Qualys - Q4 2025
February 5, 2026
Transcript
Operator (participant)
Ladies and gentlemen, thank you for standing by. Welcome to Qualys's fourth quarter 2025 investor call. At this time, all participants are in a listen-only mode. After the speaker's presentation, there will be a question-and-answer session. To ask a question during the session, you will need to press star one one on your telephone. You will then hear an automated message advising your hand is raised. To withdraw your question, please press star one one again. Please be advised that today's conference is being recorded. I would now like to turn the conference over to Blair King, Investor Relations. Please go ahead.
Blair King (Senior VP of Investor Relations)
Thank you, Michelle, and good afternoon, and welcome to Qualys's fourth quarter 2025 earnings call. Joining me today to discuss our results are Sumedh Thakar, President and CEO, and Joo Mi Kim, our CFO. Before we get started, I'd like to remind you that our remarks today will include forward-looking statements that generally relate to our future events or future financial operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures.
A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release, and as a reminder, the press release, prepared remarks, and investor presentation are all available on the investor relations section of our website. With that, I'd like to now turn the call over to Sumedh.
Sumedh Thakar (President and CEO)
Thank you, Blair, and welcome to our fourth quarter earnings call. As threat actors continue to compress time to exploit, we believe the next phase of pre-breach risk management will be defined by an agentic AI-driven risk fabric with out-of-the-box business quantification and automated remediation to respond to the speed of these threats. Against that backdrop, we continue to execute well in Q4, demonstrated by another quarter of strong revenue growth and profitability. In my conversations with hundreds of CIOs and CISOs, as well as security leaders from many of the world's largest and most innovative organizations, one message has remained consistently clear. Reducing cyber risk isn't about detecting more exposures. It's about operationalizing a cyber risk management program that aligns spend with risk tolerance.
In doing so, CISOs are increasingly prioritizing the unification of fragmented security stack into a centralized risk fabric, one that serves as a credible alternative to single vendor platforms by bringing diverse risk vectors into a prioritized, measurable view of risk that their teams can confidently communicate and remediate at machine speed. That message was further amplified at our recently concluded ROCon conference in Mumbai, with attendance up over 30% from last year's event, as we again broadened the agenda to include a business track. And with the advent of AI, which is democratizing cybercrime and enabling adversaries to operate with unprecedented speed and sophistication, this need is only intensifying. As a result, we believe that the future of pre-breach risk management belongs to vendor-agnostic, agentic AI-powered solutions that continuously predict, assess, confirm, quantify, prioritize, and remediate risk across on-prem and multi-cloud environments.
Over the past years, we continue to execute relentlessly towards this vision, delivering meaningful platform innovation to help customers reduce risk faster, operate more efficiently, and stay ahead of an increasingly dynamic threat landscape. Accordingly, in 2025, we broadly expanded the Qualys ETM platform to third-party data and launched a powerful new orchestration layer that unifies Qualys and non-Qualys findings, applies our industry-leading threat intelligence, and delivers a business contextual, quantified view of risk with built-in prioritization and automated remediation. Building on this foundation, we introduced an agentic AI risk fabric that assesses and normalizes diverse internal and external data sources, applications, and machines. We extended these capabilities with a first-of-its-kind agentic AI risk management marketplace, enabling security and IT teams to quickly augment their existing workforce with highly specialized autonomous experts that significantly reduce time to remediation, increase accuracy, and reduce costs.
To further close security gaps, we again organically enhanced ETM with a natively integrated identity security posture management solution at a time when identities have become part of the new AI perimeter. Further flexing the power of our platform, we are now confirming exploits before customers are compromised. While traditional continuous threat exposure management solutions rely on a theoretical risk score and ignore mitigating security controls, ETM takes a fundamentally different approach. On a single platform, it uniquely detects vulnerabilities, validates exploitability, applies remediation, and revalidates exploits using Agent Val, agentic AI workflow. The net result is that Qualys is redefining how organizations manage pre-breach risk management. While competitors continue to focus on detecting vulnerabilities or mapping theoretical exposures, Qualys has moved decisively beyond that model.
We are pioneering the first agentic AI-native risk operation center, ROC, a new category in cybersecurity designed to centralize an organization's response to threats, spanning exploit confirmation to autonomous remediation. Powered by our ETM solution, the ROC presents a fundamental divergence from traditional CTEM tools. Competitors can point to exposures. They can't quantify cyber risk in dollar terms that matters most to the business, and they cannot adequately fix that. ETM fills that gap. This is what sets Qualys apart. We don't stop at detection and non-quantifiable prioritization. We natively integrate CTEM, exploit confirmation, risk quantification, and remediation operations into a single AI-powered workflow, leveraging both Qualys and non-Qualys data sources. In doing so, our architecture orchestrates and implements a perception reasoning action loop, enabling autonomous agents to collect real-time telemetry, reason through risk signals, plan response workflows, and execute actions.
This enables organizations to holistically predict emerging risks across infrastructure, cloud, application security, IoT, and identities, safely confirm probable exploits, prioritize threats based on business impact, remediate through patching or other compensating controls, and verify the effectiveness of the remediated tactic. This end-to-end vendor-neutral approach is catalyzing a paradigm shift in pre-breach cyber risk management, where customers aren't just seeing their risk holistically across the risk stack, they are validating it, quantifying it, and reducing it continuously and autonomously at scale. By aligning security and IT decisions directly with business priorities, we are providing organizations with measurable proactive risk reduction that brings customer value. Armed with this fresh new set of capabilities and early momentum already validating this model, we are now laser-focused on accelerating ETM adoption through our VMDR customer base and positioning Qualys for larger upsell opportunities over time.
Moving to our business update, with customers spending $500,000 or more with us growing 4% from a year ago to 215, let me now share a couple of recent wins, which illustrate why organizations ready to centralize their response to cyber risk are turning to Qualys to help unify their cybersecurity stack, quantify and remediate risk in their environment, and fortify their security operations. First, an existing Global 50 customer was struggling under the weight of multiple unintegrated security tools, millions of vulnerabilities, and limited visibility into the overall risk profile. Traditional prioritization methods were unable to adequately filter critical findings, leaving security and IT teams without the necessary business context to act decisively.
