Qualys Inc (QLYS) 2016 Q2 法說會逐字稿

Good day, everyone, and welcome to the Qualys second-quarter 2016 investors conference call. This call is being recorded.

(Operator Instructions)

I would now like to turn the call over to Melissa Fisher, Chief Financial Officer. Please go ahead, ma'am.

Thank you, Catherine. I would like to welcome everyone and take the opportunity to introduce Joo Mi Kim, our new Vice President of FP&A and IR. Joo Mi was previously an investment banker and then worked at software companies in the Valley, including Anaplan. We're delighted to have her.

Thank you, Melissa.

We would like to remind you that during this call, we expect to make forward-looking statements within the meaning of the Federal securities laws. Forward-looking statements generally relate to future events or future financial or operating performance. Forward-looking statements in this presentation include, but are not limited to, the following:

Statements related to our business, financial performance, expectations for future periods, including the rate of growth of our business; our expectations regarding capital expenditure, including investments in our cloud infrastructure and the intended uses and benefits of those expenditures; trends related to the diversification of our revenue base; our ability to sell additional solutions to our customer base, and the strength of demand for those solutions; our plans regarding the development of our technology and its expected timing; our expectations regarding the capabilities of our platforms and solutions; the anticipated needs of our customer; our strategy, the scalability of our strategy, our ability to execute our strategy, and our expectations regarding our market position; the expansion of our platform and our delivery of new solutions; the expansion of our partnerships and the related benefits of those partnerships; our ability to effectively manage our costs; our expectations for currency exchange rates; our plans to pursue arrangements with MSSP, which are multi-year contracts at fixed prices; and finally, our expectations for the number of weighted average diluted shares outstanding and effective GAAP and non-GAAP income tax rate for the third quarter and full year 2016.

Our expectations and beliefs regarding these matters may not materialize and actual results in future periods are subject to risks and uncertainties that could cause actual results to differ materially from those projected.

These risks include those set forth in the press release that we issued earlier today, as well as those more fully described in our filings with the Securities and Exchange Commission, including our latest Form 10-Q and 10-K. The forward-looking statements in this presentation are based on information available to us as of today and we disclaim any obligation to update any forward-looking statements except as required by law.

We also remind you that this call will include a discussion of GAAP and non-GAAP financial measures. The non-GAAP financial measures are not intended to be considered in isolation or as a substitute for results prepared in accordance with GAAP. A discussion of why we discus non-GAAP financial measures and a reconciliation of the non-GAAP financial measures discussed in this call to the most directly comparable GAAP financial measures are included our earnings press release issued earlier today.

Joining me for today's call are Philippe Courtot, our Chairman, President and CEO; and Melissa Fisher, our CFO. Philippe?

Thank you, Joo Mi. Welcome to all of you. We are pleased to have delivered another excellent quarter.

At $48.5 million, our revenue was up 21.5% year over year. This was above our guidance of $47.6 million to $48.3 million. As we are expanding our footprint with current customers as well as landing new customers, this is driving our confidence to raise our outlook for the year.

Specifically, we are raising the bottom of our revenue guidance so that our new revenue range is now $197.1 million to $198.6 million. Similarly, we are moving up the bottom of our GAAP and non-GAAP EPS range.

Our current platform now consolidates 10 enterprise strength security solutions, giving customers unprecedented visibility and intelligence about all of their global IT assets, whether they reside on premise, in the cloud, or at end points and also drastically reducing their total cost of ownership this year. We're seeing tremendous adoption of our disruptive Cloud Agents and during the second quarter we achieved a remarkable milestone as we are now deployed over 1 million agents in our customers' environments, exceeding even our own very high expectations.

Our second-quarter results continued to show that we can, in fact, drive both strong revenue growth and top-tier profits. This is a function of our ability to deliver a steady stream of new offerings that we can sell very efficiently into our installed base, leveraging the cloud platform we have built over time.

We are seeing increased uptake of our new solution, both on initial contracts and in upsell scenarios. This is underscored by the fact that the percentage of our enterprise customers who have three or more of our offerings has doubled versus three years ago, from 11% in Q2 2013 to 21% this quarter. Not surprisingly, this drives larger contract size as upsells can be several multiples larger than the core VM engagements.

