Qualys - Earnings Call - Q1 2025

Executive Summary

• Q1 2025 delivered solid top-line and strong profitability: revenue $159.9M (+10% y/y), non-GAAP EPS $1.67, Adjusted EBITDA margin 47%; operating cash flow rose 28% to $109.6M (69% of revenue).
• Both revenue and EPS beat consensus; management raised FY25 revenue to $648–$657M and materially lifted FY25 GAAP EPS to $4.27–$4.57 and non-GAAP EPS to $6.00–$6.30, citing product momentum and operating discipline; Q2 2025 guidance implies 7–9% y/y growth with sustained profitability.
• Go-to-market pivot toward partners continues to execute: channel represented 49% of revenue (up from 45% y/y), international grew 16% vs 6% U.S.; management remains prudent on upsell/new logos amid budget scrutiny and longer cycles.
• Strategic catalysts: scaling mROC partner ecosystem, TotalAI enhancements for LLM security, and federal progress; management highlighted early ETM/ROC wins and confidence in platform-led consolidation as multi-year drivers.

What Went Well and What Went Wrong

What Went Well

• Robust profitability and cash generation: Adj. EBITDA $74.8M (47% margin), OCF $109.6M (69% of revenue), free cash flow $107.6M (67% margin) as operating leverage and collections drove upside.
• Channel and international outperformed: channel revenue +19% y/y to 49% mix; international +16% vs U.S. +6%, reflecting traction of partner-first strategy and broader execution outside the U.S..
• Product momentum across platform: Q1 highlighted ETM/ROC adoption, CNAPP (TotalCloud) wins, and new TotalAppSec launch; management sees platform consolidation and risk-led narrative resonating with CISOs.

Quotes:

• “Our Q1 results reflect the success of new product initiatives and demonstrate customer demand for natively-integrated cybersecurity risk management solutions.” — CEO Sumedh Thakar.
• “We are entering a new era for Cybersecurity Risk Management powered by real-time data, automation and AI… resulting in better-than-expected revenue growth, strong profitability and solid cash flow generation.” — CEO.
• “Adjusted EBITDA… was $74.8 million, representing a 47% margin, in line with last year.” — CFO Joo Mi Kim.

What Went Wrong

• Macro-driven upsell caution: Management cited pushback on expected upsells within renewals late in the quarter; no material deal slippage, but environment remains scrutinized.
• New business softness risk: Guidance assumes continued headwinds for new bookings contribution to revenue growth in 2025 as partner-led motions scale and budget scrutiny persists.
• Billings growth moderating with mix: Calculated current billings +7% y/y (vs revenue +10%), aligning with prior commentary that billings should mirror low-to-mid single-digit growth trajectory; company does not manage to billings.

Transcript

Operator (participant)

Ladies and gentlemen, thank you for standing by, and welcome to Qualys First Quarter 2025 Investors Call. At this time, all participants are in the listen-only mode. After the speaker's presentation, there will be a question-and-answer session, and to ask a question during this session, you will need to press star 11 on your telephone. You will then hear an automated message advising your hand is raised. If your question has been answered, to withdraw your question, please press star 11 again. Please be advised that today's conference is being recorded. I would like now to turn the conference over to Blair King, Investor Relations. Please go ahead, sir.

Blair King (Investor Relations)

Thank you, Michelle. Good afternoon and welcome to Qualys' First Quarter 2025 Earnings Call. Joining me today to discuss our results are Sumedh Thakar, our President and CEO, and Joo Mi Kim, our CFO. Before we get started, I'd like to remind you that our remarks today will include forward-looking statements that generally relate to future events or future financial operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10Q and 10K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures.

A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. As a reminder, the press release, prepared remarks, and investor presentation are all available on the investor relations section of our website. With that, I'll turn the call now over to Sumedh.

Sumedh Thakar (President and CEO)

Thanks, Blair, and welcome all to our First Quarter Earnings Call. We are entering a new era for cybersecurity risk management powered by real-time data, automation, and AI. Against this backdrop, we executed well in this quarter, resulting in better-than-expected revenue growth, strong profitability, and solid cash flow generation. Fueled by customer insights, Qualys' mission is to bring innovative new security solutions to the market. With over 25 years of evolving our platform to meet the next generation of modern security challenges, we have established a strong track record of converting operational challenges into secular competitive advantages while maximizing lifetime value, ensuring frictionless outcomes at scale, and driving immediate ROI on security spend.

In doing so, we believe we have built a new security industry paradigm, which today leverages our powerful real-time data processing capabilities across more than 18 trillion data points on a natively integrated platform to help organizations streamline their cybersecurity risk management program with the Risk Operations Center, ROC. While a Security Operations Center, SOC, is used for detection of threat actors after a breach, the ROC is needed by organizations for proactive risk management to reduce the chance of breaches by deploying the cyber budgets where the highest risk of loss is. Unlike other CTEM solutions that only reveal exposures without providing effective remediation, Qualys' cloud-native enterprise risk management ETM solution is purpose-built to deliver a single comprehensive AI-powered orchestration layer unifying security findings from multiple Qualys and non-Qualys sources to implement an effective ROC.

