Qualys, Inc. Aktie

Ladies and gentlemen, thank you for standing by. Welcome to Qualys First Quarter 2026 Investor Call. [Operator Instructions]. Please be advised that today's conference is being recorded.

I would like now to turn the conference over to Blair King, Investor Relations. Please go ahead.

Thanks, Michelle. Good afternoon, and welcome to Qualys' First Quarter 2026 Earnings Call. Joining me today to discuss our results, Sumedh Thakar, our President and CEO; and Joo Mi Kim, our CFO.

Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to product capabilities, future events or future financial or operating performance. Actual results may materially differ from these statements and factors that could result -- and factors that could cause results to differ materially are set forth in today's press release in our filings with the SEC, including our latest Form 10-Q and 10-K.

Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events.

During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks and investor presentation are all available on the Investor Relations section of our website.

So with that, I'd like to now turn the call over to Sumedh.

Thanks, Blair, and welcome to our first quarter earnings call. I'm pleased to report we delivered another quarter of strong revenue growth and profitability. With the accelerated progress of new frontier models, discovering vulnerabilities and writing experts autonomously, the number of detections is going to go up significantly while the exploit window is going to shrink dramatically. The need for organizations to know their true risk to effectively prioritize and auto-remediate riskiest vulnerabilities in less than a day has never been greater.

This is why we innovated with the ETM enterprise tourist management platform, which implements an AI rock risk operation center so customers can get the risks remediated instead of relying on dashboard tourism with siloed products that increase their exposure. Given our #1 rating in the GigaOM Patch Management radar with over 150 million patches deployed and over 40 million of these delivered autonomously in the last year with a Six Sigma accuracy organizations are turning to Qualys as the trusted solution to help them move from current broken manual remediation processes to high-impact, low-risk autonomous remediation workflow at scale that go beyond patch management. And that's exactly where we are focused.

With exploitable vulnerability volumes surging 6.5x and average time to expect collapsing to under a day as adversaries weaponized vulnerabilities before Patches even exists, security teams focus on theoretical exposure are overwhelmed. Just finding more and more vulnerabilities doesn't equal risk. Real risk is determined by whether an adversity can successfully execute and explore path in an organization's live environment. That's why I'm pleased to report that our most recent addition to our agent AI marketplace agent Vail is now generally available, powered by TruConfirm within our ATM solution agent well delivers closed-loop exploit validation and autonomous remediation directly to the rock.

Using autonomous exploit validation at scale, we remove the guest work for customers by running safe exploits over the network to confirm whether attackers will succeed in their breach attempts while enabling security and IT teams to focus on the less than 1% of threats actually exploitable in their production environment. In doing so, we have closed the gap between theoretical and actual exposure and believe set a new adoption standard in the industry, while traditional ETM solutions take days to pull scan telemetry from scanning tools and rely on theoretical risk scores ignoring, mitigating security controls, ETM and its agentic AI workforce takes a fundamental different approach.

Inside a continuously functioning loop, it detects vulnerabilities, validates exploit, quantifies real risk, automate remediation and revalidate the exploit, optimize and integrated with leading LLM and SLM this end-to-end approach empowers organizations to be laser-focused on prioritizing only exploitable threats for the next logical step, which is autonomous remediation, leveraging agent era and TruRisk eliminate.

Underpinning our risk eliminated solution is our new AI-powered batch reliability score, a model trained our own proprietary data set of hundreds of millions of deployed patches, which predict patch induced outages before they happen, giving customers the confidence to deploy with certainty or positive purpose while setting a new standard for predictive operationally aware patch management.

With an umbrella of remediation solutions, including matching and other competing controls, with less than 10% rollback rate. The AI native rock accelerates streamlines and demoralizer security outcomes, so transforming from, we think, to know it's being fixed at machine speed. In the context of the newest frontier AI models giving attackers the ability to soon discover diverse -- zero-day vulnerabilities, generate exploits in near real time and develop autonomous attack agents, unlike anything the industry has seen, the feedback to our get it fixed in our approach from many of the CISOs I met at our decent [ Rocco ] EMEA event in London has been very positive. They shared their excitement about the rapid pace of new capabilities we are delivering their deployment agenda and their ability to now autonomously monitor, measure and confidently remediate actual risk in multi-vendor environment in an era where just generating visibility dashboards is increasingly unacceptable.

Our industry-leading capabilities are gaining broader recognition among our customers, partners and third-party analysts. Specifically, our total cloud solution was recognized as a leader in CNAPP in the Q1 2026 Forrester Wave report, and subsequently won the 2026 SC Award for the Best Cloud Security Management solution.

Both underscore our capabilities in delivering unified visibility with real-time detection and response at run time across hybrid environments. It was also positioned as a leader in 2026 GigaOM report for cloud and entity and title management and following our dual pan awards late last year, our third research unit has again demonstrated its impact with the discovery of Track Armor uncovering critical app armor vulnerabilities that can lead to root-level compromise and container escape across millions of Linux systems worldwide. This, alongside with our recently released research on the broken physics of remediation further demonstrate Qualys' commitment to fortified security operations and raising the bar on adversaries. The net result is that we have distinctly unified CTM exploit validation cyber risk quantification and remediation into a single AI-driven risk fabric that continuously senses alerts reasons and acts across hybrid environments on with these capabilities and growing rock momentum that will soon autonomously trigger ITSM workflows. We remain laser-focused on accelerating ETM adoption throughout our vulnerability management and detection response customer base and positioning Qualys for larger upsell opportunities over time.

Turning to our business update. We have established a long history of converting operational challenges into strong competitive advantages demonstrated by customers spending $500,000 or more growing 9% from a year ago to 2021 -- [ 2020 ] months. That's why one of my favorite wins in Q1 was with an existing global 1,500 customer despite strong foundational visibility that teams struggled to operationalize risk reduction across the growing mix of on-prem multi-cloud environment, silo tools fragmented telemetry, a growing population of LLM and millions of vulnerabilities with limited business contacts. This customer recognized the traditional severity-based prioritizing methods were not long -- are no longer sufficient and launched a strategic initiative to unify risk signals across their environment and operationalize the rock. Leveraging AI for security and security for AI, they expanded the Qualys footprint by adopting ETM and total AI in a mid-6-figure annual upsell.

By consolidating disparate signals into the Qualys platform, this customer now has a unified orchestration layer that delivers end-to-end visibility across the attack surface, including deep scans on their assets across binaries, open source libraries and dependencies with centralized risk quantification, prioritize remediation workflows and measurable outcomes aligned with business risk tolerance. This win reflects broader ETM momentum as more and more customers turn to Qualys for evidence-based export validation and remediation while benefiting from the efficiency and scale of AI-native -- automation.

Partners remain a key pillar for our growth agenda. In addition to a growing list of nearly 2 dozen certified MRO partners beginning to actively launch new services we are seeing momentum build across all geographic theaters with a strong focus on AI and native rock. For example, one of our largest MRO partners is now in the process of bringing the case-ready AI-native rock to market powered by our ETM and automated remediation solutions. Additionally, to our strategic alliances initiatives, we continue to drive deep technology integrations, co-selling opportunities and demand generation programs. to drive innovation in security research through the latest -- models. We have partnered with open AI in their crystal access for cyber program and anthropic in their cyber verification program to advance our vulnerability and threat intelligence and allow customers to ingest these findings into ETM for further detection and remediation.

On the cyber insurance side, we are also pleased to announce a new strategic partnership with Converge Insurance, leveraging the quality team solution to help their customers demonstrate strong security hygiene and qualify for meaningful premium reduction, advancing our vision of tying cybersecurity to business outcome for CECL.

Further supporting our growth trajectory in Q1, we continue to expand data testing of Flex designed to help customers accelerate and broaden their adoption of the Qualys TTM platform. Based on strong early engagement and positive feedback we're planning to build on this momentum by proactively identifying opportunities to extend [ Keflex ] to select customers and partners with a go-live date planned for later this year.

And finally, as the federal government seeks to garnish greater efficiency and replace outdated and costly on-prem deployments from years past with modern cloud-native risk management solutions we are especially excited to host our third annual [ Pedro ] conference in Washington, D.C. towards the end of this month. We have made good progress growing our federal business and advancing our fed ramp high status with large federal agencies, and we continue to believe this market will fuel a new leg of growth for the company over time.

In summary, we are pioneering a new category in pre-breach risk management by bringing autonomous exploit validation, risk quantification and zero-day remediation together within a single AI-driven risk fabric that redefines how enterprises operational as cyber risk. Complementing frontier model discover vulnerabilities. Our platform leverages proprietary domain data, real-time telemetry and deep operational context using sensors and agents behind the firewall to continuously discover assets, validate exposures, quantify risks, remediate threats and enforce company-specific policies, which are unavailable in the public domain.

This is driven by our 2 decades of processing petrabytes of structured telemetry, combined with industry-leading threat intelligence in a closed-loop system that compounds across thousands of customer environment every day. printer models are powerful and accelerated back path analysis and triage. However, they need to be paired with a highly reliable control plane to consistently enforce accurate policy and compliance outcomes across live hybrid environments. This is where the unique value proposition for Qualys customers live, and it requires deterministic auditable, repeatable and trusted execution with effectively zero tolerance for error with attacks moving and machine speed and increasingly requiring defenses start to learn and respond in real-time closed-loop agents orchestration, driven policy and harness by flexible model choice act as a force multiplier further enabling precise risk quantification, safe remediation and even faster and more doministic outcomes at scale.

For Qualys, this means our massive data context, LLM and SLM integration and trusted execution serve as the system of record for pre-beach cyber risk management and translate AI into a packaged Rock automation platform that delivers customers measurable risk reduction, zero-day remediation, government outcomes and immediate ROI.

With that, I will turn the call over to Joo Mi to further discuss our first quarter results and outlook for the second quarter and full year 2026.

Thanks, Ned, and good afternoon. Before I start, I'd like to note that except revenues all financial figures are non-GAAP and growth rates are based on comparisons to the prior year period unless stated otherwise.

Turning to first quarter results. Revenues grew 10% to $175.6 million. The channel continued to increase its contribution, making up 52% of total revenue compared to 49% a year ago. Revenues from channel partners grew 17%, outpacing direct, which grew 3%. As a result of our strategic emphasis on leveraging our partner ecosystem to drive growth, we expect this trend to continue. IGO, 15% growth outside the U.S. was ahead of our domestic business, which grew 6%. U.S. and international revenue mix was 55% and 45%, respectively.

In Q1, as expected, there was no meaningful movement in our net dollar expansion rate, closing the quarter at 104%, and slightly up from 103% last quarter. More importantly, we'd like to turn to a new metric that we plan to disclose going forward on a quarterly basis. net dollar expansion rate of customers with prior year purchase of ATM or CSAM subscriptions. We believe that this metric is currently the best indicator of success of our ATM strategic initiatives.

With ATM innovation having stemmed from strong customer demand. We anticipate ATM adoption to drive higher net dollar expansion rate. However, given that ATM adoption is still in its early stages, we have decided to include CSAM customers in this cohort so that the metric has more wait to it. In addition, as a reminder, ATM is essentially an upgrade from CSAM. So we believe that this is an appropriate baseline to track and measure going forward.

In Q1, the net dollar expansion rate of ETM CSAM cohort was 107%. As more customers move into this cohort. We hope to see consistent and meaningful improvement to our overall net dollar expansion rate and thereby driving accelerated revenue growth. Moving on to product mix. Our differentiated new products continue to drive growth.

First, ATM, CSAM combined made up 11% of total bookings and 14% of new bookings on an LTM basis in Q1, up from last year's 8% and 9%, respectively. Next, past management made up 8% of total bookings and 15% of new bookings on an LTM basis in Q1. This compares to 7% and 16%, respectively, in Q1 of last year. Lastly, total cloud made up 5% of total LTM bookings in Q1, unchanged from a year ago. We believe that these differentiated products, combined with increased contribution to bookings in 2026 and given our opportunity to increase market share and maximize share of wallet.

Reflecting our scalable and sustainable business model, adjusted EBITDA for the first quarter of 2026 was $83.3 million, representing a 47% margin, same as last year. Operating expenses in Q1 increased by 8% to $67.5 million, driven by investments in sales and marketing, which grew 17%. With this strong performance, EPS for the first quarter of 2026 was $1.95 per diluted share and our free cash flow was $93.6 million, representing a 53% margin compared to 67% in the prior year. In Q1, we continued to invest the cash we generated from operations back into Qualys including $1.7 million on capital expenditures and $53.9 million to repurchase $505,000 of our outstanding shares. Please commencing our share repurchase program in February of 2018. We've repurchased 11.2 million shares and returned $1.3 billion in cash to shareholders. As of the end of the quarter, we had $306.6 million remaining in our share repurchase program.

With that, let us turn to guidance, starting with revenues. For the full year 2026, we now expect revenues to be in the range of $721 million to $727 million, which represents a growth rate of 8% to 9%. This compares to prior guidance of $717 million to $725 million. For the second quarter of 2026, we expect revenues to be in the range of $177.5 million to $179.5 million, representing a growth rate of 8% to 9%. While we believe our approach to pre-breach, cyber risk management provides some installation and this ongoing macro volatility. This guidance continues to see no material change in our net dollar expansion rate. With moderate growth contribution from new business in 2026.

Shifting to profitability guidance. For the full year 2026 we expect EBITDA margin to be in the mid-40s, implying mid-teens increase in operating expenses and free cash flow margin in the low 40s. We expect full year EPS to be in the range of 7.44 to 7.65, up from the prior range of [ 7.97 ] to 7.45. For the second quarter of 2026, we expect EPS to be in the range of $1.73 to $1.80. Our planned capital expenditures in 2026 are expected to be in the range of $8 million to $12 million and for the second quarter of 2026 in the range of $1.2 million to $3.2 million.

As the impact of the macro economy is still unfolding, we are closely monitoring the business environment and adjusting our priorities accordingly. That said, considering the long-term growth opportunities ahead of us and our industry-leading margins and plan further room for investment. We intend to continue to responsibly align our product and marketing investments to focus on high-impact initiatives -- driving more pipeline, accelerating our partner program and expanding our federal vertical. As a percentage of revenue, we expect to prioritize an increase in investments in sales and marketing with more modest increases in engineering and G&A.

With that -- I would be happy to answer any of your questions.

[Operator Instructions]. The first question will come from Patrick Colville with Scotiabank.

In your prepared remarks, I mean, I think you did a really good job of conveying why risk quantification, I guess, testing whether an asset exploitable with run time context the ability to kind of patch and revalidate all make Qualys at low risk of AI disruption in the enterprise. But what I want to ask, though, is there's a lot of hype around anthropic Claude, [ Midos ], OpenAI, GPT 5.4, Cyber. Are they leading to more inbounds? And if so, like how will those inbounds and that kind of surge of interest translate into the financial model in 2026?

Yes, that's a great question. And I think our customers who are in this day in and day out, they understand pretty well that this is going to lead to more disclosures of patches and vulnerabilities from multiple vendors that they use. And I think the challenge is going to be more about -- as -- I mean on the positive side, I think these models are helping companies get better with finding these vulnerabilities themselves versus waiting for a tapers to find them, but it also means that they're going to lead to more catches being announced by our multiple vendors that the customers will have to deploy. And I think the challenge is going to be more that once the patches come out, attackers leveraging AI can reverse engineer those patches and find the exploits. And so it really becomes a game of how quickly can you apply the patch that the vendor is giving in a matter of hours and not wait for days and weeks as it happens right now? And -- that's where a lot of the conversations that we have had with our customers, we're seeing a lot of CISOs and customers reaching out to understand how our patch management capability and the remediation capability and exploit validation capability is really going to be helpful for them because they all need to provide an update to their Board in terms of how they are going to fight against the AI-induced attacks that are coming from these models getting better and the response cannot be we are going to do more manual remediation.

They need to have a response that anchors themselves in fighting autonomous AI attacks with autonomous remediation. And they see us as a trusted vendor having deployed 150 million patches already and 40 million of those already fully autonomously deployed. And so a lot of those conversations are positive right now. But of course, it's in early stage, and we need to work through to see how they take out of the conversations, how they go back to their boards to their IT teams partnered with the IT team. So happy with the activity, but a little too early right now to talk about how the impact is going to be on the pipeline and outlook.

As Joo Mi said, we're not considering any change from where we are right now in terms of the guidance. But we are happy to see the engagement that we are seeing from the inbounds that we're getting from customers trying to understand how basically can respond to this.

Very clear. And can I just -- I mean just to touch on that point. So I mean, Joo Mi, you very kindly last quarter provided us a soft guidance for 7% to 8% current billings growth in 2026 is the point you were trying to make in the prepared remarks that remains the case. No change to that level even with the strong 1Q performance and I guess, the positive vibes that Sumedh was just talking to?

Yes, that's correct. I think that if you take a look at our Q1 performance, it was a solid start to the year. We're very pleased with the Q1 outlook as well as what we anticipate for the rest of the year. However, we don't see any material kind of meaningful change for the full year today. So given that the baseline still remains at 7% to 8% for the current billings for the full year.

And our next question will come from Roger Boyd with UBS.

Sumedh, it was a strong quarter from a new customer add perspective, and particularly for 1Q, which is typically seasonally a little bit lower. Can you just talk about what's working right from a new logo perspective? And then everything you just kind of mentioned from a patch management remediation standpoint, to what degree is that sort of impacting the new customer conversation, any metrics you can give around attach rate of patch management or TruRisk eliminate would be great.

Yes, great question. And I think we kind of talked about right now where we are with patch management, sort of 8% of LTM overall bookings and 15% of new bookings, right? And I think definitely good execution by the team. Focused execution is key there. If you kind of recall our what we talked about at RSA, and a little bit before that, our focus on agent I agents as we went into last year. I mean, if you look at today, what everybody is talking about is how can we very quickly autonomously remediate things. And this is not accident that we are here right now. We have been delivering capabilities around patching, going beyond patching the exploit validation. And those messages have been resonating with customers.

And so I think -- this is leading to better conversations with customers as they look at. We are encouraged with the conversations we are having around ATM. I mean the thing is, look, at the end of the day, risk measurement and risk management is going to be critical because it's the number of patches that you have to deploy, explores as a company cannot just deploy all the patches. And so anchoring it back to risk is very important. So eliminating the right risk and the minimum amount of risk is important and to be able to get there, so you're not matching and fixing everything, creating more risk from an outage then becomes very important because ETM is the one that does the hyper prioritization. And for ETM to be successful, you need high-quality detection capabilities. I think one of the concerns that customers have brought up after these models have come out has been the question of false negatives, right? If you're using Tier 2 scanners, the time it takes to get signatures out and find the findings versus scanner like Qualys, where we are getting signatures of multiple times a day, we are adding capabilities to detect things to reduce the false negative is becoming very important.

And I think that -- those conversations are culminating in positive conversations for ETM, which is still early and ETM and eliminate conversations typically they do go hand-in-hand many times. And so I think while it's still early for ETM, we are encouraged by the conversations that we are having at this point. And so again, we have to work to continue the execution. Very happy with how Q1 went. But we're going to continue to work on executing with the opportunity that's in front of us. And like we said, our partners are working with us closely and we look forward to continuing our partners, bringing us additional sort of new logos and working with our existing customers with the MRO services which can get more value for existing customers through our partners to make sure that our upsell also continues to pick up.

That's really helpful. And then maybe just a quick 1 for Joo Mi. On Q-Flex, you talked about kind of building out this pipeline and identifying a customer pipeline to extend that procurement model to. Can you just talk about kind of the customers that you see as a good fit for Q-Flex, and any thoughts on when that kind of push could start this year?

Yes. So mostly, Q-Flex is targeted towards our enterprise customers who need that flexibility to potentially cover the forecast that they have anticipated for the full year. So as an example, what they're looking for is -- given that we continuously enhance our products and come out with newer products throughout the year, they want the comfort of having to prepurchase or pre-clinic to a higher amount that they might necessarily think that it's absolutely needed for the year. we've been talking with the select group of customers that have the budget that are willing to pre-commit to a higher credit with Qualys, with the ability to swap out different products and offerings and try out newer solutions throughout the year, we're pleased with the momentum that we have today, and we do plan to go GA with Q-Flex later this year.

And I would quickly activate that this is right now with what is happening is a good example of where a Q-Flex model will be helpful for a customer because we didn't have exploit validation earlier last year. But now that we have that, and we have with us driving more focus on patching Q-Flex customers through the year will have more flexibility in being able to use those credits to suddenly pivot towards patching more because there is a particular event that has come up. and not have to sort of keep going back from a procurement perspective. So like Joo Mi said, exciting early conversations with these large customers, and we look forward to working through with them this year and then kind of getting towards the GA by the end of the year.

And the next question will come from Kingsley Crane with Canaccord.

Med, I guess just to start off, I'm kind of curious how important is access to something like Midos preview just for your business at all? And then just in general, talking about the growing marketplace of genetic AI solutions, we've seen a pretty significant jump recently, even with just modeled GPT 4.7. But what is the future of that type of integration with agents for the platform? And like how relevant is inference is a line item for Qualys, if you look like 3 years out?

That's a great question. I think it's less about a particular model and more about the direction that these models are going, right? And so I think for us, it is -- we have been leveraging other open source models as well, and we're excited to now be part of the TAC program from OpenAI, which gives us access to 5.5 cyber, which is an equivalent model for the most parts to Midos as an example and also part of the verification program. And we have -- since we have really been doing a lot of exploit and validity research ourselves, these type of models, whether it be these 2 front end models or other open source models that have been using in my mind, are definitely something that help us do a better job of figuring out exploits that we can safely create for our customer environment. So that the customers can really test the exact scale through the Qualys platform. It also helps us do a much better job at figuring out the right patches or the right mitigations.

One of the key things that we have done at Qualys, has really put a lot of research energy into coming up with mitigations that don't need a patch, people whether your patches, but we reverse engineer patches to figure out maybe there are other mitigations that can be leveraged to make sure that these mitigations can help the customer deploy a compensating control on the machine without having to deploy an immediate patch, which is extremely valuable for them. When they only have a few hours to make a decision on mitigating a highly exploitable vulnerability.

And that research is definitely what we have been doing, as the models are progressing, these partnerships definitely help us accelerate and cover more and get more options to help our customers go through that. So I see that leveraging these models, either whether it's through research or integrating with them to pull findings from these models, so customers can actually take their core findings and run it through the millions of Qualys agents that they already have installed to find the actual instance of that. or whether it is overall our own Agentic AI solutions, we use different small language models, large language models to optimize the outcomes for whether it's chat, whether it's an AI agent that is taking action, I think that is something that we look forward to continuing to partner with whether it's open source or these frontier models. And I do think that for any solution that is going to be important to make sure that they leverage some form of AI capabilities. It's just that because we uniquely do the exploit validation and patching, we have a very interesting use case for use of these models.