Consequently, this customer selected Qualys and launched a strategic initiative to unify their security stack by transforming siloed risk signals, spanning on-prem and multi-cloud environment into a cohesive agentic AI-native risk management solution. This included expanding the ETM deployment to further operationalize their ROC with ingested third-party data from several sources, resulting in a mid-six-figure annual bookings upsell. By consolidating these data sources into the Qualys platform, we are now delivering this customer a unified orchestration layer and full visibility of their attack surface, centralized risk assessment, quantification, prioritization, and remediation workflows, while unleashing the operational efficiency of the stack consolidation. This expansion of the ROC underscores the power of our platform and reinforces Qualys' ability to unify siloed risk signals, operate as an autonomous defense layer, strengthen customer outcomes aligned to the business risk, business risk tolerance, and advance our leadership in the industry.
Leveraging our mROC partner ecosystem, we are also pulling new business into Qualys. During the planning stages of launching a new ETM POC with a Global 200 company in Latin America, we secured a seven-figure annual bookings upsell, which included our TotalCloud CNAPP and Policy Audit solutions. This win demonstrates the leverage of our partner-led motion and our ability to convert early engagements into meaningful multi-solution growth. Turning to our federal business, we achieved a mid-six-figure expansion with one of the federal government's most visible shared security services, utilized by several large government agencies nationwide. Faced with an overwhelming volume of security issues and limited resources to continuously assess risk across fragmented tools and manual workflows, this customer chose Qualys for its cloud-native FedRAMP High authorized platform to enable a centralized government program that quantitatively prioritizes risk with automated assessment, standard outputs, and low operational overhead.
Given the success of this deployment, we are now working towards a multi-agency ETM rollout, representing a significant upsell opportunity as this shared services team prepares to operationalize its risk operations center. These results, alongside another six-figure upsell with a separate large federal agency, reinforce our proven ability to align technical capabilities with operational outcomes that address modern security challenges and underscore the long-term growth opportunity in our federal business. Beyond these wins, we are also gaining more leverage from our partner ecosystem. As we continue to endorse a partner-first sales motion, partner-led deal registration increased again in Q4, reflecting deeper alignment and execution across the channel. In addition, with well over a dozen certified mROC partners actively launching new services, momentum continues to build towards a global ROC alliance, fueling our capability, harnessing transformative solution sales, and bringing new business to Qualys.
Further contributing to our growth profile, in Q4, we continued beta testing Q-Flex to help customers accelerate and maximize adoption of the Qualys ETM platform. Given the strong customer response and early success of this model, we plan to continue to focus on proactively identifying opportunities to leverage Q-Flex to enable select customers and partners to accelerate their adoption of Qualys solutions in 2026. In summary, we are fundamentally changing how organizations manage pre-breach cyber risk by unifying CTEM with expert confirmation, risk quantification, and automated remediation, powered by an agentic AI risk fabric. Our rapid pace of innovation and strategic investments are driving strong competitive differentiation, deeper ROC adoption, broader engagements across large federal agencies, growing partner-led execution, and initial Q-Flex success.
Looking ahead to 2026, we'll continue our disruptive innovation, further advance our go-to-market investments, and execute our ROC vision with a balanced approach to long-term growth and profitability. With that, I will turn the call over to Joo Mi to further discuss our fourth quarter results and outlook for the first quarter and full year 2026.
Joo Mi Kim (CFO)
Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP, and growth rates are based on comparisons to the prior year period, unless stated otherwise. We're pleased to report a healthy finish to the year, highlighting our continued execution, financial discipline, and scalable business model. For the full year, we grew revenues by 10% to $669.1 million and achieved adjusted EBITDA margin of 47%, even with continued 14% growth in investments in sales and marketing. Net income and EPS grew 13% and 15% to $257.8 million and $7.07 per diluted share, respectively. Free cash flow reached $304.4 million, or 45% of revenues, all of which exceeded our expectations for the year.
Turning to fourth quarter results, revenues grew 10% to $175.3 million. The channel continued to increase its contribution, making up 51% of total revenues, compared to 48% a year ago. Revenues from channel partners grew 17%, outpacing direct, which grew 4%. As a result of our strategic emphasis on leveraging our partner ecosystem to drive growth, we expect this trend to continue. By geo, 15% growth outside the U.S. was ahead of our domestic business, which grew 6%. U.S. and international revenue mix was 56% and 44%, respectively. With customers confirming their prioritization of security within IT budgets, we anticipate the selling environment in 2026 to remain similar to last year, with a low to mid-single-digit growth in security spend persisting for the foreseeable future.
Reflecting the sentiment, our gross dollar retention rate remained comfortably above 90%, but saw a modest sequential decline in Q4, with our net dollar expansion rate at 103%, down from 104% last quarter. In terms of product mix, our differentiated new products continue to drive growth, with all three of the following increasing contribution to bookings in 2025. First, CyberSecurity Asset Management, combined with ETM, made up 10% of total bookings and 13% of new bookings in 2025, up from last year's 8% and 9%, respectively. Next, Patch Management made up 8% of total bookings and 16% of new bookings in 2025, up from last year's 7% and 16%, respectively.
Lastly, TotalCloud made up 5% of total bookings in 2025, up from 4% a year ago. We believe that these differentiated products combined will continue to increase contribution to bookings in 2026, given our opportunity to increase market share and maximize share of wallet. Turning to profitability, adjusted EBITDA for the fourth quarter of 2025 was $82.6 million, representing a 47% margin, same as last year's. Operating expenses in Q4 increased by 11% to $68.9 million, driven by investment in sales and marketing, which grew 18%. With this strong performance, EPS for the fourth quarter of 2025 was $1.87 per diluted share, and our free cash flow was $74.9 million, representing a 43% margin, compared to 26% in the prior year.
