Qualys Inc (QLYS) 2013 Q4 法說會逐字稿

Good day, everyone, and welcome to the Qualys fourth-quarter 2013 investors conference call. This call is being recorded.

At this time, all participants are in a listen-only mode. Later, we will conduct a question-and-answer session and instructions for asking a question will be given at that time.

I would now like to turn the call over to Don McCauley, CFO of Qualys. Please go ahead, sir.

Welcome to the Qualys fourth-quarter and full-year 2013 investor conference call. I'm Don McCauley, the CFO; and I'm here with Philippe Courtot, our Chairman and CEO.

Before we get started, we would like to remind you that, during this call, management expects to make forward-looking statements within the meaning of the federal securities laws. Forward-looking statements generally relate to future events or our future financial or operating performance. Forward-looking statements in this presentation include, but are not limited to, statements related to our business and financial performance and expectations for future periods, our expectations regarding capital expenditures, including investments in our cloud infrastructure, and our expectations regarding the introduction of new solutions and enhancements to existing solutions.

Our expectations and belief regarding these matters may not materialize, and actual results in future periods are subject to risks and uncertainties that could cause actual results to differ materially from those projected. These risks include those set forth in the press release that we issued earlier today, as well as those more fully described in our filings with the Securities and Exchange Commission, including our quarterly report on Form 10-Q that we filed on November 7, 2013. The forward-looking statements in this presentation are based on information available to us as of today, and we disclaim any obligation to update any forward-looking statement, except as required by law.

We also remind you that this call will include a discussion of GAAP and non-GAAP financial measures. The non-GAAP financial measures are not intended to be considered in isolation or as a substitute for results for prepared in accordance with GAAP. A discussion of why we present non-GAAP financial measures, and a reconciliation of the non-GAAP financial measures discussed in this call to the most directly comparable GAAP financial measures, are included in our earnings press release that is available on our website.

Now to begin the discussion, Philippe will provide an overview of the Company's performance for the fourth quarter and full year 2013, then I will cover our financial results and factors that drove the quarter and year in more detail, as well as our outlook for the first quarter and full year 2014. Then we will open up the call for your questions.

With that, I will now turn the call over to Philippe.

Thank you, Don, and welcome to all of you that are joining us on the call today.

The fourth quarter of 2013 was a very solid quarter for Qualys, as we ended the year with strong progress in all aspects of our business. While Don will cover the financial details of our performance for the fourth quarter and the year, let me first start out by providing you with an overview of key highlights that are driving strong momentum in our business.

In 2013, our total customer count grew to over 6,700 across more than 100 countries. In the fourth quarter, we added many new noteworthy accounts, including Carlsberg, Catholic Health, Cielo, Davis Polk and Wardwell, Gazprom, Hearst Corporation, State of Ohio, Oshkosh, Royal KPN, J Sainsbury, Scott's Miracle-Gro, Stanford University, and Starwood Hotels and Resorts.

While our Vulnerability Management Solution remains the largest component of our business, we continue to make meaningful progress in diversifying our revenue base. We derive 84% of our 2013 revenue from subscriptions to our VM solution, which continues to grow well, compared to 87% of revenues for 2012. This continued diversification of our revenues is principally due to increased sale of our web application scanning and policy compliance solution, both of which continue to show strong growth.

As you know, we are still in the early days of selling additional solutions into our customer base that was, for the most part, been on our Vulnerability Management Solution. In fact, while making very good progress with upselling new solutions into our customer base, with progress from a year ago when only 20% of our customers had both more than one solution from Qualyx, to the point where 30% of our customers have adopted more than one of our solutions.

We continue to see strong demand for our product cloud platform that [rev deployed] for multiple customers and partners worldwide. In Q4, we added successful installations at Royal KPM in the Netherlands, Infosys in India, and a large financial institution in the US. Our private cloud platform leverages virtualization technologies, allowing us to install our entire QualysGuard technology stack on a VCE block within our customers' or partners' data centers, to use a QualysGuard suite of security and compliance solutions, while keeping the data within their premises.

We continue to make significant technological advancements in our cloud platform, and we are very excited to introduce at the upcoming RSA conference later this month, new continuous monitoring solutions for the perimeters, while this groundbreaking technology allows customers to continuously assess the security of their internet -facing systems and applications, and be alerted when a new vulnerability misconfiguration or network anomaly is discovered. We strongly believe this is the new paradigm for vulnerability management, as it empowers customers to take immediate action for mitigating vulnerabilities that can lead to cyber attacks.

