Sign in

You're signed outSign in or to get full access.

Qualys - Earnings Call - Q3 2025

November 4, 2025

Executive Summary

  • Q3 2025 delivered a clean beat: revenue rose 10% to $169.9M and non-GAAP EPS increased 19% to $1.86; GAAP gross margin expanded to 84% and Adjusted EBITDA margin to 49%. Versus S&P Global consensus, revenue beat by ~2% and EPS beat by ~19% (see Estimates Context).*
  • Guidance raised: FY 2025 revenue to $665.8–$667.8M (from $656–$662M) and FY 2025 non-GAAP EPS to $6.93–$7.00 (from $6.20–$6.50). Q4 2025 guidance: revenue $172–$174M and non-GAAP EPS $1.73–$1.80.
  • Free cash flow inflected: Q3 FCF was $89.5M (53% margin) with $49.4M of buybacks; NRR remained 104% as upsell remained challenging, but channels drove 50% of revenue and international grew 15% YoY (US +7%).
  • Strategic catalysts: accelerating ETM adoption (up to 100% uplift vs VMDR), TrueConfirm exploit validation, QFlex pricing model, and FedRAMP High authorization expanding federal opportunities.

What Went Well and What Went Wrong

What Went Well

  • Strong top-line and profitability beat: revenue $169.9M (+10% YoY), non-GAAP EPS $1.86 (+19%), Adjusted EBITDA $82.6M (49% margin) with gross margin expansion to 84% GAAP/85% non-GAAP.
  • Channel and international momentum: channel mix rose to 50% (from 47%) with partner revenue +17% YoY; international revenue +15% vs +7% in the US.
  • Clear product and platform innovation: management emphasized the transition “from attack surface management to risk surface management using agentic AI-powered proactive risk management”. ETM pricing/packaging refined; “for every $1 of VMDR, ETM can drive an uplift of up to 100%,” with TrueConfirm included to validate exploitability before compromise.

What Went Wrong

  • Upsell traction mixed: NRR held at 104% (unchanged QoQ), as management noted “upsells remained challenging” despite improved gross retention.
  • Macro scrutiny on new business: Q4 guidance assumes continued budget scrutiny; billings expected to finish the year “a few percentage points below the revenue growth rate,” implying ~8% FY current billings growth.
  • Multi-quarter sales cycle evolution: while ETM enables faster POCs by ingesting third-party telemetry, some customers are still budgeting for next year, tempering near-term upsell conversion velocity.
View the full earnings report

Transcript

Operator (participant)

Good day, and thank you for standing by. Welcome to the Qualys third quarter 2025 investor call. At this time, all participants are in a listen-only mode. After the speaker's presentation, there will be a question-and-answer session. To ask a question during the session, you will need to press star 11 on your telephone. You will then hear an automated message advising your hand is raised. To withdraw your question, please press star one oneagain. Please be advised that today's conference is being recorded. I would now like to hand the conference over to your first speaker today, Blair King. Please go ahead.

Blair King (Head of Investor Relations)

Thank you, Brianna. Good afternoon, and welcome to Qualys's third quarter 2025 earnings call. Joining me today to discuss our results are Sumedh Thakar, our President and CEO, and Joo Mi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements, and factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures.

A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks, and investor presentation are all available on the investor relations section of our website. So with that, I'd like to now turn the call over to Sumed.

Sumedh Thakar (CEO)

Thanks, Blair, and welcome to our third quarter earnings call. With threat actors continuing to reduce time to exploit at a fast pace, I believe the future of cybersecurity is moving from attack surface management to risk surface management using agentic AI-powered proactive risk management with business quantification and automated remediation. Against this backdrop, we continue to execute well in Q3, demonstrated by another quarter of solid revenue growth and profitability. Over the last couple of years, I have had the privilege of meeting with hundreds of CISOs, CIOs, and security leaders worldwide. From these conversations, one theme has stood out: the need to operationalize cyber risk management in business terms to align budget spend with business risk. CISOs are looking for a practical approach to consolidate tools where possible and empower their teams to use best of breed where it makes sense.

They want to seamlessly unify their security toolset into a centralized risk fabric that provides an alternative to single vendor platformization by operationalizing the management of multiple risk vectors to effectively measure, communicate, and ultimately remediate the organization's risk posture. The Risk Operations Center ROC, powered by Qualys ETM, delivers on this ask. At our recently concluded ROCON Risk Operations Conference in Houston, where we elevated the business risk conversation to feature a specialized CFO and board track, our customers validated this approach. With the broadening of the agenda for ROCON, the attendance was up 20% over last year's QSC event. While traditional security operations centers focused on detecting breaches after they happen, Qualys is pioneering the first agentic AI risk operations center ROC, a new category in cybersecurity designed to centralize an organization's response to threats before they impact the business.

Powered by our ETM solution, the ROC processes several petabytes of high-fidelity data every day, normalizes and correlates intelligence from both Qualys and non-Qualys sources, and equips AI and humans to collaborate in real time, detecting and responding to threats at machine speed. This isn't about more alerts; it's about actions that close blind spots before attackers can exploit them. Unlike traditional continuous threat exposure management CTEM tools that simply highlight the exposure but lack adequate native remediation capabilities, our differentiated ETM solution combines CRQ, CTEM, and native remediation operations to fix the risks that matter most quickly and at scale. By aligning security and IT decisions directly with business priorities, we are providing organizations with measurable proactive risk reduction that boards and customers value.

Early adoption is already validating the model, with POCs continuing to convert to commercial deployments, underscoring both the scale of this opportunity and its parallels to the early days of VMDR. And we're not stopping there. Our R&D engine is continuing to deliver innovations, rapidly expanding our platform and positioning Qualys for a larger upsell opportunity. In doing so, Qualys is now extending several proven modular native capabilities into ETM, empowering organizations to harness them seamlessly across their entire attack surface. By demonstrating, by democratizing trillions of security exposures from both Qualys and third-party tools, including vulnerabilities, misconfigurations, and identities aggregated by our ETM solution, we are unleashing a sophisticated predictive platform that leverages a combination of Qualys through its framework, our TrueLens threat management capabilities, and a mission-ready agentic AI workforce operating autonomously from discovery to remediation with full ITSM integration.