In Q4, we continued to invest the cash we generated from operations back into Qualys, including $724,000 on capital expenditures and $44.7 million to repurchase 328,000 of our outstanding shares. Since commencing our share repurchase program in February 2018, we've repurchased 10.7 million shares and returned over $1.2 billion in cash to shareholders. As of the end of the quarter, we had $160.5 million remaining in our share repurchase program. We're pleased to announce that our board has authorized another increase of $200 million to the share repurchase program, bringing the total available amount for share repurchases to $360.5 million. With that, let us turn to guidance, starting with revenue.
For the full year 2026, we expect revenues to be in the range of $717 million-$725 million, which represents a growth rate of 7%-8%. For the first quarter of 2026, we expect revenues to be in the range of $172.5 million-$174.5 million, representing a growth rate of 8%-9%. This guidance assumes no material change in our net dollar expansion rate, with moderate growth contribution from new business in 2026. Shifting to profitability guidance, for the full year 2026, we expect EBITDA margin to be in the mid-forties, implying mid-teens increase in operating expenses and free cash flow margin in the low forties. We expect full year EPS to be in the range of $7.17-$7.45.
For the first quarter of 2026, we expect EPS to be in the range of $1.76-$1.83. Our planned capital expenditures in 2026 are expected to be in the range of $8 million-$12 million, and for the first quarter of 2026, in the range of $1.2 million-$2.6 million. In 2026, with respect to operating expenses, we plan to align our product and marketing investments to focus on specific initiatives aimed at driving more pipeline, accelerating our partner program, and expanding our federal vertical. As a percentage of revenues, we expect to prioritize an increase in investments in sales and marketing, with more modest increases in engineering and G&A. With that, Sumedh and I would be happy to answer any of your questions.
Operator (participant)
Thank you. As a reminder, to ask a question, please press star one one on your telephone and wait for your name to be announced. To withdraw your question, please press star one one again. The first question comes from Jonathan Ho with William Blair. Your line is open.
Jonathan Ho (Partner)
Hi, good afternoon, and congratulations on the strong quarter. Can you talk a little bit more about some of your Q-Flex offerings and how it potentially helps remove friction and perhaps encourages broader adoption of your platform?
Sumedh Thakar (President and CEO)
Yeah, thank you very much, and that's a great question. So, you know, we've talked about this last quarter as well. I think if you take that in relation to what we are doing with the Risk Operations Center and ETM, and how we're differentiating ourselves from the exposure management solutions, is that the ability to detect all your assets, find your vulnerabilities, ability to use agentic AI to actually not only prioritize those, which is what a lot of these exposure management solutions do, which is just giving you a score. We're leveraging the ability to use agentic AI to confirm those exploits in the environment, which is very differentiated from what everybody does, but then after that, actually the ability to also remediate those.
And so being able to get this end-to-end very quickly, very fast, before attackers are leveraging AI to do the same for your environment, the Q-Flex proposal allows the customer at their pace to then be able to consolidate a lot of these capabilities on a single platform with Qualys and do that over a period of time during, you know, their subscription with us, which allows them to maybe over initially start with more of that prioritization and confirmation. But then as the year goes by, it allows them then to leverage our eliminate capabilities more and more to be able to focus on getting the outcome of getting these things fixed.
And so, what we're excited about is our conversations initially with the customers that have adopted this, have been very positive in the fact that, you know, the security environment is not a static environment at the beginning of the year. It is continuously changing throughout the year. And the flexibility that the pricing model offers them to actually be able to leverage different Qualys capabilities throughout the year as the threats change, is a very big positive for them. So really happy with the feedback we have gotten in the beta phase. And, at this year, 2026, we look forward to doing more of that and moving more towards the GA model for that.
Jonathan Ho (Partner)
Got it. Got it. And then just in terms of some of your comments around AI, I mean, clearly you're seeing a lot of customer interest here. Can you maybe help us understand, like, where the customer is in terms of their AI journey, and also help us understand what that uplift opportunity looks like for Qualys? So if you, if you start selling more of these agentic products, you know, AI, you know, sort of native products, you know, how do we, how do we think about, you know, how that can impact sort of net retention going forward? Thank you.
Sumedh Thakar (President and CEO)
Sure. Yeah, I think a lot of people talk about, you know, AI is embedded in their platform. I think where we differentiate ourselves is that what we have done is introduce the concept of an AI agent marketplace within the platform, which allows the customers to actually augment their workforce, their security team, which we have talked about this for years, that there's never been enough talent in the security space. So the ability to get Agent Sarah, who's an expert in patches, the ability to get Agent Val, who's an expert agent with skill sets that can autonomously make calculations and decisions on exploitation remediation.
So the ability to say, "Look, I want to employ this particular agent on the platform to achieve a task, which otherwise would take me weeks and months to hire a consultant to get that outcome." What we've done with our agentic AI capabilities is not only have those built in throughout the platform, but with agentic AI, we can now actually have these agents that feel like they're really part of that team, and they can help you get those outcomes. And the way we have really positioned this is that, customers, you know, who are leveraging VMDR, they get a really high-quality list of findings. But then as they cross-sell into ETM, they get the ability to not only do the prioritization of these vulnerabilities, but they get the agentic AI capabilities, which then allow them to achieve different tasks.
You know, as you look at how customers are thinking of headcount, et cetera, in the agentic AI world, these really help them get to those outcomes pretty quickly. And then, of course, in addition to that, with our local AI offering, we are also helping customers detect, find, and address vulnerabilities and misconfigurations that are coming up in the AI workload that they have. And so with that, we look forward to customers bringing more data around their own agentic AI solutions into Qualys ETM. And we believe that the agentic AI capabilities are a differentiator for customers to upgrade from or to cross-sell from VMDR into ETM, as well as looking at some of the other exposure management solutions where they just give you a score.