By unleashing the scale of the Qualys platform, we ingest data from multiple sources, including Tenable, CrowdStrike, Wiz, normalize risk signals enriched with threat intelligence, analyze adversary behavior, and provide organizations with actionable enterprise-wide insights to prioritize and remediate cyber risk through a common language of business context and financial impact. This holistic approach uniquely ensures organizations not only understand their cyber risk in quantifiable terms but can take immediate action to reduce the risk that matters the most. With prospects of POCs more than doubling from last quarter and over 25 active POCs already underway since launching of GA a short while ago, we continue to see many parallels between this new market opportunity and the early days of VMDR launch, including significant greenfield opportunity and a growing demand. Embracing this momentum in the market, we further evolved our ETM solution through an expanding ecosystem of remediation solutions.

In doing so, we have advanced our TruRisk eliminate agenda by enabling organizations to amplify third-party remediation tools with security insights from Qualys to prioritize patching or activate other compensating controls available through the Qualys platform. With this latest innovation, organizations can soon leverage a unified Qualys workflow with end-to-end automation, CMDB, and ITSM integration to prioritize rapid remediation across all environments from their patching vendors of choice. This is a strong competitive differentiator for Qualys, further neutralizes IT and SecOp procurement friction, and significantly expands our market opportunity by going well beyond Patch Management. Continuing this rapid pace of innovation, we're expanding our Qualys TotalAI and TruRisk capabilities to help organizations address the evolving threats associated with LLMs.

With this latest release, TotalAI brings full visibility across ML supply chain, data applications, and pipelines to detect malicious code, policy violations, and advanced multinodal exploits hidden within images, audio, and video files. By enhancing our AI security posture, AI SPM with native internal LLM scaling expands jailbreak detection and seamless integration into MLOps pipelines. We're equipping security teams with the agility and insight needed to protect modern AI-driven workloads from development all the way through runtime while building what we believe is the most advanced AI security solution available in the market. In addition, with the launch of Policy Audit and Audit Fix, we are now providing organizations of all sizes with the ability to streamline audit operations by providing audit readiness reporting and automated evidence collection across 450-plus technologies and over 1,000 out-of-the-box audit processes for frameworks like PCI, NIST, DORA, HIPAA, etc.

This solution addresses a growing area of focus and cyber spend for CISOs as they are under pressure to ensure their organizations don't fail audits while at the same time reducing their spend in audit readiness with automation, not only detecting the gaps but automation and also fixing them. Moving to our business update, we have hosted several risk quantification workshops attended by many of the most forward-thinking CISOs around the world in recent quarters, and the message is clear. Organizations are increasingly anchoring pre-breach cyber spend to quantifiable risk reduction in their business, which is easily articulated to boards and business partners. CISOs want a platform that speaks a unified language of risk while letting their teams choose their own tools with various components of the stack rather than trying to consolidate multiple vendors into a single platform.

This requirement necessitates a centralized risk fabric that seamlessly unifies the underlying tools of choice to effectively measure, communicate, and fortify an organization's risk posture while reducing complexity, operating cost, and time to remediation. As a result, our technologies are not only fueling new logolands but also helping to increase broader platform adoption, especially in the areas of VMDR, cybersecurity asset management, patch management, cloud security, and increasingly the ROC delivered through Qualys' ETM solution. With thousands of customers consolidating on Qualys' enterprise TruRisk platform, let me share a couple of recent wins which illustrate why these companies are turning to Qualys to help unify their security tools, quantify and remediate cyber risk in their environments, and achieve better security outcomes.

First, an existing global 100 multi-national media company with a rapidly growing multi-cloud and container environment determined that managing siloed tools added complexity to their operations, lacked integration, and misdetections while hindering their ability to assess risk and centralized remediation. This customer chose Qualys to transform siloed risk factors spanning core repositories, endpoints, identity, cloud, container, IT, IoT, and network assets into a cohesive real-time risk management solution by consolidating Qualys and non-Qualys data. This included purchasing eight Qualys modules and deploying ETM to begin operationalizing their ROC and consolidating ingested data from Wiz, resulting in a seven-figure annual booking steal, including a mid-six-figure TotalCloud CNAPP upsell. We are now quickly migrating numerous data sources in the Qualys platform and delivering a vendor-agnostic orchestration layer with full visibility of the attack surface, centralized risk assessment, quantification, prioritization, and remediation while unleashing the operational efficiencies of security stack consolidation.

Looking ahead, this customer is now in the process of planning to power its ROC with ETM across 30 separate entities worldwide. Further advancing our TotalCloud CNAPP momentum is another marquee seven-figure annual booking swing with a global 50 financial services company. This existing customer launched and initiated to strengthen its cloud and container security solution against advanced threats, close security gaps, and remediate risks with ITSM integration through a single dashboard. It also needed to meet increasingly stringent global regulatory requirements and extended its on-prem visibility to multi-cloud and container environments. Through its evaluation, this customer chose our TotalCloud CNAPP solution and is now leveraging the Qualys Enterprise TruRisk Platform for complete visibility across its entire attack surface to quantify and prioritize risk reduction initiatives and increase operational regulation and compliance.

Our growing leadership in the cloud market was further evidenced in GigaOm's radar report, ranking Qualys as a leading outperformer in cloud workload security. With customers beginning to perceive Qualys as a leading risk management platform that consolidates and orchestrates multiple security solutions and workloads, we are growing increasingly confident in our ability to drive long-term growth and gain market share. This confidence was again bolstered in Q1 with customers spending $500,000 or more with a growth of 6% from a year ago to 203. Consolidating workflows is not just happening with customers; it is also embraced and prioritized by our partners, underscored by an increasingly strong mix of new business and significant growth. As we continue to endorse our partner for sales, Motion Partner-led deal registration increased again in Q1.

