Qualys Inc

NASDAQ:QLYS

Ladies and gentlemen, thank you for standing by, and welcome to the Qualys' Fourth Quarter 2020 Investor Conference Call. At this time, all participants are in a listen-only mode. After the speaker's presentation, there will be a question-and-answer session. [Operator Instructions] As a reminder, today's conference call is being recorded.

I will now turn the conference over to your speaker today, Vin Rao, Vice President, Corporate Development and Investor Relations. Sir, you may begin.

Good afternoon, and welcome to Qualys' fourth quarter 2020 earnings call. Joining me today to discuss our results are Sumedh Thakar, our interim CEO, and Joo Mi Kim, our CFO.

Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and in our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events.

During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. As a reminder, the press release, prepared remarks, and investor presentation are available on the Investor Relations section of our Web site.

With that, I'd like to turn the call over to Sumedh.

Thank you, Vin. Thank you, and welcome everyone to our Q4 earnings call. Before we discuss our financial results, I wanted to say a few words about the separate announcement we issued this afternoon. As you have likely seen by now, we disclosed that Philippe Courtot is taking a leave of absence due to health issues unrelated to COVID-19. Please join me in wishing Philippe a speedy recovery.

In connection to this development, our Board of Directors has appointed me as the interim Chief Executive Officer. As those of you who have been following Qualys know, I've been with Qualys for nearly 20 years. I was appointed Chief Product Officer in June 2014 to lead the transformation of our platform transformation, and appointed President in October 2019. I have been working closely with Philippe for many years, and we share the same vision of transforming the way our customers secure and protect their organization's IT infrastructure and applications with best-in-class cloud-based IT security and compliance solutions. I have deep appreciation for the tremendous platform we have built, and I am honored to serve as Qualys' interim CEO. I look forward to working closely with the Board and the rest of the Qualys team to continue building on our strong business momentum and driving the company forward while Philippe is out.

Now, for my first task in this role, I'll walk you through our earnings results for the fourth quarter and full-year 2020. We are pleased to report another quarter of solid revenue growth and profitability. We also saw strong growth of our paid cloud agent subscriptions, which grew more than 80% year-over-year to 56 million. Very uniquely, our multi-function, light-weight Cloud Agent provides visibility across the entire hybrid environment, and is the underlying technology for a number of our IT, security, and compliance solutions that are natively integrated on our platform.

As a result, Qualys customers can deploy VMDR, (Vulnerability Management, Detection and Response), Multi-Vector EDR, (Endpoint Detection and Response), Policy Compliance, File Integrity Monitoring, Patch Management, Global IT Asset Inventory, and the upcoming XDR offering through a single agent, which differentiates us in our industry. In addition, we continue to expand our platform's capabilities to take response actions, enabling our customers to respond quickly to security issues in their environment. While the importance of vulnerability management for our customers remains high for them to be able to mitigate their risk, they are also looking for ways to quickly respond to these risks and threats. As these organizations continue to increase their focus on discovering all their hybrid IT assets, mitigating their risk and detecting and responding to ongoing attacks, Qualys platform, through single pane of glass, uniquely provides our customers ability to do a complete asset inventory and CMDB synchronization, mitigate their risk of breaches with capabilities like VMDR & Patch Management as well as detect and respond to attacks using our EDR and upcoming XDR solution.

With the release of our container runtime protection solution and the new SaaSDR as well as our upcoming Cloud Response solution, we are now expanding similar capabilities in other infrastructure environments as well giving customers additional opportunities to consolidate their security tools on to the Qualys Cloud Platform.

In terms of our newer paid solutions, we continue to see strong growth from our Patch Management solution. In Q4, a leading pharmaceutical firm selected our patch management application over several competing solutions, given its ability to easily and effectively patch remote endpoints without using the limited bandwidth available on their VPN gateways. They chose Qualys because of our ability to discover asset inventory, vulnerability management, and patch management through a single agent.

This quarter we also saw strong traction for our paid Global IT Asset Discovery and Inventory application with a large media conglomerate adopting the application to gain visibility of all their known and unknown assets across multiple environments, identify the end of life of their installed software, and synchronize with their ServiceNow CMDB.

Finally, we again saw robust growth for our Container Security application with adoption from a large global IT services company that has already deployed our vulnerability management, Patch Management, Global Asset Inventory, File Integrity Monitoring, and EDR solutions further consolidating their security stack with Qualys.

In terms of Product Innovation, we have continued to make strong progress on our product roadmap. Some key recent accomplishments include: Delivering a free 60-day integrated Vulnerability Management Detection and Response service to our customers quickly assess devices impacted by SolarWinds Orion vulnerabilities, SUNBURST Trojan detections, and stolen FireEye Red Team tools, and use the patch management capability to immediately fix their exposure with a single click using the same agent. We also enhanced Qualys Container Security Response Solution with the addition of deep visibility, runtime defense capabilities, and automated enforcement with delivery of Qualys Runtime Security.