While releasing our Web Application Firewall, or WAF, for general availability on Amazon EC2, as well as for on-premise deployments on VMware's virtualization platform. Qualys' cloud WAF is delivered via a cloud platform integrated with our web application scanning solution. These solutions combined allow customers to more rapidly deploy robust security for their web application, while minimizing administrative efforts and costs, thanks to the centralized cloud-based management capabilities of our solution.

We also partnered with [Sands] and the Council on Cyber Security to release a new, free service helping organizations to quickly determine if the PCs in their environment have properly implemented the top four security controls, which the Council on Cyber Security estimates can help companies prevent 85% of cyber attacks. This is the latest in a series of [Firemon] services that Qualys is using in its 2014 marketing campaigns.

We are on track with the new innovation we are making to the Qualys platform, including the cloud agent and the advanced malware detection and protection service, with a goal to release this new offering in beta later this year.

I will also like to take a moment to discuss key strategic alliances and partnerships that we have announced recently, notably the partnership with Dimension, who has announced that they will (inaudible) the previous vulnerability management solution and transition customers to Qualys. Similarly, we signed an agreement with PathDefender, the new operating entity for McAfee Secure Seal, to migrate services for vulnerability management, web application scanning, malware detection and PCI compliance to Qualys.

We expect these new channel partners to help us expand our reach into new markets and upsell Qualys' solutions to their customer base. We also expended our partnership with Accuvant, which announced a managed vulnerability management solution powered by Qualys. We believe that these partnerships exemplify a shift in the consulting industry, while now moving to the cloud and offering security and compliance services on a continuous basis.

Given our strong momentum throughout 2013, we are beginning to realize the benefits of our investments in building a security and compliance cloud platform, upon which we can build in our enhancements and new solutions. And we believe that our cloud platform will continue to play a critical role in enabling Qualys to stay ahead of our competition.

Now for a review of our financial performance and our guidance, I will now turn the call over to Don.

As Philippe said, we finished 2013 with strong momentum, and this will be evident as we review the results and metrics. Revenue grew in the fourth quarter to $29 million, which represented 18% growth over the same quarter last year. Full-year 2013 revenues also grew 18%, to $108 million. For the full year, the US represented 70% of revenues, compared to 68% in 2012.

Drilling down into revenue growth for the full year 2013, total revenues grew by $16.5 million. Revenues from customers existing at or prior to the beginning of the year grew by $8.7 million in 2013, compared to $7.8 million last year on the same basis. Revenues from new customers that were added in 2013 contributed $7.8 million to 2013 revenue growth, compared to $7.4 million in 2012. As you can see from these numbers, Qualys continues to have a balanced approach of growth coming from new, as well as existing customers.

Fourth-quarter bookings, which are revenues for the past four quarters plus the change in the current deferred revenues over the period, were $119 million at December 31, 2013, compared to $101.2 million at December 31, 2012. This increase of $17.8 million represented year-over-year growth of 18%.

As we discussed in last quarter's call, we are opting to move away from reporting of the four quarter bookings metric, as it is less indicative of bookings progress, since 90% of the metric is comprised of the revenues of prior periods. So this will be the last time that we report this metric to you in our quarterly update.

Instead, we find the change in deferred revenues to be a more straightforward indication of bookings progress, and these accounts showed good growth at December 31, 2013. Current deferred revenues are 19.5% greater than one year ago, and total deferred revenue are 17.3% ahead of the comparable figure last year.

GAAP gross profit increased to $22.5 million in the fourth quarter of 2013, compared to $19.7 million in the fourth quarter last year. GAAP gross margin was 78% for the fourth quarter of 2013, compared to 80% in the same quarter last year. Very similarly, non-GAAP gross profit in the fourth quarter increased to $22.6 million, compared to $19.8 million in the same quarter last year. Non-GAAP gross margins were also 78% in the fourth quarter, compared to 80% in the same quarter last year.

For the full year 2013, GAAP gross profit increased to $83.3 million, compared to $73 million in 2012. And the 2013 GAAP gross margin was 77%, compared to 80% in the prior year. Non-GAAP gross profit increased to $83.7 million in 2013, compared to $73.3 million in 2012; and non-GAAP gross margin was 78% in 2013, also compared to 80% in 2012.

As we have discussed previously, these decreases in gross margin percentages are due to the increased [appreciation] resulting from a higher level of capital expenditures to support the growth of our infrastructure, for new solutions and functionality we are developing, as well as the expansions of our data centers in the US and in Europe.