This will allow them to actually use an agentic AI to get patching done pretty fast and pretty quickly. And so we see that differentiation can be the catalyst for us, for customers to pick ETM over some of those other exposure management solutions that are out there.
Jonathan Ho (Partner)
Thank you.
Operator (participant)
Thank you. The next question will come from Kingsley Crane with Canaccord. Your line is open.
Kingsley Crane (Managing Director)
Hi, congrats on the quarter. You answered some of this in the prior response, but would just love to hear more about how Agent Val is elevating ETM from an efficacy perspective, and just how Agent Val is reducing total man-hours at the customer level and how that's resonating with customers. Thanks.
Sumedh Thakar (President and CEO)
Thanks, Kingsley. I wish, unfortunately, the call is only an hour, but I could talk about this forever. But look, I think we've seen the history of this evolution, you know, back when, you know, Kenna came up with this. It's like, everybody's giving you theoretical scores, right? Based on the vulnerability findings and CVE information that is out there. Unfortunately, a theoretical score does not actually mean that a high score does not mean that the customer may not have other controls in place that mitigate that actual exploit from working in their environment. They might have a firewall, they might have something else, memory protection that is enabled, that a typical scanner or a typical exposure management solution will not pick up.
What Agent Val does is leverages that decision-making, autonomous decision-making process to basically look at the findings, look at the scoring, but then actually the ability to run a very safe exploit against the asset to confirm whether that vulnerability is actually exploitable in their environment, on their machine, or it is not, not just a theoretical score. What typically happens is when the security team gives these scores to the IT team, they spend a lot of time trying to chase down these findings, only to feel like, "Oh, this was a false positive, because look, we already have a control in place," and a lot of time is wasted in arguing back and forth. What the customers really want to be able to do is not waste their IT team's time on fixing things that actually are not exploitable in their environment.
The ability to for sure confirm by running an actual exploit in a safe manner that this is or is not exploitable. It means that the IT teams will be saving significant amount of time not chasing down ghost scores and will actually have an absolute confirmation that, yes, it is a very highly exploitable vulnerability, but I don't need to worry about it because I have other controls that are mitigating this, or it is highly exploitable, attackers are using it, and I don't have a protection in my environment. So instead of just chasing scores, I can actually go and focus on fixing these, and that's gonna make me a lot safer. So it's a significant time saving for the customer. Because of this agentic AI workflow, they can actually then significantly reduce the number of findings that they have.
And you know, the other thing is that, once the exploit is confirmed, on your environment, you don't have the time to create Jira tickets and ServiceNow tickets to then have people go and manually make the remediation. As soon as you know that this is exploitable in your environment, confirmed, you want to be able to use another agent to immediately kick off remediation and get it fixed. And you feel a lot more comfortable because now you have confirmed that this is exploitable, it's not theoretical, so people are gonna want to also save time and not leave the exposure open for a long time by being able to run that exploit and then also automatically run that remediation. And, you know, you cannot show up for the AI fight today with your Jira tickets and your ServiceNow tickets.
You got to be able to do automation and autonomous decision-making to get things fixed, and that's the differentiator.
Kingsley Crane (Managing Director)
Yeah, it, it's really exciting times, and it's good that you're, you're leading the way here. For Joo Mi, it's been, it's been a remarkable year for Qualys. You guided to 7% at the midpoint entering last year, and you put up 10%, and now you're guiding closer to 8% this year. How can we think about the levers for upside to growth this year? Thanks.
Joo Mi Kim (CFO)
Yeah, 2025 was a solid year from an execution standpoint. It was a very exciting year for us, with ETM having gone live at the end of 2024. We've had a significant number of discussions with our existing customers in terms of how we can increase value without them having to double their spend initially with us. And so, in doing that and working through our partners, what we were able to do is, you know, finalize our pricing and packaging for ETM and identify our key products that are going to be levers for growth in the short term and the long term going forward as well. So 2025, solid year with closing the year with another 10% growth for revenue, which we're really pleased about.
Now, when it comes to current billings, it came in line with expectations from last quarter, with 2025 current billings growth of 8%. That's slightly lower than the 9% that we posted back in 2024 for current billing. So looking ahead to 2026, I think that's kind of more or less in line with what the baseline case is for us. Looking out, our guidance is really informed by what we see in the business today, the discussions that we're having, what we expect from the macro and then the spending environment. With that said, we do anticipate significant upside. Given what Sumedh just covered, we have very exciting product discussions with existing customers as well as prospects.
I think that we've gone ahead and really leveraged our innovation and our power to really deliver what the customers are looking for and what the market is looking for. So we're excited about the outlook, but with that said, the baseline still remains to be around 7%-8%.
Operator (participant)
Thank you. Our next question will come from Rahul Chopra with Berenberg. Your line is open.
Rahul Chopra (Equity Analyst)
Yes, thank you. I have a couple of questions. I mean, I appreciate these are not your estimates, but if I look at 2023 market share data which you gave, at that time you had market- total market as $64 billion. In the current deck, you're talking about $53 billion market for 2026. At the same time, I can see, previously you had 2028 market of, I think something around $79 billion, $78 billion. Now, 2029 market is $75 billion. My question here is that basically, is the core market shrinking for VM and, and exposure management? I appreciate these are not your estimates, but just wanted to understand, what you're thinking about the core estimates in terms of the market itself, what is it doing? One.
The second question is, I wanted to understand your thoughts about the competitive landscape in more general, especially given the ServiceNow is acquiring Armis. Obviously, that's going to probably change some dynamics. So I wanted to hear your thoughts on that, please. Thank you.
Sumedh Thakar (President and CEO)
Sure. Yeah, I think, I've been in this Qualys for 20-something years, and vulnerability management has definitely changed. And if you recall, we've been talking about that as the number of assets has increased, the number of CVEs and software has increased. We're seeing that customers in the traditional way that vulnerability scanning was done is just generating way too much noise and vulnerability management has evolved, which we have called out many times. And that's the reason in the last few years, we've been focusing on shifting and focusing on the solutions that customers actually are looking for. So as an example, when we innovated with Patch Management, we're the first vendor to do that. And even today, we're not seeing really much traction with others in Patch Management.