In addition, we have now certified six leading partners who are actively marketing the delivery of our fresh new managed risk operations, MROC services, and just beginning their efforts to capitalize on a centralized and automated approach to pre-breach risk management on top of ETM. Further advancing our momentum towards a global ROC ecosystem, we look forward to certifying a few additional strategic partners in the months ahead who have already demonstrated a firm commitment to spearheading this new initiative with Qualys as their MROC partner of choice. Finally, as the federal government seeks to show efficiency and replace outdated and costly on-prem deployments from years past with modern cloud-native risk management solutions, we are especially excited to host our second annual federal conference in Washington, D.C., towards the end of this month.

We have recently made good progress advancing our FedRAMP High certification status, and we continue to believe we are on track to achieve authorized milestones later this year, fueling a new leg of growth for the company. In summary, Qualys is increasingly well armed with fresh new capabilities to further strengthen our strategic position as the partner of choice for customers ready to centralize their response to cyber risks, solve modern security challenges, and reduce costs. Looking ahead, we believe we will continue to outpace our competitors, extend our leadership in the market, and build upon an already strong foundation to drive durable long-term growth in the business. With that, I will turn the call over to Joo Mi to further discuss our first quarter results and look for the second quarter and the year ahead.

Joo Mi Kim (CFO)

Thanks, Sinay, and good afternoon. Before I start, I'd like to note that, except for revenues, all financial figures are non-GAAP, and the growth rates are based on comparisons to the prior year period unless stated otherwise. Turning to first quarter results, revenues grew 10% to $159.9 million. The channel continued to increase its contribution, making up 49% of total revenues compared to 45% a year ago. As a result of our continued commitment to leverage our partner ecosystem to drive growth, we were able to grow revenues from channel partners by 19%, outpacing Direct, which grew 2%. By GEO, 16% growth outside the U.S. was ahead of our domestic business, which grew 6%. U.S. and international revenue mix was 57% and 43%, respectively. In Q1, we were pleased to see some improvements in our gross retention rate.

However, growing macroeconomic uncertainty toward the end of the quarter presented an increasingly challenging upsell environment, with our net dollar expansion rate at 103%, unchanged from last quarter. In terms of product contribution to bookings, Patch Management and Cybersecurity Asset Management combined made up 15% of total bookings and 24% of new bookings on an LTM basis. Our cloud security solutions, TotalCloud CNAPP, made up 5% of LTM bookings. We credit this momentum to customer demand for a more comprehensive and contextual understanding of their expanding attack surface, supported by seamless integrated risk management and remediation workflows across all environments within a unified platform. Turning to profitability, adjusted EBITDA for the first quarter of 2025 was $74.8 million, representing a 47% margin, in line with last year. Operating expenses in Q1 increased by 10% to $62.5 million, primarily driven by investments in sales and marketing, which grew 15%.

Demonstrating our ability to innovate and invest in our long-term growth initiatives while remaining capital efficient, EPS for the first quarter of 2025 was $1.67, and our free cash flow was $107.6 million, representing a 67% margin compared to 57% in the prior year. In Q1, we continued to invest the cash we generated from operations back into Qualys, including $2 million on capital expenditures and $39.6 million to repurchase 292,000 of our outstanding shares. Since commencing our share repurchase program in February 2018, we repurchased 9.6 million shares and returned nearly $1.1 billion in cash to shareholders. As of the end of the quarter, we had $303.8 million remaining in our share repurchase program. With that, let us turn to guidance, starting with revenues.

For the full year 2025, we expect revenues to be in the range of $648 million-$657 million, which represents a growth rate of 7%-8%. This compares to prior guidance of $645 million-$657 million. For the second quarter of 2025, we expect revenues to be in the range of $159.7 million-$162.7 million, representing a growth rate of 7%-9%. While we believe our platform approach to cyber risk management provides some insulation against ongoing macro volatility, this guidance assumes increased business scrutiny and a more challenging environment for new business growth in 2025. Shifting to profitability guidance, given our strong Q1 performance, for the full year 2025, we expect an EBITDA margin in the low to mid-40s, implying a 15%-17% increase in operating expenses and a free cash flow margin in the mid-30s.

We expect full year EPS to be in the range of $6-$6.3, up from prior range of $5.5-$5.9. For the second quarter of 2025, we expect EPS to be in the range of $1.4-$1.5. Our planned capital expenditures in 2025 are expected to be in the range of $8-$11 million, and for the second quarter of 2025, in the range of $1.5-$3 million. We continue to believe organizations will increasingly adopt cloud-native full-stack security and compliance coverage to meet the demands of today's threat landscape and reduce costs. As the impact of the macroeconomy is still unfolding, we are closely monitoring the business environment and adjusting our priorities accordingly.

That said, considering the long-term growth opportunities ahead of us and our industry-leading margins implying further room for investment, we intend to continue to responsibly align our product and marketing investments to focus on high-impact initiatives aimed at driving more pipeline, accelerating our partner program, and expanding our federal vertical. As a percentage of revenues, we expect to prioritize increased investment in sales and marketing and engineering with a more modest increase in G&A, consistent with our commitment of balancing long-term growth and profitability. With that, Sinay and I would be happy to answer any of your questions.

Operator (participant)

Thank you. As a reminder to ask a question, please press star 11 on your telephone and wait for your name to be announced. To withdraw your question, please press star 11 again. The first question will come from Jonathan Ho with William Blair. Your line is open.