This unique combination of capabilities identifies trending threats in real time, benchmarks risks against peers, assesses organizational impact, and quantifies risks in clear, actionable terms that matter most to the business. As a result, security and IT teams can continuously prioritize, ticket, and remediate threats based on organizational risk associated with emerging exposure targeting specific industries, asset types, and identities. We believe these most recent additions to our ETM solution further advance our differentiation in the market, enhance security operations, and significantly accelerate measurable outcomes for customers. Next up for our ETM solution, I'm particularly excited about yet another pioneering capability from Qualys, TrueConfirm. TrueConfirm flexes the power of our platform to confirm exploitability before customers become compromised.

Using automated validation at scale, we remove the guesswork for customers by running safe exploits over the network to confirm whether the attackers will succeed in their breach attempts while closing the gap between theoretical and actual exposure. This approach further allows customers to be laser-focused on prioritizing only exploitable blind spots for the next logical step, which is automated remediation with TrueRisk Eliminate. Our industry-leading capabilities are increasingly being recognized by our customers, partners, and third-party analysts. Specifically, at Black Hat, Qualys won two Pwnie Awards for our outstanding contribution to threat research underpinned by our strong leadership in threat intelligence and triage. Equally important, GigaOm recognized Qualys as the leader in patch management, a market Qualys pioneered with over 140 million patches deployed in the last year alone. While some competitors are only beginning to validate this strategy, Qualys has advanced well beyond patching.

TrueRisk Eliminate closes the unpatchable gap, enabling IT and security teams to automate an array of compensating controls when patches are deemed too risky to deploy or simply not available. And with adversaries increasingly exploiting vulnerabilities at AI speed, our umbrella of AI-based automated remediation solutions has evolved into a significant adoption layer, a distinctive competitive advantage, and opens new market opportunities for Qualys. Moving on to our business update. With customers spending $500,000 or more with us, growing 5% from a year ago to 211, let me share a couple of recent wins which illustrate why our organization is ready to centralize the response to cyber risk at turning to Qualys to help unify their security tools, quantify and remediate risk in their environments, and fortify their security operations.

In Q3, one of my favorite wins was with a global 700 customer that was previously only using Qualys for PCI scanning. This customer, like many organizations, were buried under fragmented telemetry manual spreadsheets and disconnected tools. With little automation, their teams were spending more time documenting than reducing risk and, consequently, were burdened by an onslaught of compliance audits. This customer chose Qualys to transform siloed risk signals, spanning code repositories, endpoints, identity, cloud, container, and network assets into a cohesive real-time risk management solution by consolidating Qualys and non-Qualys data. This included replacing their existing vulnerability management vendor and purchasing three additional Qualys modules, including ETM, to begin operationalizing their risk operations center with ingested third-party data, resulting in a mid-six-figure annual bookings upsell.

By consolidating these data sources into Qualys platform, we are delivering this customer a vendor-agnostic orchestration layer with full visibility of their attack and risk surface, centralized risk management, quantification, prioritization, and remediation, while unleashing the operational efficiencies of security stack consolidation aligned with acceptable risk parameters for the business. With our innovative technology, unmatched platform effect, and focus on reducing risk and friction, this underscores Qualys's ability to eclipse legacy siloed solutions and advance our leadership in the industry. It's also an outstanding example of how we are working with our managed risk operation MROC partners of choice to activate the ROC with new win business. For the next phase, this customer is evaluating our TotalCloud CNAPP solution and TrueRisk Eliminate solutions while also bringing additional third-party tools into Qualys platform, representing a significant upsell opportunity.

Further leveraging our MROC partner ecosystem to drive new logos was a new six-figure customer win with a major airline in the Middle East. This customer chose Qualys because of our unified detection and remediation capabilities with TrueRisk Eliminate. Nearly nine months after announcing GA with our ETM solution and over 28 POCs converting to commercial success already, we have gained valuable insights into ETM pricing and packaging. As a point of reference, we expect that for every $1 of VMDR, ETM can drive an uplift of up to 100% now that ETM will include cybersecurity asset management as well as other ETM feature enhancements such as those mentioned earlier and third-party data ingestion.

Given this, starting with our Q1 2026 earnings call, we will shift from reporting cybersecurity asset management LTM bookings to ETM customer penetration, as we believe ETM will be evolving into a key pillar of growth for Qualys over the next several years. Turning to our federal business, we achieved a high six-figure upsell with an existing large government agency. This customer had previously used multiple legacy and next-gen tools to manage a variety of risk management use cases across their security IT and DevOps team. In addition to the complexity of using multiple point products, this government agency has become increasingly frustrated with increasing costs associated with legacy on-prem deployments, the inefficiencies of operating siloed systems, and elongated remediation efforts.

With a distinct need to shift several monolithic workloads to micro-application across its hybrid environment on a FedRAMP High solution, this customer accelerated the consolidation of its security stack over 17 Qualys modules, including VMDR, Cybersecurity Asset Management, Total AppSec, TotalCloud, TrueRisk Eliminate, and Total AI. Today, this customer is leveraging a unified dashboard that provides them with a greater insight and automation than any of the competitive products they evaluated, while taking full advantage of the speed and scale of the cloud-native platform. This, alongside a significant seven-figure state win, is a testament to the strength we see in our federal, state, and local government business and the long-term growth potential of the market. Beyond these wins, we are also increasingly gaining leverage from our partner ecosystem. In Q3, partner-led deal registration increased, demonstrating the success of our partner-first sales motion.