That's really helpful. And for Joo Mi, it's great to see the continued efficiency in the business. You've talked about R&D growing a bit more modestly than sales and marketing this year. So a 2% growth year-over-year, is that about what we should expect for the rest of the year? And just like speaking bigger picture in such a dynamic time for the cybersecurity market, I mean what would get you to invest more in that line item? And then I understood that you're already very efficient there operationally. So I can appreciate that.

Yes. Currently, what we're forecasting is OpEx growth in the mid-teens. Sales marketing continued to grow well, up to 15% mark. Last quarter, it grew by 18% year-over-year. This quarter, 17% year-over-year. So with sales and marketing potentially ramping in the second half of the year, rest of it that we've allocated for the R&D for the most part. We do anticipate a significant investment -- we think that could be justified from a return perspective, especially with the AI investments that we continue to make in the business. So given that, we're guiding to mid-40s EBITDA margin, which is implied by mid-teens growth in OpEx.

And the next question will come from Jonathan Ho with William Blair.

I just wanted to better understand sort of the breach risk management opportunity, how maybe this changes from prior approaches? And what makes maybe Qualys better positioned than other competitors to offer this solution.

Yes, that's a great question, Jonathan. I think it's not that it changes from the prior approach from a Qualys perspective, we have been building and innovating around the ETM platform and the concept of -- Operations Center, the last couple of years almost in preparation for something like this where we will see significant number of vulnerabilities coming our way, but you cannot fix anything in an operation. And you cannot play a vulnerability -- you're trying to jump from one way over to another.

So the idea of creating a risk operation center and elementing that with ETM has been to make sure that we are creating an outcome where things are fixed for the customer in a matter of hours. And I think that's an approach that's different than a CSAM solution, which is waiting for collecting data from different scanners and then creating some reasoning, but then they don't actually do the patching. They pass it off to somebody else to do the patching, which again loses time as an example. And so what I think we are seeing is the opportunity here is having created sort of this end to end.

I mean what's interesting is you look at our demo that we did at RSA agent well, Agent well went from finding the vulnerability, validating the exploit, applying a mitigation and then revaluating the exploit that it is fixed in under 15 minutes. I don't know if any CSAM solution can really do that where you get an outcome of something being fixed. And then with ETM, we are focused on the CRQ aspect of it as well, right? Just because the vulnerability and patch count goes up significantly, customers still need to think of this in terms of the business and the budget that they've allocated as how much of a risk to the business do these vulnerabilities carry so that they can make better decisions on prioritization. And that's, again, the other aspect of our ETM solution being integrated now with a cyber insurance company, where if you have a good score on your a good score that demonstrates you are actually doing the right cadence of fixing your vulnerabilities. You can actually get a premium reduction for your cyber insurance, which is a positive thing for your business.

And so ETM really has been about taking the businesses modification, the CSAM, the traditional CSAM component but also pairing that with extra validation and remediation giving an end to an outcome. I think what we are seeing now more is the customers who have been interested in this are now feeling like this is the time that they really need to look at this more deeply because of the number of liabilities that are going to come their way. They feel like they're looking at a risk operation center ETM and the ability to maybe some of the resistance that people have had in the past against autonomous remediation or patch management. in the initial conversation that we have had in the last couple of weeks, we're seeing a bit of a change in the way people are thinking about this as given that the threat landscape has changed.

So in that sense, it's a positive outcome for us to say that instead of other solutions where somebody else is scanning, somebody else is pulling the data and somebody else is patching the ability to go from detecting, validating, fixing and revalidating under 15 minutes is something that is really desirable. And doing that at -- accuracy is very desirable for our customers. So I think it's more that the platform really was innovated and designed for this. And now we're excited to see sort of these early conversations we are having with customers that are more interested in looking at this now because of the push coming from these front-end models, detecting more vulnerabilities.

Excellent. Just 1 quick follow-up. Does Mitas potentially expand the number and types of assets that you would also cover as well as maybe accelerating sort of this adoption of more products on the platform to deal with increased complexity?

Yes. I think these models will be able to find vulnerabilities in any core base, right? And so I think that's where the comprehensive nature of the Qualys sensors, whether it is detecting vulnerabilities on network assets, right, like, let's say, the traditional assets which have agents on laptops and other servers, expanding that into network assets or network-based assets like firewalls and VPN devices or cameras that are on the network or IoT devices. We already covered that.

And then of course, we also cover cloud and container security and a lot of these. And so I think what we are going to -- what we are seeing right now is that customer interest in covering as much as possible more natively so that they can get quick scan results and not have to wait for hours to pull these scandals -- if they can do more and more of those natively. So I think given that the threat, whether your server is running on-prem or in a data center or if the server is running as a container in the cloud, the threat from a quick vulnerability exploitation coming your way, is similar the conversations do lead themselves to -- and in a way, the way team is designed, it is designed to pull data from all kinds of different capabilities, whether it's cloud or containers or others.

And so there is more willingness from customers to say, today, they are doing dashboard tourism. They have a separate dashboard for cord scanning, a separate dashboard for cloud, a separate dashboard for on-prem separate dashboard for endpoint. If there is a way to operationalize and consolidate all of these different types of assets into more of a unified workflow where agent AI is looking at it and making autonomous decisions by looking at the previous enterprise context and then minimizing and then executing the minimum remediations, that is really where the focus of the customers is.

So I think, again, how these conversations proceed will be interesting, but it does lead customers to say I don't have necessarily the time now to go to look at 8 different individual risk management dashboards when it comes to previous bridge management, if there is a way for me to pull different things, normalize all of that and quickly focus on the ones that matter the most and then actually validate with exploits and remediate those. That is the ideal solution.

And our next question is going to come from Rudy Kessinger with D.A. Davidson.

I guess I'm curious just on the ETM sales so far. Are you getting that full $1 uplift on those early sales so far? And then if we think about the 107% net expansion rate with those customers, I feel a little foggy on that you're saying that includes customers who purchased ETM in the past. I guess, does that expansion percentage include the upsell from the purchasing ETM? Or if you could just break down that number a bit further?

Yes. It's a little too early for us to comment on how much of the uplift actually is illustrative dollar uplift is based on more of a list price, the cohort of customers that have subscriptions to ETM is too small today. And so given that, what we decided to do was, the number that we disclosed, 107% that actually includes customers who purchased CSAM or ETM. And so the way that we calculate that number is 1 year ago from today, so Q1 of 2025, which customers had ETM or CSAM subscriptions. We took those customers and then the revenue that they generated in June of 2025. So that would be the denominator, but the same cohort of customers in Q1 of 2026 and looked at the revenue contribution from that group. And so we calculate that percentage, it doesn't just include the ETM or CSAM subscription. It's a total spend spent by those customers.

So what we're thinking is our hypothesis is these customers theoretically whether they have CSAM and then eventually later upgrade to ETM because ETM is essentially an upgrade from CSAM or they start to purchase ETM, these Florida customers will help to drive the total net dollar expansion rate eventually because they see the value in it they'll be stickier with us, and then they will -- a higher upsell. So that's part of the reason why we're tracking this metric internally to make sure that. one, we're successfully upgrading CSAM customers to the ETM consumers. And two, is that really generating the type of upsell that we're looking for.

Got it. That's really helpful. I must have misheard it earlier on. And then secondly, how should we what does sales productivity look like? How has that been trending in the last few quarters? And just given the increases in sales and marketing expense outpacing the revenue growth, is there a lot more marketing dollars in there? Or where is that investment going in sales and marketing?

Yes. Majority of the increase in sales and marketing is still driven by headcount. So if you take a look at our headcount growth, it was over 10% for the sales and marketing the ETM side last year. A part of the reason is because we do see a huge upside in the business. And because we are focused on moving the business from direct to indirect, as we work closely with our partners, we have different sales teams, whether it be a sales team focused on direct sales or sales team focused on ETM sales or sales teams that they are really focused on the channel management or relationship there. And so we do anticipate continued growth and continued investment in that team.

And so as a result, the productivity is not necessarily the traditional SaaS feel of it, it's not exactly where we think it will be in the future. We're working on it right now. There's room for increase in efficiency. I'm not seeing it there yet, like you pointed out, especially because we do see this is a time for us to invest more versus making sure that we scale that based on the productivity metric that we see today.

And our next question will come from Joseph Gallo with Jefferies.

I believe you mentioned that your guidance today reflects NRR kind of stays flat. The ETM NRR is 107% and expected to grow. So how should we think about the potential time line for acceleration of total NRR? And is there any pressures or offsets that we should think through that might keep that number flat over the next couple of quarters?

Yes. Our NRR has been around the 103%, 104% range for the last couple of quarters. And the reason why we're still assuming for the baseline, that to be the case, it's because ETM is still in the early stages. We don't anticipate a significant ramp in terms of the adoption of ETM that will result in the total company and our ROE to be ticking on materially this year.

So for this year, our baseline is that taking into consideration the macro factors, geopolitical conditions today, we do see some potential headwinds could be fully offset by the tailwinds that Sumedh had mentioned earlier, with the increase in demand given that our customers are willing to spend more with us increase in cybersecurity risk that we can definitely help to remediate. But with that said, all in all, our guidance assumes baseline case growth more or less in line, definitely from the current billings perspective, revenue, we've increased slightly just because of the beat that we saw in Q1. But overall, nothing has changed from the case that we saw earlier in February.

No, that's super helpful. And just as a follow-up. I mean you mentioned kind of geopolitic pensions. I think you made a comment in your opening remarks about closely monitoring the business environment and adjusting priorities accordingly. Is there any way to quantify, I guess, what you're seeing, is that mostly related to the war? Is there anything in terms of customer budgets and they're prioritizing AI spend today and not necessarily cyber. I'm just kind of curious what the actual math was behind some of those comments you made on macro? And if anything has changed over the last 90 days?

Yes. The way we're monitoring the situation is basically stemming from the conversations that we're having from our existing customers as well as new prospects. So when we're discussing potentially coming over to call us as a new customer or increasing their spend with us, whether in quarter cycle or at a quarter cycle. There could be disruptions during that discussion. So as an example, I would say that any announcement from OpenAI or entropic could be a disruption as we're talking through it. It could be a factor.

Now that could result in increase in sales from us, but it could increase the sales cycle. And so that's why we're taking a look at the scenario, there will be puts and takes. There will be some gains. There will be some offsetting factors. And that's why we thought that the baseline if you model it , the way we view it today is more or less fall in that range that we had calculated at the beginning of the year.

Yes. So far in terms of budgets, we haven't seen any real changes there from customers or any conversations directly when it comes to cyber, I think it's stayed roughly the same. But as Joo Mi said, just being prudent at sort of what potentially could -- we should look at in the future.

And the next question come from Shrenik Kothari [indiscernible].

Yes. Thanks -- so in light of the Frontier AI, a cache explosion and now at agent Vail to more broader remediation, you also emphasize the pathways patching which are -- remember, we've been specializing in and talking about in the past. So I know you talked about early customer conversations. Just really appreciate if you would let me point to some anecdote some proof points, how that can -- or it's become a real budgeted sort of operating priorities for customers over and above, typically as the products customers like conceptually, but just what's really changing and anything you can point to and I had a quick follow-up.

Yes. Like I said, I think I gave that example of we had -- we have been having quite a few customer conversations in the last few days, and I had a CEO a very large bank in Canada sort of got on the call and is like to basically look our challenge right now is to get things quickly key scanner right now and how -- who should we partner with for patching. And when I was able to explain to them we already do the eliminate part immediately, he was excited about that so that he would go talk to his board that they're partnering with a solution that is going to help them have the ability as needed to rapidly fix and patch things and not wait for the teams patching solution to take days and weeks to patch things. And so that led to an immediate conversation of starting an immediate POC as an example, right?

So again, it's early days. That's an anecdotal example. But we are seeing that pushback or resistance that we had for integrated patching and autonomous patching. In the early conversations is coming with -- like where they are asking, hey, do you have a patchy capability because that's what I need to be able to explain not that I'm finding more and scanning more or I'm taking my scanning and I'm passing it off to some other patching solution, which is taking even longer.

So that is an example of a good conversation that we had where our customers quite excited to have the ability to quickly find remediate -- quickly find exploit it verify it, patch it. in a matter of hours and be done so they can show that level of success rather than just finding more things. So that would be an example of just something that happened 2 days ago.

Great. That's super helpful, Sue. And just July, a quick follow-up. Just following up to Joe's question on NRR. And I just wanted to hear your thoughts on what sort of moves the needle for kind of this next leg of growth? I mean it still appears to be guiding off sort of a base case with no real assumed NRR movement, you, of course, have agent Vail and GA, there's better ETM mix, the continued strength in channel, international. So can you help us understand, is it mainly just prudent about the sales cycles as you mentioned, and you still need more proof points on monetization? Or there's also some legacy mix drag, which is playing a role in addition to you accelerating higher value attach or?

Yes. It's based on a historical track record of what we've been able to see. One of the reasons why we thought that this was the best metric that we could share with the investors today is because if you people look at our historical products, whether it be CSAM or otherwise, it does take a bit of time for our newer product to take to our customers. So as an example, CSAM wasn't actually launched in 2021. And if you take a look at the percentage contribution to bookings, ETM plus CSAM, currently make up 11% of bookings on an LTM basis. So you can understand that looking at the CSAM conversion or upgrade to ETF will likely take some time since ETM just went live, and it's been in GA for a little over a year. So given that, we're assuming that this will take time for more of our customers to adopt ETM, and that will translate to increase in spend that's meaningful enough for the total revenue growth.

And the next question will come from Brian Essex with JPMorgan.

I guess maybe one for you, Sumedh, on the back of the increased capabilities of foundation models in the security space, and thinking about where you're seeing vulnerabilities across the spectrum where you have operating systems, infrastructure, both package as well as custom applications and then OT environments. The spectrum of flexibility, if you will, across those different types of areas is -- can be materially -- particularly for hardware, some of it can't be patch it might have to be replaced, custom apps that have to be maybe need to be refactored. From your experience and what you're seeing from the foundation model companies, where is their expertise best placed for vulnerability discovery and potential exploitation? And how does that change the risk profile of your customers and how they may utilize your platform to mitigate those risks?

Yes. Great question. I think helping software developers find more vulnerabilities in their code is definitely one of the key things there that these models bring and which will definitely lead to more disclosure. But in theory, right, you could say that, well, if all software developers are able to find these vulnerabilities using the models, then you kind of don't necessarily have a 0-day problem because all these software developers who find them the code themselves before the attackers do and they will create patches, right?

And then customers just have to focus on applying those patches. I think the other capability, the frontier models are doing well is the ability to change low-level vulnerability exploits that maybe have a lower CVSS score and the customer might not have fixed those in the past because their score was low, but being able to chain a few of those to create an exploit. And that's where the advantage of the TruRisk platform is very solid because our true risk scoring, and we have demonstrated this multiple times that we are actually scoring low-level CVS vulnerabilities as very high, about 40 days before they get added into CSAM as an example.

So having the customers have that intelligence that we are bringing and to the environment to say, look, this is a low-level vulnerability, but it is prone to be used in an attack and making sure that, that is mitigated becomes important.

Now the third piece of what you mentioned is, I think it's perfectly fine to say that I'm not going to patch this because my risk is low. And that's a very individual organization level conversation that needs to happen, which, again, with ETM in the tourist platform, we are helping customers understand the context in their environment, understand the exploitability and make the determination that maybe it's perfectly valid to say we're not going to pass this because we have mitigating controls in place.

And that's where we were, again, ahead of the curve when a couple of years ago, we introduced the concept of patch list patching is the ability to deploy mitigations for some of these environments where, yes, you cannot necessarily patch an OT asset immediately like you would normally do, but maybe -- or even the regular assets with operating systems and packages but providing them a way to say, look, I think if you just delete this old DLL, which our agent can do for you. Deleting a DLL or making a change to a registry key or something simple like that can actually prevent exploit from running in that particular environment.

And so that is the third piece of it, which is perfectly valid with ETM to say a lot less than 1% of the vulnerabilities that are actually exploitable in your environment. And then these are the ones we don't need to fix because we validate it, they're not exportable, but then to also be able to say we actually have a way to mitigate this with a compensating control without deploying a patch makes it very interesting. In fact, one of the popular ones with our customers is we provide them the ability to see that the package that has the vulnerability is actually not being used on an asset for the last 18 months. So on installed is actually a better option than trying to patch it.

So it's -- that's why I call it the eliminated buffet, which gives customers multiple different choices because that's the goal is not a patch. The goal is to remediate and eliminate the risk. That's why the TruRisk eliminate with prioritization validation becomes so important.

Great. That's super helpful. And maybe if I could squeeze one in for Joo Mi on Q-Flex. It sounds like that the program is targeted at large enterprise customers are already spending a meaningful amount on the platform. But are you -- is there any potential for existing customers who may be ripe for migration to ETM where you could actually accelerate that migration by offering them Q-Flex as well?

There is. And so we are working with customers today. So we are working with a solid group of customers to -- so that they have an option of adopting Q-Flex today. And so it's not stopping. It's just that we are planning to go broadly GA with it by the end of the year. So we think that there is definitely a potential where that could help us to drive growth.

And we do have those conversations with customers who are looking to do ATM. We start the conversation with Q-Flex, which is well received, especially given this environment where so many new capabilities are coming, things are changing fast and they need the flexibility, even if you're not the largest enterprise you still need the flexibility to be able to move things around pretty quickly. And in fact, enterprises that don't necessarily have a cyber budget that is the size of the GDP for a small country actually have the most value in many times from being able to do these kind of automations and say like, I don't need to fix all these things because I've validated they're not relevant in my environment, no matter what different your model says.

Right. Makes a lot of sense.

This is all the time that we have for questions. We want to thank you for your participation. This will conclude today's conference call, and have a good evening.

Ladies and gentlemen, thank you for standing by. Welcome to Qualys' Fourth Quarter 2025 Investor Call. [Operator Instructions]. Please be advised that today's conference is being recorded. I would now like to turn the conference over to Blair King, Investor Relations. Please go ahead.

Thank you, Michelle, and good afternoon, and welcome to Qualys' Fourth Quarter 2025 Earnings Call. Joining me today to discuss our results are Sumedh Thakar, President and CEO; and Joo Mi Kim, our CFO.

Before we get started, I'd like to remind you that our remarks today will include forward-looking statements that generally relate to our future events or future financial and operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events.

During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks and investor presentation are all available on the Investor Relations section of our website. So with that, I'd like to now turn the call over to Sumedh.

Thank you, Blair, and welcome to our fourth quarter earnings call. As [indiscernible] continue to compress time to exploit, we believe the next phase of pre-breach risk management will be defined by an Agentic AI-driven risk fabric with out-of-the-box business quantification, automated remediation to respond to the speed of these threats. Against that backdrop, we continue to execute well in Q4 demonstrated by another quarter of strong revenue growth and profitability.

In my conversations with hundreds of CIOs and CSOs as well as security leaders from many of the world's largest and most innovative organizations, 1 message has remained consistently clear. Reducing cyber risk isn't about detecting more exposures. It's about operationalizing a cyber risk management program that aligns spend with risk tolerance. In doing so, CSOs are increasingly prioritizing the unification of fragmented security stack into a centralized risk fabric. One that serves as a credible alternative to single vendor platforms by bringing diverse risk vectors into a prioritized measurable view of risk that the teams can confidently communicate and remediate at machine speed.

That message was further amplified as our recently concluded [ Rakon ] conference in Mumbai with attendance up over 30% from last year's event as we again broadened the agenda to include a business truck and with the element of AI, which is demoralizing cybercrime and enabling adversaries to operate with unprecedented speed and sophistication, this meal is only intensifying. As a result, we believe that the future of previous breach risk management belongs to vendor-agnostic agentic AI-powered solutions that continuously predict, assist, confirm, quantify prioritize and remediate risk across on-prem and multi-cloud environments.

Over the past years, we continue to execute relentlessly towards this vision. Delivering meaningful platform innovation to help customers reduce risk faster, operate more efficiently and stay ahead of an increasingly dynamic landscape. Accordingly, in 2025, we broadly expanded the Qualys ETM platform, the third-party data and launched a powerful new orchestration layer that unifies Qualys and non-Qualys findings applies our industry-leading crecintelligence and delivers a business contextual quantified view of risk with built-in prioritization and automated remediation. Building on this foundation, we introduced an agent AR risk fabric that assesses and normalizes diverse internal and external data sources, applications and machines.

We expanded -- we extended these capabilities with the first-of-a-kind Agentic AI risk management marketplace, enabling security and IT teams to quickly augment their existing workforce with highly specialized autonomous experts that significantly reduce time to remediation, increase accuracy and reduce costs. To further close security gaps, we again organically enhance ETM with a natively integrated identity security partial management solution at a time when identities have become part of the new AI perimeter.

And further flexing the power of our platform, we are now confirming exploits the four customers are compromised, while traditional continuous threat exposure management solutions rely on a theoretical risk score and ignore mitigating security controls. ATM takes a fundamentally different approach on a single platform. It uniquely detects vulnerabilities, validates exploitability applies remediation and revalidate exploit using agent workflow. The net result is that Qualys is redefining how organizations manage previous risk management while competitors continue to focus on detecting vulnerabilities or mapping theoretical exposures, polishes moved decisively beyond that model.

We are pioneering the first Agentic AI native risk operation center rock, a new category in cybersecurity designed to centralize an organization's response to that spanning exploit confirmation to autonomous remediation. Powered by our ETM solution, the rock present a fundamental diversions from traditional CTM tools. Competitors can point to exposures. They can't quantify cyber in dollar terms that matters most to the business, and they cannot adequately fix step. ETM fills that gap. This is what sets Qualys apart. We don't stop at detection and non-quantifiable prioritization.

We natively integrate CTM, export confirmation risk quantification and remediation operations into a single air-powered workflow to leveraging both Qualys and non-Qualys data sources. In doing so, our architecture orchestrates and implements a perception reasoning action loop enabling autonomous agents to collect real-time telemetry reason through risk signals, plan response workflows and execute actions. This enables organizations to holistically predict emerging risk across infrastructure, cloud application security, IoT and identities, safely confirm probable exploits, prioritized threats based on business impact immediate through patching or other compensating controls and verify the effectiveness of the remediated tactic.

This end-to-end vendor neutral approach is catalyzing a paradigm shift in pre-breach cyber risk management, the customers aren't just seeing their risk holistically across the rest they are validating it, quantifying it and reducing it continuously and autonomously at scale. By aligning security and IT decisions directly with business priorities, we are providing organizations with measurable proactive risk reduction that brings customer value. Armed with this fresh new set of capabilities and early momentum already validating this model, we are now laser-focused on accelerating ETM adoption through our VMDR customer base. and positioning Qualys for larger upsell opportunities over time. Moving to our business update with customers spending $50,000 or more with us growing 4% from a year ago to 215.

Let me now share a couple of recent wins which illustrate why organizations ready to centralize the response to cyber risk or turning to Qualys to help unify the security stack onefine remediate risk in their environment and fortify their security operations. First, an existing Global 50 customer was struggling under the weight of multiple unintegrated security tools millions of vulnerabilities and limited visibility into the overall risk profile. Traditional prioritization methods were unable to adequately fill up critical findings leading security and IT teams without the necessary business context to act decisively.