Adjusted EBITDA for the fourth quarter of 2013 increased by 1%, to $4.5 million, compared to $4.4 million in the fourth quarter of 2012. As a percentage of revenues, adjusted EBITDA decreased to 15% in the fourth quarter of 2013, compared with 18% in the same quarter last year. But for the full year 2013, adjusted EBITDA increased to $17.4 million, which was a 26% increase over the $13.8 million achieved in 2012. As a percentage of revenues, adjusted EBITDA increased to 16% in 2013, compared to 15% in 2012, demonstrating another year of solid progress and profitability, even while we continue to make strong investments in our business.

Moving on to earnings per share. For the fourth quarter of 2013, GAAP EPS was $0.0 per diluted share, versus $0.03 per diluted share in the fourth quarter last year; and non-GAAP EPS was $0.05 per diluted share in the fourth quarter of 2013, compared to $0.06 per diluted share in the fourth quarter last year. For the full year 2013, GAAP EPS was $0.05 per diluted share, compared to $0.08 per diluted share in 2012.

One thing to point out here is that the full year share count for 2012 is much lower than 2013, due to the issuance of our IPO shares in October of 2012. So GAAP EPS only appears to be lower than last year. GAAP net income attributable to common shareholders was actually much higher in 2013 than in 2012, as you will see when you review our income statement. Non-GAAP EPS was $0.20 per diluted share in 2013, equal to the $0.20 per diluted share in 2012.

Turning our focus to the balance sheet, we continue to have a strong cash position, with $133 million in cash and investments, and $800,000 remaining of capital lease obligations. In the fourth quarter of 2013, capital expenditures were $3.3 million, compared to $3.1 million in the fourth quarter of 2012.

For 2013, total capital expenditures were $15.7 million, compared to $11.2 million in the prior year. And just to repeat our previously stated intention, we plan to average approximately $3 million per quarter in capital expenditure spending in 2014, as we continue to expand our cloud infrastructure to support more customers and add more solutions and functionality to our platform.

Now turning to our outlook for 2014, starting with revenues. For Q1 of 2014, we expect revenues to be in the range of $29.3 million to $29.8 million. At the midpoint, this represents 19% growth over the first quarter 2013 revenues. For the full year 2014, we expect revenues to be in the range of $128.5 million to $130.5 million. At the midpoint, this represents 20% growth over 2013 revenues.

For earnings per share, we expect GAAP EPS for the first quarter of 2014 to be in the range of negative $0.06 to negative $0.04, and non-GAAP EPS is expected to be in the range of $0.01 to $0.03. Our first-quarter EPS estimates are based on approximately 37 million weighted average diluted shares outstanding.

For the full year, we expect GAAP EPS to be in the range of negative $0.06 to negative $0.02, and non-GAAP EPS to be in the range of $0.22 to $0.26. Our full-year EPS estimates are based on approximately 37.4 million weighted average diluted shares outstanding.

With that, Philippe and I would be happy to answer any of your questions. Operator?

(Operator Instructions)

Phil Winslow, Credit Suisse.

Thanks for taking my question. Just have a question on the cross-sell. Obviously, you guys have seen an increase in cross-sell. But when you look at the go-to-market right now, whether it be your channel partners or direct sales guys, how did you feel they're set up, from an infrastructure standpoint or, call it, the block and tackling to go out and actually sell this broad a portfolio? And then when you look at 2014 and the guidance that you're giving, what's really standing out to you, as far as the incremental above VM that's driving the growth? Thanks.

Thank you, Phil. We continue to see more movement to the channel in our business. In fact, we had done 60% -- 40% channel business in 2012, and we're still hovering right around there. So channel business continues to be very strong here. We're continuing to see really strong performance from both policy compliance and web app scanning.

Policy compliance, more on the enterprise side; web app scanning spread throughout the customer base. And also, we've got hundreds of new customers who have come aboard on Qualys with their first product being web app scanning, so it's become a new landing point, and that's continued nicely in Q4.

We see continued progress. And as Philippe mentioned, with Accuvant, and also you see from the McAfee announcement, when we mention that more and more of these partners are shifting to Qualys. And like with Accuvant, especially, setting up whole services powered by Qualys and bringing that to their customers, using our infrastructure.

And I will add one thing, Phil, is at the same time also what we see is we are starting to do deals which are more sizable than historically, as in fact the customers can come and buy into our suite of solution, which naturally increase the average deal size. So that's a trend that we see continuing very much.

Got it. Thanks, guys.

Matt Hedberg, RBC Capital Markets.

Thanks for taking my questions. I'm curious about the demand environment across the Americas and Europe. And then as a follow-up, a sense of the competitive environment. There have been a few other announcements made from some competitors. I'm curious about your thoughts there.

Which competitor announcement are you referring to?

There's been announcements in some of the other cloud-based web application firewall markets. Purvis has been making some news recently. There's some news in the private company space, as well.