The average size booked in the quarter increased by 18% from a year ago. We are now tentatively in the right place at the right time and to capture the opportunity we have been reinforcing our sales organization. We have both grown our enterprise sales force and strengthened sales management by promoting from within and attracting great new talent as well.

At the end of Q2 2016, we had 18 regional sales leaders covering more than 100 countries and the sales management team has, on average five years of tenure with Qualys. We operate in fact in a healthy demand environment and believe that we are prime beneficiary of the trend -- the undisputable trend I should add, to cloud computing. We feel confident that this will help us sustain and even improve our growth rates in the coming years.

There is an increasing need among customers to leverage cloud-based security solution as they are now accelerating the migration of their IT infrastructure to cloud solutions. Furthermore, the reality is that in order for companies to prevent breaches rather than react after the fact, they must leverage an enormous amount of data. There is simply no way to do these cost effectively with on-premise enterprise software.

These views are shaped not just by the data itself but also by the significant amount of time I personally spend with clients. For example, I recently met with the CIO of a major European financial institution and a Qualys customer. He echoed that Vulnerability Management is increasing in importance for his company.

The regulations they must abide, I recall that they have visibility of all IT assets, not just the perimeter, and that they be able to demonstrate this. On-premise enterprise software solution becomes cost prohibitive at [this case]. In addition, he sees no choice but to move to cloud-based IT models to improve the agility and reduce the cost of his IT infrastructure. In fact, he shared that his goal is to have 80% of his IT infrastructure in the cloud three years from now.

Additionally, as all companies must do more with less, they are looking to consolidate bandwidths and we are gratified to hear from many of our customers that they would like to do more with us. As a result, we are pleased to be chosen for an increasing number of consolidation arrangements, both with customers and with partners. Validations are powerful and position us as a disruptive force in the security and compliance industry.

Being a strategic vendor to our customers is a function of the current capabilities of our solution as well as their confidence that they will continue to innovate and expand our features and abilities. We have released several exciting innovations in the second quarter, mainly Qualys ThreatPROTECT, that became generally available in the quarter. As many of you already know, the [PROTECT] customer prioritized vulnerabilities based on a number of key threat indicators.

At the Gartner Summit we announced a groundbreaking new form factor to extend our private cloud security and compliance to medium-sized companies, delivering our entire cloud platform in the 1U format, totally remotely managed and [circulating]. This now allows us to address those companies who need to retain data on premise or within local geographies but do not have a big enough IT infrastructure to adopt our larger private cloud platform and who have now 30 private cloud platforms deployed over the planet. This new private cloud appliance, as we call it, supports both scanners and Cloud Agents and includes a comprehensive integrated suite of Qualys apps for automating [discovery] security assessment and compliance management.

Our Security Assessment Questionnaire 2.0 was also released in the second quarter. This is a cloud-based solution that orchestrates IT audits with automated validation, dramatically simplify third-party and vendor risk assessment. We achieved the first letter of FedRAMP certification in the quarter and expect to have the full FedRAMP certification this current quarter. This offers federal agencies a path to quickly adopt Qualys, our Qualys cloud platform, for continuous security and compliance to provide them with a continuous view of their security and compliance postures.

Subsequent to the end of the second quarter, we announced the expansion of the Qualys cloud-based security compliance platform to support Microsoft Azure with a new Azure-certified virtual scanner appliance. This enables an organization to assess the security and compliance posture of their Azure environment for the Qualys concept.

Each of these new offerings brings key solutions to markets who had previously not served extensively or at all. Let me finally emphasize that we're not only taking share from our legacy competitors but we are also entering new markets, enabling our customers to consolidate their spending with us and delivering better performance with the function of our solution being integrated and accessible to a single platform. Thank you.

Thanks, Philippe, and good afternoon.

Our strong second-quarter performance reflects the recognition by our customers of the operational and financial value of our cloud-based security platform, which provides a holistic view of our customers' assets and their vulnerabilities. Total revenues in the second quarter were $48.5 million, which represents 21.5% growth over the second quarter of 2015.