Consequently, this customer selected Qualys and launched a strategic initiative to unify the security stack by transforming silo risk signals spanning on-prem and multi-cloud environment into a cohesive identic AI-native risk management solution. This included expanding the ETM deployment to further operationalize the rock with ingested third-party data from several sources, resulting in a mid-6-figure annual bookings observed. By consolidating these data services into the Qualys platform, we are now delivering this customer a unified orchestration layer and full visibility of their attack surface.

Centralized reassessment quantification prioritization and regulation workflows while unleashing the operational efficiency of the stack consolidation. This expansion of the rock underscores the power of our platform and reinforces policy's ability to unify solutes signals, operate as an autonomous defense layer, strengthen customer outcomes aligned to the business risk tolerance and advance our leadership in the industry. Leveraging our Amrock partner ecosystem, we are also pulling new business into Qualys. During the planning stages of launching a new ATM POC with a Global 200 company in Latin America, we secured a 7-figure annual bookings upsell, which included our total cloud SNAP and Policy audit solutions. This win demonstrates the leverage of our partner-led motion and our ability to convert early engagements into meaningful multi-solution growth. Turning to our federal business.

We achieved a mid-6-figure expansion with 1 of the federal government's most visible shared security services utilized by several large government agencies nationwide, faced with an overwhelming volume of security issues that limited resources to continuously assess risk across augmented tools and manual workflows, this customer chose Qualys for its cloud native ramp high authorized platform to enable a centralized government program that quantitatively prioritizes risk with automated assessment, standard output and low operational overhead. Given the success of this deployment, we are now working towards a agency ATM rollout representing a significant upsell opportunity as the shared services team prepares to operationalize its risk operation center.

These results alongside another 6-figure upsell with a separate large fetal agency reinforce our program ability to align technical capabilities with operational outcomes that address modern security challenges and unders for the long-term growth opportunity in our federal business. Beyond these wins, we are also gaining more leverage from our partner ecosystem as we continue to endorse a partner for sales motion, partner-led deal registration increase again in Q4. reflecting deeper alignment and execution across the channel. In addition, with well over a dozen certified MRO partners actively launching new services Momentum continues to build towards a global Rock alliance, fueling our capability, furnishing transformative solution sales and bringing new business to Qualys.

Further contributing to our growth profile. In Q4, we continued beta test in Q-Flex to help customers accelerate and maximize adoption of the wallet ETM platform. Given the strong customer response and early success of this model, we plan to continue to focus on proactively identifying opportunities to leverage Q-Flex to enable select customers and partners to accelerate their adoption of wallet solutions in 2026. In summary, we are fundamentally changing our organizations managed [indiscernible] fiber risk by unifying stem with extra confirmation, risk quantification and automated remediation powered by an Agentic AI is fabric.

Our rapid pace of innovation and strategic investments are driving strong competitive differentiation, deeper rock adoption, broader engagements across large federal agencies, growing partner-led execution and initial Q-Flex success. Looking ahead to 2026, we'll continue our disruptive innovation, further advance our go-to-market investments and execute our rock vision with a balanced approach to long-term growth and profitability. With that, I will turn the call over to Jimmy to further discuss our fourth quarter results and outlook for the first quarter and full year 2026.

Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that except for revenue all financial figures are non-GAAP and growth rates are based on comparisons to the prior year period unless stated otherwise.

We're pleased to report a healthy finish to the year. highlighting our continued execution, financial discipline and scalable business model. For the full year, we grew revenues by 10% to $669.1 million and achieved adjusted EBITDA margin of 47% and even with continued 14% growth in investments in sales and marketing. Net income and EPS grew 13% and 15% to $257.8 million and $7.07 per diluted share, respectively. And free cash flow reached $304.4 million or 45% of revenues, all of which exceeded our expectations for the year. Turning to fourth quarter results. Revenues grew 10% to $175.3 million.

The channel continued to increase its contribution, making up 51% of total revenues compared to 48% a year ago. Revenues from Channel Partners grew 17%, outpacing Direct, which grew 4%. As a result of our strategic emphasis on leveraging our partner ecosystem to drive growth, we expect this trend to continue. BGEO, 15% growth outside the U.S. was ahead of our domestic business, which grew 6%. U.S. and international revenue mix was 56% and 44%, respectively. With customers confirming their prioritization of security within IT budgets, we anticipate the selling environment in 2026 to remain similar to last year with a low to mid-single-digit growth in security spend persisting for the foreseeable future. Reflecting the sentiment, our gross dollar retention rate remained comfortably above 90%.

We saw a modest sequential decline in Q4 with our net dollar expansion rate at 103%, down from 104% last quarter. In terms of product mix, our differentiated new products continue to drive growth with all 3 of the following increase in contribution to bookings in 2025. First, cybersecurity Asset Management, combined with ETM made up 10% of total bookings and 13% of new bookings in 2025, up from last year's 8% and 9%, respectively. Next, patch management made up 8% of total bookings and 16% of new bookings in 2025, up from last year's 7% and 16%, respectively.

Lastly, total cloud made up 5% of total bookings in 2025, up from 4% a year ago. We believe that these differentiated products combined will continue to increase contribution to bookings in 2026, given our opportunity to increase market share and maximize share of wallet. Turning to profitability. Adjusted EBITDA for the fourth quarter of 2025 was $82.6 million, representing a 47% margin, same as last year's. Operating expenses in Q4 and increased by 11% to $68.9 million, driven by investment in sales and marketing, which grew 18%.

With this strong performance, fourth quarter of 2025 was $1.87 per diluted share, and our free cash flow was $74.9 million, representing a 43% margin compared to 26% in the prior year. In Q4, we continued to invest the cash we generated from operations back into Qualys, including $724,000 on capital expenditures and $44.7 million to repurchase 2 of our outstanding shares. Since commencing our share repurchase program in February of 2018, we've repurchased 10.7 million shares and returned over $1.2 billion in cash to shareholders.

As of the end of the quarter, we had $160.5 million remaining in our share repurchase program. We are pleased to announce that our Board has authorized another increase of $200 million to the share repurchase program bringing the total available amount for share repurchases to $360.5 million. With that, let us turn to guidance, starting with revenue. For the full year 2026, we expect revenue to be in the range of $717 million to $725 million, which represents a growth rate of 7% to 8%. For the first quarter of 2026, we expect revenues to be in the range of $172.5 million to $174.5 million, representing a growth rate of 8% to 9%.

This guidance assumes no material change in our net dollar expansion rate with moderate growth contribution from new business in 2026. Shifting to profitability guidance. For the full year 2026, we expect EBITDA margin to be in the mid-40s implying mid-teens increase in operating expenses and free cash flow more trend in the low 40s. We expect full year EPS to be in the range of $7.17 to $7.45.

For the first quarter of 2026, we expect EPS to be in the range of $1.76 to 1.83. Our planned capital expenditures in 2026 are expected to be in the range of $8 million to $12 million. And for the first quarter of 2026 in the range of $1.2 million to $2.6 million. In 2026, with respect to operating expenses, we plan to align our product and marketing investments to focus on specific initiatives aimed at driving our pipeline, accelerating our partner program and expanding our federal vertical. As a percentage of revenues, we expect to prioritize an increase in investments in sales and marketing with more modest increases in engineering and G&A. With that, Sumedh, and I would be happy to answer any of your questions.

[Operator Instructions]. And the first question comes from Jonathan Ho with William Blair.

Congratulations on the strong quarter. Can you talk a little bit more about some of your Flex offerings and how it potentially helps remove friction and perhaps encourages broader adoption of your platform?

Yes. Thank you very much. And that's a great question. We've talked about this last quarter as well. I think if you have to -- if you take that in relation to what we are doing with the risk operation center and how we're differentiating ourselves from the exposure management solutions is that the ability to detect all your assets, find your vulnerability ability to use genetic AI to actually not only prioritize those, which is what a lot of these exposure management solutions do, which is just giving you a score, we're leveraging the ability to use Agentic AI to confirm those exploits with the environment, which is very differentiated from what everybody does.

But then after that, actually, the ability to also remediate those. And so being able to get this end-to-end very quickly, very fast before attackers are leveraging AI to do the same for your environment. The Q-Flex proposal allows the customer at their pace to then be able to consolidate a lot of these capabilities on a single platform with Qualys and do that over a period of time during their subscription with us, which allows them to maybe initially start with more of that prioritization and confirmation, but then as the year goes by, it allows them then to leverage our eliminate capabilities more and more to be able to focus on getting the outcome of getting these things fixed.

And so what we're excited about is our conversations initially with the customers that have adopted this have been very positive in the fact that the security environment is not a static environment at the beginning of the year. It is continuously changing throughout the year. And the flexibility that pricing model offers them to actually be able to leverage different Qualys capabilities throughout the year as the threats change is a very big positive for them. So really happy with the feedback we have gotten in the beta phase. And at this year, 2026, we look forward to doing more of that and moving more towards the GA model for that.

Got it. Got it. And then just in terms of some of your comments around AI, I mean, clearly, you're seeing a lot of customer interest here. Can you maybe help us understand like where the customer is in terms of their AI journey? And also help us understand what that opportunity for Qualys. So if you start selling more of these Agentic products, AI sort of negative products, how do we think about how that can impact sort of net retention going forward?

Sure. I think a lot of people talk about AI is embedded in their platform. I think where we differentiate ourselves is that what we have done is introduced the concept of an AI agent marketplace within the platform, which allows the customers to actually augment their workforce, their security team, which we have talked about this for years that there's never been enough talent in the security space.

So the ability to get Agentic with an expert in patches as the ability to get Agent valve with an expert agents with skill sets that can autonomously make calculations and decisions on exploitation remediation. So the ability to say, look, I want to employ this particular agent on the platform to achieve a task, which otherwise would take me weeks and months to hire a consultant to get that outcome. What we've done with our agent AI capabilities is not only have those built in throughout the platform. But with Agentic, we can now actually have these agents that feel like they're really part of that team, and they can help you get those outcomes.

And the way we have really positioned this is that customers who are leveraging VMDR, they get a really high-quality list of findings. But then as they cross-sell into they get the ability to not only do the prioritization of these vulnerabilities but they get the HDK capabilities, which then allow them to do achieve different half. And as you look at how customers are thinking of head count, et cetera, in the AI world, these really help them get to those outcomes pretty quickly. And then, of course, in addition to that, with our total AI offering, we're also helping customers detect find and address vulnerabilities and misconfigurations that are coming up in the AI workload that they have. And so with that, we look forward to customers bringing more data around their own around their own AI solutions into Qualys ATM.

And we believe that the agent KI capabilities are a differentiator for customers to upgrade from or to cross-sell from the MDR into as well as looking at some of the other exposure management solutions where they just give you a score this will allow them to actually use an agent to get patching done pretty fast and pretty quickly. And so we see that, that differentiation can be the catalyst for customers to pick ATM over some of those other exposure management solutions about out there.

And the next question will come from Kingsley Crane with Canaccord.

Congrats on the quarter. You answered some of this in the prior response, but would just love to hear more about how Asian valves elevating ETM from an efficacy perspective. And just how [indiscernible] is reducing total net hours at the customer level and how that's resonating with customers?

Thanks. I wish -- unfortunately, the call is only an hour, but I can talk about this forever. But look, I think we have seen the history of this evolution back when [indiscernible] somewhat with this is like everybody is giving you theoretical scores, right, based on the vulnerability findings and CV as information that is out there. Unfortunately, a theoretical score does not actually mean that a high school does not mean that the customer may not have other controls in place. that mitigate that actual exploit from working in that environment.

They might have a firewall. They might have something else, memory protection that has enabled that typical scanner or a typical exposure management solution will not pick up. what [indiscernible] does, it leverages that decision-making, autonomous decision-making process to basically look at the findings, look at the scoring, but then actually the ability to run a very safe exploit against the asset. To confirm whether that vulnerability is actually exploitable in their environment on their machine or it is not, not just a theoretical score.

And what typically happens is when the security team gives these scores to the IT team, they spend a lot of time trying to chase down these findings only to feel like this was a false positive because, look, we already have a control in place and a lot of time is wasted in arguing back and forth. What the customers really want to be able to do is not waste their IT things time on fixing things that actually are not exportable in that environment. And the ability to for sure confirm by running an actual exploit in a safe manner that this is or is not exportable. It means that the IT teams will be saving significant amount of time not chasing down cost scores and we'll actually have a absolute confirmation that, yes, it is a very highly exploitable.

Well, nobody even I don't need to worry about it because I have other controls that are mitigating this. or it is highly exploitable [indiscernible] it, and I don't have a protection in the environment. So instead of us chasing scores, I can actually go and focus on fixing these and that's going to making a lot safer. So it's a significant time saving for the customer because of the ADI workflow, they can actually then significantly reduce the number of findings that they have. And the other thing is that once the exploit is confirmed on your environment, you don't have the time to create GRA tickets and ServiceNow tickets to them to help people go and manually make the remediation.

As soon as you know that this is exploitable in your environment confirm, you want to be able to use another agent to immediately kick off remediation and get it fixed and you feel a lot more comfortable because now you have confirmed that this is exploitable, it's not theoretical. So people are going to want to also save time and not leave the exposure open for a long time by being able to run that exploit and then also automatically run the remediation. And you cannot show up for the AI fight today with your [indiscernible] and your ServiceNow tickets. You got to be able to do automation and autonomous decision-making to get things fixed. And that's the differentiator.

H

Yes. It's really exciting times, and it's good that you're leading the way here. For Joo Mi, it's been a remarkable year for Qualys. You guided to 7% at the midpoint, entering last year, and you put up 10% and now you're guiding closer to 8% this year. How can we think about the levers for upside to growth this year?

Yes. 2025 was a solid year from an execution standpoint. It was a very exciting year for us with ETM having gone live at the end of 2024. We've had a significant number of discussions with our existing customers in terms of how we can increase value without them having to doubled their spend initially with us. And so in doing that and we're working through our partners, what we were able to do is finalize our pricing and packaging for ETM and identify our key products that are going to be levered for growth in the short term and the long term going forward as well.

So 2025, solid year with closing the year with another 10% growth or revenue, which we're really pleased about. Now when it comes to current billings, it came in line as expectations from last quarter with 2025 current billings growth of 8%. That's slightly lower than the 9% that we posted back in 2024 for current billings. So looking ahead to 2026, I think that's kind of more or less in line with what the baseline case is for us. Looking out, our guidance is really informed by what we see in the business today, the discussions that we're having, what we expect from the macro and in the spending environment.

With that said, we do anticipate significant upside. Given what Samad just covered, we have very exciting product discussions with existing customers as well as prospects. I think that we've gone ahead and really leverage our innovation and our power to really deliver what the customers are looking for and what the market is looking for. So we're excited about the outlook. But with that said, the baseline still remains to be around 7% to 8%.

And our next question will come from Rahul Chopra with Berenberg.

I have a couple of questions. I mean, I appreciate these are not your estimates, but if I look at 2023 market share data which you gave at the time you had market total market is 64 billion. In the current deck, you are talking about 53 billion market for 2026. At the same time, I can see previously, you had '28 market of, I think, something around 79 billion, 78 billion. Now '29 market is $75 billion.

My question here is that basically is the core market shrinking for VM and exposure management. I appreciate these are not your estimates, but I just wanted to understand what you're thinking about the core estimates in terms of the market itself, what is it doing? One.

The second question is, I wanted to understand your thoughts about the competitive landscape in [indiscernible], especially given the ServiceNow is acquiring [indiscernible]. Obviously, that's going to probably change some dynamics. So I wanted to hear your thoughts on that, please.

Sure. I think I've been in Qualys for 20-something years, and vulnerability management has definitely changed. And if you recall, we've been talking about that as the number of assets have increased the number of CBEs and software has increased. We're seeing that customers in the traditional way that vulnerability scanning was done is just generating way too much noise and vulnerability management has evolved, which we have called out many times. And that's the reason in the last few years, we've been focusing on shifting and focusing on the solutions that customers actually are looking for.

So as an example, when we innovated with Patch management, where the first vendor to do that. And even today, we're not seeing really much traction with others in matchmakers yes, not just vulnerability management doesn't mean you just scan and scan and scan if you cannot get it fixed. And so as that evolves, innovate, we came up with patch management as a capability we came with [indiscernible] Asset Management that was needed for a successful VM program. Now we have expanded that capability with agent with ETM because that's really what customers are looking for is how do you continue to triage that. And then adding a layer of of validation is another game changer in our mind from a vulnerability management perspective. And then along the way, we've also focused on how do we bring total cloud, which is a Snap solution that we have, which we're very happy with the traction that we're seeing with that. We're coming up with Agentic AI.

So for us, it is about how do we continue to track the areas that customers are focusing on and then how do we maximize our share of that spend that they have. and that's what you're seeing the provision in the innovation that we are going. And it's great to see that there is a focus and attention on the CTM exposure management marketplace, as you mentioned, with ServiceNow buying [indiscernible], which has been around for a long time. using passive capabilities to detect asset inventory, et cetera. But the reality, again, is that today, customers don't want just more vulnerability findings from these solutions that don't actually help you fix anything.

And so, what we are looking forward to is, again, autonomous workflows leveraging agent to get customers to fix things quickly, as you saw in the recent [indiscernible] report that the mean time to remediate over the last 5 years has gone from 63 days to negative 1 day. So today, again, with solutions like that, ServiceNow [indiscernible] and other solutions, do you have the time to create ServiceNow tickets and chase people down while attackers are having a free time exploiting your vulnerabilities. So what we feel pretty excited about with our customer conversations is the differentiation that we have that is allowing them to very quickly and accurately get to the things that actually matter to their business, put dollar value loss quantification numbers on it, get the validation and get the vulnerabilities fixed, and that is allowing us to differentiate, and that's where a lot of the conversations we're seeing are very positive in the focus of not just another exposure management solution, but moving towards a risk operation center.

And so our goal here is that, of course, security market keeps changing, et cetera. we're bringing solutions that we are looking forward to maximizing the share of the customer spend focused on the pre-breach side of the security and not necessarily the postpaid side.

And the next question is going to come from Nehal Chokshi with Northland Capital.

Yes. And nice color there on why the Army's acquisition by ServiceNow won't be impactful. It sounds like a key portion here is that basically, they're lacking patch management. So can you dive a little bit further here and explain why patch management has remained such a differentiator for Qualys here?

Yes. Thank you. I think today, if you see, right, like people are finding millions and millions of finding and the IT team does not want to be spending all their time in sort of innovating going out and fixing so many vulnerabilities without the proper context. And so what we're seeing is that -- and we talked about this a couple of months ago, that Qualys agents have been able to deploy 140 million patches just in the last 12 months. And in one of the recent GigaOm reports, we replaced as the #1 bench management vendor by the analysts. And so the reason why we're getting so much traction is that in the past, I remember when I joined Qualys scanning once a quarter and taking [indiscernible] to fix all your issues was considered. Okay. Today, when attackers are attacking you within 3, 4, 5 hours of the volumes being disclosed, you need that ability to quickly correlate CV figure out that it doesn't matter to your business or that it's not exploitable in that environment and actually get it fixed.

And so our success with patch management really has been a highly integrated solution with VM and not just a partnership where you're going out with some other separate solution and trying to bridge that gap is highly integrated solution that is quickly able to not only detect the vulnerability, or find whether it is actually exploitable in the environment. But then within a matter of minutes, it can actually fix and patch that particular issue. And so what we're excited about is to see the success of patch management in the last few couple of years, but also what we did end of last year is moved even further into providing customers more abilities to mitigate the risk of the vulnerability without patching.

And I like to call it [indiscernible] which is applying mitigating controls on the machine, which has given even more flexibility to our customers because sometimes you're worried about a patch breaking, something, how do you balance the worry of patch breaking something with the worry of getting exploited and many times because of our super deep research in the patch research landscape with our research analysts, we actually are able to figure out the way exploits are working and then find ways to apply mitigations on the machine so that the actual exploit can be blocked.

So at the end of the day, what is the point of all the spend you do in volubility scanning is to get the right things fixed before the takers get there. So the majority of the value that comes in that overall spend is really about the patching part. If you do not patch it, you can build all kinds of dashboards and there's a dashboard tourism going on right now, but those dashboards don't mean anything if you don't actually get it fixed before the backers get to it.

Okay. And Joo Mi, are there any headwinds leading to expectation of no change in MDR in your calendar 2016 guidance with the embedded new cantor side?

Yes. Our guidance is assuming no material change in net dollar expansion rate, you could see that it's always kind of gone up a quarter or down a quarter in the past couple of years. And right now, us being -- starting out the year ending 2025 at 103, we don't anticipate a material change Sara.

So why is that? Why are you expecting no change?

Our guidance is informed by what we're seeing in the pipeline today and what we're expecting based on our existing customers, what they anticipate buying moreover how they're thinking about spending more with Qualys in 2026. Our preliminary discussions and view into the outlook today implies that assuming kind of similar in line gross dollar retention, the expectations from an upsell standpoint and then, of course, a new business on what we expect to land from a new logo perspective, this is all informing our guidance and the way we look at things.

And that's the base case. Now our goal will be to continue to improve our execution on the ETM and rock the customers getting to know that. And that, to me, remains the upside in -- for the business is with federal now with our [indiscernible] we got and the federal space partners, et cetera. So I think that's kind of where we are with just assuming 103 as we see it right now, but we continue to work on the upside in the business that we can particularly have.

So does that imply that your expectations, the baseline expectations that ETM incremental penetration to installed base continues at this relatively slow pace that we're not hitting an inflection point yet?

I think it's very early. So like we said at the end of the last year where we had started with POCs. We're super encouraged with what we are seeing with the POCs and the conversion that we're having. But again, it's very early, right? We're talking about customers that are early adopters. So it's encouraging, but we're not -- we haven't had enough of those to really map out a confirmed trajectory of how that is going to go. So I think as we execute better in the first a couple of quarters, that's where we will get to understand even better now.

That's where, as Joo Mi talked about in the past, we will start to provide guidance on how ETM is going to how ETM is growing for us, starting the Q1 earnings call for 2026. And so that will allow you to sort of track where we're starting and then how we're going to go through the next couple of years on that big opportunity that we see right now.

And our next question will come from Rudy Kessinger with D.A. Davidson.

Joo Mi, I think you said in response to Jonathan's questions earlier. I think you said baseline remains around 7% to 8%. I'm not sure if you're referring to the revenue guide for this year or if that was also your expectation for roughly what we should expect for current calculated billings for the year.

I would say that we don't give a specific guidance for our current sales. But our expectation is our current billings growth rate will be more or less in line with our revenue growth rate of 7% to 8% for both for full year 2026.

