QUALYS, INC.


Transcript : Qualys, Inc. Presents at Citi’s 2022 Global Technology Conference, Sep-08-2022 07:30 AM

09/08/2022 | 07:30am

Presenter Speech
Fatima Boolani (Analysts)

Good morning. I know we have an early session today, so appreciate you all joining us. I'm Fatima Boolani, I jointly head up the U.S. software research effort. If you haven't seen me or heard from me already, it's nice to see you. And I'm very excited to kick off day 2 of Citi's Global TMT Conference with the management team at Qualys.

To my left, we have CEO Sumedh Thakar; and to his left, CFO Joo Mi Kim. Thank you so much for being here. I'm looking forward to a very exciting discussion. So I think just to kind of kick things off, and I think a good place to start is talking about the macro, right? I know you're not going to go this entire day talking about macro. So we'll start there.

Question
Fatima Boolani (Analysts)

I'd like to know, between the 2 of you, what have been the biggest deviations or surprises to you from sort of a business performance standpoint year-to-date and certainly versus your expectations?

Answer
Sumedh Thakar (Executives)

Yes. I would say that when we came up with the VMDR as a really strategic move a couple of years ago, the idea was that we kind of start to work to help our customers to consolidate their security stack. And that was pretty strategic for us. And the idea there was how do we help customers reduce the cost of their security programs by combining multiple capabilities in a single workflow. And so as we hear what's happening in the macroeconomic conditions, we're not immune to what's happening, but so far, we haven't seen that in terms of longer sales cycles, et cetera, we continue to monitor the situation. However, the conversations with customers are happening more in terms of existing customers looking at their vendors as they are being careful about their budget to see what additional value they can get from their existing vendors.

And so we are excited to have some of those conversations with existing customers who have been coming to Qualys and asking for adjacent capabilities to look at that, to see if that -- those are some of the things that they want to go with. And so I think for us, if you have the addition of patch management along with VMDR, Cybersecurity Asset Management as an adjacent capability and the initial growth we are seeing with that is exciting for us. And for us to see that there's 130 million patches being deployed with Qualys agents, where we sort of were pioneering in the terms of bringing vulnerability management, patch management together as a single workflow.

Because at the end of the day, when you find a vulnerability, the thing that you do is patch, right? And so having that ability -- so for us last quarter to see that, that was 5% -- patch management, that's 5% of our bookings. I think some of those trends that we are seeing right now are positive, and you were excited about that.

Question
Fatima Boolani (Analysts)

Sumedh, you're sort of unpacking an area that I'm very, very eager to hear more on is just sort of maybe zooming out this broader view on cybersecurity spending, spending health, spending patterns. I mean you talked to more CISOs than certainly I ever aspire to. But any nuanced views you can share on what really has evolved in the priority sequence of the cybersecurity budgetary wallets in the last call it, 12 months and even 24 months, because that would capture sort of pre through and hopefully now through COVID.

Answer
Sumedh Thakar (Executives)

Yes. I think the thing that we hear consistently with the CISOs is that they really want simplification and reduction of complexity and cost from their security programs, right? And so almost every CISO will tell you that they would love to have 1 or 2 platforms, not 50 solutions, reduce the number of agents. I think, so far, we're seeing that the cybersecurity budgets have stayed resilient despite macroeconomic conditions, but there is much more of a thought process going in from the CISOs in terms of do I need to go and get a bunch of other solutions? Can I look at my existing vendors to see if I can get some additional capabilities from them that is going to help simplify?

I think the Log4Shell was really eye-opening for a lot of CISOs in terms of realizing that when we had -- and this is some of the information that we looked at, the data that we saw that when you look at Log4Shell as an example, when everybody was all hands on deck, everybody was all hands on deck, it still took 17 days on an average to remediate Log4Shell and the compromises were happening in 48 hours. And so how can they really prioritize vulnerability management but look at it not just as how do I get a list of CVEs that I have to send to another team, but how do we bring risk prioritization, really focus on what's causing risk and find ways to remediate things much quicker.

So essentially trying to stay ahead of the speed at which the attackers are able to compromise vulnerabilities, that's really been on the mind of the CISOs because if you can get better at that, then you have much less issues to deal with because you're really reducing your attack surface by ensuring that you know what you have and ensuring that you're patching all those capabilities. So some of the recent compromises like Log4Shell really has got the conversation more towards not do I do vulnerability management, but how do I actually fix things quicker and faster.