In addition, we have now certified nearly a dozen partners who are actively launching MROC services, leveraging ETM to deliver centralized automated pre-breach risk management. Momentum is building towards a global ROC alliance, and we expect to certify additional strategic partners in the coming months ahead who are committed to positioning Qualys as their MROC partner of choice. Further contributing to our platform growth is our flexible platform pricing model, which we are calling QFlex. We beta-tested QFlex in Q3 to help customers accelerate and maximize the adoption of the Qualys Enterprise TruRisk Platform. In less than a quarter after introducing this model, we're seeing notable customer interest and tremendous success. To give you an example, an existing Global 10 customer made a multi-year commitment under our QFlex program, increasing their annual bookings by over 50% while adding new modules to their subscription count with Qualys.

This win reflects our growing capabilities in risk management, and we expect the contribution from QFlex to continue to grow. In summary, our continuous innovation, early ROC deployments, strategic wins with federal customer and state agencies, momentum in partner-led initiatives, and the initial adoption of QFlex collectively underscore Qualys's strength in unifying risk management workflows, reducing operational complexity for customers, and addressing today's toughest security challenges. We believe these achievements not only validate our ongoing investments but also position Qualys as a trusted leader in pre-breach risk cyber risk management, setting the stage for durable growth and long-term success. With that, I will turn the call over to Joo Mi to further discuss our third-quarter results and outlook for the fourth quarter and full year 2025.

Joo Kim (CFO)

Thanks, Sumedh, and good afternoon.

Before I start, I'd like to note that, except for revenue, all financial figures are non-GAAP, and growth rates are based on comparison to the prior year period unless stated otherwise. Turning to third-quarter results, revenues grew 10% to $169.9 million. The channel continued to increase its contribution, making up 50% of total revenues compared to 47% a year ago. Revenues from channel partners grew 17%, outpacing direct, which grew 5%. As a result of our strategic emphasis on leveraging our partner ecosystem to drive growth, we expect this trend to continue. By GEO, 15% growth outside the US was ahead of our domestic business, which grew 7%. US and international revenue mix was 56% and 44%, respectively. In Q3, gross retention continued to improve. However, upsells remained challenging with our net dollar retention rate at 104%, unchanged from last quarter.

In terms of product contribution to bookings, Patch Management and Cybersecurity Asset Management combined made up 17% of total bookings and 28% of new bookings on an LTM basis. Our cloud security solutions, TotalCloud CNAPP, made up 5% of LTM bookings. Reflecting our scalable and sustainable business model, adjusted EBITDA for the third quarter of 2025 was $82.6 million, representing a 49% margin compared to a 45% margin a year ago. Operating expenses in Q3 increased by 5% to $64.9 million, driven by investments in sales and marketing, which grew 9%. As we remain focused on driving growth, we are mindful of where to further increase investments while optimizing returns in others, which resulted in an EBITDA margin exceeding our expectations in Q3. This demonstrates our ability to maintain high operating leverage, remain capital-efficient, while continuing to innovate and invest to support our long-term growth initiatives.

With this strong performance, EPS for the third quarter of 2025 grew 19% to $1.86. Our quarterly free cash flow was $89.5 million, representing a 53% margin compared to 37% in the prior year. Year-to-date free cash flow margin was 46% compared to 42% in the prior year. In Q3, we continued to invest the cash we generated from operations back into Qualys, including $901,000 on capital expenditures and $49.4 million to repurchase 366,000 of our outstanding shares. Since commencing our share repurchase program in February of 2018, we've repurchased 10.4 million shares and returned $1.2 billion in cash to shareholders. As of the end of the quarter, we had $205 million remaining in our share repurchase program. With that, let us turn to guidance, starting with revenues.

For the full year 2025, we expect revenues to be in the range of $665.8 million-$667.8 million, which represents a growth rate of 10%. This compares to prior guidance of $656 million-$662 million. For the fourth quarter of 2025, we expect revenues to be in the range of $172 million-$174 million, representing a growth rate of 8%-9%. While we believe our platform approach to cyber risk management provides some insulation amidst macro volatility, this guidance assumes continued budget scrutiny in a challenging environment for new business growth in Q4. Shifting to profitability guidance, we expect full year 2025 EBITDA margin in the mid to high 40s, and a free cash flow margin in the low 40s. We expect full year EPS to be in the range of $6.93-$7, up from prior range of $6.2-$6.5. For the fourth quarter of 2025, we expect EPS to be in the range of $1.73-$1.80.

Our planned capital expenditures in 2025 are expected to be in the range of $5.5-$7 million, and for the fourth quarter of 2025, in the range of $1.2-$2.7 million. With that, Sumedh and I would be happy to answer any of your questions.

Operator (participant)

Thank you. At this time, we will conduct the question-and-answer session. Please stand by while we compile the Q&A roster. Our first question comes from Roger Boyd of UBS. Your line is now open.

Awesome. Thanks for taking the questions and congrats on a nice quarter. Sumedh, can you just double-click on some of the pricing you mentioned around ETM earlier? I just wanted to be clear on that 100% upsell metric. Is that inclusive of what you have with cybersecurity asset management and patch?

Roger Boyd (Executive Director)

And just now, with the kind of packaging sort of figured out on that product, just your confidence in kind of the ability to start driving better upsell moving forward? Thanks.

Sumedh Thakar (CEO)

Yeah, that's a great question. So, from the way the pricing, we're looking at it is the ETM pricing is going to include cybersecurity asset management because, as we talk to our customers, for building any risk operation center, the foundation is asset inventory, and without that, you cannot succeed. And so that was a big feedback that came about. So that's included. What we have added also is the agentic AI capabilities for them to be able to augment their security team with AI agents so that they can really manage outcomes for cybersecurity within their spend and optimize because everybody's being asked about how they're optimizing their spend, even in cyber.