We recently introduced a brand-new extension to our platform called SaaS Detection and Response, (SaaSDR), which provides a single console for IT and security teams to gain continuous visibility, security, and compliance of critical SaaS applications like O365, G-Suite, Salesforce, as well as Zoom. This solution enables our customers to monitor the posture of their users and applications that have access to critical data in their SaaS environment, helping bridge the gap between on-prem as well as SaaS assets, again through a single platform.

We are also excited that we are expanding Qualys VMDR (Vulnerability Management Detection and Response) to enterprise mobile devices with the addition of Cloud Agent support for Android and iOS devices. As part of their digital transformation, organizations continue to leverage more and more handheld mobile devices to conduct business with access to critical data from these devices. This expansion allows our customers to track vulnerabilities and misconfigurations on these devices and take appropriate response actions. This builds on top of our other product accomplishments from earlier in 2020. Key amongst them are, shipping of Qualys Multi-Vector EDR, which leverages the Qualys Cloud Platform and Qualys Cloud Agent to detect ongoing threats on endpoints, conduct threat hunting, and take appropriate response actions. It further correlates threats with vulnerabilities providing unique capabilities for proactive mitigation from additional breaches. We also released a comprehensive inventory sync with ServiceNow Service Graph and Configuration Management Database, (CMDB), as part of the new Service Graph Connector Program, a new designation within their Technology Partner Program.

With the strategic launch of VMDR early last year, while is a unique all-in-one cloud-based application that automates the entire vulnerability management lifecycle across on-premise, endpoints, and cloud environments, brining vulnerability management, threat prioritization, and patching into a single end-to-end workflow with single agent.

Looking ahead, we are enthused about the additional solutions that we plan to introduce in 2021. The XDR platform expansion, which seamlessly integrates, and correlates data natively collected from all Qualys sensors with additional context from other third-party data sources. This powerful capability will let customers detect threats beyond endpoints. Qualys XDR will also orchestrate the various response actions, and help our customers reduce cost and complexity of deploying and managing SIEM and SOAR solutions. This capability is currently in private beta with select design partner customers, who have been working with us.

We also plan to expand support for Patch Management for Linux environments, so customers with Cloud Agents on these environments can also add Qualys Patch Management to these additional devices. We will continue adding additional capabilities to our Multi-Vector EDR such as Endpoint Protection Capability, (NYSEARCA:EPP), as well as expanding EDR support into Linux environments. We are working on a major update to our passive scanning technology that will significantly expand our coverage of Industrial Control Systems, Operational Technology environments, as well as detection of IoT devices.

We showcased these solutions at our very well-attended QSC user conference, which was a 12-day virtual event held in November 2020. Over 5,000 people across our customer base, partners, prospects, analysts and investors, and the media attended the event, and we received very positive feedback. The development of these native solutions at such a rapid pace is possible because of the massive investment we made in our cloud platform and our strong engineering talent base with over 900 employees now in Pune, India. These new initiatives open significant incremental market opportunities for us. They also allow our customers to easily and cost-effectively consolidate their stack of traditional enterprise security and compliance solutions, while providing them with a single-pane-of-glass view of all assets across on-prem, endpoints, cloud, SaaS, and mobile environments.

In terms of Go-to-Market, we are expanding relationships with existing partners. Our comprehensive platform with detection and response is becoming increasingly strategic for MSSP partners as they can provide multiple services and easy upsell to their customers, instead of focusing large amount of resources on building such a scalable platform themselves having to integrate multiple other point solutions.

Given the increased breadth of our product suite and the launch of VMDR and Multi-Vector EDR, we have now embarked on a few additional go-to-market initiatives that leverage the efficiency and effectiveness of our cloud platform. This is a key element of our profitable growth, driving value for our customers and shareholders. Our go-to-market activities in 2020 included: Leveraging our cloud platform for lead generation with free services. As an example, we launched our free Remote Endpoint Protection solution to help enterprises secure remote workforces by providing instant security assessment, visibility, and remote patching when it was difficult for them to do this using their enterprise solutions over VPN.

We expanded our reach into China by establishing a Private Cloud Platform and a partnership with Digital China, the largest value-added provider of integrated IT products, solutions and support for enterprises in China. We launched the Qualys UAE Cloud Platform in Dubai, which further expanded Qualys' global operations across these continents in that region.

We extended our partnerships with Deloitte Advisory, where Deloitte Advisory partnered with Qualys to integrate VMDR and Multi-Vector EDR into Deloitte Hong Kong Cyber's managed vulnerability services. Armor, a global MSSP, embedded Qualys VMDR into Armor Anywhere, an industry-leading cloud security platform. Our partnership with Armor also includes Qualys CloudView solution for compliance and security posture management of public cloud environment. We announced Cloud Agent's general availability on Google Cloud, providing customers with a one click workload security visibility in Google Cloud. Additionally, we natively integrated our Container Security Solution with Google Cloud Artifact Registry.