Question
Fatima Boolani (Analysts)

That's a great segue to my next question. Just with respect to your core bread and butter market, which is one vulnerability management and vulnerability assessment. There has been a lot of variability in the overall market growth. And there have been certain dynamics that have been accelerants to the market growth and then certainly, there have been factors that have detracted from some of that growth. So maybe if we can get a little bit more granular about what's exactly happening in the core VA market that's sort of expanding the addressable market opportunity and what the competitive landscape shifting has done is just to kind of better put our arms around behavior and behavior in that market.

Answer
Sumedh Thakar (Executives)

I think for us, we continue to see really good conversations, interactions and demand from our customers for VMDR, especially given that VMDR consolidates multiple different capabilities together in one flow. And so as the CISOs conversation is sort of shifting from not just how do I find [ all ] kind of vulnerabilities to how do I actually help prioritize and fix the most important ones that will reduce natural risk. That's really where we see that when we go with VMDR, and you can see some of that in last quarter when we talked about how new customers coming to Qualys for vulnerability management that also end up purchasing patch management and cybersecurity asset management.

So when they're looking to rearchitect their stack, they are not just saying, can I swap out my scanner one-to-one with another scanner, they're looking at what is out there that is actually going to help them find their assets that's actually going to help them prioritize those vulnerabilities and also, to a certain extent, fix those. And so the focus, again, is looking at more solutions, in my opinion, like VMDR, which are actually helping do these things in a single workflow rather than just saying I'm going to go get another scanner that's going to give me a long list of CVEs that I then have to go figure out because that takes time you figure out what needs to be done and actually do -- and actually patching it, which means that the amount of time that you're exposed in your attack surface stays open for much longer.

So one of the things that we talked about last quarter as well was when customers were -- Qualys customers who are using Qualys for scanning and another tool for patching versus those who are using Qualys for scanning and Qualys for patching look at the [ CISO ] top 10 vulnerabilities that they have really most exploitable. Those customers who are using a combined solution were able to reduce the risk 60% faster because they were just able to cut out a lot of the process. And so if you are in a position where you could look at something that is going to be exposed for 60% less time, that ultimately is the goal of our CISO, and how do I reduce the risk, how do I find and report on multiple vulnerabilities.

Question
Fatima Boolani (Analysts)

Joo Mi, just to maybe put a more qualitative lens on this. Last quarter, it was a quarter in which you saw some of your best bookings performance in some time. Your -- on an LTM basis, your average deal size increased by 17%. So in the context of what Sumedh just shared around the importance and the appetite for consolidation, maybe what are some of the other sort of factors contributing to the strong financial performance and what seems like you're bucking the trend of elongating sales cycles that some of your peers have seen?

Answer
Joo Mi Kim (Executives)

To that point, I think that -- so when we first launched VMDR, it was really a strategic decision for us. And what we decided to do at that time was to prioritize a long-term gain versus a short-term potential return on the revenue. And I think that's really paying off for us. Because what we're seeing right now is, even despite the headwinds that all the companies are seeing, we still remain very resilient even within the cybersecurity space with the tailwinds coming. And to Sumedh's point, we have always believed that everyone's going to lean more towards the consolidation.

I think the criticality of the coverage, combined with the fact that everyone is looking at their budget, I don't think the security budget is being reduced, but everyone is looking for that additional justification to see what they can get more of. And I think with VMDR, as we continue to lead with that product, it's been some time, and the timing of it actually is great for us because patch management has been out for a few years. VMDR has also been out for a few years. And for us, it's always taken a couple of years, some time for newer products to take adoption. And it's kind of all coming together at a time when our existing customers as well as prospects are looking for a way to get that cost efficiency with a volume discount going to one vendor to make it even easier.

And so with the patch management, it was the first quarter that we shared. It was a milestone for us. With a newer product like patch management making a more than 5% of total bookings and 9% of new bookings coming from patch management is really indicative and testament to how we think about our business and how we're differentiating from a product perspective. And I think that's really helping us to see that upside when at a time that I think a lot of our peers are having some difficulties.

Question
Fatima Boolani (Analysts)

What are you doing from a product perspective and maybe even a go-to-market sale of incentive or compensation perspective to enhance increased module adoption and certainly for newer modules like VMDR and then we'll get to attack surface management in a second. But what are some of the sort of technological mechanisms and go-to-market mechanisms you have in place? Do you make it a no-brainer agent consolidation outcome for your customers?

