security teams, homegrown products, sometimes it's other pure-play products that are just giving you a list of vulnerabilities in some cases, Patch Management stand-alone products that don't have the context of what needs to be patched. So it's just different in different customers. Sometimes we see that they buy us as a supplemental patching solution to their existing patch management because patch management, as an IT capability, meant for upgrading software. So if you need new features in Java, you're going to do that patching once every two months after a lot of testing. Security teams need the ability to patch for security issues much faster than that, and that's where the friction comes, right? So for us to be able to go and say your security team, while IT team can continue to use their patching tool for their more sort of add new feature type of capability, the ability for Qualys with the existing solutions that they already have to go in and say, in the case of a cyber-related issue, we can actually very quickly go and do a targeted focus patch of this. In those cases, it helps them also buy that capability in addition to maybe SCCM or something like that, that they may already have.

Thank you. And this does conclude today's question-and-answer session and conference call. Thank you for your patience. You may now disconnect. Everyone, have a wonderful day.