Qualys at William Blair Conference: Strategic Growth and Expansion

On Tuesday, June 3, 2025, Qualys (NASDAQ:QLYS) took center stage at the 45th Annual William Blair Growth Stock Conference. The company outlined its strategic shift from vulnerability management to a comprehensive cyber risk management platform. CEO Sumit Dakar and CFO Jume Kim conveyed optimism about future growth, emphasizing both opportunities and challenges in expanding their market presence and evolving their business model.

Key Takeaways

• Qualys is transitioning to a broader cyber risk management platform, introducing Enterprise TruRisk Management (ETM) and Risk Operation Center (mRoc).
• The company’s growth is heavily reliant on existing customers through new product adoption, focusing on profitable growth.
• Channel partnerships are a strategic focus, particularly in the cloud and federal sectors, with investments in FedRAMP High certification.
• Financial performance remains strong with a high gross margin of 84% and a significant portion of bookings from new products like Patch Management, CSAM, and LogoLens.
• The federal market is a key target for expansion, with channel partners playing a crucial role in new logo acquisition.

Financial Results

• Growth Drivers: Existing customers are the primary growth drivers, with 15% of LTM bookings from Patch Management, CSAM, and LogoLens.
• Gross Margin: Qualys maintains a robust gross margin of 84%, even with increased business through partners.
• Profitability Focus: The company emphasizes profitable growth, leveraging existing customer relationships for upselling opportunities.

Operational Updates

• Platform Evolution: Transitioning from point solutions to a comprehensive cyber risk management platform.
• ETM and mRoc: Key differentiators, enabling risk measurement and remediation across multiple tools; strong adoption noted.
• Channel Strategy: Over half of deals involve channel partners, with a shift towards proactive opportunity generation.
• Federal Expansion: FedRAMP High certification is pivotal for federal market growth, enhancing new logo acquisition.
• Cloud Security: Notable traction in cloud security, with partners bringing Qualys solutions to DevOps teams.

Future Outlook

• Upselling Focus: Enhancing risk management capabilities for existing customers to drive upsells.
• Channel Investment: Continued investment in channel partnerships to increase partner-driven deals.
• Federal Market: Targeting increased presence with FedRAMP High certification, leveraging channel partners.

Q&A Highlights

• Sales Productivity: Emphasis on building relationships with channel partners to enhance sales productivity.
• Channel Contribution: Channel partners are closing more deals for new logos compared to direct sales reps.

In conclusion, for a more detailed understanding of Qualys’ strategic plans and financial outlook, readers are encouraged to refer to the full conference call transcript.

Full transcript - 45th Annual William Blair Growth Stock Conference:

Jonathan Ho, Analyst, William Blair and Company: Stock conference. Today’s session is going to be with Qualys. My name is Jonathan Ho, and I’m the analyst for William Blair and Company. With us today are Sumit Dakar, the CEO, and Jume Kim, the CFO of the company. Before we begin, I’m required to inform you that a complete list of research disclosures is available as well as conflicts of interest at our website at www.williamblair.com.

We’ll have the company present an overview of the business followed by fireside chat. Sumed and Jumi, I’ll hand it over to you, just for the overview of Qualys. Thank you.

Sumit Dakar, CEO, Qualys: Thank you very much, all, for thank you for having us. Qualys, we have been, in the business for quite a while. We are cyber risk management, for a lot of large companies globally. We started with vulnerability management as, an area where we’ve been helping customers for the last many years. We’re one of the first SaaS providers to provide security around that.

In the last few years, we have expanded our portfolio into providing broader cyber risk management capabilities to our customers, expanding into, remediation, patch management, asset management, and then more recently into overall holistic, risk management with the risk operation center where we help customers collect their risk findings across their multiple, products and portfolios and provide them a business oriented view of their investment in cybersecurity. We’ve been a profitable company for the last many years, and that’s generally where we focus on is profitable growth. And we look forward to continuing our journey into overall cyber risk management and increasing sort of our footprint in that area.

Jonathan Ho, Analyst, William Blair and Company: Excellent. Excellent. Just to kind of kick things off, you know, we’ve seen a lot of changes in the vulnerability management market over the past few years. Can you maybe level set for the audience how vulnerability management is evolving and where the growth opportunities lie in the future for the company?