So let me then answer the question in two parts. For the first one, in term of the growth, what we see today is that Europe is, I would say, doing well now. We went through, as you well know, a difficult time in Europe. This is behind us.

The big difference here is that we see the US, the size of the deal in the US is being (inaudible), while doing our bigger deals in the US. So the weight of the US now is becoming bigger. We, of course, anticipate that we will see the same phenomenon in Europe next year, or the year after, as always Europe has this tendency of lagging about a year behind the US.

And as far as the competitive announcement, I think what is very unique with our web application scanning -- so we see, again, VM essentially continue growing very strongly. We are becoming more and more -- the market, in fact, at the very high end of the market base, we have 60%-plus of the market. So we're becoming the market in VM.

And as far as the policy compliance and the web application scanning specifically, we continue seeing very strong growth. And if you look at the web application, what differentiates us today on the web application firewall side is the fact that we can bring, -- we can scale, with web application scanning, meaning that we can identify and scan essentially all the web applications that a corporation has, as we mentioned earlier on the previous call, that very large companies scanning 5,000, 6,000 web applications on a weekly basis.

And now, where our web application firewall, which is about to go GA, differentiates from these other, more traditional solutions is the fact that we can ,at scale, firewall all these [vulnerabilities], and it's actually providing automated mitigation, which very few (inaudible) have been testing or engineered very much to ensure that we minimize the number of [perimeters] which is really the enemy of security. And therefore, because we can scan all of these applications at the scale, that nobody else can today in the marketplace, I think our web application firewall is very well positioned. And since we are going to bring that to [you] we're going to see the adoption and so forth in the month to come.

That's great. And then maybe one for Don, curious how many sales reps you ended up adding in the quarter? I think you were targeting maybe about 125. And maybe how should we think about that for 2014?

We came close. We finished at about 123, Matt. And we're looking to increase that by 25 to 30 during this year.

Great. Thanks, guys.

Sterling Auty, JPMorgan.

Hello, guys. It's [Sackett] here for Sterling. Don, how should we think about some of the new products you've spoken about contributing in 2014, to 2014 revenue, and which of them do you think could make the biggest contribution qualitatively?

We have two products that will be released later this month at RSA, continuous perimeter monitoring and web application firewall. They both have terrific potential. It's really hard to project these things. It's not like I know the answer and I'm not telling you. There's really no way to gauge exactly what the pace of progress will be.

We're real optimistic. We think we have the right products for the customers in a very good deployment. But there's really no way for me to give you a real insight as to what we think the take up rate will be on those products.

And let me add, on the continuous monitoring, I think this is really groundbreaking and a change on the VM side. In order for you, you must now today look at continuously at your perimeter, because that's what the hackers are doing. We are already a very strong presence with our customers, providing them with the ability to continuously monitor their perimeter which, by the way, the perimeter is not anymore your corporate servers, et cetera. It's everything which is internet-facing, everything in your corporation which touches the internet, whether it's your browsers, whether it's your application you have on Amazon, whether it's, of course, all of your corporate servers.

But it's also all your web applications which are touching the internet. So Qualys being essential today the only company which has a cloud infrastructure to address that. I think that puts us in a very strong position with an already large customer base.

And in addition, we bring out the new metaphor which allows us to essentially immediately alert the security people and the operations people, like for example, if an FTP server, which supposedly is not allowed, has suddenly appeared on your perimeter, which is an indication that something is really wrong, somebody may be trying to exfiltrate data, or just an operator mistake that suddenly that FTP server suddenly became visible.

So that, I think, is a very big game changer that builds on the Qualys strength that we already have. And of course, as I mentioned earlier, when I look at the web application firewall, that web application firewall builds on the strength of our web application scanning.

Stockton, one other thought on continuous program monitoring. Qualys is, according to IDC, the number one vendor in device vulnerability, with about a 14.9% market share, which means that there is 85.1% market share that we have not yet enjoyed. And continuous program monitoring could be an exciting new landing point for companies who are really trying to -- struggling with all these checks on their perimeter, with a much easier to deploy solution to specifically address that problem, even if they hadn't previously signed up for the entire corporate vulnerability management program.

That's really helpful. Just for my follow-up, if I can, as continuous monitoring and WAF ramp up, do you see them changing your core gross margin profile? Or are they roughly similar to the vulnerability management business?

Exactly the same, from our point of view. Remember, we are software as a service, no installed software, we don't sell hardware. So it's really, from a business model point of view, it's more of the same.

Very helpful. Thanks.

Rob Owens, Pacific Crest Securities.