We expanded Vulnerability Management integration with Microsoft to also include Microsoft Azure Arc to allow customers to perform vulnerability scanning on servers outside of the Azure platform. We partnered with Infosys, a global leader in next-generation digital services and consulting, to integrate Qualys VMDR and Multi-Vector EDR into its Cyber Next Platform, a managed security service offering.

While looking forward to 2021, we plan to meaningfully expand our sales and marketing efforts, given our increased number of solutions, including our game-changing VMDR and Multi-Vector EDR, as well as our upcoming XDR offerings. Similar to our efforts on the cloud platform, we are building a marketing platform. We have recently hired a CMO, and are expanding our marketing awareness initiatives for the C-levels as well as our lead generation capabilities, leveraging our platform and increasing virtual events.

On the sales front, we are expanding our quota carrying sales headcount or technical account managers as we call them, and have recruited an EVP of Field Operations for Americas, a VP of New Business for the U.S., VP of Strategic Alliances for System Integrators, and a VP and GM for our SME/SMB business. In addition, we are also planning to hire a CRO, Chief Revenue Officer this year. We will also continue to invest in R&D and operations as well as other support functions as we continue to scale the organization in anticipation for future growth. We believe these investments will set us up well for long-term and profitable growth. We believe the world after COVID-19 is going to be different. Companies are going to be more focused on reducing costs, while increasing business flexibility, which is going to significantly accelerate the transition to cloud-based solutions.

Increasing adoption of our cloud agents and our passive scanning technology, combined with the breadth of our solutions that span across the entire hybrid environment enables us to offer customers greater visibility, accuracy, and scalability. This positions Qualys well to enable customers to consolidate their security, IT and compliance stacks with us, providing risk mitigation and threat detection and response on the same platform, while also drastically reducing their overall spend.

In conclusion, Qualys continues to clearly move well beyond vulnerability management and increase its competitive advantage. We are optimistic that the adoption of our newer solutions, including Patch Management, Multi-Vector EDR, Container Security and upcoming XDR, which solve meaningful problems for our customers, will provide us the opportunity to increase bookings growth over the long-term. In summary, we believe that we are now well-positioned to expand our revenues with existing customers as well as continuing to expand our customer base for the years to come.

With that, I'll turn the call over to Joo Mi to discuss our fourth quarter financial results and the full-year fiscal 2021 guidance.

Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that, except for revenue, all financial figures are non-GAAP, and growth rates are based on comparisons to the prior year period, unless stated otherwise.

We're delighted with our increasing cloud agent subscriptions, which lays the foundation for future revenue growth and industry-leading profitability. Our Q4 financial and operational highlights include: Revenues for the fourth quarter of 2020 grew 12% to $94.8 million. Looking forward, we expect Q1 2021 calculated current billings growth to be negatively impacted by the timing and amount of prepaid multi-year subscriptions as well as shorter duration invoicing. Our average deal size decreased 3%. Excluding strategic alliance deals, (normalizing for the impact of channel customers coming off an OEM relationship), deal size increased 6%. Paid cloud agent subscriptions increased to 56 million over the last twelve months, up from 50 million for the 12 months ended in Q3 2020. And 29% of VM customers up for renewal in the quarter renewed into a VMDR subscription. Excluding strategic alliance deals, VMDR adoption was 35%, similar to Q3.

Our scalable platform model continues to drive superior margins and generate significant cash flow. Adjusted EBITDA for the fourth quarter of 2020 was $43.4 million, representing a 46% margin versus 44%. Q4 EPS grew 13%. And our free cash flow for the fourth quarter of 2020 increased 27% to $31.9 million, representing a 34% margin. In Q4, we continued to invest the cash we generated from operations back into Qualys including $6.9 million on capital expenditures for operations, including principal payments under capital lease obligations, and $34.8 million to repurchase 352,000 of our outstanding shares.

Looking back on the year, we are proud to have continued our product leadership while meaningfully growing earnings and cash flow for our shareholders. In 2020, we released several new products, features and enhancements. Cloud Agent adoption grew over 80%, from 31 million Cloud Agents subscriptions to 56 million. We grew EBITDA by 23% and achieved record EBITDA margins of 47%. We utilized $126.7 million of our cash to repurchase approximately 1.3 million of our outstanding shares. And finally, we grew EPS by 25%.

We remain confident in our business model, driven by our foundation of nearly 100% recurring revenues, and an expanding suite of applications. Looking to 2021, we are excited about the revenue growth opportunities from our new solutions, including VMDR, Patch Management and Multi-Vector EDR. We expect full-year revenue in 2021 to be in the range of $399.0 million to $402.0 million, which represents a growth rate of 10% to 11%.

In terms of 2021 profitability, we expect to maintain industry-leading margins leveraging our highly profitable operational model, while preserving the ability to further invest to drive future revenue growth. We expect full-year non-GAAP EPS in 2021 to be in the range of $2.60 to $2.65.