And the ability to have very focused threat intel that will allow them to validate exploits. So that's included. The upsell that we look forward to is then once they have used ETM to be able to get the inventory to be able to confirm that the exploit can work in their environment, then they purchase TrueRisk Eliminate, which includes patch as an example and mitigation, so that they can get that particular thing actually remediated. Because at the end of the day, we can create all kinds of visibility, but given that attackers are exploiting vulnerabilities, if you saw the recent Mandiant report in minus one day on an average, which is even before patches are coming out, the key is going to be about being able to remediate things and mitigate things even if you don't have a patch available.

So the pricing, to answer your question, is 100%. Up to 100% is what we see with the addition of VMDR ability to bring in CSAM, agentic AI, as well as ability to confirm exploitation. And then from there, the upsell will be they can upsell to eliminate so that it allows them to do more in terms of actually getting an outcome.

Roger Boyd (Executive Director)

Really helpful. Thanks for the call.

Operator (participant)

Thank you. Our next question is from Patrick Colville of Scotiabank. Your line is now open.

Patrick Colville (VP and Equity Research Analyst)

Thanks for taking my question, guys. I guess I want to ask two parts. One is on the Fed. I know the Fed is a more nascent notion for Qualys, but what are you guys seeing in the Fed, especially kind of in the first couple of weeks of 4Q, given the shutdown?

And then the other question I'd like to ask is about the competitive environment. And the reason I ask this one is it's the one we get most from investors. And it's like, is the competitive environment changing for Qualys given noise from vendors like CrowdStrike and others who are claiming to be entering the space and winning shares? So are you coming up against different companies now versus a year ago? And results speak for themselves, win rates seem high, but can you talk to that as well? Thank you.

Sumedh Thakar (CEO)

Yeah, that's a two-part question. So let me stay focused to answer both of them. So first one is on the federal side. As you already know, we're at our very, very early innings, and we made the investment and the commitment to get FedRAMP High, which has really created very, very powerful conversations.

I mean, I had the pleasure of actually being out in DC and having some very critical meetings there to start to have the conversation around Risk Operations Center, how it can help the government and essentially bring efficiency. And so you kind of have the DOGE, which is, of course, that is driving people to think more of efficiency in terms of how they can consolidate different things. And that's where the Risk Operations Center, as a way to eliminate fixing things that don't really matter to the risk, has really resonated well with our federal customers. Today, it's not just the spend of the tool; it is the amount of spend you put in remediating things that the tool is telling you, which is a waste of time and money if those things are not even exploitable.

So for us, what we are seeing is it's very exciting early conversations. We see lots of opportunities over the next few years. Of course, when you have the current scrutiny that is going on, sometimes people are taking a bit of a wait-and-watch opportunity. In other cases, we're actually seeing opportunities coming to us because of the focus on being able to be efficient in terms of the Risk Operations Center. So it's a mixed bag, but overall, from what we see right now, we don't have as much exposure for revenue to that. But we do see that this is an area that we have committed to invest over the next few years, and FedRAMP was our first step. And now, with our focus on the conference we did in DC, we are going to continue to invest in the federal space moving forward.

On the vulnerability management and competition side, I think I was really excited to see that Qualys got the leader position in GigaOm's patch management above many of the other vendors that have been out there. Because really, with what we have been seeing and what I saw a few years ago and why we have been talking about how vulnerability management is evolving, less about detecting more and more CVEs. Most people are barely fixing 5% of the CVEs that are being discovered because it's creating so much noise. So while there are other players that talk about discovering more CVEs, the focus for Qualys and what we are doing with the risk operation center has been about how we are helping customers really narrow down. And we did that at our conference.

ROCON Conference, where we showed a nice little representation of how 62 million findings after applying the right agent and threat intelligence went down to 2 million findings that really mattered in terms of any risk. And then further, after applying business context, went down to only 300,000. And so our focus has been shifting towards how do we help the customer actually pinpoint exactly what matters from a threat intel perspective, but then also how can we help them immediately fix it? Because if attackers are attacking things in four hours, you don't have time to go and create JIRA tickets and ServiceNow tickets and wait for other teams to use different patching solutions and different mitigation solutions to do that. And so what we're doing now, what we're seeing is really an evolution of that is customers really like our capabilities, accuracy of detection, etc.

But we have also opened up the platform now with ROC to be able to ingest data from other areas like OT or other EDR tools that might be collecting CVEs so that we can help customers actually narrow down that focus of what really matters. And the key exciting thing is for them to be able to get things fixed with Qualys, which is something that—and validating the exploit and then getting it fixed with Qualys is what is focused for most of our customers right now. So primarily, we see Tenable, Rapid7. Yes, occasionally we see some of the other tools that are talking about giving more CVEs, but customers are focusing more on how do we get the key things remediated quicker rather than discovering more, which they are not fixing anyway.

Patrick Colville (VP and Equity Research Analyst)

Thank you, Sumedh. That's super helpful. Thank you.

Operator (participant)

Our next question is from Mike Sickles of Needham. Your line is now open.

Great. Thanks for taking the questions, guys. I just wanted to double-check. And congrats on the quarter here. Was there any one-time benefits to revenue or CCB that we need to take into account on our side? And then secondly, as a follow-up. Jimmy, great to see the results. Net dollar retention obviously remains here at 104%. What needs to happen for that net dollar retention to actually start ticking up from where we are today? Thank you.

Joo Kim (CFO)

Yeah. With respect to CCB, nothing specific to call out. It was a solid quarter. As usual, you do get some benefits or negative impact from either Fed or Renault, but nothing material that we think that's specific to this quarter. So it was really a solid growth quarter from an execution standpoint.

Net dollar expansion rate, we'd love to get that up from 104% and upward. And this is part of the reason why Sumedh had commented on the fact that we've been really focused on making sure that we're delivering the message in terms of how ETM could be beneficial to our existing customers as well as new prospects. And so as we look to the quarter of customers that are up for renewal in each respective quarter, we're making sure that they understand the value that they could potentially see from. Whether they're looking to upsell from CSAM to ETM or cross-selling with adding ETM to their existing VMDR solution. We think that that could be a meaningful impact to our net dollar expansion rate.