Answer
Joo Mi Kim (Executives)

Yes. So one thing that we actually did make a change to when we launched VMDR, Cloud Agent has always been a Trojan horse strategy. So when we first came out with Cloud Agent years ago, we made it such that if you purchase our VM solution, you had a decision to make. You had to be that -- what has to be justified, you purchased VM, do you want to pay, let's say, 20% to 25% uptick on that VM to purchase Cloud Agent. And then once Cloud Agent is deployed, then you can try at other products, which is another step function.

With VMDR, what we allow the customers to do is we eliminated that for them. We packaged it in a way that you're really not going to see the value of Qualys unless you have VMDR, which includes Cloud Agent, which includes Threat Protect. So as a starting point, we made that smoother, we simplify the sales process because Cloud Agent is already included. There's no reason why you shouldn't deploy it. And once that's deployed, you can use and leverage other solutions more easily. So I think that's really helped from a seamless kind of the sales cycle, definitely allowed us to better position ourselves to our customers because it's easier for them to see it and then buy it, try it out first.

Answer
Sumedh Thakar (Executives)

I would say they're being a fully cloud-based and SaaS solution really make -- because it's a single platform, whenever customers really need to adopt or try newer solutions through the product itself, they are able to do that because once they have a single agent that it's very quick for them to try and enable an additional capability. And we talked a couple of quarters ago about example of a large customer, 350,000 employees. Everybody working remotely, their laptops are Qualys VMDR agent. They wanted to look at patch management. It was just a flip of a switch in the back end and all their 350,000 assets were immediately downloading and deploying patches.

And so from the way that we also are able to show the value to our customers, it's much quicker because, again, it's a single platform, single agent solution, which makes it much easier than having multiple different acquisitions and trying to make those work for the customer.

Question
Fatima Boolani (Analysts)

So as you think about sort of monetizing the portfolio, and I know you all have a very heavy modular portfolio, I think I lost count just to how many modules you have, and I know you gave some good metrics around that. So maybe you can remind us. But as you sort of think about the most seamless and most accretive ways to drive wallet share expansion. How would you sort of prioritize it between more modules per customer versus more attack surface coverage per customer? And how do those 2 factors weigh against one another?

Answer
Sumedh Thakar (Executives)

So we did launch our external attack surface management capability recently, but the way we look at it is, if you look at last couple of years, Qualys has made a big focus on asset inventory as a core capability that is needed for cybersecurity programs. And so our Cybersecurity Asset Management provides customers with an in-depth view of their internal asset inventory. So instead of coming out with attack surface as another paid add-on module that customers would have to purchase, we simplified the stack, really, which is what everybody is looking for.

So for us, this external attack surface is just another way of inventorying something that's invisible from the outside versus what's visible from the inside. So you can prioritize that. So we sort of added that as part of our Cybersecurity Asset Management capability, which gives us the opportunity for our customers and our salespeople to not just have a conversation about how can I find the 100 assets that are externally exposed to talking about a much broader capability of Cybersecurity Asset Management that is helping them see internal and the external side of their asset inventory.

And so then it becomes a much more powerful capability for them because there are multiple other features that come with that. And it simplifies because they don't have to go buy something for external separately, something for internal separately. So that consolidation of decent capabilities in sort of groups of capabilities a customer can buy. So there's a bunch of capabilities that come under Cybersecurity Asset Management, a bunch of capabilities under VMDR. So our focus has really been how do we continue to make sure that good growth that we're seeing with adoption of VMDR about 43% of our customers have adopted VMDR. How do -- does that continue?

Because with VMDR, we are focusing more on combining capabilities so that they can see that rather than talking about individual modules. So if you look at a very high level, there's really 3 main capabilities in cyber that everybody looks at. One is finding all your assets and knowing what you have. Second is how do you combine -- how do you manage your risk by reducing the risk so nobody gets into your network. The third is how do you monitor that if somebody is in your network so you can take action. Really, everything just comes down to 1 of those 3 things, right?

And so Cybersecurity Asset Management, VMDR and then our EDR capability really provide on a single platform that ability to get that more holistic view other than talking about individual modules, it's really aligning the way the cyber experts are looking at things.