For Q1, we expect revenue to be in the range of $94.8 million to $95.4 million, which represents a growth rate of 10% to 11%. We expect non-GAAP EPS in Q1 to be in the range of $0.68 to $0.70. We expect first quarter of 2021 capital expenditures from operations to be in the range of $6 million to $7 million and full-year 2021 to be in a range of $30 million to $35 million. As Sumedh mentioned, we are very excited by the robust adoption of VMDR and the launch of our Multi-Vector EDR solution, and we remain optimistic about the company's future. We feel very confident during this period of uncertainty due to the value provided by our Cloud Platform as well as our underlying highly scalable and profitable operational model.

With that, Sumedh and I are happy to answer any of your questions.

Thank you. [Operator Instructions] Our first question comes from Daniel Ives with Wedbush. Your line is open.

[Technical difficulty] things well with Philippe, and send regards. So look, just back to the business, can we just talk about in terms of this environment that we're seeing across the board in terms of increased cyber security spend, larger deals, both the enterprise and federal. Just talk about where you guys are positioned there, I mean is that something that you're seeing in terms of giving you increased confidence for the year? Thanks.

Yes, I think what we're seeing right now is that a lot of our customers, especially if you see some of the recent attacks, they are really looking at solutions that are going to help them detect their issues quicker [technical difficulty] faster and take response actions so that they can mitigate this because otherwise the plethora of point solutions that are out there, it takes a long time for them to be able to find the breaches that are going on or the misconfigurations that lead to these breaches. And today, we feel that with the platform which focuses on both aspects of security, which is the risk mitigation as well as the threat detection and response capability, we feel like our platform is well positioned for that.

And in our conversations with our customers and when, as I mentioned, a couple of examples where customers are adding capabilities of patch management to those agents that already have VMDR, as an example, or looking to add EDRs so that they can consolidate that agent and get to the point of getting the information across these different solutions quickly, they see the value in what we are doing. And obviously, as they look to ingest the Qualys platform and integrate that into their current environment, this is something that we work with them. Some of it is part of the free services so they can see the value of the platform and what it brings to them.

So we feel that the customers will be looking at a solution like Qualys essentially to consolidate their solutions, not just from a perspective of spend, but also just being able to get to the issues for security quicker and faster rather than spending large amount of dollars on putting together these point solutions through SIEM, et cetera, and then having a lot of analysts having to weed through those to find the issues that they have.

Great, thank you.

Thank you. Our next question comes from Yun Kim of Loop Capital Markets. Your line is open.

Thank you. Again, sorry to hear about Philippe, and hope for a quick recovery. Joo Mi, quick question on the guide. It looks like based on your Q1 guidance and guidance for the year, you are expecting a somewhat consistent year-over-year growth through the year, with 10% to 11%. But shouldn't we expect to see VMDR adoption kind of being a tailwind for the revenue growth, the lead starting in second-half of the year, just trying to better understand if there are other dynamics to the lead growth that we're not thinking about.

Yes, so it's true that with the newer solutions, we're very optimistic about VMDR Patch Management, even Multi-Vector EDR, which is newer. However, the adoption of newer product and when it's going to translate into revenue is a bit uncertain. And historically what we've guided to when setting the annual revenue guidance, really we look at our current bookings and pipeline to inform our guidance. And because of that this is, the visibility that we have right now, in Q1, the guidance that we have is basically what we expect to achieve based on the opportunity that we see ahead. And then for the latter half of the second-half of the year, it's a little bit too early to tell, but we thought that it was prudent to guide to the 10% to 11% growth for the full-year.

And if can add to that, VMDR is definitely something that we see customers really asking for it. And we see that it takes them some time based on their environment to deploy VMDR, but once they have that, and which drives the adoption of the agent, we are seeing, as I gave that example, and also earlier in the year we saw some customers are able to move very quickly to add additional services within a couple weeks. In other cases, customers do take time to integrate that into their security portfolio before they can then move on to additional capabilities so that VMDR forms the base for.

Okay, great. And Sumedh, first, congrats on the CEO appointment. Clearly the VMDR adoption is going well. You have the big XDR launch coming up. At least from the product perspective, you guys have definitely become a full platform provider now. So the next step is you'll go to market, and obviously the sales force ramp. In your prepared remarks there is a lot of hiring plan, but can you give us some insight into how aggressive you are planning to add the sales capacity this year? And also, any update in regards to your go-to-market plans in the hyperscale and cloud environment such as trying [indiscernible] and is that -- are those channel, the hyperscale and cloud environment, that channel largely driven by new customer adds? Thanks.

Yes, so I think first to address on the sales motion, I think as you saw, we've already started on the hiring. As I mentioned, we have hired an EVP for Field Operations in the U.S., and a VP for new business in the U.S., VP and GM for SME, SMB business. And then, as I mentioned, we'll also be hiring a Chief Revenue Officer this year. And there's many other things that we're doing, so it's not just hiring of the sales people. Of course, we plan to increase the count of our quota carrying sales folks, but in addition we've also really bolstered our marketing platform hiring a CMO. We also hired a few heads of product -- VP of Product for cloud and VMDR, and a few of these other areas, really to help package better the platform, work with our sales team for better sales enablement.