Great, and thanks for taking my question. I wanted to focus a little bit on new customer acquisition. If I look at your customer counts in 2013 versus 2012, and then 2012 versus 2011, it seems like you added more customers in 2012 than you did in 2013. So I want to know, where's the focus, is that metric correct, and what's going on on that front to drive new customer acquisition?

Rob, I think it was pretty close. I'm not sure which numbers you're looking at, but we finished up over 6,700, and we were over 6,000 to start the year. And I think that was within 50 or 75 of the prior year. We didn't see a big difference in this year versus any other year. Not a meaningful change one way or the other.

And then second, from a VM perspective, you mentioned your mid-teens market share. How can you accelerate that? And if we look at the growth of the VM business and that into 2014, would you expect it to stay about the same? Is there a chance of increasing or will it decrease, given the size of the numbers?

Our VM market share, of the vulnerability marketplace, is that what you're saying? It should definitely increase. We've been increasing historically, because every competitor of ours is selling on prem enterprise software, and there's a lot of it to replace. You see trends here with -- we mentioned McAfee Secure Seal, these guys are migrating now to Qualys, using Qualys.

But also, this continuous perimeter monitoring, we think could be, in one respect, the first rejuvenation of vulnerability management in 10 years, with a very topical, easy to deploy product that really only Qualys can sell, because you need a cloud platform to effectively, as Philippe was saying, to scan everything that touches your perimeter effectively, having this cloud platform is really the way to go. So we think that could -- we haven't seen a stimulating new product in vulnerability management in a long time.

And also to add to what Don was saying is that you see also that with Accuvant, is that the traditional channels in security, considering an organization such as Accuvant, start to realize that really bringing a more automated managed security solution is really what they need to do, instead of reselling, if you prefer, enterprise software solutions. So you see, I am anticipating that we will see more and more of these traditional channels realizing that they are much better off, from a business quality standpoint, to try to present these kind of cloud-based vulnerability management services, and therefore helping us to replace faster these existing enterprise software solutions.

Great. Thanks, guys.

Steve Ashley, Robert W. Baird.

Thank you very much. I'd like to start with a housekeeping question. Don, you mentioned on the call that percentage of revenue from the Americas was 70% for the full year. Do you know what that metric was in the fourth quarter?

No, I don't, Steve.

Okay. And my next question had to do with the web application firewall. When you launched the web application scanning several years ago, it took a while to iterate it, to harden it, and to get it really where it is today, where it is not throwing off false positives. It took a while to iterate in the public market before it really saw traction. If we look could look at web application firewall, is that -- is your expectation that that will mature and be ready, hardened, at a faster pace then web application scanning might have been?

Good question. So in fact, two things. If you recall, I mentioned, I think, in one of these earning calls that we learned our lesson, so we are not rushing to put products into GA until we have had enough to prove to ourselves that we had reached maturity from a technology standpoint. So this is what we have done with the WAF.

The second thing, one of the biggest challenges that we had with web application scanning is the scale at which we wanted to build a solution, like scanning tens of thousands of applications with very little false positive is not something that you do overnight. On web application, the problem is different. We have much less of that scale issue, because we already have the platform.

And here, what happens is that as long as we identify the vulnerabilities, then we can essentially create the signatures essentially to block, to virtually patch, if you prefer, these vulnerabilities, so we have much less of a scalability challenge here that we had with the web applications. And again, and we are here building from an existing customer base which have already adopted web application scanning. So it's very natural to go to the next step. When in the past, the web application scanning was some kind of a new modality that we're bringing on customers which really like our VM solution, but they were using all of the other tools for the web application scanning.

Great. That was really helpful. And then lastly, you added to your management team with Ann Johnson, and that looks like a really nice hire. I wonder if you could remind us a little bit of her background, and who her direct reports will be and what her responsibilities might be within your organization? Thank you.

So Ann came from RSA, where she was running a $300 million business, their Ford business. And currently today, we're are focusing Ann onto essentially the worldwide field sales operation, including our SMB business, as well as the customer support operation.

And that's where the focus is. And as we have done that, then we're also expanding our management in marketing. As you will see, we'll make soon some announcements. So increasing the breadth of the management of Qualys is what we're doing, as well, at the same time.

Great. Thank you.

Erik Suppiger, JMP Securities.

Good afternoon. Can you confirm, was the web app scanning and the policy compliance, do they continue to grow at a 50% or more rate year-on-year?

Yes, they did.

Okay. How many private cloud deployments do you have at this point? Can you tell us?

I think we have about 14 private clouds.

I was going guess 15.