Question
Fatima Boolani (Analysts)

Just from the standpoint of the net dollar expansion rate metrics that you shared, I think, at 110%. Clearly, there's a lot of accretion that you're driving from the installed base. But what needs to happen to continue to push this metric higher, particularly as you absorb a lot of these independent discrete modular capabilities in 1 of these 3? And so what would be the catalyst to get that 110 to kind of 120, 125, 130?

Answer
Joo Mi Kim (Executives)

I think that 110 is a really healthy kind of number for us just because 1 year ago, it's only 104%. And I think that 2 things kind of high-level drew that VMDR, which is very strategic for us, helped with the retention as well as upsell and cross-sell. And then a newer product like Patch Management, which really differentiates us in the market. And with that making up over 5% of bookings, you can kind of see how that's impacted. And the great thing about Qualys is we already have multiple products that are already out there, some of them not previously in the roadmap even with CSAM being relatively new.

EDR and XDR are also very new. Huge target addressable market. So if you think of it that way, if once those products start taking adoption with our existing customers, I think that the -- with the potential upside could be much greater than what we currently see with even Patch Management.

Question
Fatima Boolani (Analysts)

How do you think about the pricing strategy? I know a lot of your peers have sort of taken on pricing increases just by way of a response to general cost inflation. So just inflationary environments, take MSRPs up, right? So I'm curious what approach you've taken in terms of rolling out pricing increases to the base? And to what extent, within the confines of the very traditionally and narrowly defined vulnerability management market, how have -- maybe those price increases are not impacted some of the pricing or discounting dynamics in the market, if you can kind of pair those 2 together?

Answer
Joo Mi Kim (Executives)

Yes. Historically, we've always had the sales philosophy where we've never really [indiscernible] on it heavily, because we really truly believe in the value that we bring to the end customers. And so given the market dynamics and the competition that we were facing a couple of years ago, this is where before we launched VMDR, we had a healthy amount of discussions within our executive team, as well as with our customers and prospects and looking at the market in general.

How should we price VMDR? We had an opportunity, and this is where I said that we decided to focus on the long-term gain versus a short-term return. We could have priced VMDR much higher, and that would have resulted in an uplift in revenue in that year. But what we thought about was -- because it's so strategic for us, we wanted to optimize and really drive adoption. Faster adoption will lead to higher retention rate, higher upsell, higher cross-sell. And we priced it in a way that allowed our customers to see, okay, VMDR upgrade makes sense for us now, and I can see ourselves growing with Qualys in the future.

Because what we've seen before was we had so many different solutions out there. And we've had feedback from customers saying, look, I think that we can definitely buy VM with you for the coverage that we need right now. But in a few years, if I want to buy ThreatPROTECT, if I want to buy like some of your other products, it's just not going to work for us, right? So keeping that in mind, we really want to price it based on value, based on what we think we can bring to the people. With VMDR, we were able to bring a great product that we think is game changing and the price that's reasonable for the customer. They might be paying a little bit more if they only had 1 solution with us before, but they might be paying a little bit less.

Right now, you're looking at a couple of years now that's really resulted in a higher spend overall with our LTM average spend of 17%. And that's how we think about pricing at the end of the day. And because we're so highly profitable, it affords us to have that capability even in this inflationary market, right? We haven't increased prices for our products because, frankly, we haven't had a need to. With our newer products out there, how we're thinking about increasing the average spend per customer is them buying more with us, which could be coming from the asset coverage or buying additional solutions.

Answer
Sumedh Thakar (Executives)

And I would add to that, that in this environment, it helps really the conversations and sort of discounting the conversations can become more about value because now we can talk about, okay, Cybersecurity Asset Management can be added in addition with VMDR, which will give you even better value for the similar spend that you have or the small additional increase in the spend. So having these additional capabilities that are well adopted by customers, I think it helps in those conversations right now.

Question
Fatima Boolani (Analysts)

Sumedh, I haven't forgotten you ran the product organization at Qualys for quite some time. So when you take a step back and sort of think about maybe a natural bucketing of some of your solutions instead of creating a menu of so many modules for your customers that it can get overwhelming, right? So as you think about sort of these natural bundles and buckets you've created on those 3 pillars that you talked about, when you take a step back, are there any white spaces in the model that remain that you feel that you don't really have an answer from a technology or a product standpoint that you're kind of thinking about?