Yes, not just vulnerability management doesn't mean you just scan and scan and scan if you cannot get it fixed. And so as that evolved, we innovated. We came up with patch management as a capability. We came up with cybersecurity asset management that was needed for a successful VM program. Now, we have expanded that capability with agentic AI, with ETM, because that's really what customers are looking for, is how do you continue to triage that? And then adding a layer of validation is another game changer in our mind from a vulnerability management perspective. And then along the way, we've also focused on, you know, how do we bring TotalCloud, which is a CNAPP solution that we have, which we're very happy with the traction that we're seeing with that.
We're coming up with agentic AI. So for us, it is about how do we continue to track the areas that customers are focusing on, and then how do we maximize our share of that spend that they have? And that's what you're seeing, the progression and the innovation that we are going. And you know, it's great to see that there is a focus and attention on the CTEM exposure management marketplace. As you mentioned, with ServiceNow buying Armis, which has been around for a long time, using passive capabilities to detect asset inventory, et cetera. But the reality again is that today, customers don't want just more vulnerability findings from these solutions that don't actually help you fix anything.
And so, what we are looking forward to is, again, autonomous workflows leveraging agentic AI to get customers to fix things quickly, as you saw in the recent Mandiant report, that the time, mean time to remediate, over the last five years has gone from 63 days to -1 day. So today, again, with solutions like that, ServiceNow, Armis, and other solutions, do you have the time to create ServiceNow tickets and chase people down while attackers are having a free time, exploiting your vulnerabilities?
So, well, what we feel pretty excited about with our customer conversations is the differentiation that we have that is allowing them to very quickly and accurately get to the things that actually matter to their business, put dollar value loss quantification numbers on it, get the validation, get the vulnerabilities fixed. And that is allowing us to differentiate, and that's where a lot of the conversations we're seeing are very positive in the focus of not just another exposure management solution, but moving towards this cooperation center. And so our goal here is that, of course, security market keeps changing, et cetera. We're bringing solutions that we are looking forward to maximizing the share of the customer spend, focused on the pre-breach side of the security and not necessarily the post-breach side.
Rahul Chopra (Equity Analyst)
Okay, understood. Thank you very much.
Operator (participant)
Thank you. And the next question is going to come from Nehal Chokshi with Northland Capital. Your line's open.
Nehal Chokshi (Managing Director)
Yeah, thank you. And nice color there on why the Armis acquisition by ServiceNow won't be impactful. It sounds like a key portion here is that basically they're lacking patch management. So can you dive a little bit further here and explain why patch management has remained such a differentiator for Qualys here?
Sumedh Thakar (President and CEO)
Yeah, thank you. I think today, if you see, right, like, people are finding millions and millions of findings, and the IT team does not want to be spending all their time in sort of investigating, going out and fixing so many vulnerabilities without the proper context. And so what we're seeing is that, and we talked about this a couple of months ago, that Qualys agents have been able to deploy 140 million patches just in the last 12 months. And, in one of the recent GigaOm reports, we were placed as the number one patch management vendor by the analyst.
The reason why we are getting so much traction is that in the past, you know, when I remember when I joined Qualys, scanning once a quarter and taking 30 days to fix all your issues was considered okay. Today, when the attackers are attacking you within three to five hours of the vulnerabilities being disclosed, you need that ability to quickly correlate a CVE, figure out that it doesn't matter to your business or that it's not exploitable in your environment, and actually get it fixed. Our success with patch management really has been a highly integrated solution with VM and not a, you know, just a partnership where, you know, you're going out with some other separate solution and trying to bridge that gap.
It's a highly integrated solution that is quickly able to not only detect the vulnerability and find whether it is actually exploitable in your environment, but then within a matter of minutes, it can actually fix and patch that particular issue. And so what we're excited about is to see the success of Patch Management in the last few couple of years, but also what we did end of last year, is moved even further into providing customers more abilities to mitigate the risk of the vulnerability without patching. And I like to call it patchless patching, which is applying mitigating controls on the machine, which has given even more flexibility to our customers. Because sometimes you're worried about a patch breaking something, how do you balance the worry of patch breaking something with the worry of getting exploited?
And many times, because of our super deep research in the threat research landscape with our research analysts, we actually are able to figure out the way exploits are working and then find ways to apply mitigations on the machine, so that the actual exploit can be blocked. So at the end of the day, what is the point of all the spending you do in vulnerability scanning? Is to get the right things fixed before the attackers get there. So the majority of the value that comes in that overall spend is really about the patching part. If you do not patch it, you can build all kinds of dashboards, and there's dashboard tourism going on right now, but those dashboards don't mean anything if you don't actually get it fixed before the attackers get to it.
Nehal Chokshi (Managing Director)
Okay, thank you. Joo Mi, are there any headwinds leading to expectation of no change in NDR in your Q2 2026 guidance, that's embedded in Q2 2026 guidance?
Joo Mi Kim (CFO)
Yeah, our guidance is assuming no material change in net dollar expansion rate. You could see that it's always kind of gone up a quarter or down a quarter in the past couple of years. And right now, us being, starting out the year, ending 2025 at 103, we don't anticipate a material change to that rate.
Nehal Chokshi (Managing Director)
Why is that? Why are you expecting no change?
Joo Mi Kim (CFO)
Our guidance is informed by what we're seeing in the pipeline today and what we're expecting based on our existing customers, what they anticipate buying more over how they're thinking about spending more with Qualys in 2026. Our preliminary discussions and view into the outlook today implies that assuming kind of similar in-line growth dollar retention, the expectations from an upsell standpoint, and then, of course, a new business, what we expect to land from a new logo perspective, this is all informing our guidance and the way we look at things.