And so, a combination of all of those things is what we are optimistic about will drive the expansion in the revenue. And I think that's really the strategy there, and in terms of just how we are going to proceed there in the future. As far as the GCP and the Azure environment goal, I think that's -- since a lot of it is about built-in capability, and this is where our platform really quickly allows these customers who are moving into the cloud environment to be able to leverage not just vulnerability management, but patching, in some cases, the cloud environments hosting critical data, like FedRAMP, they need file integrity monitoring, they need EDR.

So, we are well-positioned to provide those once they get the agent. So what we are focused with Google, and Azure, and everyone is the backend integration of getting our agent integrated and just talk about those announcements that happened in 2020, is to get that backend integrated into their platform, so then the customers who -- it could be an -- and we see a mix. Sometimes it's like new customers who are looking to quickly build a solution, they leverage the built-in capability. In other cases, existing customers do take a hybrid approach, where they leverage Qualys platform for certain capabilities. They have the built-in integration in Azure so that they can provide their end-users quick visibility into what they need to fix. Whereas the security team is then able to look at the visibility of the overall security portfolio within the Qualys console.

So we feel that as more organizations are moving into more real cloud native re-architecture of their solution, I think we provide a pretty robust integration, and also the opportunity to add more capabilities quickly, because then that agent is seamlessly dropped on to those virtual devices running in those environments.

Great, thank you so much for that detailed answer, and congrats on the appointment again, Sumedh.

Thank you.

Thank you. Our next question comes from Matt Hedberg of RBC Capital Markets. Your line is open.

Great, thanks for taking my question, and our thoughts go to Philippe as well. You guys when SUNBURST and SolarWinds hit, you guys had a lot of really helpful press releases out sort of talking about the benefits of the Qualys platform. And obviously it didn't impact your Q4 revenue, but I'm curious if you could talk about, has it aided pipeline generation, and I would assume you're probably not including it in your guidance, but if you just talk about, if that's helping kind of the go-to-market pipeline initiative?

Well, it's like two -- sort of like two-prong approach, right? One is obviously we put out these services just like we did with the free and point security solution. We put these services staff first and foremost to help our existing customers, get a handle of their environment maybe able use modules that they don't have some Qualys right now haven't purchased, but then we able to use that to mitigate the risk. So, when we did that 60-day free service around a solar gate, we -- was really unique is that not just where we providing the detection of these vulnerabilities that were part of the FireEye stolen tools, which we -- as we published was like in the millions that are out there.

We also provided the ability for these customers to leverage the Qualys Patch Management capability for free to immediately patch those vulnerabilities, right? So that's the big difference, and it's not just where you're saying, "Hey, you run a scan and you see the findings where we focus on is, if you already have Qualys agent and you're not using Patch Management here, we turn it on. And within a few hours, you're able to patch these hosts for these vulnerabilities, and you can see the ease of use of that platform."

And while obviously that generates additional lead and things like that, the goal there really for us is to establish that, let's call it like a proof-of-concept or a credibility with our customers, help them see the ease at which that they can leverage the additional capabilities on Qualys once they already have a VMDR, or if they can quickly move to VMDR, and they can grow from there. And once that is established, at the end of the day that that doesn't necessarily mean that the customer is immediately going to purchase that solution, but what it does is that it creates the foundation for them to understand that they have a solution already in place that they can move quickly, whenever there maybe existing solution is coming up for renewal or replacement. And so, we look at it more just creating that opportunity to showcase to them the capabilities of the platform. And as you know, we don't really push our customers to being a subscription service to buy, buy, buy, immediately. We really work with them on their schedule and their comfort, but the key there for the free services, which is a key part of our go-to-market is just being able to have that ability to showcase to them, "Hey, if you already have an agent within a couple of hours, you can see the EDR events for that on these critical systems."

That's helpful. And then I just wanted to ask, or kind of dig into kind of core VM growth. Obviously, you're seeing a lot of growth. You talked about Cloud Agent subscription growth of 80%, and there's a lot of new products that are launching, but I guess my question is with a 10% to 12% or 10% to 11% guide this year, I mean, I kind of think of that as kind of like the VM growth rate. Is there something that's suppressing VM a bit, I mean, is it a COVID headwind, just trying to get a better sense of how you're thinking about sort of like core growth. Obviously, you've got growth outside of that, this aiding, but just kind of core VM would be helpful?

Well, I mean the core VM really we changed the game for VM last year, right, with VMDI. And so, where VM was really in the past just about can you tell me a list of CVs has really been transformed by Qualys VMDR and do a single capability which includes the prioritization and the ability to fix those issues as well. And that's why you see the excitement in our customers to move to a Vulnerability Management Solution that does all of those together in a single agent, as an example, right? But obviously when they look at that and they want to move to that, it does, they may have an existing Patch Management solution, Patch Management team that is different from the security team. So there's a process that they go through to work through with these customers -- sorry, with their teams internally to figure out the right way where maybe they may -- in some cases, they may start a smaller for Patch Management in certain areas in cases we see Patch Management is driving the VMDR sale as well. In some cases, the customer takes time to integrate VMDR into their solution and in last year we also saw in some cases. We had a customer that was able to move to Qualys patching because they already had VMDR for 250,000 assets within two weeks. So it's just different for different customers based on where they are and their journey, their environment. So, in some cases, we saw that with COVID, their remote endpoint need for patching drove quicker adoption of patch management. In other cases, teams are taking longer to go through their process of implementing these solutions.