Sumit Dakar, CEO, Qualys: That’s a great question. I think vulnerability management continues to be a cornerstone for any risk management strategy for from a cyber perspective. As we saw in the Verizon data breach report, it continues to be a key vector that attackers leverage to get into, systems and jumping off point. So what we have seen, however, is the last many years as the number of, assets and number of software that people are deploying has grown significantly. The number of vulnerabilities that are being detected has also grown exponentially.

And the challenges that customers have been facing has been evolving in VM. And when we introduced VMDR a few years ago, it was really not about so much about how many vulnerabilities you can detect, but how can you very quickly remediate those vulnerabilities because the amount of exploitation time was reducing, and attackers have been actively exploiting these vulnerabilities quicker and faster. So we were at the time, you know, we came up with this idea of patch management as a way to help expand vulnerability management into the area of remediation, which for us has been very exciting. We saw last year, 2024, Qualys agents deployed a 10,000,000 patches for our customers, so clearly a story that’s resonating. I think what has happened now is continued expansion of VM into cloud, environment and other environments means that customers today end up with significantly more number of vulnerabilities than actually the ones that cause risk, And that’s where the customers tend to struggle with the plethora of findings that they have and not knowing exactly which ones are causing risk to their business and taking a business oriented approach towards which ones they should fix, which ones they don’t need to fix right now.

That’s where we’re seeing that vulnerability management has been evolving more and more into broader risk management. And customers today really need a way to figure out, of all the millions of findings that they have, which ones actually cause risk to their environment. And we just recently we with a customer in a POC, we imported almost 65,000,000 findings across their different tools, and only 300,000 of those findings actually had any way for exploitation or any way of getting being attacked. And so helping customers for customers, they they really want a way to quickly get to that small percentage of findings that actually cause risk and then a way to remediate those risks very quickly. And that’s kinda how the journey of vulnerability management has continued, where it has expanded in newer infrastructure while at the same time prioritization and remediation have become the key focus for vulnerability management.

Jonathan Ho, Analyst, William Blair and Company: Excellent. Excellent. On the financial model, can you maybe describe for us what the growth and margin algorithm look like for Qualys moving forward? And specifically, can you help us understand how much of that growth can come from existing versus new customers?

Jume Kim, CFO, Qualys: Yeah. For Qualys, historically, most of our growth was driven by our existing customer base, and that’s due to the fact that we’ve been focused on introducing new products, expanding our target addressable market. And we’ve been we’ve seen great success there with 15% of our LTM bookings coming from Patch Management, CSAM and our new customer, LogoLens, actually due to the fact that we’ve really introduced newer products in addition to patch management and CSAM. We’ve also talked about the ETM. And so moving forward, we think I think for the next couple of years, we still believe that our existing customers will be the primary driver of our growth.

With that said, we are looking to land new logos, and we’re seeing some success this year with our new strategy, our new value proposition from a risk operation model perspective where we’re really providing a solution to the customers, not just from identifying vulnerabilities, but really coming up with a true solution that works for the market.

Jonathan Ho, Analyst, William Blair and Company: That makes that makes a ton of sense. Maybe switching gears a little bit to sort of the product side of things. When we look at the enterprise true risk solution, you know, what makes up the solution? What challenges are you trying to solve? You know, how does this sort of extend the Qualys story over time?

Sumit Dakar, CEO, Qualys: The the real challenges really are, you know, as customers try to figure out when they have a certain amount of budget for cybersecurity, where across their multiple toolset do they need to focus that on? And, what what has in the past been a very best practices based approach, today, more and more CSOs are under question by CFO, by the board to really justify the ROI of cybersecurity, and cybersecurity ROI comes from showcasing how much risk has been reduced. And a lot of times, we see that CSOs are struggling even to articulate how much risk they have. So if if cybersecurity is a risk management exercise, you cannot articulate how much risk to the business you have in terms of how much money you would lose if there is a cyber attack and where should you focus on to reduce that risk of, the attack happening. Today, they have a set of dashboards that give them top tens from multiple tools, but they can’t really articulate what is the potential risk to my retail banking as an example across multiple tools.