Yes. Okay. Got it. And then just maybe kind of a follow-up to the past question. Certainly, it sounds like there's a lot of optimism about the early ETM interest and adoption and whatnot. But at the same time, it's still just being too early to maybe drive an improvement in the net expansion rate or the overall revenue growth rate. And I guess just I don't -- we've been hearing that for a few quarters now. Is -- I mean, what needs to go right, whether it's with the channel or utilizing QFlex? Is there a potential that this year we could see enough adoption that we do see expansion rate tick up or revenue accelerate? Or is that unlikely just based on the current pipeline?

Yes. I mean all of that needs to go right. I think we're -- I think we've done a lot of innovation. The products are coming out now, which is great. The agent value is going to be very interesting for us and the recent identity solution is also very interesting. I think a key part of our strategy definitely has been working partners. And so as an example, one of the key areas of focus right now where we are certifying more MRO partners as an example. And we are getting these partners up to speed and we're getting the partners trained and helping them create their offerings around the risk operation center.

And the idea here really is that these partners then with those services actually can bring us net new business can bring us upsell opportunities because they don't have to have a replacement conversation maybe with the existing vendor that they might have been selling for the last couple of years. They can actually create a service for risk management with MRO on top of their existing VM solution, as an example, by pulling that data into Qualys and then ETM and then charging the customer for the management and the consolidation of their various risk factors, et cetera.

So that's an area that we are looking forward to as that matures and as we are in the early days of getting those partners up to speed once those partners then start to take those offerings to their customers, that response will also help us see how that is gaining traction. Again, early conversations have been great. We've got to see that in the way that these customers -- these partners are bringing us some of their business. I think Q4 has been really a positive thing for when we are taking a customer who has VMDR and then converting over to ETM. That has actually been a really positive thing for customers so that they can kind of build in or certain amount of growth, and they can look at the ability to take the journey of a risk operation center at that pace.

And then, of course, we just got our [indiscernible] end of last year, so that's allowed us to have more conversations for the 2026 budget cycle for federal that obviously were not in line in time for 2025. So those conversations after Fed ramp high for '26, '27 are also going to be quite interesting for us. as potential upside. And so I think as Julie has provided sort of the guidance that we see as of now, we're excited about some of these things that can potentially create the opportunity for us to do better than that.

Thank you. And our next question will come from Matthew Hedberg with RBC Capital.

This is Mike Richardson on for Matt. keeping a little high level here. Anthropics new model release today, put an emphasis on cybersecurity and specifically, the model's performance for vulnerability discovery and patching. So I was just wondering if you could talk about what you believe these developments mean for Qualys. And maybe the cybersecurity industry more broadly as model providers look to potentially go deeper into cybersecurity.

Yes. Great question. I think today's announcement was great in terms of that -- understanding the fact that autonomous during the quoting process or when you look at the core for software and pointing Agentic AI to that, is definitely something that the attackers are looking to leverage, and they're leveraging as well to be able to discover vulnerabilities in the code base. Now having the ability to discover on nobody in an open source code is one thing, which is what Entropic is helping.

But once you find that this particular cohort has a particular vulnerability that could be exploited you need to go find all of the machines or any that software, all over the customers' environment internally, externally. And then the ability to test that after all the controls that the customer has put in place in their environment on that machine, is that actually exploitable each in usual customers' environment in each individual customer's machine. And that's the part where I think the topic development actually really helps again stress that and why after a particular vulnerability is discovered and exploit is discovered, why it is important to use a agent I type solution to very quickly validate that in your environment and then actually fix it and apply a fix autonomously because when you're using AI to find these particular vulnerabilities and trackers are going to -- are using the same model they are going to try to do their best to very quickly exploit those.

So we -- what we feel is we are empowering our customers with ETM and with somebody like [indiscernible] to actually stay ahead of the gap between Discover for vulnerability to the exploitation that we can actually leverage BPM with agent to then actually find this issue in their specific environment on their specific machine and then protect them very quickly by actually being able to patch that. And so that's really the main differentiator. So I think in a way, it's great to show the power of what AI is able to provide for the attackers to find issues in open source. And then it signifies even more the value of the ATM platform to actually find that during a run time and not just in the core base as one topic is doing today.

And the next question will come from Patrick Colville with Scotia Bank.

This is Joe [indiscernible] on for Patrick Colville. Can you help us understand -- I know you kind of touched on this, but can you help us just better understand the strategy you're taking to get customers to adopt not just vulnerability management, but also prioritization and patch management. And then I'm wondering, is there a way to think about what percentage of the customer base is just using that basic functionality of vulnerability management?

Yes, great question. I think if you kind of look at what we have been doing with patch management, by the way, and if you look at -- we're very happy to see the adoption of patch management, cybersecurity, asset management as the capabilities that sort of take that vanilla VMDR and add more execution around -- or execution for success around those list of CVEs, we're pretty happy and excited to see that.

And so today with the ability to provide customers with things like average exposure window, the ability to provide customers the way that, that particular only actually impacts their particular environment. As an example, your typical threat exposure management solutions will give you a score, a risk score, and they will say that this particular issue has a risk -- or this particular asset has a risk score of 900 or 1,000 and another one has a 750 and 1,000 which one we need fixed first.

If you just go by the risk core as an example, you're going to see that maybe that risk core of 900 or 1,000 is on a machine that makes you $2 million a year, but the $750 million is on one that makes you $500 million a year. Immediately our prioritization switches and is exactly the opposite of what your exposure management solution give you because now you added a dollar value. And once you have that and you know that you're potentially going to have a loss of $500 million because of the export of this vulnerability.

The next thing that customers want to be able to do is how quickly can I protect myself from making sure that I don't lose that $500 million. And that's where integrated patching and integrated mitigation solution like Qualys is super impactful for them because now they don't waste time because once attackers are starting to exploit vulnerabilities, it is just a -- you're sitting duck with an open window and the quicker you can close that window, the better it is going to be. And our customers are really seeing that. That's why the adoption of patch management has been increasing 140 million purchase in the last 1 year. is quite a milestone for us. And the ability to sort of give them that visibility to say that you can -- with this platform, you're not just exposing your exposure, you're actually fixing it is a great story. And our partners are also excited about the ability to not just provide services around more visibility the ability to actually be the partner for the customer that gets them an outcome of actually the risk reduced is a differentiator.

And that's kind of where we are looking forward to continuing our innovation around the exploit validation and the mitigation and touch management solution as well as awareness building around the risk operation center is an area for focus for us. And then along the way, risks come from cloud. They come from your standard virtual machines, they come from cloud. That's where we have focused a lot. They've come from identities. We have [indiscernible] that. They come from misconfigurations and we have policy audit for that, they come from AI now for which we have total AI as an example. So we continue to expand ways to bring more assets into ETM. At the same time, we continue to innovate on ways to absolutely get to the final outcome of actually releasing risk with automation and agent as fast as you can. And that honestly is really, in my mind, a big differentiator.

That makes sense. And if I could sneak in 1 more. I think you mentioned that you're still in beta testing for Q-Flex and that you're going to leverage it for select partners. Is that just timing? Or are you not planning to go customer-wide with that pricing model?

Yes. We went data with Q Flex last year. And so we understand how we could be very additive to -- so Court of customers. So we're rolling it out on a case-by-case basis because we want to create a win-win scenario for us. Right? If for a customer, we feel like they would really benefit and increase their spend with us by giving them this flexibility, we're more than happy to work with them. to whether it's through a partner or directly with us. For broadly speaking, we don't want to be in a situation where unintentionally results in a downsell for us.

And then also, they don't have the ability to try out other products because they they're maximizing their budget and thinking through it in that -- from that perspective. So right now, it's in beta, but in the longer term, we do plan on going to GA with that and potentially with a slightly tweaked structure.

And our next question will come from Yuan Kim with Loop Capital.

All right. Some, I think you touched upon some of my questions already, but how engaged our partners involving core VM renewals? Or are they or a lot of them, the newer partners are you attracted last year? Are they more about selling new products?

Yes. The MRO partners that we work with are pretty excited. We're starting to see these partners launch their own services for risk operation center, which obviously takes some time because they have to come up with the with the ushers for the services, staff them with the right experts for risk quantification, et cetera. But what they are excited about is that instead of just looking at, can I get another $0.05, $0.10 of margin on a dollar the ability to say that with RO, they can actually offer higher value services, the service you can offer to a CISO is here, we're going to give you a business oriented cyber risk visibility deck that you can take to your Board every quarter that's going to make you look very smart in front of the board is a significant value and they can charge multiple dollars, as an example, for those services around ETM, which they cannot necessarily do around other areas.

And with the agent capabilities built in, the partners are excited that, that actually can also reduce the spend that they have to do to staff there. services teams with people if they didn't take AI capabilities in the platform can get them a patch Tuesday report within 24 hours versus taking 2 weeks for a consulting to manually go and create associates to do things like that. So very exciting early conversations. We're already starting to see some interesting wins, though it's early days with new business and existing business with those partners that understand the risk story and positioning the broader risk management rather than just, okay, here's another list of vulnerabilities that I can provide you. Those conversations are very positive.

And so as I said, we're really focused right now on our GTM efforts around training these partners around partnering with them. and introducing them to customers as they introduce us to prospects, et cetera. And as that progresses, I'm excited about the potential that partners can bring customers to us, even if that customer might have another VM scanning solution, they can keep their solution, and they can actually bring that customer to us and the partner can make multiple dollars on every dollar of ETM that they sell for us.

Okay. Great. That's very helpful. Joo Mi, if you can remind us how renewals are lined up for the year, either skewed towards that could have second half of the year consistent with the prior years? Or with the newer products coming in, do you see some early renewals or renewals mix kind of changing up this year?

Right now, our expectation is that the seasonality remains the same. So same thing as what you saw in 2025, it will be skewed towards the second half of 2026.

And the next question will come from Junaid Siddiqui with Truist .

Great. Sumedh, you've talked about the risk operation centers focused on proactive risk management. versus the stock focused on detection after the breach being a major differentiator. Just wanted to ask, are you starting to see budgets flow more towards proactive security versus reactive detection and response?

Yes. Thanks, Junaid, for that question. We definitely see the conversations with our partners who said like, look, I've invested a lot over the last few years in EDR, XDR, post-rate solutions around SOC and -- and of course, there is some focus now on Agentic AI SoC solutions that they're looking at to improve that even further. But what they feel is that on the pre-breach side, they have invested, but they've invested in a bunch of, I call them, XPM tools, which is have DSP, SSP CSPM, but all of them are just giving you multiple dashboards.

And there is definitely a bit of a fatigue with these customers and saying these dashboards are not helping you prevent a breach. While I have put in place a protection on the post breach side to try to find attackers if I can do a better job and operationalize my workflow so that I can take all these findings from multiple tools. You have these core scanners, which are kind of like also service sometimes because they give you so many findings. The conversations definitely are moving in that.

There is a positive conversation on leveraging budget that they have or asking for more budget over the next couple of years. to move in that direction. And the early adoption of ETM that we are seeing is necessary -- essentially, we're going and getting budget that they are not always moving away from something that already budgeted for. So some customers have started to put budget aside for exposure management, so to say, or RBM, but when we show them Rock, which is much bigger than exposure management and much more than RBWM, they are actually able to work with us to shift on that budget. So I definitely feel like there is a more of a focus last year and into this year on we need to do a better job at proactive risk management. We've done a lot of work around the reactive side. Let's focus to get better on the proactive side.

And the next question will come from Jason Zhang with Wolfe Research.

Guys. This is Joshua Tilton from Wolfe Research. Can you guys hear me?

Yes, Josh.

Awesome. Sumedh, I want to follow up on your answer when you were asked about kind of entropic blank post today on cybersecurity. And then I just I want to reask the question, but I want to ask it in a much more simpler way. Is the way to think about it that a lot of the functionality that Anthropic was talking to was more around application security testing. And kind of some of the vulnerability discovery that happens before you would use a traditional VM tool. And again, I just play a security expert on TV. So if I'm thinking about it the wrong way, please let me know. But is that kind of the right way to think about it?

Yes. Right now, a lot of that focus is on looking at open source code and looking -- going to the code base to look at commit logs, et cetera, around that core to find the vulnerabilities in that particular code base now that core base is then compiled into some piece of application software, which then is running all over the place across millions of machines in different customer environments behind different firewalls, et cetera. So generally, that's sort of where we see while its focus is more around once those vulnerabilities are discovered or attack is starting to use those, how do we then quickly assess those in a run time rather than application code discovery time, which is where a lot of these AI agents are focusing on.

Makes total sense. And then maybe just a quick follow-up for Joo Mi. I think in the past, there's been several leadership changes throughout the years where there was always a plan to kind of invest to reignite growth. And I'm just curious, when we think about the EPS guidance for the full year, how do you think about the level of investment for '26 that's baked into that EPS guidance versus prior years when maybe you've had one of these kind of new CRO in place or other leadership roles being filled?

We're really pleased to start off the year strong with all key positions filled with a strong executive team who's tenured. So keeping that in mind, last year, we had guided to low 40s EBITDA margin coming off of 2020 for 47%. And so the implied gap or implied margin contraction was significantly higher than what you're seeing today. out the year 2025 with 47% EBITDA margin. We're guiding to mid-40s for EBITDA. So a slight contraction, but it's not as significant as what we had guided to at the beginning of 2025.

This does conclude today's question-and-answer session, and this also concludes today's conference call. Thank you so much for participating, and you may now disconnect.

All right. We'll get going here. But thank you all for joining the UBS Tech and AI Conference Day 2. I'm Roger Boyd. I cover cybersecurity here. Pleased to have the management team from Qualys. Sumedh Thakar is President and CEO; and Joo Mi Kim over there is Chief Financial Officer. So thank you both for being here.

Thank you for having us, Roger.

Awesome. I wanted to start high level, and I felt like this debate kind of came about. It's been brun for a while, but I think it manifested last earnings. And one of your peers noted that the AI threat landscape is maybe exposing the limits of traditional reactive security. I guess what's your take on that? Is there more need? I think this fits into where you've taken the platform, but is there more need for preventative security, more fireproofing versus firefighting? And how does that align with kind of the exposure management platform you've been building out?

Yes, that's a great question. And I think we're happy to see that there is validation beyond just what we have been talking about the last couple of years. I don't think it's a zero-sum game. I think reactive security is important to detect threats that are in your environment because there's going to be different ways that they can get in. However, we see more and more focus from customers on also ensuring that the proactive security mechanism, which is essentially risk management is done properly because that does help reduce the alert fatigue that you see on the reactive side, right?

If you're not doing much on preventing or protecting, you're going to see a lot more activity happening and that creates that. And so where we have seen the last few years, people focus on this idea of a SOC, which is a Security Operations Center for reactive security, once somebody is in the environment, how do you find them and how do you neutralize them? It's a bit of a different mindset, a bit of a different architecture that is needed. And that's really a great validation for what we have been talking about the last year or so, which is the idea of a ROC. So you have the SOC, which is for the reactive, but then the Proactive Risk Management today when you have risk factors coming from so many different sources, you have code scanning, cloud scanning, endpoint scanning and you also have identity, you have misconfigurations.

So I think this idea that you need to take a more balanced approach towards not only having a Security Operations Center that helps you detect threats that are already in the environment, and balancing some of your spend on ensuring that you're also proactively looking at risk management. That's really been what we have been talking about. And so the idea that you have to really triage through millions and millions of risk factors to really identify the ones that matter to your business and then get those fixed, that's exactly what the Risk Operations Center does, right?

Like you cannot have a whack-a-mole approach to risk management. You need an operationalized process and not just talk about the technical aspects of the risk, but how does that pertain to the business, right? Just because you have a high risk score, maybe it's a very high risk score for a business entity that makes $5 million a year versus a medium risk score for an entity that makes $500 million a year. That is a whole different perspective.

And at Qualys, we have been evolving from vulnerability management where vulnerability detection, which was really the focus -- key focus for risk management many years ago, continues to be the focus for risk management, but then evolving that into the fact that at the end of the day, remediation is what matters, right? Just what I call is dashboard tourism where you have so many different dashboards of posture management, but if you don't get it fixed, it doesn't matter. We have evolved a few years ago being sort of the first one in this space to come up with this idea of patching with the same solution, resonated really well with our customers, 140 million patches deployed in the last year.

And now a broader risk management focus where we are allowing customers to sort of enhance their SOC by having an adjacent ROC, which allows them to put the concept of risk in the equation of the business and then actually getting an outcome of fixing things is really resonating well with our customers. And so we're pretty excited about the future opportunity that is being created with that.

Where do you think we are in kind of the demand curve for enterprises really adopting this approach? And how do you think that kind of evolves? I know 3Q was a pretty strong quarter for you. Do you feel like we're starting to see this? And then conversely, like what else could potentially drive more mind share around this? I think we were talking last quarter about the regulatory environment, potentially some opportunity there, especially in Europe with NIST 2. What do you think continues to drive people towards this framework?

I think it's a framework that is emerging with Risk Operations Center, and we're seeing very good traction primarily because CISOs are struggling many times with communicating with the Board because the business language is not there. We talk about deal scrutiny on cyber, primarily that is coming from inability to explain in business terms how additional investment in cyber is going to lead to better outcome for risk management for the company.

And so with our -- when we hired Rich Seiersen as our Chief Risk Technology Officer, and he went out and started doing board workshops -- Board reporting workshops for CISOs, we saw a huge amount of CISOs wanted to come to that, right? If we said, let's talk about the latest and greatest vulnerability, you're not going to see that kind of a traction there. So we're excited. It's early days. As we talked about, we opened up our platform. We're taking data from other scanning solutions as well.

And then the remediation aspect of opening up our remediation capabilities beyond patch management into a wider, what I call as a remediation buffer where you can do multiple different ways to remediate the findings is something that we are looking forward to, over the next couple of years. I think in addition to that, we're also excited about the beta that we have done with our Q-Flex pricing, which is allowing customers to be more flexible in the way that they are able to basically use more Qualys capabilities and customers might really want to use patch, but then they struggle with procurement team sometimes.

So if they have the ability to buy the Q-Flex capability and then change it as they need every quarter, that gives more flexibility for them, but also good for us because if a customer can easily try out a Qualys solution, then they are more likely to buy additional credits for that. So we're excited about that capability. And then we are also seeing that with our FedRAMP High Certification that we just got a couple of months ago, that is opening up similar conversations in the federal space because government efficiency is very important. And a lot of times what the Risk Operation Center is doing is not about what you should fix. It's also telling you what you don't need to fix right now.

Yes. If your IT team can reduce the number of things that they are fixing by 10%, 15%, that's time that you're giving back to the department, time that you're giving back to the business. And so that -- all of that is underlying our new partner program, which we call as the Managed Risk Operations program, which is mROC. So similar to MDR on the reactive security side, proactive security, we see that there are going to be room for services, which our partners can provide, working with a CISO to say, "Hey, we're going to give you a Board -- a report that you can take to the Board that's going to make you look very good in front of your Board. There is a demand for that. And so these kind of are some of the key things that we are excited about in addition to, of course, we have Cloud Security seeing some good traction, et cetera. But when I look out over the next few years, I think it's federal space, the ATM conversations and the mROC traction is what is going to drive growth for us.

Cool. Makes sense. I wanted to double-click on third quarter for a second. A pretty nice quarter, double-digit billings growth and revenue growth, net retention stabilized. How would you frame that? And I guess in the context of it, what's going on in the demand environment? It felt like you've been fairly vocal about some of the headwinds you've seen over the past year around asset count. Are those starting to fade? Are budgets starting to unlock after a rocky kind of first half of the year? What's going well?

I think I'll let Jimmy talk about some of those aspects. But I mean, from my perspective, the demand environment has remained the same. I think we'll continue to see scrutiny for the deals. I feel like we have gotten better at executing in the given environment. And so every quarter is a bit different, and we saw that we did a little bit better than expected on the new business in Q3.

Upsells were not as well as we would have liked to. Retention was a little bit better than what we thought. Overall, conversations were positive. I think customers are -- we see better retention because we feel like customers are actually looking at the Qualys future capabilities that they're going to bring and they want to say, like let me continue to invest in Qualys now because then I can take advantage of a lot of things that are coming out there, whether it's Agentic AI or it's the ability to confirm and fix exploits, et cetera. That's what's sort of kind of driving that Q3 sentiment.

But of course, we have to see how that evolves into Q4. Is this something that we see new business, net retention rate has stabilized at 104%. We want to, of course, work towards the next few years to get that above 104%, we can -- so that we can leverage our existing customer base to upsell them to cross-sell them to ETM. Those are some of the things that we're looking at. But from a Q3 perspective, I thought we were pretty happy with the outcome for Q3, and that was kind of the mix of things that drove that.

Yes. I think that focused execution really paid off in Q3, and we were pleased to see that, especially when you were looking at new logo acquisitions, I know that the historical track record for us has been -- it's been relatively lumpy. Last year, really strong new bookings growth. I think the first half of this year, it wasn't as strong. We've seen a challenging first half. And so Q3 for it to come in better than what we had anticipated from new logo acquisition front, we were very excited about that.

With that said, the majority of our growth historically has been driven by existing customers. So net dollar expansion rate at 104%, very stable. We're pleased with the performance. But what we're hoping is with the key initiatives that will slowly end up picking up next year. And like Sumedh mentioned, key initiatives for us is really focusing on ETM, enabling our sales team, making sure that our partners know the value prop, how to really pitch to the end customers and working hand-in-hand with them to really accelerate that adoption and penetration of ETM, which we do plan to disclose starting in Q1 of next year because it is a critical area for us that we're driving towards.

In addition, I think some of the other areas that we're focused on right now is FedRAMP High that we had achieved. We're hoping that we'll see that kind of momentum play out at the end of next year due to the budget cycle. Other areas as Sumedh mentioned already is Q-Flex, flexible pricing model, which should help us existing customers, select customers who've been asking for it were the ones who beta tested and really great reception. I think that there are multiple different levers that could really help to drive that net dollar expansion rate upwards next year.

Yes. Cool. Just to touch on new logos. You mentioned it being kind of lumpy in the past. What have you seen, and I think this manifested in 3Q, but what have you seen from a sales efficiency standpoint, sales productivity standpoint? I know you've been working through a Chief Revenue Officer change. I think there's a semipermanent result at this point. What do you feel like you can carry forward on the sales efficiency side?

I think that right now, we do see some low-hanging fruit. It's not at a place that where we think that it's producing the productivity that we were hoping to achieve, which kind of makes sense given that the new bookings growth is not really there right now for us. And so what we're trying to do is we understand the reasons why. We have a number of newer products out there. Like even ETM when we went GA with that at the end of last year, there's other further enhancements that we introduced this year, including Agentic AI capabilities, we're also talking about the TruConfirm.

And so we're making sure that our sales reps are up to speed in real time, getting the right training. And so we're -- and that we're able to give them appropriate feedback in terms of what's working well in the market and making sure that given that 50% of our business is now coming through the channel side, we also have that partner enablement team, right, really focused on making sure that are we in sync with our partners? Are they really set up to succeed with us? And I think that once everything is kind of in order and we're better prepared for that, it should result in a more kind of stable, consistent new bookings growth.