Thank you very much.

Thank you. Our next question comes from Shebly Seyrafi of FBN Securities. Your line is open.

Yes, so thank you very much. Can you talk about the potential for the company to reaccelerate growth to the mid-teens? I know you're waiting for the new products to ramp. But when they all ramping, whether it's maybe later this year or early next year, do you think the potential is there to grow in the mid-teens?

Obviously, we've really been focusing on as you saw in the platform right now just the core VM and VMDR, but also you saw some of the new services that we announced like SaaS and getting into additional environments. So what our focus has been is to get that platform to the level where as customers are looking to consolidate maybe in a few months later this year, early next year, whenever that is that we have all of the capabilities lined up for them to be able to move into the Qualys platform. And so we are hopeful with all of these changes and that additional global market initiative that we have put in place. We are hopeful for an acceleration of growth in the near -- in the next few years.

Okay. And also your percentage of VM customer is up for renewal, who renewed with VMDR. I think it didn't really grow that much. It was like 35% adjusted the same as last quarter. Why do you think it didn't grow? And where do you see that percentage going to be say the end of the year?

So I think we think that 35% is a good percentage of an adoption for our customers, especially when you have customers that are larger. So it really depends in that particular quarter, what is the mix of customers that is up for renewal. So if those customers who have for whatever reason are going to take time to, because as you see with VMDR, it's not just the vulnerability management feet that comes with additional capabilities like asset inventory and patch deduction and a prioritization. So the customers need to also be able to ingest, and that capability into their current security program. And so, that may need some resource on their side to lineup maybe developers to get API calls, et cetera. So it just depends on that quarter what mix of customers comes up and what they are ready to do as you know we don't really push, push, push from them to do it because it's a subscription-based business, but what we do expect obviously is that, we already had these people converted. So as the next quarters come around, the convergence will build on top of the existing conversions that we've already done, right. So obviously we see that through the next few quarters, we will see more and more of our customer base getting converted to VMDR.

Thank you.

Thank you. Our next question comes from Erik Suppiger of JMP Securities. Your line is open.

Question and again I send our best wishes for a speedy recovery for Philippe. The hiring, it sounds like you're going to step up hiring in sales, but my impression was just you've been hiring as quickly as you could in sales in the past. What are you going to do to accelerate your hiring efforts there?

Yes, so I think, we've - as you saw already in the last couple of quarters with the list of the key hires that we have done, we have already started on that journey to accelerate the hiring in the sales and marketing, right. So we have some key folks hired not just on the sales side, but also, as I mentioned, on the VPs product side, who are going to help the sales enablement as well as bringing in the CMO and bringing in additional headcount on the quota carrying sales people, but part of that, as I mentioned, like we are also going to be hiring Revenue Officer who will come in and have a focused approach towards accelerating our revenue. And what are the various things that we can do, in addition to these hires that we have done to do a better approach to our customers, positioning our platform, positioning our portfolio, and having them look at Qualys as an option to their existing security solutions. So that's really the direction that we're going and we've already started on that journey today.

Then how are you looking at operating margin in terms of longer term targets? Are you going to be right now you're in the Upper 30s, where do you think that your longer-term target will fall with if you're going to be stepping-up some of your investments?

Yes, so I mean this year, we set a record EBITDA margin of 47%. We think about it is, we really have an industry leading margin, and we're focused right now, it's better balancing growth with profitability, we don't see a scenario where we wouldn't have industry leading margins regardless. So we said before was, even with an increase in investment, as Sumedh has talked about in sales and marketing, R&D, as well as customer support and operations and G&A, we think that our EBITDA margin at the end of the day will be above 40% range. And that was an acceleration in revenue, which will come in turn, following the investment, I think that we will still be have a really great profile and a very optimistic because especially with the traction that we've been able to meet, with hiring the sales leadership, as well as marketing leadership, we do think that acceleration will be happening on the hiring front, as long as we have the leaders in place.

Okay, and you said it will be around 40% or above 40%. Did you say?

Yes, it'll be above 40%.

Okay, very good, thank you.

Thank you. Our next question comes from Sterling Auty of JPMorgan. Your line is open.

This is Matt, on for Sterling, thanks for taking the question. You mentioned a few metrics, excluding a channel partner that turned off your OEM solution, just wondering if you could elaborate a bit more on that, and if there was any impact to the quarter in terms of revenue, and how is that affecting your guidance for the next quarter? Thanks.