Answer
Sumedh Thakar (Executives)

Yes. I think that's a great question. So when we look at, as I mentioned earlier, right, when I step back, look at what security professionals are looking at, they're really looking at those 3 areas, right? How do I know everything that I need to cover, which is their inventory capability, which is where kind of created the umbrella of Cybersecurity Asset Management as one workflow solution. The second is risk management. How do I -- once I know the asset I have, how do I make sure that I'm doing everything to reduce the risk. So that's where sort of VMDR, Patch Management, Configuration Management, our new customer remediation module fall into that.

So a lot of the things that are needed, whether it's in the CI/CD pipeline or whether it's at one time, can be taken care of under that umbrella. And then the third part is detection and response, right? This is where your EDR and your XDR sort of fall into place. And then you have to do that for your end points, for your on-prem assets and then for cloud and containers. And so there's multiple different levels that we are doing these things at. And so launch of External Attack Surface Management to me was really interesting because when you -- now with that, when you deploy Qualys platform, the outcome that you get from that is the risk reduction.

So with the external attack surface management, you can know all your external assets. With CSAM, you know all of your internal assets. With VMDR, you now discover all the vulnerabilities, you prioritize them with the true risk capability. And then with Patch Management, you fix it. So relative to other competitors in the VM space, the outcome you get from their solution is a dashboard or a report. With Qualys, you can really get those fixed and reduced, right? So we continue to look at capabilities just like we did with external attack surface where, as customers give us feedback, really look to say like, hey, this is something that we can pretty quickly add.

So the ability for us to do customer remediation was another capability we recently added because based on customer feedback, they said patching is great for majority, but there's always the 5% where we need to do something custom on the assets. So can Qualys help us with that. So I think those 3 are the broader umbrellas. And within that, we are always looking at what are the additional capabilities that we can bring to the platform that are going to simplify their ability to discover devices, fix and manage the risk and then monitor for threat and take response.

Question
Fatima Boolani (Analysts)

You mean theoretically, as a customer through their cybersecurity maturation and journey with you, as they add those incremental pillars of capabilities from you, what type of theoretical sort of ACV or wallet uplift can you potentially realize? So if $1 is spent on your solutions that help find and discover assets in the environment, what does the risk mitigation set of capabilities, if added on, what type of ACV lift would that bring to the table?

Answer
Joo Mi Kim (Executives)

Yes. Great question. And this is actually one of the reasons why when we did the target addressable market analysis, the VM space is relatively small, and this is part of the reason why we decided to enter additional markets like EDR and XDR which is huge. It's multiples of where we were basically in. And so you're looking at a huge opportunity there. As an example, VMDR, you're paying $1 per asset for VMDR, you have a potential to pay another $1 for Patch Management just based on pricing alone. So you're looking at a customer spending $1 with us, that's going to $2 with patch management. If you add CSAM, that could be another $0.50 uplift. So $1 to $2.5.

And so there's a huge opportunity with even the existing product that we're starting to see the initial stages of ramping. EDR and XDR, a little bit further out, but they could be more expensive. This is where I think that the upside for us is [ huge ] with the products that are already out there. From a customer perspective, though, this is very attractive because we're both winning if they come to us, because they'll naturally get that [ BDP ] pricing discount with us having to discount our existing products.

So for example, if a customer had VM with us and they decided to go to another vendor for Patch Management, they won't get the volume discount. But if they come to us, it will be cost efficient for them. It will be easier for them to use using one platform and they will benefit from having a customer where we really own from end to end, right? They have one vendor to go to when they see an issue. They don't have to say, well, I think it's a vulnerability identification problem. I'll go to Qualys. Oh, I need to automate patch, I have to go to another vendor. You know that they come to us and we'll take care of them.

Question
Fatima Boolani (Analysts)

How have you, at a very high level, thought about the pricing strategy for nontraditional ephemeral transient sort of cloud services like containers as well that need to be protected, which, by the way, could be very seasonal or very burst or may not be enduring, right? So how has that contributed to how you think about volume discounts? Because that changes the game if 50% of what you contract for is only going to exist for 6 months, let's say?

Answer
Sumedh Thakar (Executives)

Yes. I think this is a hot topic of conversation as everybody is looking to get into more cloud and more container and trying to figure out and it's the balance between trying to manage the burst and the costs that come with it versus what traditional enterprises are used to as having a predictable model at the beginning of the year to know how much you're going to spend? And I think would -- currently, what we see most customers are sort of looking to settle on is sort of an average usage rather than looking at peaks and valleys.