Thank you so much.

Thank you.

Operator (participant)

Our next question is from Kingsley Crane of Canaccord Genuity. Your line is now open.

Kingsley Crane (Equity Research Senior Analyst)

Hi. Thanks for taking the question, and congrats on a really great quarter. If we think about agentic AI within the risk operation center, total AI within VM, and then the CNAPP suite, that all requires significant development resources. So how are you prioritizing R&D spend across those initiatives, and just what metrics do you use to evaluate resource allocation? Thanks.

Sumedh Thakar (CEO)

Yeah, that's a great question. And I think it's really the focus for us on investment in R&D and sales and marketing, right? And so at the beginning of the year, we started with the plan to hire a CRO from a sales perspective and put focus on hiring more engineers, etc., to be able to deliver on all the capabilities that we're talking about.

And I think as we have, I'm pretty happy with our focused execution, with the level of investments that we have made, and the way Sean, who is our VP of Global Sales, has executed with the team to give us a solid quarter. And so the focus for us now is to really, from a sales marketing perspective, to focus on working with Sean and team so that we can. Get efficiencies from what we are seeing cross-functional between our sales team or product management team, etc. And then. On the R&D side, we have had really good success with leveraging AI internally within our. Own development efforts. And as an example, we have pretty much stopped hiring anybody in QA anymore. We are seeing 20%-25% efficiency gain with our best engineers. And ironically, it's actually the best engineers who are getting the most benefit out of using AI.

And so in a way, with all the things that we are doing with adding AI into the Risk Operations Center, AI is benefiting us in adding those without significant increase in our R&D expense. And so I think at this point, the way we are looking at it is we're going to continue to leverage AI. And of course, we're going to invest back in our business, but no need really at this point for us to look at hiring CRO as the team is executing well focused with what our goals are.

And then on the R&D side, again, we, of course, if you see the innovations that are coming out at a pretty rapid pace, we will, of course, continue to invest in R&D, but it's all going to be looked at from the lens of what kind of investment we will make in terms of people versus AI tools and how those tools are going to give us the required efficiency or, I would say, unexpected efficiency in some cases. And so we're excited about what we're going to be able to do from both adding the Risk Operations Center agentic AI capabilities while internally also using agentic AI across the board, not just in R&D, but also in sales and other areas as well.

Joo Kim (CFO)

And just to add to that, we are extremely focused on making sure that we have the right team structured and the focused areas.

From a product development standpoint, we have different teams working on whether it be total AI or ETM. And because of that, we are continuing to increase the hiring, the R&D, the engineers. It's just that the geographic mix of incremental hires has shifted more to be in India, which has helped from an R&D expense standpoint. But we are making sure that we're working across the different orgs or different functional areas within the engineering team to make sure that we're prioritizing in the right manner.

Kingsley Crane (Equity Research Senior Analyst)

Really helpful. Thank you.

Joo Kim (CFO)

Thank you.

Operator (participant)

Our next question is from Shrenik Kothari of Baird. Your line is now open.

Shrenik Kothari (Senior Research Analyst)

Yeah. Thanks for taking my question and echoing my congrats to the team. Sumedh, the two TrueConfirm announcements definitely sound like a step function moving from, as you said, the risk going to automated exploit validation and at scale. Just curious.

Do you envision this also becoming sort of a pillar like ETM as in monetizing it standalone, or do you think of it as becoming an on-ramp to move customers into broader ETM? And then just with the POCs converting and all the large enterprise consolidations you talked about, how should we think about the ETM trajectory ahead? And I'll quick follow for Joo Mi.

Sumedh Thakar (CEO)

That's a great question. And look, I mean, I think I'll say that at the end of the day, for risk management, you only manage your risk if you have eliminated the right risk, right? Just building dashboards and, as I said, dashboard tourism is not helping with just visibility. And so at the end of the day, for that to happen, you need to have three things.

You need to be able to collect data from multiple sources so you can get a broader picture of the view. And you're applying threat intelligence, and you're seeing some of the traditional CTEM, which has been around for many years. Some of the CTEM solutions are just giving you, "Oh, we consolidated the data, and here it is." And so they are giving you a theoretical view of what might be exploitable in the environment. But we TrueConfirm, included as part of ETM, we are going a step further relative to these CTEM visibility-only platforms, giving them the ability to actually confirm. And that's included as part of ETM. It's not an additional upsell, but that helps us differentiate from the CTEM-only solutions, gives them the ability to confirm in their environment that an exploit actually works.

And then the upsell from there is really, and that's kind of how we look at the beachhead for converting our customers from VMDR to ETM, is that that conversion then will allow us to upsell them to the actual eliminate capability. Because again, like I said, if attackers are looking at starting to exploit vulnerabilities even before patches are being made available. It is really about speed. And so you need to be able to quickly detect the vulnerability. You need to be able to then confirm that it is exploitable in your environment rapidly. And then the next logical step has to be an automated AI-driven fix so that you can get it fixed before the attackers get there. And that's really where the Risk Operations Center is not just a CTEM solution. It really is more than a CTEM solution, which is just giving you dashboards.

Shrenik Kothari (Senior Research Analyst)

Got it. Super helpful. And Jimmy, very quickly, Sumedh mentioned the AI driver for automated remediation and orchestration scale into the model, ROC partner delivery, again, also reducing the heavy lifting internally. Just curious, as partners increasingly monetize these services, how should we think about incremental leverage. And how are we thinking about that? Thanks.

Joo Kim (CFO)

Yeah. I think that ROC will really help us to grow the top line because how we see the new product and value proposition in terms of the customers being able to really see how ETM could help them from a risk management standpoint, they will need assistance from the partners to really make sure that they're implementing the tool they're utilizing in the appropriate way and they're maximizing the ROI from their respective customization that's required from the organizational standpoint.