Yes, it's not a trend, it's actually just normalizing for channel customers, we're coming to right off of an OEM relationship. So for example, under a strategic alliance deal, we had one partner, where it wasn't OEM relationships. That partner had multiple different customers, the endpoints, and they decided to come direct. And so obviously, that did end up the number of renewal deals up for renewal in Q4. And so normalizing for that noise, it ended up being about 35% IBM customers were up for renewal into quota renewed into the VMDR. And if you take a look at on the dollar impact as well, it's trending nicely. So it wasn't a negative impact at all.

Great, that's fair, helpful for clearing that up. Just a follow-up question, there's a big jump in long-term deferred this quarter, we're just trying to see if you could provide any additional color on that impact and should we kind of expect a higher level of long-term deferred as an overall part of the mix? Thanks.

Yes, that's really driven by customer. So what we've seen is with VMDR, we've seen that average contract length has been trending up. And that's actually demonstrated by the RPO is disclosed in our 10-Q and then 10-K. It's been going on. And I think that's a testament to how our customers really see the value in our product, and they're not afraid to sign up for more than a year. And so that that really drove an increase in long-term deferred, but it's not something that we push on customers like Sumedh said, it's really up to the customer. And so as they're willing to sign up for more than a year, it's great to they lock it in, lock the pricing, it's better for them, and that's reflected in our financials.

Great, thanks guys.

Thank you. Our next question comes from Nehal Chokshi of Northland Capital. Your line is open.

Yes, thank you. So I just want to double-click on the 1Q '21 guidance in the context of your short term billings growth of 12% and 10% for the full-year or maybe it was the other way around. Anyhow, it seems like good billings, good billings on the short-term billings basis, and excluding the strategic relationship that you talked about, which is not affecting anything at all. In reality, it just seems like I want to understand, why are you guiding to a deceleration in revenue growth, given the robust short-term billings that you saw in the most recent quarter?

Yes, the current billings tend to fluctuate, if you take a look at the customer subscription base first, our revenues amortize over 12 months, so our current billing impact earlier in 2020 is actually taking place and having an impact in Q1 as you may recall, for example our current billings increased by 7% in Q2, kicked up to 8% in Q3 and then Q4 was strong to 12%, but there are puts and takes, they're a natural fluctuation. And if you just take a look at the revenue amortization schedule, it ends up being that based on total revenue, which approximately 85% is already booked based on the prior ASV, right. And so, this is the visibility that we have right now, ending the quarter or estimating the quarter will end at about 10%. And then the other factor that I want to highlight is typically Q1 is lighter, just because of the number of days that gets impacted. So this quarter, especially in terms of the year-over-year, we're losing, we're losing a day and in the quarter-over- quarter, we're losing two days, and so that that actually impacts the revenue guidance as well.

I see that's helpful. And then Slide 15 is a recurring slide that you guys have, but the data from there does look good. It does attest to increasing spend due to platform approach. Is it possible that you're seeing elevated customer churn in the SME segment that that particular slide does not necessarily capture?

In terms of retention, honestly, we've seen very strong retention, strong growth, I think that's what's really been impacted from COVID is new and potentially upsell, but in terms of our retention rate, nothing significant has changed, and we haven't seen a downward trend in both enterprise or SMEs.

Okay, thank you.

Thank you. Our next question comes from Hamza Fodderwala of Morgan Stanley. Your line is open.

Thank you for taking my question. And I'd also like to extend my best wishes to Philippe on a speedy recovery. Sumedh, my first question for you, kind of a follow-up to the solar wind question, I want to drill into IT asset discovery specifically, right, because that's one area, I think we've heard a lot about coming out of the supply chain attack, really trying to figure out kind of what assets are exposed? Can you talk a little bit about the prioritization of that service? Specifically, I know you're not going to see anything in your pipeline. Right away that attack was, this happened in December. But I'm wondering, in terms of your customer conversations and when you speak to customers, both solar winds, is that something that comes up a lot?

Yes, absolutely, this is something that we're hearing a lot from our customers, because if you look at a little bit of the mechanics of the attack, there was the supply chain, where the software came in, and trojanized software, but then there was also lateral movement within the environment, there was lateral movement into the environment. So, there was elements of Office 365 accounts that went back and forth between the email and the Office 365 environment, as well as the agent that was in-house. And so the first thing that everybody really stumbled on is to say, what do I have in my environment? Where do I have this trojanized software, when before I get into knowing whether I have one of these or issues or not, and that's where that asset inventory and the ability for us to give them one of the most accurate views of their inventory within the entire environment.

That includes assets that are managed and unmanaged, with a combination of our agents and passive scanner, really that conversation is coming up more and more and also leading into conversation about what am I running was, that end-of-life software that I'm running, what do I need to do about that, what where I find end-of-life software or trojanized version, what assets is that particular asset speaking to in the environment. So that's where that combination and this was the point I was trying to make earlier is that our first approach is going to be, well, I need to find, and I need to find is there is an impact, right? That's where your threat detection and response, which is your EDR to XDR solutions that are going to come into play. Then I need to make sure that I'm taking all of the remediation actions to be able to make sure that I'm mitigating my risk by identifying other devices in the environment that may not be properly configured that can be leveraged for lateral movement, et cetera.