And I think the notion that there is a single pane of glass from a single vendor is not something that we don’t see in the market really happening. Customers still like to empower their teams to pick the best tool for the specific job, maybe for container security or OT security. It’s not the same vendor that is providing them all those capabilities. So how can they operationalize the risk management exercise? In the past, we have seen people do that from a SOC perspective, where security operations center were used to operationalize threat hunting and taking action once the attacker is in the environment.

Customers have struggled to really give a holistic view of the risk in a proactive environment where you don’t have an attack, but there are so many risk factors. Which ones actually are being actively attacked by attackers, which what they’re talking about in the dark web, which ones actually have exploits available. So with the risk operation center, what we’re seeing is that customers are seeing a need to bring all of their assets together from from multiple sources, all their findings together, applying threat intelligence, but applying business context, and then creating remediation and reporting all sort of in a one. That’s where we introduced the concept of a risk operation center. And the ETM, which is Enterprise Tourist Management, is Qualys’ ability to provide a risk operation center to customers where they can, and it is not based on a single vendor.

It’s now the ability for us to, to walk into a customer who has other tools and actually not have a replacement conversation, have a conversation about taking the data from their multiple tools and providing them a higher level strategic value, which they can create reports that they can take to the board that showcase that x amount of dollars are at risk and what is the current probability of that happening across their multiple tool set. This has really been a game changer from our perspective in the way that customers look at what the risk operation center bring them rather than just another tool that is giving them top tens on the specific thing that they are looking at. And so for the customers is that ability to measure the risk, to be able to communicate it to the board and the CFO, and then the ability to show that ROI, and then the ability to remediate that risk is all operationalized in a single platform while using different tools that they prefer for the specific solutions that they need for the specific infrastructure that they have.

Jonathan Ho, Analyst, William Blair and Company: Yeah. It makes a ton of sense that the Qualys story is evolving from point solution to platform and encompassing multiple areas that you can cover, you know, as that broader platform opportunity. When we think about sort of platform adoption, you know, how does this compare with what you’ve seen with something like VMDR where you’ve extended the product set and how much of an uplift do you potentially see in deals where customers take on that broader solution?

Sumit Dakar, CEO, Qualys: We’re pretty excited that as we went GA a couple of months ago, the adoption that we’re seeing in terms of POCs that are ongoing, the number of customers that are engaged, The level at within the customer, it’s really a lot of the CSOs are themselves engaged in these conversations, which was not necessarily the case in the past when it was just vulnerability management. So that’s been very, encouraging for us. I and the way we see that is just the way when we came up with VMDR as a game changer where we evolved vulnerability detection into a broader area of asset management remediation, etcetera. We feel like now it’s similar, evolution that is happening from an industry and platform perspective where now we are, going back to our existing customers who, have Qualys and maybe other set of tools and be able to give them and go to all of them and be able to showcase them the higher value of a risk management risk reporting, not talking the language of vulnerabilities, but talking the language of dollars and the business impact, etcetera. And so that’s exciting for us because we can go to all of our existing customers and provide them this sort of a risk management capability, which is resonating well.

And it’s also helping customers really have the conversation to their board as well, as we saw with the partnership we announced with Diligent, so that board can actually see how the platform adoption is giving them something that is meaningful to them. So with that, what we’re seeing is that customers are encouraged to then buy additional capabilities from Qualys because they get all of that in a risk view rather than top 10 views that they’re getting from different dashboards. And so we see that as something that is driving our audit compliance capability. It is driving our cloud security capability. It is driving our new Total AI, which is our AI security.

Because the same question If you are going to invest in AI security, how much is the risk from your AI, and how much should you invest in AI security? Because that money is going to come from some other place that you’re not going to invest. And so what we see is that the conversations are leading not only to customers looking at upgrading currently to ETM by bringing additional data for the assets where they have Qualys, but we are also seeing additional assets now coming into Qualys that in the past they were not covering with Qualys because they have another tool, and we don’t have to have the replacement conversation. It’s also driving more module adoption from Qualys’ perspective.