So with working hand in hand with the partners to help us to accelerate the top line growth for us, we think that we will get some leverage from a margin perspective, but really the unit economics, we don't really see a material shift there. I think we're already seeing some kind of benefit as we continue to shift more of our business to the partner side. And then layering on top that ROC professional services or additional implementation help that the customers might see will help to accelerate that revenue growth and the ETM penetration.

And just to kind of add to what Joo Mi said, I called that out as an example in our earnings call there.

An ROC partner brought this new logo opportunity to Qualys in the Middle East, one of the largest airlines, because they were excited about not because of just the margin here or there. They were excited about the ability to provide high-value risk management services to their customer if they brought that customer to Qualys versus just selling them some other VM scanner that would just give them more findings. And they would have to do a lot of work to provide value on top of that. So that strategy around ROC partners are bringing not just ETM, but they're also bringing us other customers, other deals with the understanding that these engagements with Qualys will lead to services revenue for these companies.

Shrenik Kothari (Senior Research Analyst)

Great. Thanks a lot, Sumedh. Joo Mi, appreciate it.

Operator (participant)

Thank you. Our next question is from Junaid Siddiqui of Truist Securities. Your line is now open.

Junaid Siddiqui (Equity Research Analyst)

Great.Thank you for taking my question. As you pivot more into a platform play, are you seeing any changes in sales cycles from customers?

Sumedh Thakar (CEO)

I mean, I think nothing notable to call out for. I think on the good and bad, right, at times for us to be able to show the value of the platform by ingesting data from tools that they already have. Can be a win instead of saying you need to do a deployment of our agents and scanners everywhere to see the value that Qualys brings. And then the pricing can allow them to think about maybe eliminating the existing solution over a period of time.

And so I think today, I think so far, we are in the early days, but we're seeing, especially with the ROCON conference that we had and the partner advisory—I mean, sorry, the product advisory board where we had a lot of the top banks out there—I think the feedback is a lot of excitement around this risk operation center as a focus area rather than just kind of trying to do a like-to-like scanner to scanner replacement and the time and effort it takes. This is something that they feel like is something that they can justify in terms of moving quickly. Now, of course, it is something that is new. Everybody's looking at it this year. So it is allowing them to figure out how they're going to budget. Some people have the budget now. Some people are looking at it to budget for next year's purchases.

And so, but overall, the conversation has been pretty positive. And I think. The goal for us is to not only existing customers not only bring the Qualys findings into ETM, but that value they get out of that is going to encourage them to bring a lot of other. Findings and other assets that are not currently in Qualys. And so we are seeing that with some of the early adopter customers. They started with bringing Qualys VMDR findings into ETM, but then quickly pivoted after seeing the value to bringing sometimes twice as many assets into Qualys as they had before from other tools, increasing the license count for ETM.

So that's kind of how we're looking at it as we progress, is that it's going to help us be much quicker and POCs, and we don't have to walk away if a customer already has a competing VM scanner. We can actually just ingest the data, show them the value, show them the business value, and then go from there rather than doing prolonged POCs that involve deployment of agents and scanners, which ultimately they see the value in that, but it is sometimes just take a longer cycle. So I think NetNet, I think it's early days. We'll see how it develops. But so far, in the initial engagements we have had, it's been pretty exciting and fairly quick moving.

Junaid Siddiqui (Equity Research Analyst)

Great. Thank you.

Thank you. Our next question is from Joshua Tilton of Wolfe Research. Your line is now open.

Joshua Tilton (SVP, Equity Research)

Hey, guys. Thanks for sneaking me in and congrats on a great quarter. I've been bouncing around a few calls tonight, so I'm actually going to ask a pretty high-level question. And my question is. We have the privilege of covering three publicly traded vulnerability management vendors, and you guys are all kind of growing at different rates. And I guess my question to you is, are the deltas in your growth rates a function of things changing within the VM market, and therefore some of you are growing faster, taking share, growing slower within VM? Or are the delta in the growth rates because some of you have taken these broader platform plays and you have these non-VM products that are separating the growth between these three players?

And if it's the latter, I guess, can you just help us understand which of the non-VM products for you are really driving the separation and growth that we're seeing at Qualys versus some of the other players? Thanks.

Sumedh Thakar (CEO)

I would just say that some of us just have an awesome organic platform. That's why we are growing at a different pace. But having said that, I think the. Look, I think we've talked about this for a few years. VM has been changing, and people are less focused on just scanning and more focused on prioritization, remediation. That's why we pivoted towards, if you recall, patch management a few years ago, and we got GigaOm giving us that number one spot in their analysis for Qualys, which was a great achievement for us just within four years, getting to number one over established players.

We're also pivoting more with ETM towards the ability to not only collect data from multiple tools as well as our own tools, but also ability to prioritize with threat intel. We have award-winning threat intelligence, so we talked about that. And then the ability for us to actually confirm the vulnerability is exploitable by exploiting it and then getting it fixed. And so what we are seeing, and we have been reporting on how eliminate patch management has been growing as a percentage of our LTM bookings. And then we also talked about now about our focus on ETM and how starting at the earnings call for Q1, we're going to focus more on the penetration for ETM within our customer base, which is elevating from VMDR to ability to give them a broader risk operation center.

And then the upsell from that is going to be the eliminate capabilities to get things fixed. And so with the engagement that we have with our customers, there is a big focus from customers on a business alignment of cybersecurity spend, the ability to look at risk from a business perspective. And what we are doing now and the organically developed platform that we have that integrates so many different things together, I think, is helping customers get a very quick and simplified view of their actual risk and the ability to actually remediate before attackers get there versus competitors have multiple acquisitions with multiple separate tools that don't really work with each other, and they're not able to get that kind of response that we are able to give very quickly whenever there is something going on. And that's the feedback that we have been getting from customers.