Yes. I actually wanted to go to channel next. And I think the focus there has been pretty impressive. And to your point, it's now almost 50% of revenue, growing faster than overall revenue. That's been a pretty concerted effort over the past couple of years to kind of better engage that community, see that market, do you feel like you're at that point now where they can be a value multiplier and create new business and bring in the deals? Or is there still more engagement, more education you need to do there?

I think we have been on a journey, right? When we started 2, 3 years ago with this program, we had a lot of low-hanging fruit, just having a better program for deal registration, et cetera. I think that has evolved more into partners working closely with us, then there's gift to get and all of that. I think the -- for me, the critical phase of this is really the focus on creating the mROC partner program. And that's really where the ability for our partners and for us essentially to work with our partners where mROC partners can provide -- because it sounds very good when I say that I can give you a report to the CISO that you can talk about your business to the Board, but they don't know how to get and do that. So that needs a consultative approach, and that is where our partners who are mROC certified partners can come in and they can talk to the CFO of the company. They can talk to the CIO come out with a report and say like this is how we're going to do that, right?

And so with that, it's -- what it will allow our partners to do is instead of having a conversation of us versus our direct competitor and a replacement conversation, now an mROC partner who has potentially sold a competing solution can still keep their computing solution, but they can now actually bring the Qualys ETM on top of that and then additionally make revenue from services that they can offer because they're able to pull data from the competing solution into Qualys.

And I think what we believe right now is that, that is what will drive additional net new logo growth, the ability for us to succeed with ETM is then a partner can provide the consultative services that are required to make the transition from MDR into ETM. So we are excited about the opportunity. So right now, it's all about doubling down, helping the mROC partners come up with their offerings and working with them to create the brochure so that they can take it to their customers, working on training their team on how to position and sell these services, et cetera.

And then creating that partnership where maybe there are some direct customers that want to move to ETM that we can actually bring the mROC partner in. And in return, they will be bringing us net new additional logos. And so that's really where we're looking forward to. Like we don't have a specific mix that we're targeting right now, but we do look forward to making that mROC program successful, which we believe can help us improve our net new logo count, et cetera. That's going to be the focus for us.

Yes. I wanted to move to Q-Flex and you were talking about this earlier, but it's been kind of -- it's been beta testing for a little bit now. Can you just expand on what you've seen out of that program? And it seems like it's having a material impact on bookings. You're getting larger commitments. How do you think about that behavior kind of evolving from here? And it felt like there's maybe more confidence in kind of the bundles you had, and this is an easier way to upsell into some of the different tiers there. What's kind of the future for Q-Flex?

Yes, it is an exciting capability, really primarily driven by customers asking us for it. And I think it's a win-win situation because customers for them, a lot of times, the challenges that Qualys comes up with a new capability like Agentic or patching or mitigation, customers are excited, but they are in the middle of the year. And so now they have to wait for another 6 months to adopt the Qualys solution at the time of renewal so that they can make the budget and then they can work with procurement and stuff like that.

So for them, the ability to have a pricing that allows them to shift based on the Qualys modules that they would like to use based on their priorities is great. I think it's good for us because if we can get a customer to -- who needs an AI scan to be done for a compliance reason like in the next week, they can immediately start using the Qualys' total AI capability, which allows us to have more opportunities that they will expand that what they tried into additional assets in the future, et cetera.

So again, early days, we are better tested with a few customers. It's -- we talked about an example where we saw a pretty nice 50% uplift for a customer who moved to Q-Flex pricing. Not that we expect that for every customer, but we do -- we are excited about the opportunity that, that creates independently, but also combining that Q-Flex with ETM then gives the customer just a lot more flexibility in terms of being able to use capabilities like eliminate, et cetera, to actually get outcomes without having to specifically commit to quantities for a particular module, number of assets upfront. They can actually move that around as needed. So we do think that this is another lever for us as we get into next year to get some additional points of interest and growth from the customers that we have.

Got you. I wanted to talk about public sector and U.S. Fed a little bit. You mentioned it before, but the ROI-based selling motion seems like it's starting to catch on there. What have you seen there? You now have FedRAMP. What is kind of the pathway to further growth there? And maybe talk a little bit about the consolidation opportunity. I think we talked about the fact that having patch management remediation is a pretty big differentiator in that market.

Absolutely. What we saw -- and we started really concentrated focus on federal the last couple of years in investment, getting a conference out there last 2 years, getting a better team, we're investing in other areas. But I think in the last few quarters, we've talked about certain federal wins, and they were primarily wins where we were replacing an incumbent on-prem scanning solution and an incumbent on-prem patching solution with a combined FedRAMP moderate Qualys solution that was doing both of those in the same.

Now that we -- a couple of months ago, we got FedRAMP High, that makes us one of the only FedRAMP High platforms that can do asset inventory, vulnerability detection and patching all in the same platform. So that has led to conversations with agencies now, which is just starting, of course, with federal, it has its own cycles. But it's starting to have these conversations where the conversation of the consolidation is going beyond just the efficiency of 2 agents with 1. It's going into saying, well, if ETM can actually help me figure out what I don't need to fix, then I have a case that I can go from a [indiscernible] perspective, federal efficiency perspective that if I can deploy a solution like this, I don't need to immediately replace my incumbent on-prem solution. It gives me a path to replacing it over the next few months or year.

But I also have a story to tell that says that by implementing a solution like this on top of the existing vendor, we're actually able to reduce the number of findings that IT is fixing by a magnitude of 40%, 50% or more, and then that can directly be translated into dollars efficiency saved for the Federal Government if their IT teams can -- don't have to waste that much time in fixing things that don't really have an exploit right now and nobody is attacking them, then they can leverage that conversation.

And so we're seeing a lot of good traction in those conversations where people are saying, wow, I could actually bring you on top of my existing tools. I can replace these 2 things right now and 2 things later. So we're excited about it. I think now the conversations that are starting now can potentially have impact in the next 2, 3 years. That's how federal cycles go. But the FedRAMP High conversation is certainly opening up very interesting doors for us.

Yes. I know federal fiscal 1Q has been off to kind of a rocky start, but I presume there's not a huge expectation for business in your calendar 4Q. Any thoughts about kind of that opportunity kind of expanding, developing over the next year? I know this is going to be a multiyear journey, but can that start to be a contributor this federal fiscal year?

Yes, I think nothing to call out for Q4 right now from that perspective. I think the conversations are ongoing for the 2026 and 2027 spend and the budgets that they have. I think we need some more time to see how those firm up whether some of those conversations will result in deals in September of '26? Or is it something that's going to happen more in September of '27. But I think it's an opportunity that we feel is big enough for us to continue to have that investment that we have started with FedRAMP High and getting into looking at getting more of those share of the spend that they have on the federal side by showing them more efficiency.

Cool. Okay. I want to chat about margins for a minute. I think Qualys has had this reputation of being very, very prudent on investments and certainly industry-leading margins. How do you think about that balance between growth and profitability? Obviously, it seems like there's a little momentum here in the third quarter. Any guardrails to think about as we think about the margin profile in the back -- in the 4Q and into 2026?

I think that if you take a look at our margin profile, one of the reasons that we benefited in this current year is the fact that we are going partner first, which should give us some room on the sales and marketing side. We don't necessarily have to invest as heavily given that we are leaning more towards partners for them to bring us new deals as well as working with them on existing deals as well.

With that said, there's always opportunities given that there's so much upside in the business. There are multiple different growth levers that we're looking at today. We are going through the 2026 planning cycle. And as expected, there -- given that there are so many initiatives in ways that we can invest back into the business, we are making sure that we prioritize, making sure that we have initiatives set aside that we have the capacity to handle it and making sure that we can maximize the potential return as we look into 2026. We do have a lot of room, and so we should be able to finalize our planning process and then be able to share a little bit more color at the next earnings.

Got it. Okay. And then from a go-to-market standpoint, it seems like there's clearly an intention and desire to invest more in the channel over time. How do you think about kind of the direct side of that business? Is there room to expand their capacity efficiency?

I think there's always room to improve on the efficiency. And so for us, one of the reasons why we were able to maintain such high margins is regardless of what the margin profile looks like, we just posted 49% EBITDA margin. We don't put aside the fact that we do see in our own internal operations ways to increase efficiency, right, whether it's leveraging AI or making sure that our teams are enabled and trained in a way that makes sense for them to more efficiently conduct their roles and responsibilities and also putting aside the fact that we have to find the right people for the right roles, whether it's hiring from outside or internal promotions.

We recently just had 2 internal promotions, which is great for the morale, great for the company. And so we're -- as we're looking to execute more efficiently going forward, we do plan to invest prudently as well as making sure that we don't miss out an opportunity to gain that operational efficiency.

Yes. Cool. As we think about kind of the growth opportunity in the next year, what are the key milestones we should be watching, the key metrics. In the past, we've been tracking Cybersecurity Asset Management and Patch Management. It feels like the platform is becoming a little more cohesive. What should we be watching to kind of understand kind of the next leg of that journey?

I think we're really focusing on ETM as our. So one of the things we talked about is starting Q1, we'll start disclosing some of the information around the adoption of ETM. We don't expect it right now to be material, but that would be something that we would be looking to continue to track. And so I think that's really where we feel like the next few years is going to be working on getting our MDR customers to not only cross-sell to ETM, but also be able to bring additional assets into Qualys, which ultimately will give us more capabilities and modules that we can sell to them.

Maybe just to close, I've been asking a lot of companies this over the week. How do you feel adoption of AI is going? And from your customer conversations, how do you think about selling security on top of AI? I think it's an interesting situation where you're selling a solution that potentially introduces friction into initiatives around just broader AI adoption. And how do you feel that conversation is different when you look at heavily regulated customers versus not and large companies versus small?

Yes. I think the AI adoption by companies is not an option, right? It's just -- it's happening anyway. I think customers really look at 2 things, right? One is what are the capabilities I need to make sure that my AI adoption is secure. And that's where with the Identity Management Solution that we just talked about recently or TotalAI, we're helping customers sort of get a quick view of like, is this safe to go out there, right? Is it -- can it be jailbroken? Can it be something where you can do injection and things like that, right?

I think a lot of the customers are leveraging MCP as a way to really accelerate AI. MCP just adds another layer on top of your existing services. So you still have to worry about the security of your existing solutions, and now you have to layer on MCP. The second thing where I see a lot of opportunity and customers are excited about is the leveraging Agentic AI as part of their security operations and risk operations.

So with our introduction of Agentic AI as a marketplace type capability, instead of just saying I have a chatbot, you can ask any questions, we have taken this deliberate approach of like here's agent Sarah, who's an expert in patch. Here's agent John, who's an expert in ransomware. Here's somebody who's an expert in Attack Surface Management. That is actually helping customers think of like, wow, I can actually use AI in my security operations.

I can augment my team of 10 people with 3 more agents. If I were to go and get a consultant to help me with ransomware, that's going to take me a long time to find a consultant and then get them up to speed. And -- but here, I can just hire a consultant right into the platform, which is an agent to AI agent, and it's going to give me an outcome. So I think in general, there is excitement about that. I do think that part of ETM value prop will be, by the way, by adopting this, you can actually get more efficiency with your team and you can maybe potentially reduce the number of people you have to hire, which anyway is a challenge with not having enough talent in Cybersecurity right now.

Got it. Cool. Well, we'll wrap it there, but thank you both for an engaging conversation. Thank you.

Thank you very much for having us.

Good day, and thank you for standing by. Welcome to the Qualys Third Quarter 2025 Investor Call. [Operator Instructions] Please be advised that today's conference is being recorded.

I would now like to hand the conference over to your first speaker today, Blair King. Please go ahead.

Thank you, Briana, and good afternoon, and welcome to Qualys' Third Quarter 2025 Earnings Call. Joining me today to discuss our results are Sumedh Thakar, our President and CEO; and Joo Mi Kim, our CFO.

Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements and factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events.

During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks and investor presentation are all available on the Investor Relations section of our website.

So with that, I'd like to now turn the call over to Sumedh.

Thanks, Blair, and welcome to our third quarter earnings call. With threat actors continuing to reduce time to exploit at a fast pace, I believe the future of cybersecurity is moving from attack surface management to risk surface management using Agentic AI-powered proactive risk management with business quantification and automated remediation.

Against this backdrop, we continue to execute well in Q3 demonstrated by another quarter of solid revenue growth and profitability. Over the last couple of years, I've had the privilege of meeting with hundreds of CISOs, CIOs and security leaders worldwide. From these conversations, one theme has stood out, the need to operationalize cyber risk management in business terms to align budget spend with business risk. CISOs are looking for a practical approach to consolidate tools where possible and empower their teams to use best-of-breed where it makes sense. They want to seamlessly unify their security tool set into a centralized risk fabric that provides an alternative to single vendor platformization by operationalizing the management of multiple risk vectors to effectively measure, communicate and ultimately remediate the organization's risk posture.

The Risk Operations Center, ROC, powered by Qualys ETM delivers on this ask. At our recently concluded ROCon, Risk Operations Conference in Houston, where we elevated the business risk conversation to feature a specialized CFO and Board track, our customers validated this approach. With the broadening of the agenda for ROCon the attendance was up 20% over last year's QSC event.

While traditional security operations centers focused on detecting breaches after they happen, Qualys is pioneering the first Agentic AI Risk Operations Center, ROC, a new category in cybersecurity designed to centralize an organization's response to threats before they impact the business. Powered by our ETM solution, the ROC processes several petabytes of high-fidelity data every day, normalizes and correlates intelligence from both Qualys and non-Qualys sources and equips AI and humans to collaborate in real-time detecting and responding to threats at machine speed. This isn't about more alerts. It's about actions that close blind spots before attackers can exploit them.

Unlike traditional continuous threat exposure management CTEM tools that simply highlight the exposure, but lack adequate native remediation capabilities. Our differentiated ETM solution combines CRQ, CTEM and native remediation operations to fix the risk that matter most quickly and at scale. By aligning security and IT decisions directly with business priorities, we are providing organizations with measurable proactive risk reduction that Boards and customers value.

Early adoption is already validating the model with POCs continuing to convert the commercial deployments, underscoring both the scale of this opportunity and its parallels to the early days of VMDR. And we're not stopping there. Our R&D engine is continuing to deliver innovations, rapidly expanding our platform and positioning Qualys for a larger upsell opportunity. In doing so, Qualys is now extending several proven module native capabilities into ETM, empowering organizations to harness them seamlessly across the entire attack surface.

By demonstrating -- by democratizing trillions of security exposures from both Qualys and third-party tools, including vulnerabilities, misconfigurations and identities aggregated by our ETM solution, we are unleashing a sophisticated predictive platform that leverages a combination of Qualys TruRisk framework, our TruLens threat management capabilities and a mission-ready Agentic AI workforce operating autonomously from discovery to remediation with full ITSM integration. This unique combination of capabilities identifies trending threats in real time, benchmarks threats against peers, assesses organizational impact and quantifies risks in clear, actionable terms that matter most to the business.

As a result, security and IT teams can continuously prioritize ticket and remediate threats based on organization risks associated with emerging exposure, targeting specific industries, asset types and identity. We believe these most recent additions to our ETM solutions further advance our differentiation in the market, enhance security operations and significantly accelerate measurable outcomes for customers.

Next up for our ETM solution, I'm particularly excited about yet another pioneering capability from Qualys, TruConfirm. TruConfirm flexes the power of our platform to confirm exploitability before customers become compromised. Using automated validation at scale, we remove the guesswork for customers by running safe exploits over the network to confirm whether the attackers will succeed in their breach attempts while closing the gap between theoretical and actual exposure. This approach further allows customers to be laser-focused on prioritizing only exploitable blind spots for the next logical step, which is automated remediation with TruRisk Eliminate.

Our industry-leading capabilities are increasingly being recognized by our customers, partners and third-party analysts. Specifically at Black Hat, Qualys won Two Pwnie Awards for our outstanding contribution to threat research underpinned by our strong leadership in threat intelligence and triage. Equally important, GigaOm recognized Qualys as the leader in Patch Management, a market Qualys pioneered with over 140 million patches deployed in the last year alone.

While some competitors are only beginning to validate this strategy, Qualys has advanced well beyond patching. TruRisk Eliminate closes the unpatchable gap, enabling IT and security teams to automate an array of compensating controls when patches are deemed too risky to deploy or simply not available. And with adversaries increasingly exploiting vulnerabilities at AI speed, our umbrella of AI-based automated remediation solutions has evolved into a significant adoption layer, a distinctive competitive advantage and opens new market opportunities for Qualys.

Moving on to our business update. With customers spending $500,000 or more with us growing 5% from a year ago to 211, let me share a couple of recent wins, which illustrate why organizations ready to centralize the response to cyber risk are turning to Qualys to help unify their security tools, quantify and remediate risk in their environments and fortify their security operations. In Q3, one of my favorite wins was with a Global 700 customer that was previously only using Qualys for PCI scanning. This customer, like many organizations, were buried under fragmented telemetry manual spreadsheets and disconnected tools. With little automation, their teams were spending more time documenting than reducing risk and consequently were burdened by an onslaught of compliance audits. This customer chose Qualys to transform siloed risk signals, spanning code repositories, endpoints, identity, cloud container and network assets into a cohesive real-time risk management solution by consolidating Qualys and non-Qualys data.

This included replacing their existing vulnerability management vendor and purchasing 3 additional Qualys modules, including ETM to begin operationalizing the risk operations center with ingested third-party data resulting in a mid-6-figure annual bookings upsell. By consolidating these data sources into the Qualys platform, we are delivering this customer a vendor-agnostic orchestration layer with full visibility of their attack and risk surface, centralized risk management, quantification, prioritization and remediation while unleashing the operational efficiencies of security stack consolidation aligned with acceptable -- within acceptable risk parameters for the business.

With our innovative technology, unmatched platform effect and focus on reducing risk and friction, this will underscore Qualys' ability to eclipse legacy siloed solutions and advance our leadership in the industry. It's also an outstanding example of how we are working with our managed risk operation, mROC partners of choice to activate the ROC with new win business. For the next phase, this customer is evaluating our TotalCloud native CNAPP solution and TruRisk Eliminate solutions while also bringing additional third-party tools into Qualys platform, representing a significant upsell opportunity.

Further leveraging our mROC partner ecosystem to drive new logos was a new 6-figure customer win with a major airline in the Middle East. This customer chose Qualys because of our unified detection and remediation capabilities with TruRisk Eliminate. Nearly 9 months after announcing GA with our ETM solution and over 28 POCs converting to commercial success already, we have gained valuable insights into ETM pricing and packaging. As a point of reference, we expect that for every $1 of VMDR, ETM can drive an uplift of up to 100% now that ETM will include Cybersecurity Asset Management as well as other ETM feature enhancements such as those mentioned earlier and third-party data ingestion. Given this, starting with our Q1 2026 earnings call, we will shift from reporting cybersecurity asset management LTM bookings to ETM customer penetration as we believe ETM will be evolving into a key pillar of growth for Qualys over the next several years.

Turning to our federal business. We achieved a high 6-figure upsell with an existing large government agency. This customer had previously used multiple legacy and next-gen tools to manage a variety of risk management use cases across their security, IT and DevOps team. In addition to the complexity of using multiple point products, this government agency has become increasingly frustrated with increasing costs associated with legacy on-prem deployments, the efficiencies of operating siloed systems and elongated remediation efforts.

With a distinct need to shift several monolithic workloads to micro application across its hybrid environment on a FedRAMP high solution, this customer accelerated the consolidation of its security stack over 17 Qualys modules, including VMDR, Cybersecurity Asset Management, TotalAppSec, TotalCloud, TruRisk Eliminate and TotalAI. Today, this customer is leveraging a unified dashboard that provides them with a greater insight and automation than any of the competitive products they evaluated while taking full advantage of the speed and scale of cloud-native platform. This, alongside a significant 7-figure state win are a testament to the strength we see in our federal state and local government business and the long-term growth potential of the market.

Beyond these wins, we are also increasingly gaining leverage from our partner ecosystem. In Q3, partner-led deal registration increased, demonstrating the success of our partner-first sales motion. In addition, we have now certified nearly a dozen partners who are actively launching mROC services, leveraging ETM to deliver centralized automated pre-breach risk management. Momentum is building towards a global ROC alliance, and we expect to certify additional strategic partners in the coming months ahead who are committed to positioning Qualys as their mROC partner of choice.

Further contributing to our platform growth is our flexible platform pricing model, which we are calling Q-Flex. We beta tested Q-Flex in Q3 to help customers accelerate and maximize the adoption of the Qualys Enterprise TruRisk platform. In less than a quarter after introducing this model, we're seeing notable customer interest and tremendous success. To give you an example, an existing Global 10 customer made a multiyear commitment under our Q-Flex program, increasing their annual bookings by over 50% while adding new modules to their subscription count with Qualys. This win reflects our growing capabilities in risk management, and we expect the contribution from Q-Flex to continue to grow.

In summary, our continuous innovation, early ROC deployment, strategic wins with federal customer -- and state agencies, momentum in partner-led initiatives and the initial adoption of Q-Flex collectively underscore Qualys' strength in unifying risk management workflows, reducing operational complexity for customers and addressing today's toughest security challenges. We believe these achievements not only validate our ongoing investments, but also position Qualys as a trusted leader in pre-breach risk -- cyber risk management, setting the stage for durable growth and long-term success.

With that, I will turn the call over to Joo Mi to further discuss our third quarter results and outlook for the fourth quarter and full year 2025.

Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP and growth rates are based on comparisons to the prior year period, unless stated otherwise.

Turning to third quarter results. Revenues grew 10% to $169.9 million. The channel continued to increase its contribution, making up 50% of total revenues compared to 47% a year ago.

Revenues from channel partners grew 17%, outpacing direct, which grew 5%. As a result of our strategic emphasis on leveraging our partner ecosystem to drive growth, we expect this trend to continue. By geo, 15% growth outside the U.S. was ahead of our domestic business, which grew 7%. U.S. and international revenue mix was 56% and 44%, respectively. In Q3, gross retention continued to improve. However, upsells remain challenging with our net dollar expansion rate of 104%, unchanged from last quarter.

In terms of product contribution to bookings, Patch Management and Cybersecurity Asset Management combined made up 17% of total bookings and 28% of new bookings on an LTM basis. Our cloud security solutions, TotalCloud CNAPP made up 5% of LTM bookings. Reflecting our scalable and sustainable business model, adjusted EBITDA for the third quarter of 2025 was $82.6 million, representing a 49% margin compared to a 45% margin a year ago.

Operating expenses in Q3 increased by 5% to $64.9 million, driven by investments in sales and marketing, which grew 9%. As we remain focused on driving growth, we are mindful of where to further increase investments while optimizing returns and others, which resulted in EBITDA margin exceeding our expectations in Q3. This demonstrates our ability to maintain high operating leverage, remain capital efficient while continuing to innovate and invest to support our long-term growth initiatives.