And so it’s early days right now, but we are encouraged to see what we are seeing. And think the uplift is not just a linear another dollar on the dollar because it’s also bringing new assets and it’s also bringing additional modular adoption based on where the customer is at. So I think because we’ve just started down this journey, the next few quarters, we’ll get a better idea of that kind of an uplift. But as you can see, it’s not just an, incremental, you know, 15% on on the existing. It is really something that can be meaningful, is is how we see it over the next few years.

Jonathan Ho, Analyst, William Blair and Company: Yeah. With that larger dollar capture, it seems like you’re becoming much more strategic to a customer. Can you talk a little bit about how, you know, as the customers expand their adoption of your platform, do they start to also look for additional capabilities? And you’ve spoken about, in particular, the mRoc solution and the offerings that are there, that you can offer with partners. And can you speak to how managed services are being used by customers and what opportunity that brings to Qualys to engage with those partners?

Sumit Dakar, CEO, Qualys: Yeah. That’s a great question. And as you have probably seen the last, two, three years, partners, and pivot to partners is a major part of our strategy, which, know, if you look at the numbers also, we’re doing, we’re happy with what we’re seeing in terms of our indirect business and how it is growing nicely. And, part of the strategy is the introduction of center. If you look at the MDR side, security operations center have had MDR services, but it is post breach.

Somebody is in the network. Let me go find who is in the network. But we see similar capabilities can be offered by managed service providers to look at the customer’s environment and provide them a risk monitoring service. A risk monitoring service is different than a threat monitoring, which is some attacker is in the environment. So because our partners are excited about bringing new solutions to the market as managed services where they, of course, see that they make more dollars rather than just resell, and we are in in enabling that.

And we don’t compete with our partners, so we don’t offer any services. That’s really where the partners see that they can now leverage Qualys to, ATM to bring data from their existing solutions that they might have sold to the particular customer in the past and create a new service that they can offer. And we believe that this capability and encouraging partners and enabling them to make additional services revenue will then encourage them to take Qualys to more of their existing customers than just the VM capability. So we see that the mRock capability is going to help partners have more conversations about Qualys because they are going to make more services dollars on the solution and would also encourage additional module adoption and they don’t have to have a conversation of replacing some of the tools that they might have sold to the customer in the past.

Jonathan Ho, Analyst, William Blair and Company: Excellent, excellent. Just in terms of go to market, there’s been a significant focus on the channel now and I think it’s over half the deals or close to half the deals are now involved the use of the channel. Where does the mix potentially go from here and is the channel now being more proactive in terms of bringing you new opportunities? Has it been more sort of just fulfillment or helping you, you know, sort of, you know, upsell into the existing base? Just trying to understand how the dynamic evolves over time.

Sumit Dakar, CEO, Qualys: Yep. I when we started a couple of years ago, we are we would it’s been a journey. And I think, you know, moving to a channel is, of course, a multiyear journey. But we we did some of the low hanging fruits initially, you know, just better working with the partners, having resources aligned with them. We have hired more on the account management side from a partner perspective, more training to the partners.

We’re marketing from the partner perspective. So we have been making those investments and we continue to see with Embark that partners will be more encouraged to bring customers to Qualys. We don’t necessarily are we’re not targeting any specific mix at this point, but we are encouraged to see that over the last few quarters, multiple quarters consistently that mix has been changing towards more of the partner side, and we expect to continue to see that happen as we invest with our partners. And I think that’s that really is a key part of our go to market strategy because with the direct business that we have, we see that as an opportunity to bring more partners to take that direct business with Qualys by bringing additional upsells on those accounts in areas where we may not have the relationship with the existing customer because it’s a cloud deal as an example. We also see that because we are helping them make additional services revenue that this will also encourage partners to bring us net new deals, which will help us with our new business as well.

And so we see across the board that that strategy is gonna continue, and we are going to evolve that and invest more in the channel side over the next few years. And we continue to expect to see that mix change, though we’re not necessarily targeting a specific mix. But we do feel like given the success we’re seeing from the partner perspective, we do see partners right now are bringing us now additional deals. Are helping us with upsells and we expect to double down on that and continued investment in that direction.