And if you tie in our SaaS release that we just did, which gives you the configuration of your Office 365, Zoom, Salesforce, et cetera. So now you add this other element that also makes sure that as customers move into hybrid environment, they're able to see a much more holistic picture, the platform be -- definitely the starting point for all of that is that global asset inventory. And the fact that it is bundled as part of the platform and that they will have to go and get another solution to deploy for finding their inventory is definitely helpful and that's what we hear from our customers.

Got it. Thank you. And then just maybe a follow up on go to market, you announced a number of leadership appointments, right. You're looking for a CRO currently. I'm wondering who was the de facto head of sales before. I mean, was it Philippe? And also do you think that this is a function of maybe of adding capacity? Or do you think that there has to be sort of more changes in the sales organization structure?

Yes, I mean, Philippe, was the de facto head for sales. However, I was very involved working with Philippe on -- with the field as well. And I think, it's a combination as we mentioned, right. So there's -- our model -- we are very strong believers in our model of the hunters and the farmers. We're not changing that to go and push more and more where customers go new products. However, bringing a CRO, bringing that leadership is going to help us find additional ways to focus on where we can approach customers, which customers can be tracked for targeting for upsells, et cetera. So while there -- obviously, there will be some changes in the way that the new CRO or the new leadership that is coming in is looking to find as an example ways to have more of connect with C-level executives, right. So that we can evangelize the power of the overall platform rather than just the vulnerability management approach that we have taken. So I think there will be obviously newer ideas that we will be looking at and looking to implement, but fundamentally what we have been working on, we do believe in that base and the power of that model.

Thank you very much.

Thank you. [Operator Instructions] Our next question comes from Brian Essex of Goldman Sachs. Your line is open

Good afternoon and thank you for taking the question. And I would like to extend my thoughts for a speedy recovery for Philippe as well, hope all is well with him. Maybe, Joo Mi, I know that in the past, you've talked about some hesitation about investing in sales and marketing and bringing on new reps in a period of economic volatility. Maybe could you talk a little bit about what you're seeing and maybe Sumedh chime in as well in terms of what you're seeing? I guess that's different now that gives you a little bit more confidence that you can onboard reps and headcount, the sales and marketing organization where they could ramp efficiently and they might be productive and they'll hit expectations.

I think -- and Joo Mi will obviously answer that part, but where I see right now is that a big part of this is more and more of our newer services are -- have much toward and are coming to fruition and our customers are adopting them and seeing that interest and the speed of adoption in the cases where they have VMDR already. So that obviously drives our thought process on -- we feel that -- if you look at File Integrity Monitoring, Container Security, Patch Management, some of these things are really starting to show a very good tracking with our customers and upsell to them. And so I think that is also a part of when we look at bringing additional leadership headcount is -- or how -- where are we and how ready our customers as well.

Got it, and maybe for Joo Mi -- so helpful, thank you for that. Joo Mi if we think about the level of margin contraction we'll see this year is as you invest in sales and marketing in R&D. What is -- how should we think about, the level of balance to growth and margin expansion going forward? In other words, is there a framework that you're looking at with respect to being able to deliver margin expansion after a year of may be call it recovery, and we might see better growth in 2022?

Yes, the way we think about it is, it's not something that we -- it's new to us, where we've done it before, because if you take a look at the company history, like for example, in our investor that we show the [case] [Ph] from 2017. Back in 2017 our current billings were almost 21% right. And at that point in time, our EBITDA margin was 37%. If you take a look at the EBITDA margin now, we're at 47%. And so you could argue that, we could definitely do a better job in balancing growth with profitability. We should definitely invest more. And that margin expansion was really driven by the sales and marketing under spend, relative to that point back in 2017. So in 2017, the sales and marketing at percentage of revenue was 26%. That is now down to 17%. With that said, given our scalable business model and our infrastructure and how we've grown, we don't think that we have to go up as high. And that's why we think that our EBITDA margin will be above 40%, but we understand that mostly before we invest more in sales and marketing that will return and translate into a billing's growth and then eventually revenue.

Got it, that's helpful. Thank you very much.

Thank you. I'm showing no further questions at this time. I'd like to turn the call back over to Sumedh Thakar for any closing remarks.

Well, thank you everyone for attending our earnings call and for all the questions, and we hope that you are safe. We really feel very fortunate to be well-positioned with our cloud platform in an environment where there still are a lot of point solutions that are focusing only on one aspect of security, whether it's just EDR or just Vulnerability Management. Today we really work hard to build a platform that is providing multiple different capabilities now including SaaS DR and that with the VMDR with Multi-Vector EDR, SaaS DR for coming XDR solution. We continue to invest in expanding the capabilities of our platform and aggressively developing new solutions. Additionally, we are also focused on growing our revenues and maintaining our industry leading profitability, while creating long-term value for our shareholders. I hope all of you remain safe and healthy. Thank you very much.

Thank you. Ladies and gentlemen, this does conclude today's conference. Thank you all for participating. You may now disconnect. Have a great day.