Qualys, Inc. (QLYS) Q3 2022 Earnings Report, Transcript and Summary

Good day, ladies and gentlemen, and thank you for standing by. Welcome to the Qualys Third Quarter 2022 Investor Conference Call. At this time, all participants are in a listen-only mode. After the speakers' presentation, there will be a question-and-answer session. [Operator Instructions] At this time, I would like to turn the conference over to Mr. Blair King. Sir, please begin.

Thank you, Howard. Good afternoon, and welcome to Qualys' third quarter 2022 earnings call. Joining me today to discuss our results are Sumedh Thakar, our President and CEO; and Joo Mi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks and investor presentation are all available on the Investor Relations section of our website. So with that, I'd like to now turn the call over to Sumedh.

Thank you, Blair, and welcome everyone to our third quarter earnings call. Qualys again delivered another quarter of strong revenue growth and cash flow generation while further executing on a focused investment strategy to deliver profitable growth. Given the accelerated growth in scope and complexity of cyber threats and an uncertain macroeconomic and geopolitical landscape, CISOs and CIOs continue to broadly prioritize natively integrated security solutions to both fortify their security posture and optimize budgets through a reduction of agents and response times to reduce risk and cut costs. As a result, Qualys experienced another quarter of steady VMDR adoption, which is now deployed by 45% of our customers worldwide. Key competitive VMDR wins in the quarter included multiple customers, both down market and in the Forbes 1000. The strength of Qualys' VMDR solution has clear momentum in the market and is garnishing significant industry recognition. As recently announced, Qualys' VMDR application was voted the best vulnerability management solution at the 2022 SC Awards. This award evaluates vendors based on input from security practitioners worldwide and is held in high esteem. We believe Qualys placement as the number one vulnerability management solution further validates our investments in the platform and represents the standard for securing customer environments today and in the future. With multiple long term growth drivers in our business, I will take a moment to share some of the early successes we are seeing to broaden platform adoption with customers and partners. On the customer front, in a highly strategic and competitive win a large government agency entered -- a large government agency entered into a seven figure upsell agreement to expand its asset count with VMDR and Patch Management after selecting Cybersecurity Asset Management, Policy Compliance and Multi-Vector EDR, as part of an initiative to transform its IT security architecture. This customer selected Qualys because we offer the only security and compliance stack available in the market today that utilizes a FedRAMP authorized platform and single lightweight agent to enable full asset visibility and context aware mapping to prioritize vulnerabilities, proactively reduce technical debt, automate patching and continuously monitor endpoints with high fidelity telemetry to defend against future Malware and Ransomware events across multiple environments. In Q3, we also expanded our engagement with the Fortune 100 company in a competitive mid six figure upsell. This customer selected Qualys' Cybersecurity Asset Management Policy Compliance and VMDR capabilities. The ability to significantly enhance its security program with comprehensive internal and external asset context, CMDB integration alerting prioritization and accurate response capabilities with built-in ticketing and compliance monitoring on a single console, while consolidating agents were all key differentiators in this win. Beyond these wins, we continued to see new customers adopt Cybersecurity Asset Management and Patch Management alongside VMDR. Instead of just being a one dimensional tool used to detect and produce a list of Vulnerabilities, these new competitive wins underpin Qualys' ability to help customers not only detect, but also prioritize risk across all assets while remediating vulnerabilities much faster than alternative siloed solutions. This is becoming an even stronger value proposition in the current macroeconomic environment as customers increasingly seek multiple security offerings and capabilities out of a single Qualys platform. Investing in our partner ecosystem continues to be a key pillar in our go-to-market agenda. In the quarter, we expanded our relationships with several MSSPs and entered into a new partnership with a cyber security insurance company to enable reduced premiums for their customers using VMDR with TrueRisk. We also extended our strategic alliance with IBM. Through this collaboration, Qualys solutions are being positioned as key platform for securing IBM’s zLinux mainframe infrastructure to bring highly accurate vulnerability detection and compliance capabilities to several of the world's largest financial institutions, while utilizing the same Qualys agent. Additionally, we continue to see an increase in new customer deal registrations by our partners. We believe the expansion of our partner program since its launch in May reflects our strengthening brand awareness and strategic position in the market. The partner cornerstone of our strategy is engineering innovation and we challenge ourselves every day to lead with the industry. While we have been very focused on helping customers secure their cloud and container environments for some time now, our recent launch of TotalCloud further flexes the power of our platform by enabling cloud native VMDR with FlexScan by pairing agent and agentless zero touch assessment options with high efficacy, vulnerability detection and prioritization capabilities, organizations can now extend the platform to continuously view all cloud assets visualize the entire external attack surface and reduce risk by rapidly remediating and preventing misconfigurations and vulnerabilities from build to runtime. With Qualys agents already securing over 30 billion workloads in the cloud, we believe this solution provides the most holistic, flexible and accurate approach to modern cloud and container security available in the market today. We will showcase TotalCloud with FlexScan, our upcoming Qualys Security Conference in Las Vegas from November 7 to 10. We already have over 900 people registered to attend and we welcome all of you to access the agenda and register at qualys.com. At this conference, our product and engineering teams will showcase the innovation on Qualys platform and our customers will talk about their success with Qualys, including focused conversation on how they have been able to save costs in their security program by moving to unified Qualys platform with a single agent. With vulnerabilities proliferating at an unprecedented pace in the face of a growing cybersecurity skills gap, now more than ever architecture matters. With the recently announced acquisition of Blue Hexagon, Qualys can now apply cloud, scale, Artificial Intelligence and Machine Learning capabilities to the Qualys Cloud Platform and it's more than 13 trillion data points collected from over 100,000 network scanners and over 90 million cloud agents, what makes this combination so significant its ability to discover and identify relationships and patterns within our highly integrated data lake to rapidly predict and detect anomalous activities in customer environments that are invisible and undetectable in traditional security solutions. Specifically upon integration, this capability will allow Qualys customers to detect active vulnerability exploitation, identify advanced network threats and enable adaptive risk mitigation, including real time zero day threat detection across all assets applications and environments. This is a uniquely powerful new addition to the Qualys Cloud Platform and we are pleased to welcome some of the best security minds and associated innovations in AI and ML to the Qualys family. In summary, we continue to pioneer and define a security cloud category built to solve modern security challenges. And given the large market opportunity in front of us with multiple growth engines in our business, we anticipate that we can grow at scale long term, generate cash and continue to invest in key initiatives that will further extend the gap between Qualys and the competition. With that, I will turn the call over to Joo Mi to discuss in more detail our third quarter results and outlook for the fourth quarter and full year 2022.

Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP and growth rates are based on comparisons to the prior year period, unless stated otherwise. We're pleased to announce another quarter of strong revenue growth and healthy cash flow generation. Revenues for the third quarter of 2022 grew 20% to $125.6 million, up from 13% growth in the year ago period. LTM calculated current billings grew 18%. And net dollar expansion rate speaks to the power of our platform and improving land and expand sales model driving year-over-year increases over the past several quarters. In Q3, a net dollar expansion rate on a constant currency basis was $111, up from $104 a year ago. Our LTM average deal size increased 18% as organizations continued to turn to Qualys to solve modern security challenges through cloud native platforms that aggregate and analyze data in the cloud, operate at web scale, leverage network effects to produce superior outcomes, and are easy to deploy and simple to manage. Vulnerability management continues to be a cornerstone of customer security programs by enabling real time visibility of their security posture. Qualys’ unified platform approach differentiates itself from other vulnerability reporting only solutions through an integrated combination of capabilities, including comprehensive asset discovery, rapid risk detection, prioritization and remediation on a single agent. In Q3, total customer penetration for VMDR was at 45%, up from 32% a year ago. We're also pleased with the continued adoption of our newer products like Patch Management and Cyber Security Asset Management. In Q3, on an LTM basis, the two products combined contributed to 8% of total bookings and 15% of new bookings with both applications growing over 50% from last year. Continued adoption of Qualys solutions, increased large customer spend with 151 customers spending 500,000 or more with us. This represents 29% growth from the year ago period and speaks to a strategic role we are playing in our customers digital transformation initiatives. We remain focused on leveraging our scalable platform model to continue to drive superior margins and significant cash flow. Adjusted EBITDA for the third quarter of 2022 was $54.9 million representing a 44% margin. EPS for the third quarter of 2022 was $0.94 and our free cash flow for the third quarter of 2022 was $40.9 million representing a 33%. Year-to-date margin was 40%. In Q3, we continued to invest the cash we generated from operations back into Qualys including $1.2 million on capital expenditures and $95 million to repurchase 684,000 of our outstanding shares. With a long history of demonstrated strong profitable growth through times of uncertainty and volatility, we plan to continue to return excess cash to shareholders. As of the end of the quarter, we had $259 million remaining in our share repurchase program. Shifting now to guidance for the fourth quarter and full year. We are raising the bottom and top ends of our full year 2022 revenue and EPS guidance. While cyber security budgets remain largely unchanged, this guidance continues to reflect a pragmatic outlook regarding the uncertain global macroeconomic backdrop. Our guidance also reflects the planned increase in investments this year, while not losing sight of the importance of optimization as we remain committed to driving long term profitable growth. Specifically, these investments continue to include expansion of our partner programs and enhancing our relationships to leverage their large distribution networks. Alongside this, we will continue to invest in digital marketing initiatives and expand product management capabilities as well as sales capacity and support functions. Additionally, as Sumedh touched on earlier, shortly after quarter end, we announced the acquisition of Blue Hexagon. This is expected to have a de minimis impact on full year results. With that, full year revenue is expected to now be in the range of $488.6 million to $489.6 million representing a 19% growth. This compares to prior full year revenue guidance of $488 million to $489.5 million. In terms of profitability, we are raising our full year EPS guidance to now be in the range of $3.60 to $3.62. From the prior range of $3.50 to $3.55. This implies an EBITDA margin in the mid-40s. For the fourth quarter, we expect revenues to be in the range of $129.7 million to $130.7 million which represents 18% to 19% growth. We expect EPS to be in the range of $0.89 to $0.91. Our planned capital expenditures in Q4 is approximately $2.5 million to $3.5 million and for the full year 2022, we expect investments in the range of $15 million to $17 million. In conclusion, we believe our product differentiation will enable us to improve a competitive edge and drive durable top line growth, while leveraging our highly scalable model to maintain strong cash flow and industry leading profitability. We believe that with customers becoming more cost conscious with heightened scrutiny of their security spend, we will continue to see higher levels of customer interest associated with the value proposition of consolidating vendors on a single agent and see that dynamic playing well for Qualys long term. With that, Sumedh and I are happy to answer any of your questions.