As we discussed last quarter, we signed an attractive new arrangement with one of our MSSPs which resulted in additional revenue being recognized in 2016 for the same customers. In the second quarter, this represented a little over $1 million of revenues, slightly higher than in Q1. In contrast, FX again muted second-quarter revenue. Excluding the impact of the MSSP and FX, our year-over-year revenue growth rate was still a robust 20.4%.

The US represented 71% of Q2 revenues, or the same as the year-ago period. Some of our international clients pay us in US dollars, so our revenue exposure to foreign currencies was only around 17% of total Q2 revenues.

Our revenue plus the change in our current deferred revenue balance grew 29%, year over year.

I highlight this because I recognize that it is a metric investors track as a proxy for current booking. However, I would like to point out that this calculation will not always mirror our current bookings, due to the timing of the actual invoicing as well as impacts of items like FX. This quarter, it does reflect our strong performance.

However, please note that it was positively impacted by the large slipped renewals from Q1 that we mentioned in our last call, as well as being negatively impacted by the MSSP contract and FX. Said another way, when I compare our historical quarterly bookings for growth rate to the historical year-over-year growth of revenue plus the change in current deferred revenue, they are not always in line.

Our current deferred revenue balance was $104 million as of June 30, 2016, 19% greater than our balance at June 30, 2015.

As we have discussed, the change in MSSP contract reduces our current deferred revenue balance account, because it is billed on a quarterly basis. Excluding the impact from the MSSP contract as well as FX, our current deferred revenue balance would have grown 21% year over year.

Last quarter, we discussed that our existing disclosure metrics may not be the best reflection of the positive trends in our business.

We have evolved from a single-product company to a multi-product platform business with 10 solutions that have varying pricing, growth rates and release dates. We're adding new capabilities, extending the breadth of our solutions and we have enhanced our core VM offerings through new solutions as well. Through the end of 2016, we will maintain the current disclosures, we expect to rollout new metrics at our upcoming Analyst Day on November 17 that more properly reflect how our business is trending.

On the existing basis, our Vulnerability Management solutions remain strong, thus continuing to represent 79% of second-quarter revenues, in line with results in the second quarter of 2015. Our last 12-month bookings growth rate for policy compliance and web application scanning was 26% year over year. Note that this figure does not include newer solutions like our Cloud Agent used for vulnerability management, our PCP and ThreatPROTECT.

At the initial steps toward the new metric, we've shared with you the percentage of our enterprise customers who have purchased three or more Qualys products. While we sell our platform cost-effectively to both small customers of 50 employees as well as to large enterprises, we expect to see additional solution uptake more pronounced in our enterprise customer base.

Our prior disclosure was the percentage of total customers with two or more total products including PCI and this figure was 63% in Q2, up from 60% a year ago. Incidentally, we are adding an updated investor deck to our investor relations website today to increase the clarity of our message.

Before moving to profit and loss items, I would like to point out that unless otherwise specified, all of the expense and profitability metrics I will be discussing on this call are non-GAAP results. Our non-GAAP metric excludes stock-based compensation and nonrecurring items. A full reconciliation of all GAAP to non-GAAP measures is provided in the financial tables of the press release issued earlier today, and is available on the investors section of our website.

Gross profit increased 21% year over year to $38.8 million in the second quarter of 2016. Gross margin was 80% equal with second quarter last year. Our strong margins are a testament to the scalable operational model of Qualys and are higher than other comparable security and SaaS companies.

Our platform enables us to easily launch new mission critical capabilities that will plug and play with other Qualys offerings and are therefore highly cost-effective to sell. In fact, our 2015 revenue per sales and marketing head is over $1 million as compared to a median of approximately $540,000 for comparable security and SaaS companies. One driver that our cloud-based platform enables a try and buy at generating sales at a lower cost than on-premise software companies.

Furthermore, we are continuing to leverage low-cost yields with a percentage of our customer support operations and R&D headcount in India having increased to 36% in 2015 from 15% in 2013. By having a strong operation there, we can innovate 24 by 7, which accelerates our ability to develop solutions for our customers. We are taking advantage of our highly profitable model to invest for growth as we see multiple levers to drive additional revenues.