Jonathan Ho (Research Analyst)

Hi, good afternoon, and congrats on the strong quarter. I just wanted to maybe understand a little bit better what your thoughts are around the macro environment, perhaps what you're seeing from customer spending so far, and maybe what underpins your confidence to tighten the guidance range a little bit higher.

Sumedh Thakar (President and CEO)

Yeah, I would say that at a high level, what we're seeing is similar to what we've seen the last couple of years, where cybersecurity still continues to be an important aspect of risk management for the company, and there is continued focus. However, as we have seen, there is more scrutiny on the spend. ROI of the spend is important, and we're seeing longer cycles because people are taking longer time to make the decision. I think that is what we continue to see right now. Of course, given more recent changes, there is a little bit of uncertainty, I would say, and a little bit of that is factored into how we're thinking about the rest of the year, though we haven't particularly seen anything specific yet.

We're just being prudent about sort of what we see now and a little bit of expectation around people scrutinizing things a little bit more and continuing to inspect budget spend, not just in cyber, but overall budget spend across the board with everything.

Jonathan Ho (Research Analyst)

Got it. In terms of your discussion of the ROC, can you talk a little bit about how that works from a customer journey perspective, what they maybe add to their existing solutions, and what that looks like from a financial perspective? Thank you.

Sumedh Thakar (President and CEO)

Yeah, that's a great question. I think really where everybody's struggling right now is all their investments across multiple tools are generating tons and tons of risk signals, and we routinely see that if you take vulnerabilities as an example, less than 5% of those vulnerabilities even have some form of potential immediate attack vector.

Customers, as they're trying to figure out how they don't end up with 10 different consoles from 10 different solutions when they look at risk, what we're seeing is our ability to take the Risk Operations Center idea of consolidating all assets from all tools, all findings, applying threat intelligence, providing contextual from a business perspective, adding dollar values to the business potential loss that they could have, and then providing remediation plans as well as board reporting is what is sort of the journey of a Risk Operations Center, and it starts with consolidation of assets. For us, what we are seeing with ETM, we're able to walk in to customers who today have multiple solutions and not necessarily start off with a conversation of replacing something that they have.

I took some of the vendor names that we are currently pulling data from, and we are able to say, "Look, if you have this particular VM solution, if you have this particular configuration solution, if you have this particular identity solution, you can keep that.

We can ingest the data from these tools and provide you a higher level visibility of what your actual risk is that is aligned with your dollar value risk from your business entities that you have, and then provide you reporting that you can take to the board and also to IT teams in terms of prioritizing what is the most important thing that they need to fix. What we're finding is that this approach is helping them partner with the IT team to not spend time on fixing hundreds and thousands of issues that actually are not exploitable or not attackable right now.

This is actually creating potential cost savings for the company in terms of not wasting developer time as well as not wasting IT teams' time on fixing things that are not immediately actionable and then going back and focusing on the things that are immediately actionable. From a customer journey perspective, they look at it as something that layers on top of what they have, so they do not need to work through a replacement plan, and they essentially pay an additional amount to Qualys for the cost saving that they end up getting in terms of consolidation and not having to waste time on fixing things that are not important. They are able to walk in and make a case for additional budget for a Risk Operations Center because they see the savings that are coming out from the outcome of the Risk Operations Center.

Jonathan Ho (Research Analyst)

Got it. Thank you.

Operator (participant)

The next question will come from Patrick Colville with Scotiabank. Your line is open.

Patrick Colville (Director and Equity Research Analyst)

Thank you, guys, for taking my question. I guess let me just ask one to Sumedh and Joo Mi. I mean, in your prepared remarks, there was a comment that macro at the end of the quarter was a challenge. I mean, were there any deals that pushed at the end of one Q into two Q or were pulled, or was that comment kind of in isolation and didn't have an impact on current billings?

Joo Mi Kim (CFO)

Yeah, there wasn't any material deals that were pushed or pulled in the current quarter. That was more of the commentary around the fact that, let's say, a customer that was set to renew in the quarter, we had anticipated a higher upsell rate potentially from that customer increasing their spend with us. We saw some pushback, and so that doesn't necessarily mean that it's a push; it's going to be closing Q2. It's in the quarter impact that I was calling out.

Patrick Colville (Director and Equity Research Analyst)

Okay, crystal clear. And congrats on all these terrific announcements made by Qualys at our SA conference. I want to actually touch on the announcement made by a competitor best known for endpoint security. They GAed a product expanding into network-based VM. I mean, would you mind just commenting on your thoughts on, I guess, other cybersecurity players moving into network-based VM and how Qualys is defending against these guys? Thank you.

Sumedh Thakar (President and CEO)

Yeah, great question. I think we're actually pretty happy to see that competitors are acknowledging that their current solutions, which are agent-only, are not enough to give customers a full view of what their overall attack surface is from a vulnerability perspective. While we haven't really seen that solution with any of our current customer engagements or prospect engagements, we've heard about it. To me, I think, as I have mentioned earlier, and even going back four or five years ago, Qualys really has been talking about the evolution of vulnerability management and less about finding more vulnerabilities that you're not able to fix and more about focusing on the ones that actually matter to the risk and then actually helping them remediate.