Sumedh Thakar (President and CEO)
That's the base case, and our goal will be to continue to improve our execution on the ETM and ROC, get the customers getting to know that, and that, to me, remains the upside in for the business is with federal, now with our federal impact that we got and the federal space, partners, et cetera. So I think that's kind of where we are with just assuming 103 as we see it right now, but we continue to work on the upsides in the business that we could potentially have.
Nehal Chokshi (Managing Director)
So does that imply that your expectations, the baseline expectations of ETM, incremental penetration to install base continues at this relatively slow pace, that we're not hitting an inflection point yet?
Sumedh Thakar (President and CEO)
I think it's very early. So, like we said, at the end of the last year, where we had, you know, started with POCs, we are super encouraged with what we are seeing with the POCs and the conversion that we're having. But again, it's very early, right? We're talking about customers that are early adopters. So it's encouraging, but we're not, we haven't had enough of those to really map out a confirmed trajectory of how that is going to go. So I think as we execute better in the first, you know, couple quarters, that's where we will get to understand even better now. That's where, as Joo Mi has talked about in the past, we will start to provide guidance on how ETM is going to.
How ETM is going for us, starting the Q1 earnings call for 2026. And so that will allow you to sort of track where we're starting and then how we're going to expand through the next couple of years on that big opportunity that we see right now.
Nehal Chokshi (Managing Director)
Okay, thank you.
Operator (participant)
Thank you. And our next question will come from Rudy Kessinger with D.A. Davidson. Your line's open.
Rudy Kessinger (Managing Director and Senior Equity Research Analyst)
Hey, great. Thanks for taking my question. Joo Mi, I think you said in response to one of Jonathan's questions, earlier, I think you said baseline remains around 7%-8%. I'm not sure if you were referring to the revenue guide for this year or if that was also your expectation for, you know, roughly what we should expect for current calculated billings for the year.
Joo Mi Kim (CFO)
I would say that, you know, we don't give a specific guidance for current billings, but our expectation is that current billings growth rate will be more or less in line with the revenue growth rate, so 7%-8% for both for full year 2026.
Rudy Kessinger (Managing Director and Senior Equity Research Analyst)
Yeah. Okay, got it. And then just, you know, maybe kind of a follow-up to the last question. Certainly, it sounds like there's a lot of optimism about the early ETM interest and adoption and whatnot. But at the same time, it's still just too early to maybe, you know, drive an improvement in the net expansion rate or the overall revenue growth rate. I guess just, you know, I don't know, we've been hearing that for a few quarters now. I mean, what needs to go right, whether it's with the channel or utilizing Q-Flex, you know, is there a potential that this year we could see enough adoption, that we do see, you know, expansion rate tick up or revenue accelerate, or is that unlikely just based on the current pipeline?
Sumedh Thakar (President and CEO)
Yeah, I mean, all of that needs to go right. I think we've done a lot of innovation. The products are coming out now, which is great. The Agent Val is gonna be very interesting for us. And the recent identity solution is also very interesting. I think a key part of our strategy definitely has been working with partners. And so, as an example, one of the key areas of focus right now, where we are certifying more mROC partners, as an example, and we are getting these partners up to speed, and we're getting the partners trained and helping them create their offerings around the Risk Operations Center.
And the idea here really is that these partners, then with those services, actually can bring us net new business, can bring us upsell opportunities because they don't have to have a replacement conversation maybe with the existing vendor that they might have been selling for the last couple of years. They can actually create a service for risk management with mROC on top of their existing VM solution, as an example, by pulling that data into Qualys and then ETM, and then charging the customer for the management and the consolidation of their various risk factors, et cetera. So that's an area that we are looking forward to as that matures and, you know, as we are in the early days of getting those partners up to speed.
Once those partners then start to take those offerings to their customers, that response will also help us see how that is gaining traction. Again, early conversations have been great. We got to see that in the way that these customers or these partners are bringing us some of their business. I think Q-Flex as being really a positive thing for when we are taking a customer who has VMDR and then converting them over to ETM. That has actually been a really positive thing for customers so that they can kind of build in sort of certain amount of growth, and they can look at the ability to take the journey of a Risk Operations Center at that pace.
And then, of course, we just got off FedRAMP High end of last year, so that's allowed us to have more conversations for the 2026 budget cycle. For federal, that obviously we're not in time for 2025, so those conversations after FedRAMP High for 2026, 2027 are also going to be quite interesting for us as potential upside. And so, I think as Joo Mi has you know, provided sort of the guidance that we see. As of now, we're excited about some of these things that can potentially create the opportunity for us to do better than that.
Operator (participant)
Thank you. And our next question will come from Matthew Hedberg with RBC Capital. Your line's open.
Mike Richardson (Analyst)
Hey, guys. This is Mike Richardson for Matt. Thanks for taking the question. You know, keeping it a little high, high level here, you know, Anthropic's new model release today put an emphasis on cybersecurity and specifically the model's performance for vulnerability discovery and patching. So I was just wondering, you know, if you could talk about what you believe these developments mean for Qualys and maybe the cybersecurity industry more broadly as model providers, you know, look to potentially go deeper into cybersecurity. Thanks.
Sumedh Thakar (President and CEO)
Yeah, great question. I think today's announcement was great in terms of that, understanding the fact that autonomous AI during the coding process, or when you look at the code of a software and pointing agentic AI to that, is definitely something that the attackers are looking to leverage, and they're leveraging as well, to be able to discover vulnerabilities in the code base. Now, having the ability to discover a vulnerability in an open source code is one thing, which is where Anthropic is helping. But once you find that this particular code has a particular vulnerability that could be exploited, you need to go find all of the machines running that software all over the customer's environment, internally, externally.
And then the ability to test that after all the controls that the customer has put in place in their environment on that machine, is that actually exploitable, each individual customer's environment in each individual customer's machine? And that's the part where, I think this, the Anthropic development actually really helps, again, stress the reason why after a particular vulnerability is discovered, an exploit is discovered, why it is important to use an ETM agentic AI-type solution to very quickly validate that in your environment and then actually fix it and apply a fix autonomously. Because when you're using AI to find these particular vulnerabilities and bad attackers are using the same model, they are going to try to do their best to very quickly exploit those.