With this strong performance, EPS for the third quarter of 2025 grew 19% to $1.86. Our quarterly free cash flow was $89.5 million, representing a 53% margin compared to 37% in the prior year. Year-to-date, free cash flow margin was 46% compared to 42% in the prior year. In Q3, we continued to invest the cash we generated from operations back into Qualys, including $901,000 on capital expenditures and $49.4 million to repurchase 366,000 of our outstanding shares. Since commencing our share repurchase program in February of 2018, we've repurchased 10.4 million shares and returned $1.2 billion in cash to shareholders. As of the end of the quarter, we had $205 million remaining in our share repurchase program.

With that, let us turn to guidance, starting with revenues.

For the full year 2025, we expect revenues to be in the range of $665.8 million to $667.8 million. which represents a growth rate of 10%. This compares to prior guidance of $656 million to $662 million. For the fourth quarter of 2025, we expect revenues to be in the range of $172 million to $174 million, representing a growth rate of 8% to 9%.

While we believe our platform approach to cyber risk management provides some insulation in macro volatility, this guidance assumes continued budget scrutiny in a challenging environment for new business growth in Q4. Shifting to profitability guidance. We expect full year 2025 EBITDA margin in the mid- to high 40s, net free cash flow margin in the low 40s. We expect full year EPS to be in the range of $6.93 to $7, up from a prior range of $6.2 to $6.5. For the fourth quarter of 2025, we expect EPS to be in the range of $1.73 to $1.8. Our planned capital expenditures in 2025 are expected to be in the range of $5.5 million to $7 million and for the fourth quarter of 2025 in the range of $1.2 million to $2.7 million.

With that, Sumedh, and I will be happy to answer any other questions.

[Operator Instructions] Our first question comes from Roger Boyd of UBS.

Awesome. Congrats on a nice quarter. Sumedh, can you just double-click on some of the pricing you mentioned around ETM earlier. I just wanted to be clear on that 100% upsell metric. Is that inclusive of what you have with cybersecurity asset management and patch? And just now with the kind of packaging sort of figured out on that product, just your confidence in kind of the ability to start driving better upsell moving forward.

Yes, that's a great question. So from the way the pricing we're looking at it is the ETM pricing is going to include Cybersecurity Asset Management because as we talk to our customers, for building any Risk Operations Center, the foundation is asset inventory and without that, you cannot succeed. And so that was a big feedback that came about. So that's included. What we have added also is the Agentic AI capabilities for them to be able to augment their security team with AI agents so that they can really manage outcomes for cybersecurity within their spend and optimize because everybody has been asked about how they're optimizing their spend even in cyber.

And the ability to have very focused threat intel that will allow them to validate exploits, so that's included. The upsell that we look forward to is then once they have used ETM to be able to get the inventory to be able to confirm that the exploit can work in their environment. Then they purchase TruRisk Eliminate, which includes patch as an example and mitigation so that they can get that particular thing actually remediated. Because at the end of the day, we can create all kinds of visibility, but given that attackers are exploiting vulnerabilities, if you saw the recent Mandiant report in minus 1 day on an average, which is even before patches are coming out, the key is going to be about being able to remediate things and mitigate things even if you don't have a patch available.

So the pricing, to answer your question is 100% -- up to 100% is what we see with the addition of VMDR ability to bring in CSAM, Agentic AI, as well as ability to confirm exploitation. And then from there, the upsell will be they will -- they can upsell to eliminate so that they -- it allows them to do more in terms of actually getting an outcome.

Our next question is from Patrick Colville of Scotiabank.

I guess I want to ask 2 parts. One is on the Fed. I know the Fed is like a more nascent notion for Qualys, but what are you guys seeing in the Fed's, especially kind of in the first couple of weeks of 4Q given the shutdown. And then -- and the other question I'd like to ask is about the competitive environment. And the reason I ask this one is the one we get most from investors. And it's like is the competitive environment changing for Qualys, given noise from vendors like CrowdStrike and others who are claiming to be entering the space and winning share. So are you coming up against different companies now versus a year ago? And results speak for themselves, win rates seem high, but can you talk to that as well?

Yes, that's a 2-part question. So let me stay focused to answer both of them. So first one is on the federal side, as you already know, we are at our very, very early innings, and we made the investment and the commitment to get FedRAMP high, which has really created very, very powerful conversations. I mean I have the pleasure of actually being out in D.C. and having some very critical meetings there to start to have the conversation around Risk Operations Center, how it can help the government and essentially bring efficiency. And so you kind of have the dose, which is, of course, that is driving people to think more of efficiency in terms of how they can consolidate different things, and that's where the Risk Operations Center as a way to eliminate, fixing things that don't really matter to the risk has really resonated well with our federal customers.

Today, it's not just the spend of the tool. It is the amount of spend you put in remediating things that the tool is telling you, which is a waste of time and money if those things are not even exploitable. So for us, what we are seeing is -- it's a very exciting early conversations. We see lots of opportunities over the next few years. Of course, when you have the current scrutiny that is going on, sometimes people are taking a bit of a wait-and-watch opportunity. In other cases, we're actually seeing opportunities coming to us because of the focus on being able to be efficient in terms of the Risk Operations Center. So it's a mixed bag.

But overall, from what we see right now is we don't have as much exposure revenue to that part. We do see that this is an area that we have committed to invest over the next few years and FedRAMP was our first step. And now with our focus on the conference we did in D.C., and we are going to continue to invest in the federal space moving forward.

On the vulnerability management and competition side, I think if you -- I was really excited to see that Qualys got the leader position in GigaOm's Patch Management above many of the other vendors that have been out there. Because really with what we have been seeing and what I saw a few years ago and why we have been talking about how vulnerability management is evolving, less about detecting more and more CVEs. Most people are barely fixing 5% of the CVEs that are being discovered because it's creating so much noise.

So while there are other players that talk about discovering more CVEs, the focus for Qualys and what we are doing with the Risk Operations Center has been about how we are helping customers really narrow down and we did that at our conference, ROCon Conference, where we show a nice little representation of how 62 million findings after applying the right agent in threat intelligence went down to 2 million findings that really mattered in terms of any risk. And then further after applying business context went down to only 300,000. And so our focus has been shifting towards how do we help the customer actually pinpoint exactly what matters from threat intel perspective, but then also how can we help them immediately fix it, because of attackers are attacking things in 4 hours, you don't have time to go and create Jira tickets and ServiceNow tickets and wait for other teams to use different patching solutions and different mitigation solutions to do that.

And so what we're doing now, what we're seeing is really an evolution of that is customers really like our capabilities, accuracy of detection, et cetera, but we have also opened up the platform now with ROC to be able to ingest data from other areas like OT or other EDR tools that might be collecting CVEs. So that we can help customers actually narrow down that focus of what really matters and the key exciting thing is for them to be able to get things fixed with Qualys, which is something that -- and validating the exploit and then getting it fixed with Qualys is what is focus for most of our customers right now.

So primarily, we see Tenable, Rapid7. Yes, occasionally, we see some of the other tools that are talking about giving more CVEs. But customers are focusing more on how do we get the key things remediated quicker rather than discovering more which they are not fixing anyway.

Our next question is from Mike Cikos of Needham.

I just wanted to double check and congrats on the quarter here. Was there any onetime benefits to revenue or CCP that we need to take into account on our side? And then secondly, as a follow-up, Joo Mi, great to see the results. Net dollar retention obviously remains here at [ 104 ] what needs to happen for that net dollar retention to actually start picking up from where we are today?

Yes. With respect to CCP, nothing specific to call out, it was a solid quarter. As usual, you do get some benefit or negative impacts from out-of-cycle renewals, but nothing material that we think that's specific to this quarter. So it was really a solid growth quarter from an execution standpoint. Net dollar expansion rate, we'd love to get that up from [ 104 ] and upward, and this is part of the reason why Sumedh had commented on the fact that we've been really focused on making sure that we're delivering the message in terms of how ETM could be beneficial to our existing customers as well as new prospects. And so as we look to the cohort of customers that are up for renewal in each respective quarter, we're making sure that they understand the value that they could potentially see from whether they're looking to upsell from CSAM to ETM or cross-selling with adding ETM to their existing VMDR solution, and we think that, that could be a meaningful impact during the dollar expansion rate.

Our next question is from Kingsley Crane of Canaccord Genuity.

Congrats on a really great quarter. If we think about Agentic AI within the risk operations center, TotalAI within VM and then the CNAPP suite, they all require significant development resources to how are you prioritizing R&D spend across those initiatives? And just what metrics do you use to evaluate resource allocation?

Yes, that's a great question. And I think it's really the focus for us on investment in R&D and sales and marketing right? And at the beginning of the year we started with the plan to hire a CRO from a sales perspective and put focus on hiring more engineers, et cetera, to be able to deliver on all the capabilities that we're talking about. And I think as we have -- I'm pretty happy with our focused execution with the level of investments that we have made and the way Shawn, who is our VP of Global Sales, has executed with the team to give us a solid quarter. And so the focus for us now is to really, from a sales and marketing perspective to focus on working with Shawn and team. So that we can get efficiencies from what we are seeing cross-functional between our sales team, our product management team, et cetera.

And then on the R&D side, we have had really good success with leveraging AI internally within our own development efforts. And as an example, we pretty much stopped hiring anybody in QA anymore. We are seeing 20% to 25% efficiency gain with our best engineers. And ironically, it's actually the best engineers who are getting the most benefit of using AI. And so in a way, with all the things that we are doing with adding AI into the Risk Operations Center, AI is benefiting us in adding those without a significant increase in our R&D expense. And so I think at this point, the way we are looking at it is we're going to continue to leverage AI.

And of course, we're going to invest back in our business. But no need really at this point for us to look at having CRO and the team is executing well focused with what our goals are. And then on the R&D side, again, we, of course, are -- if you see the innovations that are coming out, is a pretty rapid pace, we will, of course, continue to invest in R&D, but it's all going to be looked at from the lens of what kind of investment we will make in terms of people versus AI tools and how those tools are going to give us the required efficiency or I would say, unexpected efficiency in some cases. And so we're excited about what we're going to be able to do from both adding the Risk Operations Center, Agentic AI capabilities while internally also using Agentic AI across the board, not just in R&D, but also in sales and other areas as well.

And just to add to that, we are extremely focused on making sure that we have the right team structured in the focus areas from a product development standpoint. We have different teams working on, whether it be a total AI or ETM. And because of that, we are continuing to increase the hiring, the R&D, the engineers. It's just that the geographic mix of incremental hires has shifted more to be in India, which has helped from an R&D expense standpoint, but we are making sure that we're working across it different orgs or different functional areas within the engineering team to make sure that we're prioritizing in the right manner.

Our next question is from Shrenik Kothari of Baird.

Echoing my congrats to the team. Sumedh, the TruConfirm announcement definitely sounds like a step function moving from, as we said, the risk scoring to automated exploit validation and at scale. Just curious like -- do you envision this also becoming sort of a pillar like ETM as monetizing it standalone? Or do you think of it as becoming an on-ramp to move customers into broader ETM. And then just with the with the POCs converting and all the large enterprise consolidations you talked about, like how should we think about the ETM trajectory ahead? And then I have a quick follow-up for Joo Mi.

That's a great question. And look, I mean I think I would say that at the end of the day for risk management, you only manage your risk if you have eliminated the right risk, right? Just building dashboards and as I said, dashboard tourism is not helping with just visibility. And so at the end of the day, for that to happen, you need to have 3 things. You need to be able to collect data from multiple sources so you can get a broader picture of the view and your you're applying threat intelligence and you're seeing some of the traditional CTEM, which has been around for many years.

Some of the CTEM solutions are just giving you, we consolidate the data and here it is. And so they are giving you a theoretical view of what might be exploitable in the environment. But with TruConfirm included as part of ETM, we are going a step further relative to the CTEM visibility-only platforms, giving them the ability to actually confirm and that's included as part of ETM. It is not an additional upsell, but that helps us differentiate from the CTEM only solutions, gives them the ability to confirm in that environment that the exploit actually works. And then the upsell from there is really and that's kind of how we look at the beachhead for converting our customers from the MDR to ETM is that, that conversion then will allow us to upsell them to the actual eliminate capability.

Because again, like I said, if attackers are looking -- are starting to exploit vulnerabilities even before patches are being made available, it is really about speed. And so you need to be able to quickly detect the vulnerability, you need to be able to then confirm that it is exploitable in your environment rapidly. And then the next logical step has to be a automated AI-driven fix. So that you can get it fixed before the attackers get there. And if we -- and that's really where the Risk Operations Center is not just a CTEM solution, it really is more than a CTEM solution, which is just giving you dashboards.

Got it. Super helpful. And Joo Mi, very quickly, Sumedh mentioned about the AI driver for automated remediation and orchestration scale into model mROC partner delivery again also reducing the heavy lifting internally. So just curious, as partners increasingly monetize these services, how should we think about incremental leverage and how we're thinking about that.

Yes. I think that mROC will really help us to grow the top line because how we see the new product and value proposition in terms of the customers being able to really see how ETM could help them from a risk management standpoint, they will need assistance from the partner to really make sure that they are implementing the tool they're utilizing in the appropriate way and they're maximizing the ROI from their respective like customization that's required from the organizational standpoint.

So with working hand-in-hand with the partner to help us accelerate the top line growth for us, we think that we will get some leverage from a margin perspective, but really the unit economics, we don't really see a material shift there. I think we're already seeing some kind of benefit as we continue to shift more of our business to the partner side and then layering on top that mROC, professional services or additional implementation help that customers might see will help to accelerate that revenue growth and the ETM penetration.

And Shrenik, just to kind of add to what Joo Mi said, I called that out as an example in our earnings calls where an mROC partner, brought this new logo opportunity to Qualys in the Middle East, one of the largest airlines because they were excited about, not because of just a margin here or there, they were excited about the ability to provide high-value risk management services to their customer. If they brought that customer to Qualys versus just selling them some other VM scanner that would just give them more findings and they would have to do a lot of work to provide value on top of that. So that strategy around mROC partners are bringing not just ETM, but they're also bringing us other customers, other deals with the understanding that these engagements with Qualys will lead to services revenue for these companies.

Our next question is from Junaid Siddiqui of Truist Securities.

Great. As you pivot more into a platform play, are you seeing any changes in sales cycles from customers?

I mean, I think nothing notable to call out for. I think on the -- there's good and bad, right, at times for us to be able to show the value of the platform by ingesting data from tools that they already have. Can be a win instead of saying, you need to do a deployment of our agents and scanners everywhere to see the value that Qualys brings and then the pricing kind of allows them to think about maybe eliminating their existing solution over a period of time.

And so I think today, I think so far, we are in the early days, but we're seeing, especially with the ROCon Conference that we had and the partner advisory -- I mean -- sorry, the product advisory board where we had a lot of the top banks out there. I think the feedback is a lot of excitement around the Risk Operations Center as a focus area rather than just kind of trying to do a like-to-like scanner to scanner replacement and the time and effort it takes. This is something that they feel like it's something that they can justify in terms of moving quickly now, of course, it is something that is new. Everybody is looking at it this year.

So it is allowing them to figure out how they're going to budget. Some people have the budget now, some people are looking at it to budget for next year's purchases. And so -- but overall, the conversation has been pretty positive. And I think the goal for us is to not only existing customers not only bring the Qualys findings into ETM, but that value they get out of that is going to encourage them to bring a lot of other findings and other assets that are not currently in Qualys.

And so we are seeing that with some of the early adopter customers. They started with bringing Qualys VMDR findings into ETM, but then quickly pivoted after seeing the value to bringing sometimes twice as many assets into Qualys as they had before from other tools, increasing the license count for ETM. So that's kind of how we're looking at it as we progress is that it's going to help us be much quicker in POCs and we don't have to walk away if a customer already has a competing VM scanner. We can actually just ingest the data, show them the value -- show them the business value and then grow from there rather than doing prolonged POCs that involve deployment of agents and scanners, which ultimately they see the value in that, but it is sometimes -- just takes a longer cycle. So I think net-net, I think will -- it's early days. We'll see how it develops. But so far in the initial engagements we have had, it's been pretty exciting and fairly quick moving.

Our next question is from Joshua Tilton of Wolfe Research.

Congrats on a great quarter. I've been bouncing around a few calls, so I'm actually going to ask a pretty high-level question. And my question is, we have the privilege of covering 3 publicly traded vulnerability management vendors, and you guys are all kind of growing at different rates. And I guess my question to you is, are the deltas in your growth rate a function of things changing within the VM market and therefore, some of you are growing faster, taking share, growing slower within VM, or the delta in the growth rates because some of you have taken these broader platform plays and you have these non-VM products better separating the growth between these 3 players? And if it's the latter, I guess, can you just help us understand which of the product -- the non-VM products for you are really driving the separation and growth that we're seeing at Qualys versus some of the other players?

I would just say that some of us have just have an awesome organic platform. That's why we are growing at a different pace. But having said that, look, I think, we've talked about this for a few years, VM has been changing and people are less focused on just scanning and more focused on prioritization remediation, and that's why we pivoted towards, if you recall, Patch Management a few years ago and we got GigaOM giving us that #1 spot in their analysis for Qualys, which was a great achievement for us just within 4 years, getting to #1 of our established players.

We're also pivoting more with ETM towards the ability to not just -- not only collect data from multiple tools as well as our own tools, but also ability to prioritize with threat intel. We have award-winning threat intelligence, and we talked about that. And then the ability for us to actually confirm the vulnerabilities exploitable by exploiting it and then getting it fixed. And so what we are seeing, and we have been reporting on how Eliminate and Patch Management has been growing as a percentage of our LTM bookings. And then we've also talked about now that our focus on ETM and how starting at the earnings call for Q1, we're going to focus more on the penetration for ETM in our customer base, which is elevating from VMDR to ability to give them a broader Risk Operations Center and then the upsell from that is going to be the Eliminate capabilities to get things fixed.

And so I -- with the engagement that we have with our customers, there is a big focus from customers on business alignment of cybersecurity spend, the ability to look at risk from a business perspective. And what we are doing now in the organically developed platform that we have that integrates so many different things together, I think, is helping customers get a very quick and simplified view of their actual risk and the ability to actually remediate before attackers get there versus competitors have multiple acquisitions with multiple separate tools that don't really work with each other. And they're not able to get that kind of -- in my belief, they're not able to get the kind of response that we are able to give very quickly whenever there is something going on, and that's the feedback that we have been getting from customers.

Sumedh, you had me at organic platform. But maybe just a follow-up for Joo Mi. If I missed it, I apologize, but any way to think about how we should expect billings growth to finish or current billings growth to finish this year?

Yes. I think that Q4 because it was a very strong quarter, a tough compare for last year. We do expect current billings to be a few percentage points below the revenue growth rate ending the year. So maybe if you think about it from the like 2025 full year current billings growth at around 8%.

Our next question is from Jonathan Ho of William Blair.

This is Garrett Burkam on for Jonathan. I was just wondering if you could walk us through how you're thinking about contribution from your new and continued product innovations like including AI and new modules around VMDR and mROC versus just continuing to upsell and cross-sell your existing installed base? And then also, can you just talk about how customer conversations are going with your mROC solution at this point? Just what traction you're getting there?

Sorry, I didn't get the first part of the question again. So you're asking for contribution from...

Yes, like new modules and new customers versus upselling your existing base in your existing modules?

Yes. Look, I think every customer is a different part of the journey. So we don't really break it out by individual modules. I think we have been giving color on the contribution of TotalCloud, which is our cloud native CNAPP solution. We're happy to see the progress it is making in early days, but it was 5% of the bookings for the quarter. And then you also have -- we called out Patch Management and Cybersecurity Asset Management, which has been the focus for us the last couple of years, and we're happy with the penetration there.

But we're also now pivoting more towards the Risk Operations Center, ETM solution that we talked about and our goal is going to be just like we did from VM to VMDR a few years ago, really up level our customers from VMDR to ETM solutions. So which we have a very nice existing installed base of vulnerability management customers that we can work on upselling them and cross-selling them to ETM, which by the way, will include Cybersecurity Asset Management already. And then next step above that, we'll be upselling them to Eliminate solution to actually get things fixed. And so conversations have been super positive around Risk Operations Center, as I said in the earnings script, one of the big differentiators for us has been the CRQ and the business focus on risk management rather than just giving technical scores, and that was underscored at our ROCon Conference in Houston where we added a business track, separate business track for cybersecurity, which had sessions with CFOs and Board members and insurance companies.

And actually, because of that, we had a 20% increase in attendance because people were really focused on making sense out of from a business perspective. So the conversations with customers are on Risk Operations Center, ETM solution from Qualys has been that they really like that we're not just a CTEM solution, giving them dashboards. We're actually natively fixing issues for them rapidly as well as we're giving them AI-based intelligence around the business and for their particular industry, what is the risk of ransomware? How much money could they lose, why should they fix this particular vulnerability versus not fix another vulnerability.

So it's been very positive feedback, and we're excited about that. And so I think, as we get into the next year, we are really putting a focus on ETM and as part of that we have made some internal promotions to align well with our go-to-market strategy there with product management and Jonathan, our CISO, also really working on helping us as a GM for our risk operations solutions to really bring all of our teams to executing more towards ETM and getting the benefit out of upselling our customers to ETM. And that's what we see in the Q1 earnings call, we'll be starting to focus on the opportunity ahead of us.

In addition, of course. One of the reasons is like there's a lot of CNAPP solutions out there. We see the resonation -- what is resonating with customers with our CNAPP solution. There's not so much individual features, but it is, again, the ability to bring the cloud risk as part of the holistic business risk. And so yes, other CNAPP solutions can tell you how many open buckets that you have after the public. But if you ask them, what does that mean, how in dollar value lost to your company, if one of them is compromised. There don't have answers to that. And so our cloud security solution is actually integrated from a risk perspective to give that business quantification, and that's what the feedback that we're getting from customers. And so as I look into next year, our focus is going to be on ETM as the big focus to cross-sell our customers.

It's going to be continued investment for long term in the federal market. Focus on the continued innovation that we have with Eliminate capabilities. And then all of that is going to be underpinned by our work that we are doing with mROC partners which I think is going to contribute even more to scale our business in 2026.

Our next question is from Joseph Gallo of Jefferies.

This is [ Anec Bevin ] on for Joe Gallo. Really strong quarter. Can you just share some color on where exposure management is in terms of budget prioritization in 2026? And can we expect billings to track in line with your noted 8% for 2025?

I think I'll answer the first part is we're seeing definitely customers are looking to invest in proactive risk management solutions. And as I said, that the Risk Operations Center where exposure management is part of that in business quantification. With the feedback and response that we're getting from customers. This is definitely an area that they are focusing on in all the conversations that we had with this year.

I think a lot of customers see the Risk Operations Center and the Security Operations Center, ROC and SOC kind of working closely with each other because there is a lot of fatigue currently on the SOC side because of too many alerts. And the feeling is that if they can focus on better prevention in the first place that can reduce the number of alerts and reduce the fatigue that they see in the SOC and people are looking to balance in the early conversations, while I don't have an exact percentage right now. we will see how it evolves in next year.