Operating expenses increased by 21% year over year to $27 million, in line with our stated goal to increase our investment in terms of headcount, systems and other services to scale the business. In fact, we added 92 people in the first half of 2016, compared to 53 people in the first half of 2015.

Research and development expense increased to $7.7 million, or 26% year over year, primarily due to higher headcount. While we're adding personnel there, it is important to note that we have a highly efficient R&D organization, with an average annualized personnel expense per employee of approximately $110,000 as of Q2.

Our R&D organization has delivered many new products over the last 12 months, including the Cloud Agent platform, ThreatPROTECT, the Security Assessment Questionnaire 2.0 and the 1U PCP appliance as well as new feature functionality such as ElasticSearch and AssetView integration with ServiceNow.

Sales and marketing expense increased to $13.1 million, 11% year over year, primarily due to higher sales headcount as well as costs related to our salesforce.com implementation, offset by somewhat lower expense in marketing. As Philippe mentioned, we have been growing our enterprise sales force and are proud of our high productivity.

G&A increased to $6.3 million, 41% year over year, largely due to higher headcount and legal, accounting, and consulting fees related to our increased scale worldwide. Due to our strong revenue growth, adjusted EBITDA for the second quarter of 2016 increased by 20% to $15.7 million, compared to $13.1 million in the second quarter of 2015.

Again, the MSSP contract change had a positive effect since revenues were higher, but excluding this impact, adjusted EBITDA would still have increased over the second quarter of 2015. Adjusted EBITDA margin in the second quarter of 2016 was 32%, as compared to 33% in the second quarter of 2015.

Moving on now to earnings per share, for the second quarter of 2016, GAAP EPS was $0.09 per diluted share same as the second quarter of 2015. Non-GAAP EPS was $0.20 per diluted share in the second quarter of 2016, up from $0.16 in the second quarter of 2015. Our Q2 non-GAAP expenses, net income and EPS exclude a one-time tax related expense. I would note that nonrecurring items included in non-GAAP expenses, net income and EPS over the last couple of years have been immaterial.

Net cash from operations in the second quarter of 2016 increased by 12% to $17.3 million, compared to $15.5 million in the same period in 2015. Free cash flow generated in the second quarter of 2016 was $12.7 million, compared to $11.3 million in the comparable period of 2015. In the second quarter of 2016, capital expenditures were $4.8 million, compared to $4.3 million in the second quarter of 2015.

In addition to this, we've front loaded approximately $7 million of CapEx that is scheduled to be paid later in the year. Of the $7 million, $5 million was related to the early renewal of a license arrangement as we were able to lock in an attractive rate on database software for the next several years. This was CapEx that otherwise would have been spent in 2017 and does not represent a change in our business model.

In the third quarter of 2016, we expect capital expenditures to be in the range of $5.5 million to $6.5 million, excluding the previously mentioned $7 million incurred in Q2. We expect to spend only $3.5 million to $4.5 million in capital expenditures for Q4, offsetting the increased Q2 and Q3 spend. So excluding the early license renewal, we are projecting capital expenditures of $20 million to $22 million in total for 2016.

Now turning to our guidance. Starting with revenues for the third quarter of 2016, we expect revenues to be in the range of $50.3 million to $51 million. For the full year 2016, we are raising the bottom end of our guidance for revenues, bringing our current guidance to a range of $197.1 million to $198.6 million.

As to earnings-per-share guidance, we expect GAAP EPS for the third quarter of 2016 to be in the range of $0.08 to $0.10 per diluted share, while non-GAAP EPS is expected to be in the range of $0.17 to $0.19 per diluted share. For the full year 2016, we are raising the bottom end of our guidance for both GAAP and non-GAAP EPS. Our current guidance for GAAP EPS is now $0.37 to $0.41 and for non-GAAP EPS, $0.75 to $0.79.