What we feel is we are empowering our customers with ETM and with somebody like Agent Val, to actually stay ahead of the gap between discovery of a vulnerability to the exploitation, that we can actually leverage ETM with agentic AI Val to then actually find this issue in their specific environment, on their specific machine, and then protect them very quickly by actually being able to patch that. And so that's really the main differentiator. So I think in a way, it's great to show the power of what AI is able to provide for the attackers to find issues in open source. And then it highlights even more the value of the ETM platform to actually find that during runtime and not just in the code base, as Anthropic is doing today.
Mike Richardson (Analyst)
Thank you.
Operator (participant)
Thank you. The next question will come from Patrick Colville with Scotiabank. Your line is open.
Joe Vandrick (Equity Research Associate Director)
Thanks. This is Joe Vandrick on for Patrick Colville. Sumedh, can you help us understand, I know you, you kind of touched on this, but can you help us just better understand the strategy you're taking to get customers to adopt not just vulnerability management, but also prioritization and patch management? And then I'm wondering, is there a way to think about what percentage of the customer base is just using that basic functionality of vulnerability management?
Sumedh Thakar (President and CEO)
Yeah, great question. I think if you kind of look at what we have been doing with patch management, by the way, and if you look at, we're very happy to see the adoption of patch management, cybersecurity asset management as the capabilities that sort of take that vanilla VMDR and add more execution around or execution for success around those list of CVEs. We're pretty happy and excited to see that. And so today, with the ability to provide customers with things like average exposure window, the ability to provide customers the way that that particular vulnerability actually impacts their particular environment.
As an example, your typical threat exposure management solutions will give you a score, a risk score, and they will say that this particular issue has a risk, or this particular asset has a risk score of 900 on a 1,000, and another one has a 750 on a 1,000, which one will you fix first? If you just go by the risk score as an example, you are going to see that, maybe that risk score of 900 on a 1,000 is on a machine that makes you $2 million a year, but the 750 is on one that makes you $500 million a year. Immediately, your prioritization switches and is exactly the opposite of what your exposure management solution gave you, because now you added a dollar value.
Once you have that and you know that you're potentially going to have a loss of $500 million because of the exploit of this vulnerability, the next thing that customers wanna be able to do is, how quickly can I protect myself from making sure that I don't lose that $500 million? That's where an integrated patching and integrated mitigation solution like Qualys is super impactful for them, because now they don't waste time. Because once attackers are starting to exploit vulnerabilities, it is just a, you know, you're a sitting duck with an open window, and the quicker you can close that window, the better it is going to be. Our customers are really seeing that. That's why their adoption of Patch Management has been increasing.
140 million patches in the last one year is quite a milestone for us. And the ability to sort of give them that visibility, to say that, you know, you can, with this platform, you're not just exposing your exposure, you're actually fixing it, is a great story. And our partners are also excited about the ability to not just provide services around more visibility, the ability to actually be the partner for the customer that gets them an outcome of actually the risk reduced, is a differentiator. And that's kind of where we are looking forward to continuing our innovation around the exploit validation and the mitigation and patch management solution, as well as awareness building around the risk operations center, is an area of focus for us.
And then along the way, risks come from cloud. They come from, you know, your standard virtual machines. They come from cloud. That's where we have TotalCloud. They come from identities. We have ISPM for that. They come from misconfigurations, and we have Policy Audit for that. They come from AI now, for which we have TotalAI as an example. So we continue to expand ways to bring more assets into ETM. At the same time, we continue to innovate on ways to absolutely get to the final outcome of actually reducing risk with automation and agentic AI as fast as you can. And that, honestly, is really, in my mind, a big differentiator.
Joe Vandrick (Equity Research Associate Director)
That makes sense. If I could sneak in one more. I think you mentioned that you're still in beta testing for Q-Flex, and that you're gonna leverage it for select partners. Is that just timing, or are you not planning to go customer-wide with that pricing model?
Joo Mi Kim (CFO)
Yeah, we went beta with Q-Flex last year, and so we understand how it could be very additive to a cohort of customers. So we're rolling it out on a case-by-case basis because we wanna create a win-win scenario for us, right? For our customers who we feel like they would really benefit and increase their spend with us by giving them this flexibility, we're more than happy to work with them through whether it's through a partner or directly with us. For broadly speaking, we don't wanna be in a situation where unintentionally it results in a down sell for us, and then also they don't have the ability to try out other products because they're maximizing their budget and thinking through it from that perspective.
So right now it's in beta, but in the longer term, we do plan on going on to GA with that and potentially with a slightly tweaked structure.
Joe Vandrick (Equity Research Associate Director)
Thank you.
Operator (participant)
Thank you. Our next question will come from Yun Kim with Loop Capital. Your line's open.
Yun Kim (Managing Director)
All right. Thank you. Sumedh, I think you already touched upon some of my questions already, but you know, how engaged are partners involved in core VM renewals? Or are they, or a lot of them, the newer partners that you attracted last year, are they more about selling new products?
Sumedh Thakar (President and CEO)
Yeah, the mROC partners that we work with are pretty excited. We're starting to see these partners launch their own services for Risk Operations Center, which obviously takes some time because they have to come up with the brochures for the services, staff them with the right experts for risk quantification, et cetera. But what they are excited about is that instead of just looking at, you know, can I get another 5 cents, 10 cents of margin on a dollar, the ability to say that with ROC, they can actually offer higher value services. The service you can offer to a CISO is, "Hey, we're gonna give you a business-oriented cyber risk visibility deck that you can take to your board every quarter.
That's gonna make you look very smart in front of the board," is a significant value, and they can charge, you know, multiple dollars, as an example, for those services around ETM, which they cannot necessarily do around other areas. And with the agentic AI capabilities built in, the partners are excited that that actually can also reduce the spend that they have to do to staff their services teams with people, if agentic AI capabilities in the platform can get them a Patch Tuesday report within 24 hours versus taking two weeks for a consultant to manually go and create Excel sheets to do things like that. So very exciting early conversations.