So most of the times, customers will sort of make an estimate on not what the peak is going to be, but on an average, on a monthly basis, how many containers or how many virtual machines do I see live that are actually running. And so we try to -- with our pricing, we just essentially pack the value to what the value that the customer is getting from the number of assets that they have rather than looking at the peaks and the valleys and trying to do much of a dynamic because customers, then they don't have the predictability for the spend that they really would like.

And so we continue to look at that. We also are well embedded in Azure as an example, where it's a different model where it's an embedded capability as a partner where customers go to Azure, and they transact through Azure when they were the new vulnerability management directly. So we're basically very flexible with being a cloud platform. It really work with as customers, buying patterns are changing and they're trying to figure out themselves, which selection that they want to go. We have that flexibility in our model to work with them.

Question
Fatima Boolani (Analysts)

Before we kind of dive into the competition discussion and the competitive landscape discussion, I did want to have a conversation with you about DevSecOps, AppSec, [ ShiftingLeft ], security shifting left. I think at the outset, you sort of alluded to some of these dynamics in your commentary as it relates to sort of risk mitigation across an IT landscape that looks so much different today than it did 5 years ago. And so just specifically from the standpoint of apps no longer being built in a monolithic fashion, where does Qualys' value proposition, shine? And how does it maybe compare to the sort of new age of DevSecOps company that are kind of bubbling up right now and sitting kind of in the work bench of the developer who's code scanning. And I guess, ultimately, what I'm asking you is this whole notion of supply chain security, how do you fit into that paradigm?

Answer
Sumedh Thakar (Executives)

I think that a lot of companies, as they're looking at cloud or shifting to the cloud, if you really -- however, at the end of the day, you look at that, them, they're getting compromised because of misconfigurations and vulnerabilities, right? So no matter what technology is changing, the basic mode of what you need to do haven't really changed that much. Now, what is happening is, with the awareness and as I was a developer 20 years ago, awareness of security was really low at that time, right? But today, with DevSecOps, the awareness of security practices is much better. The automation is much better that allows us to make sure that we are shifting as left as possible to reduce the risk that you have by finding out what kind of applications or libraries that you're including, trying to eliminate as many vulnerabilities as you can on the -- in the CI/CD pipeline.

However, that has not resulted in customers not looking at the run time environment because you could have somebody go in, make some change, and new vulnerability can pop up on a running machine. So we continue to provide ways with our scanning capabilities for customers to scan their images in their AMIs in the CI/CD pipeline well before they go into production, but then also in the production environment with the agent with the scanner. They can also monitor live to make sure that nothing is popping up that is newly released they need to hear about.

So while we provide capabilities like looking at your software composition analysis, et cetera, on the far left, it's not really stopping people from also monitoring their production environment live. So I think it's more like capabilities that we have are getting extended on the -- in the CICD pipeline and just providing newer and different ways to reduce the risk as early as possible. But with the reduced risk, you still have a certain amount of risk and people want to have a holistic approach. And so the capability like VMDR, we don't really differentiate, okay, this is a CICD only or that. So we kind of give a much bigger play for them to leverage Qualys capabilities wherever they seem fit in moving more shifting on the left or more shifting on the right.

And so it's fairly dynamic from our standpoint because it's the same technology that they're using, no matter where they're using.

Answer
Joo Mi Kim (Executives)

People don't talk about shifting right enough. Can you just sort of talk about that -- it's always shifting left.

Answer
Sumedh Thakar (Executives)

Yes, because it's like saying right, if you're sure that you have no vulnerabilities, you would never need a patch, but that's not true, right?

Question
Fatima Boolani (Analysts)

Just I'd be remiss if we didn't talk about the competition and the competitive landscape, especially because as you've evolved the portfolio and grown it, it's sort of put you more in the crosshairs of some new competitors that you maybe didn't see before. So at least in the core market, maybe you can share some observations on market share dynamics and how VMDR is sort of helping improve your competitive positioning. And then I'm very curious to kind of get your perspectives on the EDR XDR landscape because there is a lot of discussion and a lot of conversation from endpoint security vendors there and network security vendors there who are sort of making their way, so core VM space dynamics? And then in some of these newer areas, who you expect to -- or who you run into and who you expect to run into more?