People do talk about balancing their cybersecurity budgets between proactive risk management versus just reactive after the fact that somebody is in your network, and there's -- a lot of that has happened in the past. And it's ultimately you cannot do away with one or the other. You need both, so that you can proactively reduce risk while having the monitoring needed, if there is a compromise to block that. But there is definitely a focus on customers to prioritize the split between those because again, if they don't prioritize what they are fixing accurately, then they're asking and wasting their IT teams resources and fixing things that don't actually matter while at the end, getting more alerts in their SOC.

So from that perspective, we are seeing conversations around the Risk Operations Center and exposure management is one part of that. We are definitely trending where customers are liking this ability to think about how much they spend into proactive risk management in terms of business risk and how much risk they would have, which is what I talked about in my keynote as well as ROCon is moving from a attack surface management to risk surface management. You can spend a lot in covering your attack surface, but the risk of loss was only $50,000 and you spent $500,000 to your attack surface. That's not a great business equation. So that's what we are hearing and we're seeing from our customers in terms of billings, Joo Mi?

No, I think that 8% that we believe that we'll be able to achieve in 2025 for the full year is on track.

Our next question is from Rudy Kessinger of D.A. Davidson.

Just a clarification on that last question, Joo Mi. You said that 8% billings for this year is "on track." Is that to imply that you think you can do 8%-ish again next year? Or can you just clarify that, please?

Yes. So right now, I mean, billing has the tendency to be very lumpy. So for this year, we think that we're going to end the full year at 8%, which implies a lower current billings growth rate for Q4 given the tough compare to 1 year ago. In terms of next year, it's a little bit too early to tell in terms of 2026, what we think that we'll be able to achieve. A lot of it will depend on what we'll be able to close the year at when it comes to the net dollar expansion rate. And we are monitoring very closely in terms of the newer product adoption to give us a better sense and clarity into what we think that we should be anticipating for 2026 growth rate.

Got it. Okay. And then you guys had some pretty decent results in the last few quarters now. Growth has been stable at 10% the last 4 quarters, I believe, on revenue. You've got NRR stable at 104%. What -- I guess, what would you need to see to maybe give you guys confidence in maybe declaring that you can deliver a stable 10% plus growth over the next couple of years?

Well, we're certainly working towards that. I think the key growth vectors we see right now are converting our VM customer base to -- VMDR customer base to ETM is an area of focus, creating upsell with Eliminate on that. We continue to see very -- a lot of interest for our cloud security solution. And I think with a long-term federal opportunity that we are focusing on, we have really good conversations with Risk Operations Center on the federal side as well. I think those are the areas that we continue for sort of short-term, medium-term and long-term growth, which is again underpinned by our focus on mROC partnerships. But we're really laser-focused next year on our VMDR to ETM conversion and the upsells will Eliminate.

Our next question is from Yun Kim of Loop Capital Markets.

Congrats on a solid quarter. Sumedh, on the Enterprise TruRisk Management, ETM, is that primarily a big deal sales motion? Or is it just a combination of a bunch of products that could be purchased and deployed in multiple phases and collectively that could lead to 100% uplift over time. Just want to get a better understanding of that 100% plus uplift commentary.

Yes, I think we feel and with the early response from customers, we feel like we can hold up to, of course, 100% of the VMDR because we're adding them -- we are providing them AI capabilities, Agentic AI capabilities, marketplace built in, where they can essentially bring on an AI agent as part of their team for 4 weeks as they're focusing on an audit or for 3 weeks as they are triaging the ransomware related vulnerabilities. And so CSAM is also included in that. Ability to test exploits is also included in that. And so we feel like that's something that is going to be helpful for customers, primarily it is VMDR, CSAM plus all the new capabilities that I highlighted, or what is focused on that now.

We also talked about Q-Flex and I think a lot of this is going to go hand-in-hand as we start seeing scale next year. A lot of these customers who are looking to buy ETM are also going to be interested in our Eliminate platform and also be interested in cloud. And so the Q-Flex is what sort of you talked about is from an ability to provide them a way to try and use different Qualys modules that make sense to them instead of having to go through multiple purchase cycles through the year and we are going to see a combination of the Q-Flex pricing with ETM cross-sells are the focus for us as we get into next year.

Okay. Great. Looking forward to ETM adoption next year, given that it sounds like it's going to have big impact. Just -- Sumedh, you haven't done any acquisition in a while or anything sizable. If you can just give us an update on your view on acquisition strategy. Obviously, you guys are performing very well. The business overall is stable. You got this ETM kicking in starting next year. Obviously, you're very proud of your organically growing platform, but you must see a strategic opportunity to expand your offering to get to that place faster than organically, are you tempted at all given how dynamic the market is evolving?

Look, we are always open to all kinds of different opportunities to look at organic small acquisition, some larger acquisition potential as well. That makes sense. We definitely come more from -- we want to give our customer an organic experience with the platform. Having said that, we have done tuck-in acquisition in the past where if there is a fit with our platform, we're not shy of looking at something larger. But currently, with the way we are executing, focusing -- and one of the things that happens with ETM now is that we are able to increase the asset count that the customer has with Qualys by actually bringing data from other tools and may not necessarily need them to essentially buy that particular capability from Qualys, as an example, right?

Like now with ISPM identity solution, as an example, that we have as part of ETM, we can pull an identity from Okta and AD and others, and we don't necessarily have the customer to us -- to maybe acquire an AD security company. We can work with companies out there while that increases the asset count in Qualys. And so these dynamics keep changing, and we see efficiencies coming out of AI. We are seeing ability for us to look at various players in the market, how they are doing. And we continue to stay focused on our road map from an organic experience for our customers while also keeping an eye on the industry and looking at whether it's going to be a smaller or a larger acquisition, we're definitely continuing to be open to that.

Thank you. This now concludes the question-and-answer session. Thank you for your participation in today's conference. This does conclude the program. You may now disconnect. Goodbye.

Ladies and gentlemen, thank you for standing by. Welcome to Qualys Second Quarter 2025 Investors Call. At this time, all participants are in a listen-only mode. [Operator Instructions] Please be advised that today's conference is being recorded. I would now like to turn the conference over to Blair King, Investor Relations. Please go ahead, sir.

Thank you, Michelle. Good afternoon, and welcome to Qualys' Second Quarter 2025 Earnings Call. Joining me today to discuss our results are Sumedh Thakar , President and CEO; and Joo Mi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. .

Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as reminder, the press release, prepared remarks and investor presentation, were all available on the Investor Relations section of our website.

So with that, I'd like now to turn the call over to Sumedh.

Thank you, Blair, and welcome to our second quarter earnings call. In Q2, we continue to execute well. resulting in another quarter of solid revenue growth and profitability. In this new era of cybersecurity driven by advanced data analytics automation and AI, Qualys's pioneering a new risk operation center category in cybersecurity and redefining our organizations managed by risk. While traditional security operations center saw focus on detecting breaches after they happen. The rock is built for prevention.

Qualys' cloud-native ETM enterprise tourist management solution powers this transformation. With over 18 trillion data points processed in real time, we have unleashed the power of our platform to integrate and normalize signals from both Qualys and non-QualyS tools, excluding CrowdStrike securities work [indiscernible] tenable and with. Unlike other continuous threat exposure management solutions that simply highlight exposure and lack effective remediation or business context, Qualys ETM solution is a powerful orchestration layer aggregating both Qualys and noncore security findings applying Threat Intelligence and delivering a unified business contextual view of risk with holistic prioritization and automated remediation.

This business aligned approach to pre-breach cyber risk management continues to resonate strongly with customers and boards and positions Qualys at the forefront of [indiscernible] in cybersecurity. One defined not just by the detection of the vulnerabilities, but by measurable proactive, automated risk reduction at scale. With active POCs already converting after announcing GA just a short while ago, we continue to see many parallels between this new market opportunity and the early days of our VMDR launch, including a significant greenfield opportunity and growing demand.

With our latest announcement yesterday, we are very excited to introduce Qualys' later game-changing vision for the future of Cyber is management with the launch of a fully reimagined Agent AI platform built on a unified fiber to seamlessly manage cyber risk across multi-vendor environment. At its core, every cyber risk AI agent represents a specialized autonomous AI fabric equipped to automate complex business processes and autonomously adapt to customers' environment by accessing diverse internal and external data sources, applications and machines.

These agents achieve complete end-to-end outcomes for sub-security teams. Available in a first-of-a-kind agent AI marketplace for risk management. CISOs can now quickly augment their team with highly specialized autonomous experts that can bring down the time to remediation, increase accuracy and reduce costs. Users can use out-of-the-box cyber risk agents available in the marketplace, interactively create their own specialist agents or leverage third-party agents for our -- from our partners that can be added to the marketplace in the future.

Further advancing our remediation focus beyond patching, we are also introducing new capabilities to our TruRisk eliminate umbrella of remediation solutions. Now organizations can quickly determine trending risks to that environment. The estimated impact of a breach on a particular asset and the probability of successfully applying a patch. If applying Apache deem the significant operational risk of the business, security and IT teams can alternatively choose to automate array early of compensating controls to prevent an incident from occurring.

Embedding Qualys' AI assistant directly into remediation workflows is a significant adoption level, a strong competitive differentiator opens new market opportunities well beyond patch management. Continuing this rapid pace of innovation, we are further broadening our ATM solution and bringing natively integrated identity security posture management, ISPM to market at a time when identities have become part of the new perimeter. Compromised credentials are central to nearly every major cyber attack today Qualys solution is aimed at helping organizations stay in front of adversaries by continuously analyzing identity systems for misconfigurations, excessive privileges and toxic combinations with assets.

By unifying the identity risk surface, we eliminate silos and hub securities visualize amenity exposure and remediate risk before attaches escalate privileges or laterally. Spanning devices, cloud workloads and applications, Qualys now provides holistic protection using Qualys and normal data sources across key identity touch points max to asset criticality and backed by real-time remediation through a single native integrated platform. These innovative new approaches to cybersecurity risk management, along with several others we are showcasing at Black Hat this week, allow our customers to reduce complexity and cost achieve better outcome and create multidimensional path for durable long-term growth in our business.

Moving on to the business update. Over the last several months, I have personally met with many customers, prospects and partners, and the message has remained resoundingly clear. Organizations are increasingly anchoring pre-breach cyber spend to solutions that articulate and demonstrate a measurable impact on cyber risk rather than consolidating around a single vendor CISOs are seeking platforms. There are a lot of flexibility across their secured stack while unifying this through a common framework. This requires a centralized risk habitat, which brings together diverse tools and enables teams to uniformly assess, prioritize and remediate risk. With a 25-year track record of converting operational challenges for customers into strong competitive advantages, we are well positioned to capitalize on the evolving market opportunities.

In Q2, this success was demonstrated by the number of customers spending $500,000 or more growing 7% from a year ago to [ 212 ]. It was also evidenced by notable industry endorsements in the market we help pioneer. Qualys VMDR with TruRisk and total cloud were voted the best vulnerability and cloud security posture management solution, respectively, at the 2024 SC Awards in Europe. IDC named Qualys a major player in [ Snap and Koping Coal ] recognized Qualys as a leader in SNAP and a market leader in our tax service management.

Let me share a couple of recent wins, which illustrate these accolades and reflect why companies ready to centralize their response to cyber risk are turning to Qualys to help unify their security tools quantify and immediate risk in their environments and achieve better security outcomes. First, a global fintech company determined that managing silo tools added complexity to their operations lack integration and misdetection, which hindered their ability to assess risk and centralized remediation. This customer chose Qualys to transform siloed risk signals spanning, core depositories, endpoint, identity, cloud container IT and network such into a cohesive real-time risk management solution by consolidating Qualys and non-Qualys.

This included purchasing 7 Qualys modules, including ATM to bring -- to begin operationalizing their risk operation center with ingested data from strike it side and is resulting in a 7-figure annual bookings deal. By consolidating these data sources into the Qualys platform, we are now delivering this customer, a vendor-agnostic orchestration layer with full visibility of their attack surface centralized risk assessment, quantification, prioritization and remediation while enlishing the operational efficiencies of security stack consolidation aligned with acceptable risk parameters for the business.

Another marquee win was a large federal government agency previously using multiple legacy and next-gen solutions to manage a variety of risk management use cases across their security and DevOps teams. In addition to the complexity of using multiple products, this government agency was frustrated with increasing costs associated with outdated on-prem deployments from last several years. Looking to migrate to a cloud native solution that meets the CISA binding operational directives, are now in the process of replacing 2 of their existing vendors in a high 6-figure annual booking deployment using 10 Qualys modules, including Cybersecurity Asset Management, VMDR, patch management and, [ total ] cloud.

Through this highly strategic and competitive win, the customer is now able to leverage unified dashboards across nearly a dozen separate bureaus that provides them a greater insight and automation that can -- that any of the competitive products that they are evaluated while taking full advantage of the speed and scale of the integrated platform. with out-of-the-box support for CDM within the CISA framework, we are now working towards a Phase II agency-wide rollout of the cybersecurity asset management solution, presenting a significant upsell opportunity for us.

Beyond this win, we are pleased to announce Qualys has recently received Agency Authorization for Fed Ramp High. With this authorization, Qualys is the only FedRAMP high platform offering inventory, vulnerability management, patch management, CSPM, container security and EDR in a single unified workflow across hybrid environments. As government agencies increasingly transition workloads from on-prem environments to the cloud, the achievement marks a significant milestone and establishes Qualys as the only modern alternative to legacy scanners for federal, state and local agencies. Our authorization consolidated platform and continued investment in public sector expansion underscores our commitment to this market and positions Qualys well to drive long-term incremental growth. That momentum was on full display at our Second Annual Public Sector Risk Conference, Cyber Risk Conference in May where we were especially encouraged by the strong turnout and positive feedback to the concept of a risk operation center to bring efficiency to government agencies instead of playing risk vacuole with multiple siloed legacy solutions.

Investing in our partner ecosystem remains a key pillar of our growth agenda. Through our strategic technical alliances program, we are driving deep technology integrations, whole-selling opportunities and demand generation programs. We believe this expanding ecosystem bolsters our capacity, harnesses transformative solution sales and brings new business to Qualys. Additionally, we have advanced our global Rock ecosystem by certifying 3 new strategic partners who wanted to partner with Qualys to bring the rock to their customer base. With growing channel momentum and a growing pipeline of fresh new analog services being offered to customers, we look forward to sharing some exciting new wins in the upcoming quarters.

With more and more customers and partners beginning to perceive Qualys as a leading pre-breach risk mitigation management platform, that consolidates and orchestrates multiple security solutions and workflows, I am pleased to announce [ May Mitchell ] as our newly appointed CMO pipeline creation, growing module adoption, winning new business and vagilizing the AI native rock are key priorities. With me at [indiscernible] and her long experience in cybersecurity, we are intensifying our marketing activities and increasing focus on ramping top-of-funnel initiatives and enhancing brand awareness to help drive adoption of the Qualys platform to new heights.

To further accelerate awareness and unleash new Qualys capabilities for customers, I'm also pleased to announce the launch of our Qualys platform pricing model, where we enable customers to purchase Qualys units providing access to the entire platform and flexibly utilizing Qualys modules of their choice over the course of their subscription term. Instead of purchasing Qualys modules individually organizations now adopt the products they need today and in the future through a frictionless process design to flexibly replace existing technologies and seamlessly switch between Qualys modules.

Customers are expressing strong enthusiasm for this new pricing model, and we believe it will further enhance long-term customer loyalty and drive larger lands, reduce cost and bolster cyber resilience over time with more customers adopting more Qualys solutions faster. In summary, Qualys is well armed with fresh new capabilities and new agency authorized FedRAMP high solution for government wide use, strong channel momentum and flexible platform pricing to help customers unify pre bridge risk management workloads, reduce costs and address today's stock security challenges with trusted innovation and early adoption we're strengthening our position as the partner of choice for customers ready to centralize the response to cyber risk and believe we have to outpace our competitors extend our thought leadership and build upon an already strong foundation to drive durable long-term growth in the business.

With that, I will turn the call over to Joo Mi to further discuss our second quarter results and outlook for the third quarter and full year 2025.

Thanks, Samedh, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP and growth rates are based on comparisons to the prior year period unless stated otherwise. .

Turning to second quarter results. Revenues grew 10% to $164.1 million. The channel continued to increase its contribution, making up 49% of total revenue compared to 46% a year ago. Revenues from channel partners grew 17%, outpacing direct, which grew 4%. As a result of our strategic emphasis on leveraging our partner ecosystem to drive growth, we expect this trend to continue. [indiscernible] 15% growth outside the U.S. was ahead of our domestic business, which grew by 7%. U.S. and international revenue mix was 57% and 43%, respectively. In Q2, despite ongoing macroeconomic uncertainty, our growth retention rate and upsell execution improved with our net dollar expansion rate of 104%, up from 13% last quarter.

In terms of product contribution to bookings, patch management and cybersecurity asset management combined made up 16% of total bookings and 26% of new bookings on an LTM basis. Our cloud security solutions, total cloud [ Sina ] made up 5% of LTM bookings. Turning to profitability. Adjusted EBITDA for the second quarter of 2025 was $73.4 million, representing a 45% margin compared to a 47% margin a year ago. Operating expenses in Q2 increased by 15% to $67.7 million. driven by investments in sales and marketing and R&D.

Demonstrating our ability to innovate and invest in our long-term growth initiatives while remaining capital efficient. ETMs for the second quarter of 2025 grew 11% to 1.68. Our free cash flow was $32.4 million, representing a 20% margin compared to 33% in the prior year due to fluctuations in working capital. Normalizing for this, first half 2025 margin was 43% compared to 45% in the prior year. In Q2, we continue to invest the cash we generated from operations back into Qualys, including $1.3 million in capital expenditures and $49.2 million to repurchase $375,000 of our outstanding shares. Since commencing our share repurchase program in February 2018, we have repurchased 10 million shares and returned over $1.1 billion in cash to shareholders.

As of the end of the quarter, we had $254.6 million remaining in our share repurchase program. With that, let me turn to guidance, starting with revenue. For the full year 2025, we expect revenue to be in the range of $656 million to $662 million, which represents a growth rate of 8% to 9%. This compares to prior guidance of $648 million to $657 million. For the third quarter of 2025, we expect revenue to be in the range of $164.5 million to $167.5 million, representing a growth rate of 7% to 9%.

While we believe our platform approach to cyber risk management provides some insulation as macro volatility, this guidance assumes continued budget scrutiny in a challenging environment for new business growth in 2025. Shifting to profitability guidance for the full year 2025, we expect an EBITDA margin in the range of low to mid-40s, applying a 15% to 17% increase in operating expenses and a free cash flow margin in the mid-30s. We expect full year EPS to be in the range of 6.2% to 6.5%, up from the prior range of $6 to $6.3 million.

For the third quarter of 2025, we expect EPS to be in the range of 1.5% to 1.6%. Our planned capital expenditures in 2025 are expected to be in the range of $7 million to $9 million for the third quarter of 2025 and the range of $1 million to $3 million. We continue to believe organizations will increasingly adopted both stack security and compliance coverage to meet the demands of today's threat landscape and reduce costs. As the impact of the macro economy unfolds, we are closely monitoring the business environment. We'll continue to adjust our priorities accordingly. That said, considering the long-term growth opportunities ahead of us, and our industry-leading margins implying further room for investment. We intend to continue to responsibly align our product and marketing investments to focus on high-impact initiatives aimed at driving more pipeline, accelerating our partner program and expanding our federal vertical.

As a percentage of revenues, we expect to prioritize increased investments in sales and marketing and engineering with a more modest increase in G&A consistent with our commitment to Qualys's long-term growth and profitability. With that, Sumedh, I would be happy to answer any of your questions.

[Operator Instructions]

And the first question comes from Jonathan Ho with William Blair.

Congratulations on the strong results I wanted to maybe start out with the macro environment and you get a sense from you of what some of the puts and takes are out there and especially relative to your ability to raise guidance, how we should think about sort of the conservatism that's baked in?

I think at a high level, as Joo Mi mentioned, right, the environment is kind of stable right now, but it continues to be challenging. So deal scrutinies there. I think customers are overall just a little bit more wait and watch to see how the impact of some of the current conditions is going to be on their spend through the rest of the year. And so we're just being factoring that in right now in the way that we are thinking, we're not assuming anything getting better from an environment perspective. So it's more assuming that it's going to continue kind of as is.

Yes. And from our perspective, in Q2, we did see slight improvement in net dollar expansion rate, moving up to 104%. We've been at 103% for several quarters in a row and are low was at 102% a year ago. And so we are optimistic that we were able to make an improvement from both the growth retention as well as upsell perspective this quarter, which kind of indicates that the market and the selling environment is actually not worsening. We see an opportunity to sell more of our newer products, have more conversations with their customers. And although the new business continues to be challenging, and we expect that to continue throughout 2025, do see some upside when it comes to expand with our existing customers. .

Excellent. And just in terms of a follow-up, can you help us understand how maybe the [indiscernible] messaging has been performing just given the challenges of selling sort of new platforms in the environment, we may be resonating the most with customers and causing them to choose to go in the [indiscernible] direction.

That's a great question. I think a lot of partners are providing sort of SOX/MDR services. It's a bit of a saturated market. And for them, this threat detection after the breach has happened is what they are focused on. And so what partners are excited about is being able to go back to those partners who have a SOC to those customers who have a SOC and being able to position a new solution and new services, which is proactively managing your risk and helping prevent a lot of them sort of provide some managed vulnerability service here or there, but there is no -- and then there is cloud and then there is identity. And so when you look at risk management, there is sort of no easy holistic service that a lot of them are offering. And so what [indiscernible] does is part of the managed risk operation center concept, they can go to the customers that have SOC and say, hey, we now have a new capability that you can upsell to, which allows you to implement a similarly operationalized risk operation center environment built on the Qualys platform and it does not require them to switch out solutions that they are potentially using for cloud security for entity that this is something that can be built on top of that.

And so they're excited about that because this is -- this allows them to create services and services revenue is very interesting for them rather than just a few points here or there on the the price of the individual SKU. And so in some cases, can potentially add $5 of service to $1 of ATM that they could sell as a representative example, right? And so -- that is where we are seeing these partners are excited. Of course, they have to build out new services and they have to build new practices to be able to do that. but the excitement of being 1 of the few [indiscernible] partners that actually is able to offer this service is very interesting for them because that differentiates them from the other 200 players that are only offering MDR.

And our next question will come from Roger Boyd with UBS.

Joo Mi, I was wondering if you could just help us kind of bridge the gap between revenue and billings growth. I know that's not a metric you guide to, but you've previously given some directional color about the growth of those 2 numbers being in the same ballpark. Just trying to get a sense of the difference there, what you're seeing from a billings front, anything to be mindful of around deal timing given RPO bookings look, I think, pretty strong this quarter. Anything else to be mindful there of FX or anything else would be great.