It's starting to pick up more. As you may recall, in the early days, with our [contribution], which was not virtualized, we were very careful, because that was a much more [idealistic] thing to do. But now today, the fact that we are totally virtualized, fully integrated to the VCE block, it's becoming significantly easier, while doing, by the way, much -- even more effort to package them, to make them almost like we create images and it's done.

So it's a very good -- it's not technically an accessory for customers. But what it serves is the purpose of you can keep your data on premise and essentially under credentials. And it allows us to penetrate markets like where it's very more difficult to penetrate them before.

And Erik, the pace of our pipeline on these things is increasing, as more and more interest in large customers and partners keeping data on prem. And they see this as a very good solution.

Especially abroad, and also within large corporations in the US, which really then, in that case, they have the advantage of having everything dedicated for them. In fact, as you may have read, facebook.com has now essentially adopted that model, because they offer a kind of on-site version, dedicated version of their platform.

So customers who want that could be hosted by facebook.com, and the key here is the same code base. This is not another version of our data center. It is exactly the clone of our data centers that it can deliver to your premise. So you have all the functionality, everything's the same. And they're better choices than with only one cloud base to maintain.

Okay. How many -- if you have 14 at the end of the quarter, how many did you have at the beginning of the quarter, do you know?

We added three. We added three in the quarter.

In light of the various cyber attacks that we saw in the holiday season at the end of 2013, did that generate some incremental demand for you, are customers looking at you as a way of protecting against APTs at all, or how did you look at some of those attacks?

So it's a very good question. So two things. First of all, what it does it that is has increased significant interest in the continuous monitoring of the perimeter, because that's the only way. The first order of priority is to prevent the bad guy to come in. The continuous perimeter monitoring, with all the new functionalities that we have, et cetera, makes that solution ideal for that.

The second question is, once they are in, how do you do to detect them again? And that's where you see the FireEye essentially answering the question. We would not be compromising and we do not know about it.

So this is still a very new market, and in fact, as we disclosed earlier, we are building the solution around our platform to essentially provide the malware protection and detection, so you can look at these indications of compromise, et cetera. So we are building that platform and we are expecting to release that solution sometime this year to the market. And then we'll address the second question of the APTs.

But first, if you don't protect your perimeter, if you don't do the identifying your vulnerabilities and doing something about it, you're going to be penetrated. And what is happening today is that detecting the bad guys once they are in is very difficult. And today, all these solutions that does exist creates a lot of false positive. You need to put a lot of consultant, forensic people.

It's not easy, because they have become very stealth and very sophisticated at evading detection techniques. And you cannot really look at your entire network today. It's not really practical. So our goal is to essentially provide a solution that, like everything that Qualys does, stays as low false positive and is a real platform that consulting organizations can really leverage.

Okay. And then, in terms of your outlook, you gave a revenue outlook. Might we presume that your bookings outlook would track at least correspond with that? Or is there any reason why your bookings growth would be consistent with your revenue growth?

No, there isn't. But we don't forecast that, Erik.

Of course. Okay. And last question, can you talk a little bit about what kind of changes Ann Johnson is making or plans to make?

I think this is again, there's nothing really to change at Qualys on a monthly, at the same time, except that accelerating our growth, I think, we have done a significant market penetration. And so what needs to be done is do more of the same. These new products are going to make that easier, so it's about strengthening our sales force with a fantastic customer support. So I think it's essentially bringing more firing power into the [safehold], that's essentially why we hired her.

Very good. Thank you.

Michael Kim, Imperial Capital.

Hello. Good afternoon, guys. So just following up on the expansion in private cloud, can you talk about if the continuous monitoring solution for perimeter is applicable to federal cyber security opportunities, especially now that we have a budget deal in place, and how you might see opportunity to capture that, especially with some large programs for continuous diagnostics and mitigation with the federal civilian agencies? Thanks.

I think that's absolutely fits very well the capacity. We have had resistance, as you know, in the federal space, which were very slow at adopting the cloud, even though you may have, at some very high level, comments about it. But because of the procurement process, because of a lot of things, they have been very slow.

Today if you look at your perimeter, if you are an agency, there is no other way than doing it from the internet. So we are eliminating, essentially, that barrier. And continuous monitoring is exactly what we built to order. So I think that puts us in a very strong position, already have very good [customers] in the federal space, with the Securities and Exchange Commission, the OTC and a few others.

And of course, having now private cloud that we could essentially make more government, if you prefer, ready, that also would increase our footprint. So we just hired somebody to run our federal team, which came from Accenture and DHS. And so we're finally already prepared for a much stronger position in the federal market.