Our focus really has been about how do we help them prioritize and remediate the findings rather than just finding more findings which are not being fixed anyway. To that extent, we are taking data of those findings from the competitor and providing customers a higher value capability around taking that information, which is just a big blob of findings that are hard to decipher, and adding the right context with over 20 plus years of significant research that we have done in vulnerabilities and vulnerability exploitation and using that to provide additional value on top of that.

I think it's really leading to the customer having the choice that they can either use Qualys or if the other solution is something that satisfies their need for that particular environment, we will still be able to take that data, and we're already seeing consuming data from competitors. I think when the solution comes out, we will take a look at it and see how our customers feel about that. Having said that, we're not dependent on the customers leveraging Qualys scanner necessarily to find the vulnerabilities as we move forward with our focus on risk operation center and ETM.

Patrick Colville (Director and Equity Research Analyst)

Yeah, that's very clear. Keep up the good work. Thank you so much.

Operator (participant)

The next question comes from Kingsley Crane with William Blair. Line is open.

Kingsley Crane (Managing Director and Equity Research)

Hi, thanks for taking the question. I appreciated your comments on TotalAI. Curious how you would characterize the competitive market in AI SBM, and then how do you think security budgets are going to play out with respect to that market? Do you think that they need to lag as we wait for more upstream adoption, or are you already seeing some nice uptick? Thanks.

Sumedh Thakar (President and CEO)

Great question. Right now, everybody seems more in the exploratory phase rather than there's obviously some very, very early adopters, but I think overall, we feel like a lot of customers are just trying to understand the risk vectors that are coming out from potentially AI. They're looking at what are the solutions out there. I don't think this is more of a competitor thing as much as an educational phase that customers are going through as they're looking at various AI security solutions that are out there and trying to figure out where within the AI journey is the place that has the maximum risk from a business perspective that they need to mitigate. We have had some great conversations around TotalAI.

We already have a couple of customers that are engaged with POC with us on TotalAI in terms of being able to focus on LLMs that they're going to put out. Now with our new announcement that they will be able to run LLM scans within their dev environment means that they can actually test these LLMs in pre-production before they go out. The dynamic that is playing out right now is IT teams are ready to say, "Hey, here's a few LLMs we are ready to go to production with." They're asking the security team for a sign-off before they go, and the security team doesn't necessarily have a good knowledge or idea of what they can do from the sign-off perspective. With the Qualys TotalAI solution, it's like a point-and-shoot scanner.

You point it at the LLM, it gives you a green, yellow, or a red signal to say whether this LLM is good to go or not. That is the dynamic in terms of people who are evaluating, looking at it, and trying to figure out. I think the second dynamic is given that overall security budgets are not increased significantly even with the onset of AI, people are in the mode right now of trying to figure out what the potential loss that they could have from an AI security-related incident perspective and then using that this year to formulate their ask for budgets for next year.

While we will continue to see more interest and more adoption in terms of POCs this year and maybe a few customers signing up for a few more AI-related scans, I think this is a journey that is going to take a couple more years where people really have to go and make the case for why they need additional budget for AI security and then the willingness of the business to give them additional versus asking them to adjust against existing budget that's been allocated to them. I think that remains to be seen.

Kingsley Crane (Managing Director and Equity Research)

Thanks, Sumedh. That's really helpful. And then for Joo Mi, a quarter ago, we were looking at EPS guidance that was down year-over-year. Now we've meaningfully raised it this quarter. I think the midpoint is roughly flat from last year. But can you speak to what went into the change over the past quarter? I think last quarter you had called out investments in data centers and aligning some product marketing to break into federal. Just kind of curious any specific points that have changed. Thanks.

Joo Mi Kim (CFO)

Yeah. Last quarter, the guidance was informed by our annual planning. What we like to do is we'd like to set aside sufficient funds to be able to execute on the priorities that we had set at the beginning of the year. As we move through the quarter, you see that our EBITDA margin came in at 47% with our sales and marketing growing by 15%, which is a healthy growth in and of itself. With that said, looking back at Q1 performance and the achievements and the initiatives that we have set for ourselves for the rest of the year, we felt that the growth right now we're expecting on the OpEx is more along the lines of 15-17%.

What we've seen a great success or traction in is in our ability to work very closely with our partners, which may not really translate to a significant increase in sales and marketing spend this year. That kind of speaks to why the margin contraction is not as significant as what we had anticipated at the beginning of the year.

Kingsley Crane (Managing Director and Equity Research)

Okay, helpful. Thank you.

Operator (participant)

The next question comes from Rudy Kessinger with D.A. Davidson. Your line is open.

Rudy Kessinger (Managing Director and Senior Research Analyst)

Hey, thanks for taking my questions. I saw the LCM $500,000-plus ACV customer count actually dropped by four versus Q4. One of your competitors had called out record quarter seven-figure deals. At the same time, I heard you guys call out, I believe, improved gross retention. Were there any large customer losses or some downsell that pushed customers below that threshold or just any comment on that?

Sumedh Thakar (President and CEO)

Hey, Rudy, nothing out of the ordinary to call out for. Our win rates have been stable, and as you saw, we improved our gross retention. That metric you talk about is an LTM metric. We continue to see in some quarters, sometimes customers might have a downsell a bit that is then offset by a larger upsell with another customer, or that sometimes can drop them below the $500,000. I think we're glad to see that there continues to be growth in that area year-over-year. From our perspective, we're glad to see that with our focused efforts, we're seeing some good incremental improvement in our retention.