Yes. The revenue is lagging. I would say that current billings on an LTM basis could be indicative of the bookings performance, which is more of a leading indicator. So I understand the focus on the current billings. At the beginning of the year, what I have kind of given an indication for current billings at around like 6% to 8%, in line with the revenue growth guidance, 6% to 8% at the beginning of the year.

For current billings, I would say that still remains true probably the best indicator there or a guidance I can give at the time. Now on the revenue side, you could see that we've outperformed booking 10% growth rate for Q1 and Q2, guiding to 7% to 9% for Q3. And so what that implies is current billings going up from 7% to 8%, 7% in Q1 looks like. We closed it at 8%. But in the second half, because of the tougher comparison relative to second half of last year, we are anticipating it to kind of come down to land around 6% to 8% for the full year for current billings.

Got it. That's helpful. And then just as a follow-up, Sumedh, Nice to see FedRAMP high. Just any insight into kind of your expectations for the federal vertical in 3Q. My gut assumption is that it's probably difficult to think that can be super impactful in the next quarter, but would love to get kind of your view on the opportunity there. .

Yes, for sure, right. I think expecting any federal movement happening within a few weeks of us getting the FedRAMP high would be a little bit too much expectation. But I think -- so see, for us, this has been a long-term focus and investment that we have been making. And as anybody who goes for FedRAMP, FedRAMP High will tell you this is a significant investment to really get there. And so we're super excited to now have that FedRAMP High platform that does vulnerability management, patch management and cloud security. And so that really is going to open us up opportunities.

Obviously, right now, you kind of have a mixed bag with some folks kind of waiting to see how things progress with the cost reduction, others are seeing this as an opportunity to change out their incumbent vendors to new solutions and FedRAMP High coming at this time. bodes well in my mind for opportunities that will get created over the next few quarters because now we could go in, we could basically showcase what we are the modern solution that is FedRAMP High. And so as they are looking for efficiency and moving out of legacy on-prem solutions, their options are non-FedRAMP High solution in the cloud or a FedRAMP High with Qualys. And so I think that is an advantage in my opinion for us, and we look forward to leveraging that. I'm also looking forward to a lot of other commercial companies that actually are FedRAMP high or looking to get FedRAMP High, need FedRAMP High solution, and you have a lot of big companies who are looking for that.

And so that puts us in an interesting opportunity, again, where it's not just the government agencies themselves, but we can also see potential pipeline buildup from commercial entities that are currently in the process of trying to go FedRAMP High and want to switch to a solution that is also FedRAMP High because there currently is no other solution that can do like FedRAMP High management as an example, right? So I don't really expect anything immediately in this quarter. But I think with the momentum that we're seeing, our investment in the federal side of the conference that we did and now getting FedRAMP High. I think this is key for us, as I have mentioned in the last few quarters as well that federal over the next couple of years can be an important area of growth for us.

And our next question will come from Kingsley Crane with Canaccord. .

And echo congrats on a really strong quarter. Nice to hear about Qualys flex pricing. I think this has been something you've been considering for a while. I want to hear more about what kinds of impacts we could expect as a result, like perhaps larger commitments. And just want to clarify any of the large deals in the quarter were flex pricing. .

Look, it's early days right now, but the feedback that we have gotten has been very positive, right? So we want to get this out and we want to get some of these deals close. But overall, today, a customer buys VMDR, then they are interested in trying patch management, like that's a whole process that they have to go through to buy that additional SKU win.

So as we move into this pricing, it essentially, if they buy any number of pricing, it gives them access to all Qualys modules, right? They have access to it. Of course, if they want to use it, they have to buy additional units to be able to leverage those. And so for somebody who is maybe focusing on vulnerability management, they want to try a patch management, they can just do that now with the flex pricing without really having to go and get a whole new SKU purchase, et cetera. So that is where it's exciting for them is that they can look at the utilization, they can try and new capabilities. And then as they like those capabilities that they can actually buy more units to be able to use those capabilities at scale.

And that's really where we see the opportunity. And so we are looking forward to seeing the kind of uplift that we can get because that can get a customer interested in buying fewer additional units so that they can leverage broader platform capabilities right as they do the purchase. So that's the hypothesis and the way we are seeing the early conversations with customers, but we still need to get a few of those deals closed and then we'll give updates as we see the progress happening, but it is definitely something that we see as a key aspect over the next year or 2 for us to push forward so that we can create upsells. And also for net new customers is we're seeing customer net must also coming in buying multiple modules upfront, as you can see, cybersecurity asset management, patch management already 26% of bookings for net new customers, like that will give them opportunity to leverage newer capabilities and more capabilities, which then allows them to potentially buy more units as they roll that out.

Great. Yes. I mean the model -- it's great for customers good for you. And so for Joo Mi, so you just brought on May Mitchell and we're talking about investing in more key marketing initiatives. Of course, we've had some pretty significant earnings upticks over the past 2 quarters on the guide. So I mean should we expect that some of these are really going to be more of a focus in fiscal '26?

I would say that we're ready to get started because we've kind of built the momentum because if you take a look at our sales and marketing for the first half of this year. It's grown by 15% year-over-year and then even in the R&D front, we grew by 8% in Q1. We ramped that up to 15% because R&D also included product management. And the entire GTM team has been working very closely together to make sure that we work on the value proposition, how we're positioning our product to not just our sales reps, but more importantly, a partner-first approach. So we are really working with the entire team, including the engineers to make sure that are we working on the right product enhancements? Are we messaging it correctly and then really focus on partner marketing front and so we do anticipate the increase in sales and marketing investments up from the 15% level that we saw in Q2 and then same thing on the R&D side. .

And the next question will come from Rudy Kessinger with D.A. Davidson. .

The revenue -- Joo Mi, the revenue outperformance historically has been pretty minimal in your quarters last 4 quarters now, you've beaten on revenue by about 2%. Is there any more color you can add to that? Just what's driving that relative to your guidance? Have you guys just adopted a more conservative guidance framework in general is because of the macro conservatism or any professional services revenue potentially driving that upside?

Yes. It's not professional services, but I definitely had to do with the fact that when we first guided to revenue at the beginning of the year, there was a good amount of uncertainty in the business with respect to macro as well as if you're taking a look at our current billings kind of the trajectory of historical performance and with our revenue coming down, we wanted to make sure that, look, if I'm looking at a potential range of outcomes, for the business, given that we are pivoting significantly into ATM, a new platform play introducing new products and the difficulty that we've had with expanding the spend with our existing cost centers that we were looking at a more conservative scenario. And it could have gone that way, but thankfully, as you see by our performance, we've done really well the first half.

I think the team has worked really hard to make sure that we're making up or kind of all the underperformance, if you will, like that we saw at the end of last year with our CMO in place, and we're continuing to look for our new CRO, we are hoping that we will continue to make good progress on this going forward through the end of 2025 and hopefully, we'll be able to make some meaningful improvements in 2026.

Okay. That's helpful. And then on current calculated billings, TTM current calculated billings, it sounds like you are still expecting 6% to 8% year. What would be the drivers of upside to that figure and irrespective of where it lands, should we still look at TTM billings as the go-forward indicator of next 12 months revenue growth as we exit this year and go into '26?

Yes. I think that would be the best proxy at this point, if you're thinking about 2026 revenue. But on current billings, I would say that higher probability of us outperforming with our existing customers, given our newer products, like, for example, our net dollar expansion rate did increase to 104%, up from 103%. If you were to call out 2 areas where it could -- the additional growth could come from new land versus existing customers, I would say the latter. .

And the next question comes from Trevor Walsh with Citizens.

Sumedh, maybe to start with you, great to see the product development that you're working on as far as AI agents in the marketplace and kind of all the ways in which that can I guess, boost the platform. There's been a lot of activity in that space, I guess, AI security just generally kind of M&A-wise this week given Black Hat and others. Just curious kind of what your overall take is on that space given some of that -- those announcements and just as a product person yourself, how you feel about building versus buying there and if this is somehow different in the space the pace at which some of these tools are kind of moving and growing that, that might get you off the fence to do something around the same lines or if it were thinking you can do it kind of organically internally?

Yes. Thank you for that question. I was like with 4 questions saying and nobody's asked about AI, so excited about it, but it's super exciting, right? If you get a chance to really go through that. I think the way we have positioned and created this capability is really bridging that gap between like the agent AI being some piece of core somewhere versus sort of having a marketplace or you feel like you're actually able to hire a patch choose expert who knows absolutely end-to-end hard to coordinate scans how to coordinate assessment, how to coordinate prioritization, how to coordinate reputation and gets all of that thing done all in one, and they have a name, they have a persona, you can rate them. .

And so that's been super exciting for us. And we have been really able to get that. We've been working on it for a few months. But 1 of the things that are happening in AI, in general, is the advancement of technology is happening at a rapid base, right? And not to get too much into the depth of it. But if you look at like RAG came out a year or so ago and now what we are leveraging is in big ways MCP protocol, right? Like the -- then the model context protocol. MCP allows customers to much more rapidly take their existing solutions and use them with overall AI agents because they add a layer of context on top of their existing APIs and existing databases and existing data stores, right? And so that allows us to do this much, much quicker than what we have. And so I think AI security is following that same that as AI concepts and AI protocols are evolving so fast.

People are also trying to figure out what does that mean, right? If we were looking at RAC security where you are bringing all of your data into 1 single vector database, maybe a few months ago, certainly, you have MCP, which is sort of bringing a new layer. Now bringing the new layer of MCP doesn't mean that your existing data store and all of that does not have to have the traditional security, it still needs to have the security that you need to. And so what our team is doing is really rapidly tracking sort of these enhancements and new capabilities that are coming out in AI and responding accordingly. And that's where we came up with Total AI few months ago when people were running LLM in their own environment. And now we're seeing LMs being run at least the foundational LLMs being leveraged by from backlog as a service. And so -- we're pivoting quickly to provide capabilities around MCP protocol, MCP discovery and MCP mapping as well as MCP authentication authorization capabilities.

So I think there's always opportunities for us to look at players that are upcoming, but it's just so dynamic right now that we also want to wait and watch as we develop our own solutions to see which direction is going to be the stable direction for some of these AI capabilities to go. .

That makes total sense. Maybe a quick follow-up for you, Joo Mi, just more of a clarification. So now that you have the FedRAMP high in place, I know that some of the investments in the past around sales and marketing were to build out the public sector team. So do you feel like those investments now are just kind of waiting to deliver on the ROI of those? Or will there still be as part of that increased spend you noted going forward, kind of public sector pieces or elements to that? .

There are definitely pieces just because we are making sure that all investments that we made to achieve FedRAMP High already been made. But with that said, there is maintenance, and there's also GTM efforts. Marketing effort to make sure that we just opened up the DC offer to make sure they -- our customers know that we have a presence in DC. And so we'll be working very closely with our marketing team to make sure that we have all the opportunities out there. I think that from a meaningful booking perspective, it won't happen until next year. But we've been ready. I think it's just about execution at this point.

And the next question comes from Patrick Colville with Scotia Bank. .

This is Joe Vandrick on for Patrick Colville. Sumedh, that global fintech win you highlighted is a great example of consolidation on the platform. So how often are your conversations turning it into multiproduct platform deals versus customers just buying a module to solve the specific pain point?

The way the space is evolving is very interesting, right? There are opportunities for consolidation with -- in certain areas with the vendor, and you see that happening with CNAPP, where -- in the past, it used to be multiple cloud security solutions are not going under 1 umbrella. But we also see that customers are not necessarily looking to have every single capability from the same vendors. So there are areas and vendors that they trust for certain use cases, and they want to stick with those vendors.

And so what we see when we are talking to customers is a combination of in areas where they are like, hey, look, I want to consolidate vulnerability and patching and some of those cloud things with you. But for IDBS, want to continue to Okta and for EDR I'm still using CrowdStrike and want security score for third-party management. And so that's kind of where -- and that deal that I highlighted was great because we saw a bunch of modules they took from Qualys, but then they also took the ETA module, which allows them to bring third-party data from their existing solutions to consolidate into a single fabric to get a single view of their risk. And so that's what we are excited about is like while it's early days, if the customer wants to consolidate certain capabilities, we have a bunch of those modules and in the cases where they don't necessarily want to consolidate right now. We don't have to walk away. We still have an APM solution that they can purchase to take the data from the existing modules and actually provide better value of the investment in some of these third parties and in 1 of the conferences in BC, I showcased this sort of a funnel view where we took 65 million findings across CrowdStrike, Qualys Security Scorecard and after we applied the risk operation center, paradigms, threat detection and business context, it went from $65 million overall finding to $2 million that actually mattered and then after we applied the business context, this went down to $300,000 that actually were adding business risk to the customer. And that kind of an outcome from a risk operation center really was exciting for them so they could get the value without having to do a vendor replacement and going through that process, they could combine Qualys modules with third-party data and get real meaningful outcome and value for the Board.

That's helpful. And then maybe 1 for Jim. And you guys mentioned an improvement in gross retention and net retention. So I'm wondering if you attribute that mostly to the macro environment? Or is that driven by improved execution or maybe a little bit of those?

I would say it's hard to parse in it, but it's probably a little bit of both because if you're talking about our our net dollar expansion increasing this quarter relative to last quarter, it's a of customers that were up for renewal in this quarter. And from the discussions that we were having, it's not just that we start today. We typically start discussions like throughout the entire year, like definitely at least a quarter before the intended renewal date.

And what we've seen is, I think that there's less of a macro headwind today than we saw definitely at the beginning of the year. So with our continued execution, continue having multiple discussions of our new products and the value, how we're evolving as a company and how our product, we said it makes sense for them, especially with what's upcoming with the new pricing model, it's really resonating with our existing customers.

And our next question will come from Joshua Tilton with Wolfe Research .

Two for me. The first 1 is, Sumedh, unless I misheard you, I think you spoke to some channel initiatives that you to drive some large deals in the second half -- is there anything you can elaborate on those large deals? Is it new customers? Is it existing customers expanding? And more importantly, are these deals baked into your revenue outlook and your 6% to 8% billings growth expectation for the full year? And then again, I have a follow-up.

Yes. No specific deals when I talked about strategically is the risk operation center concept is resonating well with the CISOs of the partners' customers. And they are working with us to get the mROC certification and then mROC services deployed in our catalog and for them to be able to sell those. And what we are seeing is the conversations are driving their customers to look at consolidation of certain areas as well as purchasing Qualys licenses on top of existing solutions as well. And so we are -- we are looking forward to working with them for new business deals and taking some of our existing direct customers as we work with them to see if they have the right contacts that we can upsell to additional capabilities, but nothing specific at this point that we are talking about or baking in anything additional as part of that. This is a more of long term initiative and we are looking forward for our partners to start to help us build that pipeline, which obviously is going to take some time and closing their pipeline will take some more time.

Super helpful. And then maybe my second one, just more of a clarification, just a follow-up to question. New CMO, lots of exciting product announcements. It sounds like you guys are going to invest behind this to drive some additional growth. Are the investments that you plan to execute? Are they fully baked into the second half? Or is this should we start to see these investments ramping next year.

Right now, we are starting the 2026 budget and planning cycle, but what we're planning to execute to is what we had planned at the beginning of this year it's fully baked into the guidance. And the way we're seeing kind of the traction and the increase in investments quarter-over-quarter, it -- we saw some nice improvement with respect to investments in product management as well as the sales and marketing. We do see more room and for us to take advantage of the current opportunities ahead with the newer employees in seed. And so we plan to continue to invest and hence, we were guiding to the 15% to 17% increase in OpEx growth.

And the next question comes from Shrenik Kothari with Bard. .

Congrats on the great results. Some, you mentioned, of course, identity become the leading vector and the new periphery and now with the formal introduction of ISPM which because potentially seems like it can be an anchor for broader Zero Trust side rock, mROC. So just curious what advantages do you think Qualys brings to identity risk that allows you to compete here natively against other players? And what monetization potential you see in identity risk management controls. Then I had a quick follow-up. .

Still a lot of value that we add is our understanding in how our tax work and how vulnerabilities and escalation or privileges are tied to identities. And so for a while, we are focused on hosts and assets and servers and containers. And the second part of that is the partial view of the identity and how that creates a combination that can add additional risks, right? So particular asset with a particular vulnerability. It also has an identity that has certain issues.

Now the risk is compounded as an example. And so the main differentiator that we bring is not necessarily that we are going to be identity service provider or like that. But pulling in the identity posture view into the risk operation center, tying that identity with the risk that we see coming from the infrastructure, the risk that we see coming from third-party integrations and the risk that we see coming from any of the other sources like misconfigurations, cloud, et cetera, how do you bring a holistic view of that identity and as it ties to the assets themselves? And is it tied to the vendors? And how does that create a compound risk is really our main focus.

And so it's not necessarily for that we are going to replace some of the provider that they might have identity, there's more how we integrate with the provider that they have for identities and then provide them a better view of the risk which is not siloed only for identity, but it's actually a combined view of the identity and the asset together with the context of the threat actors for utilizing that. That's really the focus.

And quick follow-up for Joo Mi. So net dollar retention ticked up. Just looking out and looking forward, I know, Joo Mi, you had talked about potential sort of floor around 103%. How much headroom do you see just looking at -- I know it's backward looking, but the pipeline trends convergence, for the NDR and just from the rock adoption from the pricing model shift, just deeper sort of multi-model attaches with the platform model here? Just curious how you're thinking about going forward.

I do see an upside there because if you take a look at our low, it was at 102% a year ago. And when we were hoping that would be the trough. And since then, we've been kind of holding on study at 103%. We did increase to 104%. Now if you -- if you're looking at our historical net dollar expansion rate in the most recent year, the highest we've seen was at 111% a few years back. And so given the ROC, given the flex pricing, given newer products that we've just launched, I do anticipate that to continue to tick up, not consistently to I'm not calling that. I think that for this year, I'm just assuming that new meaningful improvement in net dollar expansion rate in the current guy, but with that said, that is something that we will be taking a look at very closely for next year's guidance. .

The next question will come from Mike Cikos with Needham .

I just wanted to cycle back to the improved commentary we're hearing today on upsell activity. Is there a way for you guys to parse out -- I know if I go back Q1 to towards the end of the quarter, we saw customers look to delay or weaker upsell activity than what was initially expected. How many of those customers came back to the table, did all of them come back in during this June quarter? And was there a catch-up, so to speak, when we think about the results we have here today?

No. It doesn't quite work like that for us. Typically, what happens is there's a core of customers that are up for renewal because majority of our deals are 1-year renewal. So if you think about the customers that were up for renewal in Q1, what we would talk -- what would we be talking to them about is a renewal set of products in a dollar amount and then plus the upsell side.

Like let's say you were spending $100,000 with us, and you had a 10% increase in budget. How would you like to allocate that? Would you like to purchase more of existing products, let's say, VMDR? Would you like to try a newer product that you haven't had before for patch management, as an example, so we will be having those discussions with those core of customers up for renewal in that quarter. And typically, we would follow up with them, but -- it's not a meaningful percentage of customers who come back the quarter after to say all of a sudden, they have increase in budget and they like to do a second upsell. So what you're seeing for Q2 is really the score of customers that are up for renewal in Q2.

Okay. And then improved 2Q upsell activity, then was that in any way a reflection of the macro? Or what did you guys do from an internal process standpoint to drive that behavior, whether it was from partners or direct?

Majority of our discussions currently are focus on partners. I would say that it applies still more to new land with existing cars that working very closely with partners as our existing GTM team to make sure that we're having the right conversations with the right set of customers. I think that it's not necessarily due to 1 versus another. I think the macro from our perspective definitely hasn't worsened. I think there weren't any surprises in the quarter in the quarter when you're looking at external factors. We are getting better in terms of making sure that how we're communicating with our existing customers, how they should be thinking about public products and adopting newer products as well as utilizing their existing subscription, we've been getting better at it. And so I think all of it kind of contributed to the slight uptick in the net dollar expansion rate. .

And our next question will come from Brian Essex with JPMorgan.

Two for me. I guess, one, Sumedh, I think you alluded to maybe making some progress on the Chief Revenue Officer front. It's great to see the addition of many of the team. Just wondering what your time line would be around that and how that might impact some of the go-to-market initiatives you might have. .

Yes, as soon as I find the perfect one. I think my focus was the last few months to really make sure we get the marketing team in shape because I think for us, all the messaging around risk operation center is key for us to grow in the future. Like I said, we have a pretty good team under that -- from a sales perspective, that's been working well as you're seeing improving our performance. And we look forward to -- as we continue to talk and interview people. I think we -- I don't have a time line right now.

I'm honestly just looking to find the right fit for us as we move more of partner-led approach, so we need a CRO that's going to be focusing more on partners rather than building a direct sales force, et cetera. And I think from that perspective, it's not that necessarily we're holding back too much on the -- like we are continuing to invest in the business. And of course, when we have we will work through and figure out kind of what the strategy change, if anything, is needed, whether that falls and then any investment changes we'll follow according to that.

Got it. Super helpful. And maybe a quick housekeeping question for Joo Mi. FX really moving around a lot this quarter. Just wondering what the impact was, I guess, both on the revenue side. And then on the cost side of the business as you see it and what we should expect, should we see the same, I guess, devaluation of the dollar towards the back half of the year? .

Yes. For us on both fronts, whether you're looking at the top line or the expense line, it wasn't material for us is because we do hedge both. And so what we'll do is we are monitoring it. And when it becomes meaningful, we will call it out. .

And the next question will come from Rob Owens with Piper Sandler. .

Aidan on for for Rob. You touched on this a bit earlier, but can you speak to how channel and customer education efforts with the newer products and partners that track relative to expectations? And what are some of the hurdles that may still exist there with newer solutions and AI advancements? .

No, I think the response has been great as 1 of the key strategic changes we made up from getting this information out to customer perspective last year, we hired Rich Sison as the Chief Risk Technology Officer. He's authored to measure anything in cybersecurity. And that has led to a lot of CES workshops around board risk reporting, and this has really been very helpful for us for top of the funnel activities, we're getting a lot of direct CISO conversations, and they are hearing about the conversation of the risk operation center. We're doing these workshops along with partners in many countries where the partner will bring their customers and which will go on top. And so I think those are all positive indicators.

Again, that the concept of a ROC is new and they may not have budgeted for it. And so Typically, once they come, they like the idea, they want to talk to the Board. We work them then that goes into a demo that goes into a POC and then that helps them sort of figure out, okay, I had budgeted for this this year, how can I work on getting a budget that then I can get done purchase the following year. So that's sort of where we're at in the journey. Super excited about the engagement we're seeing at the top and happy with the conversions we're seeing right now as well. And we have good things in the hopper. And so now it's about how do we get those closed. So I think getting this out to the right people is something I think we're doing well. I think now it's about how do we scale that and how do we get more people to close those deals.

There are no further questions at this time. This will conclude today's conference call. Thank you for your participation, and you may now disconnect.