Answer
Sumedh Thakar (Executives)

Yes, I see when you talk about market, it's a very subjective term, right, for investors it's different, for customers, it's different. For vendors, it's different. So look, for me, I think at the very basic, when you look at security, almost never would you deploy an EDR agent on an asset that you're not doing vulnerability management and patching on. Because if you're not trying to even reduce the risk by looking at vulnerabilities and patching them and knowing the inventory, which means from a customer perspective, when they look at securing an asset, they want to know what's running on that asset. They want to know what are the risks associated with it and how do I mitigate those, and then they want to make sure that nothing is popping up on the device that is getting compromised, so you can monitor that.

And there is really no reason to have multiple different agents to do the same thing. So if you really look at it from that perspective, the market, as I would say, would really like to see a single solution that is able to do all of these things together in one because that is the more beneficial thing from a customer perspective. So if I look at more of the core VM market, I think with VMDR, we sort of upped the game by coming up with a game-changing solution that is consolidating many different aspects of vulnerability management, which is the 4 stages of discovering the asset, finding the inventory, discovering the vulnerability, prioritizing and fixing into one sort of a single solution, which, in our opinion, is working well from a customer perspective as they look to speed up the remediation, as they look to get more value out of their vendor.

So VMDR, in that sense, is really looking at the risk mitigation side of it, right? And then CSAM, which is a Cybersecurity Asset Management is a capability that we feel is not -- we don't see that much from anybody else out there. So that's again creating something very interesting for them to really make their risk mitigation program better by knowing what they have. And so when we start to look at, even though currently everybody looks at EDR and XDR are siloed solutions that are deployed by themselves. Ultimately, for us, our EDR solution can also patch. So it's the same agent that can also patch. And we don't see that right now, right, where others are really focusing only on this side or only on that side.

And so the opportunity remains to align with what customers would really like to see eventually is to do their consolidation and really have one agent that can do all of that. And so we see the opportunity there to -- instead of competing with vendors individually on one capability, EDR only or patching only or VM only, we feel, with what we are putting together, we have the ability to go and say we can consolidate all of that and get better value and better speed in mitigating risk and speed in detecting and responding to threats that are on the device.

Question
Fatima Boolani (Analysts)

Joo Mi, just with the last few minutes we have, just talking about sort of the investment constructs and the investment philosophy from here. You're slated to reinvest pretty heavily in the back half of this year. So 2 part -- 2 quick parter there. You all have been at the forefront of driving a lot of sort of headcount efficiencies with big technology centers in India. So the first part is, have we more or less peaked in terms of driving the efficiencies from those moves in terms of technological and R&D center? And secondarily, as we think about the broader macro environment, more aspirations to invest in addressing your big new TAMs, how is that sort of influencing how much you're hiring, how responsive you're going to be to pulling back hiring if things do start to change more materially in the environment? So just some finer points on sort of the investment philosophy from here.

Answer
Joo Mi Kim (Executives)

Yes. So investment, we've said for multiple years that we will continue to increase investments just because of the opportunities are there. We're always looking at it from the ROI perspective. Is there a return? Are we investing enough to balance the growth with profitability? And we're still in the, I would say, kind of the earlier innings. We do see more opportunities where we can increase investments, not just on sales, marketing -- product marketing because there -- the opportunity is so great.

In terms of the cost efficiencies, I think that we'll continue to see that relative to our peers. Because one of the advantages that we have is we do have a great presence in Pune, Sumedh is from Pune, and we've been very successful. And I think that with the larger team that actually helps us with retention and attracting great talent. And we'll continue to see that as a focus on product development as well as go-to-market strategy in terms of the newer product. What's great from that perspective is they're already out there. Selling additional products or cross-sells are obviously more cost efficient than kind of new logo acquisition per se.

We are looking at all fronts, whether we're driving new logo acquisition from direct sales force or partnering with partners. We talked about the new partnership programs that we launched earlier this year. So we will continue to assess and take our same kind of approach, and we're being cautious about how we invest, how much we plan to continue to increase investment. I think that for us it's always been true, though, as being equal, we believe that we will continue to have the industry-leading margins relative to our peers, and we're putting aside either macroeconomic geopolitical conditions and that will continue to be true for Qualys.

Question
Fatima Boolani (Analysts)

Great. I think with that, it's an excellent way to cap off our discussion. I wanted to thank you for being brave and early this morning. I appreciated our conversation. So thank you very much.

Answer
Joo Mi Kim (Executives)

Thank you.

Answer
Sumedh Thakar (Executives)

Thank you.

S&P Capital IQ 2022