[Operator Instructions] Our first question or comment comes from the line of Joshua Tilton from Wolfe Research. Your line is open.

Hey, guys. Thanks for taking my question. Is there any chance you can just start off with maybe commenting on the calculated billings growth in the quarter and maybe what caused the [indiscernible] from the quarter before?

Yes. So this quarter and Q3, current billings grew by 13%. For us, for our business, most of the time current billings could be indicative of bookings, but there are multiple different reasons why it may differ. So for example, this quarter specifically, I think current billings was impacted by multi-year prepaid deals that ran off as well as there was some FX impact that is not translating that full impact to revenue.

So I guess maybe just as a follow-up to that. Are you guys or are you guys not seeing any macro impact yet? I'm just trying to understand seemed pretty positive on the prepared remarks, but you also have kind of this slowing billings growth. So just help us understand what you guys are seeing from the macro and maybe where those impacts are or not showing up?

Yeah. I think that we are seeing the impact of the macro, we are seeing the uncertainty. In terms of the current billing though I think that most of the -- majority of the impact is FX (ph) adjusted, it's not materially different from last quarter. So the impact from the FX headwind is greater this quarter than last quarter and even excluding that because FX does have an impact on both bookings and current billings. We did have a negative headwind or impact from the multiyear prepays as well. So you can think of it as couple of hundred basis points negative head to current balance this quarter.

Thank you very much.

Thank you. Our next question or comment comes from the line of Matt Hedberg from RBC Capital Markets. Mr. Hedberg, your line is open.

Hi. This is Anusha for Matt Hedberg. Thanks for taking my question. Maybe just on the hiring, if you could just update us on the hiring front. You talked about double-digit growth in sales headcount in 2022. How is that progressing? And then looking out at 2023, have you set your priorities and budgets, how are you thinking about hiring? Yeah.