Joshua Tilton (SVP, Equity Research)

Sumedh, you had me at organic platform. But maybe just a follow-up for Joo Mi. If I missed it, I apologize. But any way to think about how we should expect billings growth to finish or current billings growth to finish this year?

Joo Kim (CFO)

Yeah. I think that Q4, because it was a very strong quarter, a tough compare for last year, we do expect current billings to be a few percentage points below the revenue growth rate ending the year. So maybe to think about it from the 2025 full year current billings growth at around 8%.

Joshua Tilton (SVP, Equity Research)

Super helpful. Thank you.

Operator (participant)

Thank you. Our next question is from Jonathan Ho of William Blair. Your line is now open.

Hi. This is Garrett Brookman for Jonathan Ho. Thanks for taking my question.

I was just wondering if you could walk us through how you're thinking about contribution from your new and continued product innovations, including AI and new modules around VMDR. And our ROC versus just continuing to upsell and cross-sell your existing install base. And also, can you just talk about how customer conversations are going with your our ROC solution at this point and just what traction you're getting there? Thanks.

Sumedh Thakar (CEO)

Sorry, I think at the first part of the question again, so you're asking for contribution from other?

Yeah. Yeah. Like new modules and new customers versus upselling your existing base and your existing modules?

Yeah. Look, I think every customer is a different part of the journey, so we don't really break it out by individual modules. I think we have been giving color on the contribution of TotalCloud, which is our cloud-native CNAPP solution.

We're happy to see the progress it is making in the early days, but it was 5% of the bookings for the quarter. And then we've called out patch management and cybersecurity asset management, which has been the focus for us the last couple of years, and we're happy with the penetration there. But we're also now pivoting more towards the Risk Operations Center ETM solution that we talked about. And our goal is going to be just like we did from VM to VMDR a few years ago, really up-level our customers from VMDR to ETM solutions, which we have a very nice existing install base of vulnerability management customers that we can work on upselling them and cross-selling them to ETM, which, by the way, will include cybersecurity asset management already.

And then next step of all that will be upselling them to the Eliminate solution to actually get things fixed. And so conversations have been super positive around Risk Operations Center. As I said in the earnings script, one of the big differentiators for us has been the CRQ and the business focus on risk management rather than just giving technical scores. And that was underscored at our ROCON conference in Houston, where we added a business track, separate business track for cybersecurity, which had sessions with CFOs and board members and insurance companies. And actually, because of that, we had a 20% increase in attendance because people were really focused on making sense out of from a business perspective. The conversations with customers around Risk Operations Center and ETM solution from Qualys has been that they really like that we're not just a CTEM solution giving them dashboards.

We're actually natively fixing issues for them rapidly, as well as we're giving them AI-based intelligence around the business. And for their particular industry, what is the risk of a ransomware? How much money could they lose? Why should they fix this particular vulnerability versus not fix another vulnerability? So it's been very positive feedback, and we're excited about that. And so I think as we get into the next year, we are really putting a focus on ETM. And as part of that, we have made some internal promotions to align well with our go-to-market strategy there with product management and Jonathan oversees. So really working on helping us as a GM for our risk operation solutions to really bring all of our teams to executing more towards ETM and getting the benefit out of upselling our customers to ETM.

And that's what we've seen in the Q1 earnings call. We'll be starting to focus on the opportunity ahead of us. In addition, of course, one of the reasons is there's a lot of CNAPP solutions out there. We see the resonance - what is resonating with customers with our CNAPP solution is not so much individual features, but it is, again, the ability to bring the cloud risk as part of the holistic business risk. And so, yes, other CNAPP solutions can tell you how many open buckets that you have out to the public. But if you ask them, "What does that mean in dollar value loss to your company if one of them is compromised?" They don't have answers to that. And so, our cloud security solution is actually integrated from a risk perspective to give that business quantification.

And that's the feedback that we're getting from customers. And so, as I look into next year, our focus is going to be on ETM as the big focus to cross-sell our customers. It's going to be continued investment for long term in the federal market, focus on the continued innovation that we have with the eliminate capabilities. And then all of that is going to be underpinned by our work that we are doing with MSSP partners, which I think is going to contribute even more to escalate our business in 2026.

Operator (participant)

Thank you. Our next question is from Joseph Gallo of Jefferies. Your line is now open.

Hi, guys. This is Anik Bamonon for Joe Gallo. Really strong quarter. Can you just share some color on where exposure management is in terms of budget prioritization in 2026? And can we expect billings to track in line with your noted 8% for 2025?

Sumedh Thakar (CEO)

I think I'll answer the first part. We're seeing definitely customers are looking to invest in proactive risk management solutions. And as I said, the risk operation center, where exposure management is part of that and business quantification, with the feedback and response that we're getting from customers, this is definitely an area that they are focusing on in all the conversations that we had this year. I think a lot of customers see the risk operation center and the security operation center, ROC and SOC, kind of working closely with each other because there is a lot of fatigue currently on the SOC side because of too many alerts. And the feeling is that if they can focus on.

Better prevention in the first place, that can reduce the number of alerts and reduce the fatigue that they see in the SOC. And people are looking to balance in the early conversations. While I don't have an exact percentage right now, we will see how it evolves in next year. People do talk about balancing their cybersecurity budgets between proactive risk management versus just reactive after the fact when somebody is in your network. And a lot of that has happened in the past. And ultimately, you cannot do away with one or the other. You need both so that you can proactively reduce risk while having the monitoring needed if there is a compromise to block that.

But there is definitely a focus on customers to prioritize the split between those because, again, if they don't prioritize what they're fixing accurately, then they're asking and wasting their IT team's resources and fixing things that don't actually matter while at the end getting more alerts in their SOC. So from that perspective, we are seeing conversations around the risk operation center and where exposure management is one part of that are definitely trending where customers are liking this ability to think about how much they spend in proactive risk management in terms of business risk and how much risk they would have, which is what I talk about in my keynote as well at ROCON. It's moving from attack surface management to risk surface management.