Jume Kim, CFO, Qualys: And what’s something that’s really positive for us is it is really a long term strategy that we thought through. Earlier last year that we thought that, you know, it made sense for us to go to partners when it comes to new logo acquisitions because of the success rate. They were able to close higher rates of deals that were in play when it came to new logo acquisition because instead of our sales reps going out there and saying that we’re the vendor of choice and Qualys has the best product, it was much more impactful for our channel partners who go out there and market to the to the, the customer base and say that, you know, here’s why you should go with Qualys for this solution. Right? And so but in addition to that, what we decided to do was really work with partners so that they understand that, we have stakes in the game too as in we’re willing to take our existing customers who are currently direct over to the partners if we think that there is a way for us to win with higher upsell, higher spend from the customer base.

And so naturally, you’re going to slowly see that shift more and more going towards indirect versus direct. So we expect that to happen and the good thing is, you know, we are monitoring our gross margin and potential impact on the unit economics as more of our business shifts to the partner side, and still we’re holding on to that 84% really high gross margin, and we haven’t seen that margin contraction from that side even though our business has more shifted to the partner.

Sumit Dakar, CEO, Qualys: And that’s critical for us, the partner strategy in the two areas that we are excited about for growth potential for Qualys in the future. One is cloud, where we are seeing nice traction in early stages with the cloud security, And that’s really where the partners are bringing us to the DevOps teams that we may not have direct access to. And so we’re happy to see that as well as we see a huge potential for us in the future around the federal business because we have a very small federal presence right now. But with our focus on FedRAMP and our investment in the federal side, partners are going to be a key part of making sure that we are expanding well into the federal business as we’re waiting for our FedRAMP high, which should be coming pretty soon. One with that, we will be continuing our partner strategy from a federal perspective, which is, again, a huge area for potential growth for us.

Jonathan Ho, Analyst, William Blair and Company: Yeah. Yeah. Can we you know, with the federal discussion, maybe dig a little bit into that opportunity set? And what does FedRAMP really mean for you? Is this a hunting license?

Is this an opportunity to go into a broader set of agencies? Think you’ve also developed some of your channel resources there too. So can you just give us a bit more detail in terms of your operations there?

Sumit Dakar, CEO, Qualys: Yeah. I think with our investment in federal, the last few years, we’re we’ve been seeing good growth and good success even though it’s smaller numbers initially because of federal moderate, which we got. I think Qualys has one of the highest number of ATOs from a FedRAMP perspective. If you go to their website, you will see the number of agencies that actually support Qualys, which is pretty good to see. And that has sort of kick started our federal journey over the last few years.

And now with FedRAMP high, it definitely gives us a higher level of security standards that the federal agencies are looking for. And so it allows us to expand into additional agencies that require a higher standard from security providers. And once we get that FedRAMP high, that will make us one of the only FedRAMP high vendors that provide vulnerability and patch management in in a combined solution. So we’re excited to have conversations. We’re already seeing customers waiting to use that as a way to move.

Know, right now, there is a big push from an efficiency perspective in the federal government, and they we believe that this will be a great opportunity for them to showcase moving away from their existing on prem sort of old deployment that’s not very efficient to a much more nimble FedRAMP high, new provider that they can use to show efficiency gains, etcetera. So we see potential in that space, and we are going to continue to invest there. And FedRAMP High definitely becomes a key point for us just in terms of getting attention and hunting new logos. I mean, by just by definition, given how small our current presence is in the federal, a lot of what we are going to see in the federal is new logos coming our way.

Jonathan Ho, Analyst, William Blair and Company: Just just quickly, like, how long does it take to get to FedRAMP High? Like, how much of a barrier to entry? Or can you talk about the complexity of that process?

Sumit Dakar, CEO, Qualys: It’s quite painful, but we have made that investment. And it’s, you know, it’s been going on for the last two, three years. Now we did start from a base of having FedRAMP moderate, so it was but you see a lot of companies struggle to get that FedRAMP, you know, moderate as well because it takes a lot of investment to get your platform to that standard now because we had FedRamp moderate for many years and we work to build on top of that. It is not a trivial investment, not just in terms of dollars, but also in terms of time and effort across the group to ensure that all the different, you know, requirements are met. So we are, you know, in progress right now, in process, what they call it.