We expect our operating expenses to sequentially increase in Q3 and Q4. We are continuing to invest in our business as we scale for the rollout of additional solutions to our platform because we have a highly profitable operational model. Our third-quarter EPS estimates are based on approximately 38.8 million of weighted average diluted shares outstanding. Our full year 2016 EPS estimates are based on approximately 38.9 million shares outstanding.

For the third quarter and full year 2016, we have used an expected effective GAAP tax rate of 38% and an expected effective non-GAAP tax rate of 36%.

I'm thrilled to be at Qualys. I am now almost 100 days into my tenure here and I have gained significant visibility into the growth opportunities for our business and its scalable operational model.

With that, Philippe and I would be happy to answer any of your questions.

(Operator Instructions)

Siti Panigrahi, Credit Suisse.

Thanks for taking my question. I just wanted to focus on the VM market. You talked about 10% growth last quarter. I'm just wondering what sort of growth rate you saw this quarter and what sort of competitive landscape? Are you seeing any kind of legacy displacement in the market that is driving growth at this point.

We didn't speak of 10% growth. We are seeing that our VM marketplace that we're growing at around 20%, 21% growth, so this is what we say. As far as the competitive landscape, so we have naturally in our space that has what I call the two last men standing. Essentially Tenable which is a private company and Rapid7, which is a public company. And we essentially have an extremely strong position on the -- with the large enterprise. Rapid7. We see them gaining more in the mid-market and Tenable is strong in government and with consultants essentially. They are all trying, of course, to go and attack our large customer base.

But I think we remain today the Company which has really truly [adopted] platform which is a huge advantage. We also deliver new services fully consolidated with our platform so that increased barrier to entry significantly against Qualys. To speak about the VM market as I mentioned during the call is that we see [verty] management becoming as a significant core security application the company must absolutely adopt. And this is relatively new and this is because you cannot secure what you don't know.

Everything is interconnected with everything. You need to have a global view of all of your IT assets. And then you need to ensure that they are not vulnerable to attacks and then you need to prioritize the remediation, remediate as fast as you can today. It's a question of time and prioritize the remediation and improve your remediation activities.

As a follow up, you talked about Cloud Agent deployment of 1 million already and also you released ThreatPROTECT. I'm wondering what sort of feedback, early feedback you have got on ThreatPROTECT, and what sort of adoption you are expecting?

We're expecting a very strong adoption of ThreatPROTECT. We have essentially -- that solution went [G] about a month ago. We already have quite a few orders, a big demand for that. It is very natural extension of our platform.

We replace your either stand alone solution that we are taking the data out of Qualys and then correlating that data with threat information and/or companies taking the Qualys data, putting that into Splunk and then taking -- putting threat information in Splunk and doing that application in Splunk. So obviously I think that the data from Qualys is significantly easier and better for our customers. We see all of our customers, which have already used these kind of threat solution that I mentioned are looking at migrating Qualys. It becomes also a very big differentiator when we compete for new business.

Gur Talpaz, Stifel.

Great. Thanks for taking my question. I want to talked about Cloud Agent adoption. Philippe, you noted over 1 million endpoints and that is a pretty big metric, given how relatively new the product is. Maybe you could talk about what's driving the adoption, what's driving that strength? Maybe walk us through what a typical Cloud Agent deal looks like in terms of penetration of a customer.

This is -- in fact, this doesn't really surprise us. Whereas a lot of people are saying oh, it is so difficult to put agent, et cetera, and the argument I was making then was that what our Cloud Agent does first is to essentially make the [verdancy] management application significantly easier to deploy and manage because you don't need now credentials. You don't need the scanning windows and you have realtime.

So this is quite significant. And now -- so we see customers, existing customers adding the Cloud Agent to some of the IPs that they were scanning for adding on the device, of course, and also, interesting enough, it allows us now to move into end points, so we see also customers adopting the agent for their endpoints.

Furthermore, unlike anybody, our agent also may go to the cloud. Our agent hass the unique ability to go to on-premise or servers, et cetera, on end points, as well as on cloud environment. We've just announced, by the way, recently that we have worked with Microsoft and now we are in the process of finishing the total integration of our agent with the Microsoft Azure platform so customers move directly from the Microsoft security center immediately have the agent available at the click of a button. It's a significant integration and we are working as well with all of these other cloud vendors to do exactly that same thing.