You can spend a lot in covering your attack surface, but if the risk of loss was only $50,000 and you spend $500,000 to your attack surface, that's not a great business equation. So that's what we are hearing and seeing from our customers. In terms of billings.

Joo Kim (CFO)

No, I think that 8% that we believe that we'll be able to achieve in 2025 for the full year is on track.

Thank you.

Operator (participant)

Thank you. Our next question is from Rudy Kessinger of D.A. Davidson. Your line is now open.

Rudy Kessinger (Managing Director, Senior Equity Research Analyst)

Hey, great. Thanks for squeezing me in here. Just a clarification on that last question, Jimmy. You said that 8% billings for this year is "on track." Is that to imply that you think you can do 8%-ish again next year, or can you just clarify that, please? Yeah.

Joo Kim (CFO)

So right now, I mean, billings has a tendency to be very lumpy. So for this year, we think that we're going to end the full year at 8%, which implies a lower current billings growth rate for Q4, given the tough compare to one year ago. In terms of next year, it's a little too early to tell in terms of 2026, what we think that we'll be able to achieve. A lot of it will depend on what we'll be able to close the year at when it comes to the net dollar expansion rate. And we are. Monitoring very closely in terms of the newer product adoption to give us a better sense and clarity into what we think that we should be anticipating for 2026 growth rate.

Rudy Kessinger (Managing Director, Senior Equity Research Analyst)

Got it. Okay. And then you guys have had some pretty decent results the last few quarters now.

Growth has been stable at 10% the last four quarters, I believe, on revenue. You've got NRR stable at 104%. I guess what would you need to see to maybe give you guys confidence in maybe declaring that you can deliver stable 10%-plus growth over the next couple of years?

Sumedh Thakar (CEO)

Well, we're certainly working towards that. I think the key growth vectors we see right now are converting our VM customer base to VMDR customer base to ETM is an area of focus, creating upsells with Eliminate on that. We continue to see a lot of interest for our cloud security solution. And I think with long-term federal opportunity that we are focusing on we have really good conversations with the Risk Operations Center on the federal side as well.

I think those are the areas that we continue for sort of short-term, medium-term, and long-term growth, which is, again, underpinned by our focus on ROC partnerships. But we're really laser-focused next year on our VMDR to ETM conversion and the upsells with Eliminate.

Operator (participant)

Thank you. Our next question is from Yoon Kim of Loop Capital Markets. Your line is now open.

Yoon Kim (Managing Director)

All right. Great. Congrats on a solid quarter, Sumedh. On the Enterprise TruRisk Management ETM is that primarily a big deal sales motion, or is it just a combination of a bunch of products that could be purchased and deployed in multiple phases and collectively that could lead to 100% uplift over time? Just want to get a better understanding of that 100%-plus uplift commentary.

Sumedh Thakar (CEO)

Yeah, I think we feel with the early response from customers, we feel like we can hold up to, of course, 100% of the VMDR because we're adding them, we are providing them AI capabilities, agentic AI capabilities, marketplace built-in where they can essentially bring on an AI agent as part of their team for four weeks as they're focusing on an audit or for three weeks as they are triaging their ransomware-related vulnerabilities. And so CSAM is also included in that. Ability to test exploits is also included in that. And so we feel like that's something that is going to be helpful for customers. Primarily, it is VMDR, CSAM, plus all the new capabilities that are highlighted are what is focused on that.

Now, we also talked about QFlex, and I think a lot of this is going to go hand in hand as we start seeing scale next year. A lot of these customers who are looking to buy ETM are also going to be interested in our Eliminate platform and also be interested in cloud. And so. QFlex is what we talked about is from our ability to provide them a way to try and use different Qualys modules that make sense to them instead of having to go through multiple purchase cycles through the year. And we are going to see a combination of the QFlex pricing with ETM cross-sells are the focus for us as we get into next year.

Yoon Kim (Managing Director)

Okay. Great. Looking forward to ETM adoption next year, given that it sounds like it's going to have a big impact.

Just Sumedh, you haven't done any acquisition in a while or anything sizable. If you can just give us an update on your view on acquisition strategy. Obviously, you guys are performing very well. The business overall is stable. You got this ETM kicking in starting next year. Obviously, you're very proud of your organically grown platform, but you must see a strategic opportunity to expand your offering to get to that place faster than organically. Are you tempted at all given how dynamic the market is evolving?

Sumedh Thakar (CEO)

Look, we are always open to all kinds of different opportunities to look at organic small acquisition, some larger acquisition potential as well. That makes sense. We definitely come more from we want to give our customer an organic experience with the platform.

Having said that, we have done tuck-in acquisition in the past where if there is a fit with our platform, we're not shy of looking at something larger. But currently, with the way we are executing, focusing, and one of the things that happens with ETM now is that we are able to increase the asset count that the customer has with Qualys by actually bringing data from other tools and may not necessarily need them to essentially buy that particular capability from Qualys as an example, right? Like now with IAM identity solution as an example that we have as part of ETM, we can pull in identity from Okta and AD and others, and we don't necessarily have the customer to us to maybe acquire an AD security company. We can work with companies out there while that increases the asset count in Qualys.

And so these dynamics keep changing, and we see efficiencies coming out of AI. We are seeing ability for us to look at various players in the market, how they are doing. And we continue to stay focused on our roadmap from an organic experience for our customers while also keeping an eye on the industry and looking at whether it's going to be a smaller or a larger acquisition. We're definitely continuing to be open to that.

Yoon Kim (Managing Director)

Okay. Great. Thank you so much.

Operator (participant)

Thank you. This now concludes the question-and-answer session. Thank you for your participation in today's conference. This does conclude the program. You may now disconnect.

View Q3 2025 Earnings Summary