Rudy Kessinger (Managing Director and Senior Research Analyst)

Got it. Okay. Joo Mi, apologies, I joined the call a bit late. I just want to understand maybe some of the increased conservatism that guides the macro for the remainder of the year. I guess, are you now expecting net retention rate to maybe come down a point or two versus kind of staying flat at the 103%? What are you expecting on a new logo bookings standpoint for the rest of the year, I guess, versus prior guidance and versus last year?

Joo Mi Kim (CFO)

The only real change as indicated by the annual revenue guidance, Rudy, right now what we're seeing in the business today is at the end of the close to the end of the quarter, we did see some pushback and some impact from the macro. What that resulted in is even with the lower than what we would have liked the upsell rate to be, it was more than offset by the fact that our retention rate was a little bit better. All in all, we did end the quarter at 103%. We are assuming 103% will pull throughout the rest of the year. We do expect to continue to see some headwinds in the new bookings and its ability to contribute to revenue growth. Hence, we're guiding to a revenue growth rate of 7-8% for the full year.

Operator (participant)

The next question comes from Trevor Walsh with Citizens. Your line is open.

Trevor Walsh (Director and Senior Equity Research Analyst)

Great. Hi, team. Thanks for taking the questions. Sumedh, maybe for you, could you just walk us through how you're thinking about the MROC kind of rollout with partners and how you're gaining mindshare with them when they've got a lot of different managed services that they are probably trying to bring to market? With that, why just the six to start? There's probably a lot of other players you could go after out there to partner with. Is there more to follow or how are you thinking about just onboarding of those things?

Sumedh Thakar (President and CEO)

Yeah, that's a really good question. We're pretty excited about this because, as you know, the last three years or so, we have really been focused on a partner strategy and a partner-first strategy. You can see that in the numbers and the way the business is moving more towards partners. Part of that, we really felt like we wanted to do something that was meaningful to our partners and was not just about a few points here or there in terms of resell. When we talk to some of the partners, as you said, they have managed services today, but a lot of their managed services are around MDR, which is becoming more and more commoditized or price-sensitive because everybody's offering some sort of an MDR service. However, MDR services are post-breach detection, right?

Is there somebody in my environment that I can detect and be able to alert and take action by looking at data from all of the different tools? That is a different architecture. When we talked to our partners, they felt like they did not have really great services from a managed service perspective other than sort of point solution type services for scanning service as a managed service or patching as a managed service. When we introduced the concept of a Risk Operations Center, it was also pretty clear that implementing the Risk Operations Center, we have a great platform that we have with ETM that consolidates all these findings. However, the customer does need help with risk quantification, putting dollar value terms in terms of how their business is evolving with the risk card. They need some help with connectors.

They need help with actively monitoring risk because today the issue is they have millions and millions of findings, which out of those, once Qualys has prioritized, truly actually impact their environment by looking at their environment. So sort of a risk monitoring service and then ultimately a risk remediation service. These are fairly new services that most MSSPs do not have when we talk to them. They were excited about the ability to launch new or different services in the market rather than just launching another MDR, which is pretty saturated. From that perspective, we wanted to work closely and prioritize with the partners that truly understand the vision and are investing together with us in terms of their resources, hiring the right people on their side for quantification type services, and working with us to provide a tightly bundled service.

Today, we focused on those first six. These are the launch partners. There are a few others we're talking to as well. The ability, the excitement for them is, can they make a few more dollars of services on a dollar of Qualys ETM that they sell is the exciting part for them. We are going to continue to work with selected strategic partners that are really working closely, investing rather than just sort of making it available on the shelf and they're reselling. That is really the focus.

Our thought there is that MROC partners will be more excited to bring more customers to Qualys because that will allow them to create more dollars of services versus maybe a competitor who is competing with them on services or offering professional services and does not provide a lot of capability to add additional services on top of just reselling. It is a very strategic move for us, and we are excited to see globally multiple partners actually signing up and excited about this.

Trevor Walsh (Director and Senior Equity Research Analyst)

Awesome. That's great. Appreciate all the color there. Joo Mi, maybe just one quick follow-up for you kind of along the same lines. I think last quarter, you had mentioned some gross margin pressure as these partner programs are rolled out, but it looks like at least from just the results in this quarter that you were a little bit ahead of kind of where expectations generally were around gross margin. Is that just a function of maybe these partner programs still kind of basically still launching until you're not seeing the kind of added gross margin requirements there? Do you have kind of a new perspective on kind of where gross margin should track kind of heading into the rest of the year?

Joo Mi Kim (CFO)

Yeah. We had talked about the gross margin contraction primarily due to the data center operations investment that we plan to continue to make throughout the year. That really has not changed. From the pressure on the partner side, I think that we have actually seen it. We do not expect it to be material. If you take a look at our revenue, it continued to tick up with 49% of our revenue coming from the channel side. From that perspective, unless there is any meaningful change to the pricing or incentive program, which we do not foresee for this year, we kind of see no impact on gross margin due to our partner initiatives.

Trevor Walsh (Director and Senior Equity Research Analyst)

Awesome. Thanks both. Appreciate the time.

Operator (participant)

The next question comes from Joshua Tilton with Wolfe Research. Your line is open.

Joshua Tilton (SVP and Equity Research)

Hey, guys. Thanks for taking my questions. I have two, and I will also apologize if they've been addressed just jumping around on a few calls tonight. My first question is on billings. I think it's kind of been asked a few times, but I'm just going to be a little bit more direct. Was the billings growth that you saw in the quarter in line, below, or above your expectations for the quarter? Going forward, how should we think about billings growth relative to revenue growth and specifically to Q given the interesting comp from last year?