Great. Thanks. And then Don, one for you. With the strengthening in the channel mix, or mix from the channel, how do you see your relationship with Lumention or PathDefender and Accuvant starting to -- or potentially changing the economics of the model, either in pricing or go-to-market?

I think it represents a potential shift of lots of their customers now on the Qualys platform, over time. And as far as shifting -- fundamental shifts in the market or pricing, I don't see that yet. But these are all good steps that show the power of what we're providing, and in some respects, the futility of these other companies trying to continue to provide it on the old model.

Great. Thank you very much.

Sanjit Singh, Wedbush Securities.

I had a quick question on McAfee, if there was -- how much of a competitor were they in the quarter in the vulnerability management space, whether it's in terms of market share, did they show a lot in competitive bake-off?

There is two things, let's separate. So McAfee has had two offerings on the vulnerability management space. One which was from the Foundstone acquisition, which was essentially the enterprise product which we have been competing since the very early days, I would say, extremely successfully. We took most of their large accounts now. We're continuing displacing them.

We don't see them as much as a competitor anymore, because their application is aged and an enterprise software. This is the salesforce.com versus [cbit] system here. And then, that other business, which was called the McAfee Secure Seal, where they acquired another company -- and I forgot the name of that company -- which essentially was targeting to the low end of the marketplace and merchant, essentially, providing that secure seal. And that's the business that McAfee essentially has spinned off.

And now instead of relying on their vulnerability management back-end that they had created, they are now relying on Qualys. And already the switch from their users has already taken place. That essentially brings us into a marketplace where Qualys was not really there before, which was about, they have about 300,000 merchants which are getting the seal, which as we start to replace them, it give us, of course, a unique opportunity to upsell them additional services, continuous monitoring of the perimeter being the very obvious one. And of course, this is much more on the small merchant, SME, SMB side.

Thank you so much for the explanation. With quick regards onto your investment plans for 2014, if you look at the guidance, the earning per share is a little bit below what the Street had been modeling. Can you talk to us about what areas you're investing in, how much incremental investment we should think about versus 2013?

Sanjit, as I mentioned in the headcount numbers, we're stepping up our investment again in sales personnel. We added about 13 last year. We expect to add at least double that this year, at least 25 to 30. So I would say that's number one.

We are also, as we introduce new products, we are entering some new markets, so we have some increased marketing programs focused on things like web app firewall and eventually advanced map malware, and certainly the continuous program monitoring, some new marketing programs going on there. And a continued focus on R&D. We've got numerous R&D teams focused on a whole host of new products and functionalities, including the ones that we've discussed with you that are coming up this year, but also ones that we're working on for the future.

So we're still in heavy investment mode here. We've got so many opportunities, both in developing new products and in bringing them to the marketplace. So this is a heavy year of investment for us.

I appreciate the insight. Thank you.

Fred Ziegel, Topeka Capital Markets.

Good afternoon, guys. I'm curious, when you talk to customers, is it a sense, in terms of their IT budgets, that particularly vulnerability management, is that a line item or is it still something that you have to fight the battle, in terms of their discretionary dollars? And has that changed over the last year?

I think vulnerability management, there was always that tension between patching and vulnerability management, where you have the patch management systems, and then you don't need to have vulnerability management, because we do the patching. And as long as you do the patching, that's enough. Of course, they were fighting for the dollars.

Now today, because of this scale issue that corporations have realized now that they need to know the [inventory] of what they have. They need to understand much more. So now, vulnerability management, in a way, is starting to become a must, a very important part of the first thing you need to do. And we personally believe that with the fact that we're now changing vulnerability management from I scan, I analyze, I report, to a much more dynamic solution, which is essentially, you tell me what should be in that, what is a good environment, and then we will continuously monitor that environment and we'll alert you when there's a change.

I think that's a much more effective, much more action-oriented metaphor. And as we start with the perimeter first, but when we start to move that same paradigm on the enterprise, the reason why we selected the perimeter first is because you have much less data.

And again, as I mentioned earlier, the perimeter is also the number one priority, because that's where you are constantly attacked. So you want to see the network in your perimeter, the way the hackers look at it. So that's what I think is going to rejuvenate vulnerability management in making a much more palatable application, because then you can alert and roll that into your SIM, and then you can essentially industrialize, if you prefer, or operationalize vulnerability management.

Do you have any sense of whether there are any industry initiatives, I guess like PCI, that might be coming down the road to drive demand that perhaps isn't there today?

There is one which is coming really very strong, as we see it. You may have seen some of that article in The New York Times. But if you look at what happened with Target, everybody knows now that what has happened that is an HVAC or HVAC system was in fact compromised by people essentially getting the credential onto that system and then from there, because that system was connected to the corporate network, they could go from there into the corporate network.