We're already starting to see some interesting wins, though it's early days, with new business and existing business with those partners that understand the risk story and positioning the broader risk management rather than just, "Okay, here's another list of vulnerabilities that I can provide you." Those conversations are very positive. And so as I said, we're really focused right now on our GTM efforts around training these partners, around partnering with them, and introducing them to customers as they introduce us to prospects, et cetera.
And as that progresses, I'm excited about the potential that partners can bring customers to us, even if that customer might have another VM scanning solution, they can keep that solution, and they can actually bring that customer to us, and the partner can make multiple dollars on every dollar of ETM that they sell for us.
Yun Kim (Managing Director)
Okay, great. That's very helpful. Joo Mi, if you can remind us how renewals are lined up for the year, either skewed towards second half of the year, consistent with the prior years? Or, with the newer products coming in, do you see some early renewals or renewals mix kind of changing up this year?
Joo Mi Kim (CFO)
Right now, our expectation is that the seasonality will remain the same. Same thing as what you saw in 2025. It will be skewed towards the second half of 2026.
Yun Kim (Managing Director)
Okay, great. Thank you so much. That's it.
Operator (participant)
Thank you. The next question will come from Junaid Siddiqui with Truist. Your line is open.
Junaid Siddiqui (Investment Analyst)
Great. Thank you for taking my question. Sumedh, you've talked about the, you know, risk operations center's focus on proactive risk management, versus the SOC's focus on detection after the breach, being a major differentiator. Just wanted to ask, you know, are you starting to see budgets flow more towards proactive security, versus reactive detection and response?
Sumedh Thakar (President and CEO)
Yeah, thanks, Junaid, for that question. We definitely see the conversations with our partners who have said like, "Look, I've invested a lot over the last few years in EDR, XDR, you know, post-breach solutions around SOC." And of course, you know, there is some focus now on agentic AI SOC solutions that they're looking at to improve that even further. But what they feel is that on the pre-breach side, they have invested, but they have invested in a bunch of I call them XPM tools, which is I have DSPM, I have SSPM, I have CSPM, but all of them are just giving you multiple dashboards. And there is definitely a bit of a fatigue with these customers and saying, "These dashboards are not helping me prevent a breach.
While I have put in place a protection on the post-breach side to try to find attackers, if I can do a better job and operationalize my workflow so that I can take all these findings from multiple tools, you know. You have these code scanners, which are kind of like false positive service sometimes because they give you so many findings. The conversations definitely are moving in that there is positive conversation on leveraging budget that they have or asking for more budget over the next couple of years to move in that direction. And the early adoption of ETM that we are seeing is a necessary, you know, essentially, we're going and getting budget that they are not always, you know, moving away from something they're already budgeted for.
So some customers have started to put budget aside for exposure management, so to say, or RBVM. But when we show them ROC, which is much bigger than exposure management and much more than RBVM, they are actually able to work with us to shift on that budget. So I definitely feel like there is more of a focus last year and into this year on, "Hey, we need to do a better job at proactive risk management. We've done a lot of work around the reactive side. Let's focus to get better on the proactive side."
Junaid Siddiqui (Investment Analyst)
Great. Thank you.
Operator (participant)
Thank you. The next question will come from Jason Jang with Wolfe Research.
Joshua Tilton (Senior VP of Equity Research)
Hey, guys, it's Joshua Tilton from Wolfe Research. Can you guys hear me?
Sumedh Thakar (President and CEO)
Yes, Josh.
Joshua Tilton (Senior VP of Equity Research)
Awesome. Sumedh, I want to follow up on your answer, like, when you were asked about kind of Anthropic's blog post today on cybersecurity. And I wanna re-ask the question, but I wanna ask it in a much more simpler way. Is the way to think about it that a lot of the functionality that Anthropic was talking to was more around application security testing and kind of some of the vulnerability discovery that happens before you would use a traditional VM tool? And again, I just play a security expert on TV, so if I'm thinking about it the wrong way, please let me know. But is that kind of the right way to think about it?
Sumedh Thakar (President and CEO)
Yeah. Right now, a lot of that focus is on looking at open source code and looking, going through the code base to look at commit logs, et cetera, around that code to find the vulnerabilities in that particular code base. Now, that code base is then compiled into some piece of application of software, which then is running all over the place across millions of machines in different customer environments, behind different firewalls, et cetera. So, generally, that's sort of where we see, while its focus is more around once those vulnerabilities are discovered or attackers starting to use those, how do we then quickly assess those in a runtime rather than application code discovery time, which is where a lot of these AI agents are focusing on.
Joshua Tilton (Senior VP of Equity Research)
Makes total sense. And then maybe, just a quick follow-up for Joo Mi. I think in the past, you know, there's been several leadership changes throughout the years where, you know, there was always a plan to kind of invest to reignite growth. And I'm just curious, when we think about the EPS guidance, for the full year, how do you think about the level of investment for 2026 that's baked into that EPS guidance versus prior years, when maybe you've had one of these kind of, you know, new CRO in place or other leadership roles being filled?
Joo Mi Kim (CFO)
Yeah, we're really pleased to start off the year strong with all key positions filled, with a strong executive team who's tenured. So keeping that in mind, last year, we had guided to low 40s EBITDA margin coming off of 2024, 47%. So the implied gap or implied margin contraction was significantly higher than what you're seeing today. We closed out the year 2025 with 47% EBITDA margin. We're guiding to mid-40s for EBITDA. So slight contraction, but it's not, it's not as significant as what we had guided at the beginning of 2025.
Joshua Tilton (Senior VP of Equity Research)
Makes a lot of sense. Thank you so much, guys.
Joo Mi Kim (CFO)
Thank you.
Operator (participant)
Thank you. This does conclude today's question and answer session, and this also concludes today's conference call. Thank you so much for participating, and you may now disconnect.