Joo Mi Kim (CFO)

Yeah. Current billings, because we do not manage to it, we do not really have necessarily expectations for the current quarter. What we did comment on is last quarter, we did expect current billings to be more or less in line with the annual revenue growth rate guidance of 6-8%. 7% current billings for the quarter was not a surprise to us. I would say that even though we do not actively manage to it, if you were to look for a color for the annual current billings growth, it will be more or less the same as our prior guidance of 6-8%.

Joshua Tilton (SVP and Equity Research)

Super helpful. Maybe just one follow-up here. I think in response to a question about the bottom line beat, you talked about how your plans for the year talk about some potential investments that you guys go into the year setting yourself cushion for in case you can execute. I guess from your perspective, what would it take to ignite growth on the direct side of the business to kind of trend towards or be more in line with what you're seeing on the partner side?

Joo Mi Kim (CFO)

I think for the direct side of the business, we are not expecting an acceleration on that side just because we are taking the partner-first approach for this year, whether it's from a new business perspective as well as existing customer perspective. What this year we're really focused on is making sure that we're building the channel partner team in-house as well as working closely with our top partners to come up with different programs and initiatives so that they can help us with lead generation as well as us kind of discussing with them for our existing Qualys customers who are currently direct with us where it makes sense for them to go indirect where the partners could add more value. For us, it's about the partner kind of driving growth versus trying to moderate the deceleration on the direct side.

Joshua Tilton (SVP and Equity Research)

Makes sense. Thank you, guys. Appreciate it.

Operator (participant)

The next question comes from Shrenik Kothari with Baird. Your line is open.

Shrenik Kothari (Senior Research Analyst)

Hey, yeah, congrats, team. Thanks for squeezing me in. Again, I was running a bit late, so apologies. Wait, you disclosed the TotalCloud CNAPP kind of now 5% of bookings and mid-six-figure CNAPP deal in that seven-figure analyzed deal. Can you help kind of break down the elements of that win? How are you differentiating in what is arguably a target space, right, with revenue rates? Did the, I believe you said, the audit readiness message, integrated risk, all of that is serving as a key wedge? Just curious how it is translating to wins and how fast overall the CNAP is growing and is it mostly greenfield? I had a quick follow-up.

Sumedh Thakar (President and CEO)

Yeah. We're still early days with the cloud solution. I think we're happy with having reached that 5% LTM as a percentage of our bookings. Again, shows that our solution is at the level, our investment in getting our sales force trained and our partners working with us is working, even though it's early days. As you said, the market is crowded. I think customers have different requirements. It's not that every customer has the exact same requirements for cloud. What we see is that there are times when customers prefer to take the program that they have built with Qualys all these years. Also, from the auditor perspective, just expand that into the cloud. In some cases, they might want to go with some other provider for some part of the cloud and still continue with Qualys on the workload side.

Today, our approach really is we have a pretty mature solution now that is offering all kinds of different capabilities, including CSPM, including cloud identity management. We have attack path and now toxic combinations. We're seeing those wins when we're going head to head, depending on what that particular customer wants. In some cases, we see the customers adopting Qualys for one part of the environment and maybe somebody else for CSPM. I think the exciting thing for us is that with the ETM risk operation center solution, we have customers where they might be using a different cloud provider for part of their cloud estate.

We're actually now able to bring the data from that cloud provider in Qualys to give the customer a unified view of all of their different capabilities, whether it's on laptops, whether it's on their on-prem environments, whether it's on their cloud. They are able to see a unified view of the risk. For us, wherever it makes sense for the customer to leverage our cloud native solution, we're working with them. In some cases, it's a partnership with other providers. In some cases, they are using other providers. We're still able to look at potential revenue from them because we're pulling the findings and data, adding meaningful context to the vulnerability and misconfiguration side of it.

To your point on the audit readiness, this is what we see as a big area of focus and spend for CSOs, where part of it is on risk management, but the other part of the spend for budget for them is around audit readiness, ensuring that they do not fail audits because that is fully within your control as an organization to make sure that you do not fail your audit by putting the right controls in place. The audits are costly, whether it is in the cloud or whether it is on-prem, and the amount of work that goes into manually collecting evidence. Once the auditor is on board, they go and ask you to find some data.

We're seeing the combination of Qualys, not just about finding buckets, but also helping them put the findings in the bigger context of risk, but also in the context of audit readiness so that they can be completely prepared for audits, is helping drive that focus on saying, "Maybe we should just leverage the Qualys plugin for cloud security." If it's not and they have something else, we're more than happy to take the data, which we're already seeing in the current POC, where we are taking data from other cloud providers already and giving the customer single view.

Shrenik Kothari (Senior Research Analyst)

Got it. Thanks a lot, Sumedh. Very helpful. And Joo Mi, just quick follow-up to some of the previous line of questioning. You have definitely added on to the long-standing margin discipline, targeting, of course, low 40s, a bit of margins. Just as you're shifting your bookings overall towards higher value, kind of module CNAPP, Patch Management, just curious how are you deciding? Also, Sumedh, feel free to chime in as kind of how to deploy the incremental OpEx along the lines of kind of new sales leadership, kind of investments in TotalCloud, which is going to accelerate that, just broader S&M and product. Just curious how you're thinking about it.