So we see again all these issues of -- you are now to look at all of your point of entries. And it's going to become absolutely important for companies to realize and to make sure not only identify if they're current HVAC system is connected to their corporate network, which they should be extremely careful about how the connection is, if needed. But then also, monitor that continuously. Because again, you don't know.

So that's another dimension which is taking place, which forces you to look at the hygiene of your network. Is it properly configured? Is everything the way it should be? And do that on a continuous basis. So we personally believe that vulnerability management is going to become some of the thing that you absolutely want to do, because if you don't do that, you expose yourself and know you can put as many firewalls as you like and right and left. If your network is not properly configured, if you are going to do something on that network, the bad guys will find a way to come in.

And don't forget the corporate refrigerator.

Absolutely. And with the internet of things, where everything becomes now connected to the internet, there's going to be even more entry points. So all of that has to be monitored continuously. And of course, in order to do that, you need to have an architecture that scales. And enterprise software cannot just scale to that problem.

And that's what you want to have the cloud, a cloud-based architecture. And then of course, the advantage of the cloud-based architecture is that you can put your self-sensors to monitor, like today we secure our home. If you look at today the controls that we have on our homes, about the temperature, what's coming, the pictures, all of that goes onto your iPhone, then we need to do the same thing for our network.

And that was with the vision of Qualys. And I think what's going to really, as people start to understand that the need to embrace cloud solution, because if not, they will never have the visibility. And enterprise software doesn't give you that visibility, period. I think are very well positioned.

So in the internet of things, do you envision partnerships with the silicon guys, like ARM or Intel or Broadcom, or that group?

Yes. That absolutely. Our priority today is to -- absolutely. But our priority is today much more to try to partner with people who [chav] the devices so we could create fingerprints, so we can identify them, like identifying all of your HVAC systems that you may have connected to your network. So for that, we need fingerprints, so you have medical devices, all these things which connect.

So this is where, again, we're building from our strength today. And then effectively, as you very well say, there is more partnership opportunities, because what Qualys does, in addition to being capable of deploying sensors or looking at the signatures of sensors, what we can also do with that cloud platform where we can correlate all that information, and therefore make much more intelligent decision.

And this is exactly what we re starting to work with our cloud agent, where we now build the agents were we can have hundreds of millions of agents in the world, not millions, hundreds of millions, that beam up all the data relevant to the endpoints. And then it's the cloud which does all the computation, all the analysis, to try to identify it if there are suspicious devices here that we need to pay attention to.

Thanks.

Robert [Riza], Sterne Agee Capital Markets.

Thanks for taking my questions. Philippe, I was wondering if you could talk about -- you talked briefly about some of the management changes here. Do you feel like you have your team built out here, and if so, or if not, I guess, more importantly, where else do you think you need to make additions? Thanks.

We, of course, as a company -- the Company, in fact, is growing much more than you may see from the revenues, because remember, we are a pure [service] company. So in fact, we are much bigger than we appear, if you just look at the revenue. So of course, you know, we need to expand our management in quite a few directions. And this is what we are doing.

So we are, for example, now we are going to dedicate some resources on the corporate development. So that is an area where we need to absolutely add some headcounts. So there's a few places here where we expand the management to essentially have a broader reach, corporate development being one of them. So that's what we are doing, essentially.

Great. Thank you.

Erik Suppiger, JMP Securities.

Don, did you say what the contribution from the new services were in the fourth quarter?

No, we talk about it on a year-to-date revenue basis.

You're not going to break it out on a quarterly, is that right?

Correct. The trend has been moving about 300 basis points a year for two straight years. So that's been a pretty steady pace.

Okay. And then secondly, in terms of the guidance for the first quarter, it looks like the operating margin is coming down some. Is that a function of gross margin or of OpEx increasing?

It's a function of OpEx. It's more sale -- hiring in sales, some more marketing programs and stepping up some R&D. It's all OpEx stuff.

Okay. Very good. Thank you.

Thank you. And I'm not showing any further questions at this time. I would now like to turn the call back to Philippe for any further remarks.

Okay. So thank you all for joining us today. We are pleased with our strong performance and continued momentum in the marketplace as we begin 2014. We believe that we are well positioned to deliver best-of-class computing compliance solutions to our customers and partners, as we continue to expand our cloud platform and deliver more innovative solutions. If you have any follow-up questions, Don and I are available to you. And we look forward to speaking with you next quarter. Thank you very much.

Ladies and gentlemen, thank you for participating in today's conference. This does conclude today's program. You may all disconnect. Everyone have a great day.