So, we’re looking forward to to getting that pretty soon. Got it.

Jonathan Ho, Analyst, William Blair and Company: Multiple times during this conversation, you’ve talked a little bit about your cloud solution, and the need for vulnerability management in the cloud. I I think in our investor conversations, it’s oftentimes, you know, confused with CSPM.

Sumit Dakar, CEO, Qualys: Yeah.

Jonathan Ho, Analyst, William Blair and Company: Can you maybe help us, unpack the differences between vulnerability management in the cloud, CSPM, CNAP? What do these things mean for Qualys, and what does that opportunity set look like for you?

Sumit Dakar, CEO, Qualys: Yeah. That’s a great question. If you look at the basics of cybersecurity, there are three key areas that bring risks to any environment. One is vulnerabilities in the software. Second is misconfigurations, where the system is not configured correctly even if there is no vulnerability.

And the third is identity, where you have an identity that has the wrong access and somebody can go in and, and, you know, access your information. And so what we see is in the cloud is essentially the same three areas, are critical. So one aspect of that is the CSPM, which is looking at misconfigurations. However, all the software running in the environment still requires vulnerabilities to be assessed because, a CSPM does not give you a visibility into software vulnerabilities that an attacker can leverage. And at the same, time, also, you need to be able to monitor the identities and have access to data in the cloud.

And so, these are three key areas in cloud. I I to to your point, sometimes all of these get confused, and people talk about that. And there’s a huge acronym soup with CWPP and CSPM and stuff like that. But that’s why I wanted to break it down. It just comes down to those three basic things.

And Qualys is being leveraged pretty heavily by customers. In the last count, we had almost 30,000,000 agents in public cloud environments where customers were leveraging Qualys to assess the vulnerabilities of their workload while they might be using either Qualys or they might be actually using a different tool for CSPM and a different tool for identity management. And so we routinely see where customers are using Qualys for the workload in the cloud and the same account they might be using Wiz for CSPM, they might be using some other solution for identity. But now not only do we have an opportunity to continue to provide cloud specific security solutions to these customers, but also with ETM and Risk Operation Center, we can actually bring cloud data from multiple different vendors into one view and give them a a view of the posture of their cybersecurity posture from a cloud perspective.

Jonathan Ho, Analyst, William Blair and Company: Yeah. It make it makes a ton of sense that you’re able to sort of wrap everything together just in the cloud, but also in the on prem world as a single pane of glass to your to your earlier comments. You know, maybe just to, you know, put everything to debt together, can you help us understand, you know, where we are in terms of sales productivity following some of the actions that you’ve taken over the past few years, you know, what are you happy with? What are you unhappy with at this point? What’s what’s sort of left to be done?

Jume Kim, CFO, Qualys: What we’ve done well is really building a relationship with our channel partners and our our build of the channel managers internally. So we’ve hired sales reps who are focused on making sure that they prioritize the needs of our partners, whether it’s MSSP or VARs. We’ve also built out our team from a product manager’s perspective, making sure that we understand how to go out to the market and showcase what we can actually bring to the customers and the prospects at the end of the day. When it comes to the direct sales reps, though, there that’s where we we feel like we haven’t really reached a level of productivity that we had hoped for. And that’s part of the reason why we thought that, you know, longer term, it makes more sense for us to remove that friction and be be working better with partners where they don’t feel like they’re competing with us.

So even though we do have our direct sales reps, they’re also working with their channel manager and the partner team as well. So, it’s really one team working together with the support from solutions architects, bring that entire team together so that we can go out and be successful together is our strategy today. And I think that right now it’s still early. There’s a lot of improvements that we still have to make. We are continuing to hire and recruit, but at the end of the day, because of our shift in strategy and focus on channel, it has less to do with headcount per se.

Jonathan Ho, Analyst, William Blair and Company: Excellent, excellent. We’ve got a couple of minutes left so I’ll open it up for Q and A to the audience. If there’s anyone that has a question, just raise your hand and

Sumit Dakar, CEO, Qualys: we’ll call on you.

This article was generated with the support of AI and reviewed by an editor. For more information see our T&C.