Joo Mi Kim (CFO)

Yeah. The way we're thinking about it is at the beginning of the year, we do go through the number of initiatives, whether it's from a product development standpoint, the engineering effort, the investment that we have to make on the R&D side, as well as operations and data centers, in addition to the sales and marketing, the go-to-market. It's basically based on what we think that we'll be able to achieve in the current year, what the goals we've set up for ourselves, and then the risk-weighted, adjusted target, if that makes sense. Because of that, we have set aside significant flexibility for us to execute on a number of initiatives if we have the bandwidth to do it. Aside from that, we did take into consideration that if we were to onboard a new CRO, there will be some kind of re-evaluating some of the initiatives.

We want to make sure that we have enough funds available for us to make some bets that are appropriate for our vision today.

Shrenik Kothari (Senior Research Analyst)

Got it. Appreciate it. Thanks a lot.

Operator (participant)

The next question comes from Yun Kim with Loop. Your line is now open.

Yun Kim (Managing Director)

Thank you. Hey, Sumedh. On your channel strategy around MSP partners, how long does it take for these MSP partners to ramp? Also, are these MSP partners you're initially focused on, are they targeting certain customer segments, like primarily targeting SMB or mid-markets?

Sumedh Thakar (President and CEO)

Yeah. Look, these are new services, right? This is not like MDR, where it's a well-known service. As they are ramping up, they are also figuring out operationally on their side what are the investments that they need. They're making those investments to make sure that they're able to work with the customers that need this kind of a view. There is excitement around that. I think the time it takes, we're already engaged with a couple of partners who are part of these POCs, who brought us these POCs. We're seeing the excitement, and we're seeing that engagement already. I think the what was the last part of the question? I forgot. Sorry.

Yun Kim (Managing Director)

Just are these partners kind of focused on certain customer segments? Are they primarily targeting SMBs or mid-market?

Sumedh Thakar (President and CEO)

Yeah. I think overall, I feel like the Risk Operations Center solution will pretty much work for anybody who has more than three security solutions, which is pretty much everybody at this point. However, I think the number of findings and the amount of triage that they have to go through to figure out those findings, I think that is a lot more of high priority for the larger customers right now. Most of the POCs that we see engagement are large enterprises that have multiple tools, multiple solutions, and are really struggling to convince their IT teams to focus on fixing things, as well as they are struggling with showing ROI of large spend to their CFO and to their board.

That is kind of where we are seeing initial target focus for these customers to the MSSPs is the large customers that have a bunch of these large tools and a large number of assets.

Yun Kim (Managing Director)

Okay. Great. Thanks for that. Hey, Joo Mi, if you can remind us how renewals are lined up for the rest of the year, do you expect the typical seasonal pattern like we saw over the last couple of years, or do you see certain renewals kind of shifting between first half and second half?

Joo Mi Kim (CFO)

Yeah. I would say assume the same seasonality as the prior year.

Yun Kim (Managing Director)

Okay. Great. Thank you so much.

Operator (participant)

The next question comes from Rob Owens with Piper Sandler. Your line is open.

Rob Owens (Managing Director and Senior Research Analyst)

Yeah. Good afternoon. Thanks for taking my question. Just a quick one on geographic mix. I guess more so from the standpoint, if I look over the last year, North America has been very soft for you guys, growing low to mid-single digits, while internationally, you've actually put up some pretty reasonable results. Can you just parse your success internationally and why domestically it's been so difficult for you guys? Thanks.

Sumedh Thakar (President and CEO)

I would say at the high level, international tends to be more partner-oriented business. As we are focusing more on working with our partners and channel partners and moving business with them, we're naturally seeing a little bit more success where already it's a much more partner-oriented thing. I think we do see opportunity for continuing to improve our execution in North America with our partners.

That is where part of the MROC services and aligning up with creating abilities for them to be able to provide more services around Qualys can be that sort of a catalyst that we are working with them to see if, as we bring our existing direct accounts in North America to them, how do we do a gift-to-get where they're able to bring us additional new business that we do not have today in return for moving some of these customers to them. Those are the motions that we are going through right now, and we are looking forward to executing on some of these and improving how we can get this business in North America as well.

Rob Owens (Managing Director and Senior Research Analyst)

Thank you.

Operator (participant)

Our next question comes from Oscar Saavedra with Morgan Stanley. Your line is open.

Oscar Saavedra (Equity Research Associate)

Hi. Thank you for taking my question, and congrats on a great quarter. Joo Mi, regarding partners, can you give us an update on performance in terms of lead generation and pipeline generation? How has that been tracking against your internal expectations? When we think about the guidance, to what extent is it assuming that that continues to improve, or is it assuming still similar to what you're seeing in the current quarter? Thank you.

Joo Mi Kim (CFO)

Yeah. We've been satisfied with the progress that we've been making on the partner side. Relative to the direct business, we've seen pipeline increase, success in increasing the deal reg. In our guidance, what we're kind of assuming is not a meaningful improvement from what we see today. It's kind of stay the course, given that we are expecting an increase in budget scrutiny given the macro. We've adjusted. We've taken that into consideration when setting guidance. With that said, we are very happy with the progress that we're making with partners. We kind of are hoping that once the macro improves, we will see meaningful improvements there.

Oscar Saavedra (Equity Research Associate)

Very clear. Thank you very much.

Operator (participant)

There are no further questions at this time. This does conclude the Q&A session and today's conference call. Thank you for participating, and you may now disconnect.

Joo Mi Kim (CFO)

Good.