Yeah. We're very happy with the progress that we've been making. This year was an investment year for us. And I think that -- so far, we're on track. I think that the double-digit growth in sales and marketing headcount that we had shared at the earlier this year. We've already achieve that mark. And so right now, we're kind of turning to look to see where we can optimize and focus on that return. So next year, although, we will continue to invest in sales and marketing as well as other functions, the focus will be more on the optimization.

Got it. And then maybe kind of a follow-up on that. When we think about 2023, how should we think about the mix of investment around headcount, channel and digital marketing? It seems like you're leaning more into the channel. Maybe if you could just elaborate on that.

Yes. The channel investment started this year. It's new for us still early in the phase. And I think we're satisfied with the progress we've been making so far, but it's a little too early, so we'll be able to share more thoughts around that at our Q4 earnings.

Got it. Thank you.

Thank you. Our next question or comment comes from the line of Trevor Walsh from JMP Securities. Just to say Mr. Walsh, your line is – I'm sorry. Our next question or comment comes from Mr. Matt Saltzman from Morgan Stanley. Mr. Saltzman, your line is open.

Hey, team. Thanks for taking the question. So just first question, trying to understand how much of VMDR growth is coming from the existing base versus new customers? And then second part of that question is, as penetration into the existing base continues to increase and you need more net new business for further growth, how are the channel incentives going to impact the margin structure going forward? Thanks.

Yeah. I think that historically our growth has been primarily coming from the existing customer base as demonstrated by our -- a strong net dollar expansion rate. I think that we've been very successful in selling into our existing customers. The retention still remains to be very strong. On the new business front, I think there's work to be done. We could have executed better this quarter on the new business side and in terms of the unit economics, how we're thinking about pricing and incentives, especially with respect to channel partners. So little too early, we are working through that right now to think about how we're going to think through the profit sharing as well as the pricing overall because we are seeing increase in pricing competition.

Got it. Thanks so much.

Thank you. Our next question or comment comes from the line of Trevor Walsh from JMP Securities. Mr. Walsh, your line is open.

Hey, can you guys hear me?

Yeah.

Okay, great. Thanks for taking my question. Sumedh, maybe for you, I was curious if you could walk us through the thought process around the Blue Hexagon acquisition. My understanding that's more of a network detection response type offering for the most part. So as far as building or buying or partnering, actually probably more importantly given you've got some integrations with other network centric players. Can you just help us understand kind of what was special about them and the logic behind that? And then kind of relatedly maybe kind of what you're seeing in the broader XDR picture and how that might help to kind of flesh out your offering there? Thanks.

Yeah. Great question. So in Blue Hexagon, they really brought to us a very strong team and a platform that understands machine learning and AI more specifically in the security space. And so when you have that kind of a platform with Qualys having the large amount of data, the 13 trillion data points. So we talked about that. We index and the telemetry that we get. There's many different applications that we can see that are very relevant to security that can be sort of created from that combining platform that they have from a machine learning perspective with the data that we have. And the ability to sort of detect macro-based intrusions from our malware in the environment that you mentioned about is sort of one application of that and that's sort of the first more matured application that we will be looking to integrate into our total cloud that we announced where leveraging the network data that we see in the cloud environment, we will be able to provide detection around zero to exploits, et cetera. But we see a broader application over the next few quarters over the next year or so that we will integrate different aspects of our data into the machine learning platform and we'll be able to help different applications including more targeted patching for vulnerabilities that using ML model actually bubble up to be the ones that are going to be the most exploitable, et cetera. And then just providing more insight to our customers on what to prioritize on remediation as well as help with our EDR and our XDR capabilities to bring additional machine learning capabilities into those modules as well for analyzing the data. And so, as we continue to build a more holistic platform as we really think about it is customers need to know their devices, they need to be able to mitigate risk and then they need to be able to monitor the threats and that's where the combination of asset inventory, VMDR plus branch management and then EDR plus XDR from Qualys is going to benefit from the integration of Blue Hexagon into our stack.

Great. Thank you.

Thank you. I'm showing no additional questions in the queue at this time. I would like to thank everyone for participating in today's call. This concludes the program. You may now disconnect. Everyone have a wonderful day.

Goodbye.