So this is significant adoption. Of course, it does now start to do the same thing for the policy compliant. And let me remind that we see the agent is really a new platform, an extension of our cloud platform. This allows us to deliver, in a relatively short period of time, additional structure that all of our customers are asking, which are the file integrity monitoring capabilities, the detection of viruses, the patch management capabilities and also we're working on the [dish] certificate as well. So this is absolutely a no-brainer for our customers, essentially.

That is great color, Philippe. One last question. In your script, you noted achieving FedRAMP compliance. In the past, you talked about the federal opportunity. Can you talk about the pipeline there now that you have achieved a level of compliance in that arena? Do you see it building up? Is it a real opportunity beginning to play out?

Definitely, I think we are at the right time and the right place now with federal. As you know, everything in federal takes time. We are not expecting to see any kind of significant revenue this year. I think we are very well positioned for next year because, again, as you see, the federal is absolutely crippled with data breaches. The reason is because they are using all these enterprise solutions. They don't integrate their massive networks.

Enterprise security software just doesn't cut it. You need to have the scalability that our cloud platform provides so you can identify again all of your global IT assets, their variabilities, their security posture. In the past, the federal did not want us because we are eliminating a lot -- because of the complexity of the procurement cycles, et cetera. So being FedRAMP is really the key for us. I think we are expecting -- we are very confident that next year we'll start to see really business coming from the federal government.

Craig Nankervis, First Analysis.

Thanks, good afternoon. Nice quarter, folks.

Philippe, you mentioned that scenario about the over in Europe someplace, about the regulations or visibility into all IT assets. Are you pursuing a special -- any special initiative to really capitalize that over there in any part of the market? It seems like it would be really something that could add to your growth.

In fact, yes, because -- that is a very good point, Craig, because in Europe, our deal size has been historically much lower than in the US. The reason because of the European companies were much slower at adopting that cloud-based parentheses management solution that we offer for the internal network. So the bank that I mentioned to you before was in fact, a customer since 2002, very active with Qualys, but it is only now that they are looking at essentially deploying us on the inside.

The regulation is really a very big driver of that, because the regulation in Europe is really becoming -- essentially that you could see a change from the regulator to try to reverse the burden of proof. So you have to prove now that there almost that you have taken everything -- you have done everything you could have done to secure your network. That is really tough. And again, so the fact that today we have a very strong partnership with a company like Orange Business Systems, AIRBUS Saba Defense, Siemens, Reva Locklear. Very big partners that deliver also private clouds locally.

So all these issues about where does my data reside. Certainly not in the US. They don't want that anymore. We have solved all of these problems. I think Europe is ripe for us to see bigger deals from our existing customers and we have a large customer base in Europe. As well as our competition there is not very strong. So really, being capable of becoming a major player in Europe, as well.

Are you adding more sales heads there, by chance, to --

We have already made a huge -- what is interesting is we don't have a very good productivity in Europe as compared to the US, because, again, what I told you about the deal sizes much lower. We are very well staffed in Europe. So already, as I mentioned, we have 5 original VPs in the US and we've now today about 14 outside of the US. It's a rather significant already presence established with long-term customers and so we are very strong in Europe. It is just a question about the deal size, which is now starting to move into our favor.

Can you also just review where your data center locations are over there now with -- does Brexit have any impact on the services you --?

Absolutely. Very good question again. Historically, we have a data center in Geneva and now we're adding another data center in Amsterdam. The reason is because today with these new regulation Switzerland is not part of the EU. So Switzerland, which was the place of peace is not anymore the place of peace, if I may say so. You have to have your data outside of -- you have to have your data in the EU community, which is what we are doing now.

In addition to that, we're a company like Deutsch Telecom or T-Mobile, which they have their own private cloud. We have Orange Business systems which is also a private cloud. AIRBUS cyber defense, a private cloud. Siemens, the private cloud. We're also that ability of delivering private cloud very easily and so all of these regulation works in our favor because we keep the power of our cloud model, but now we can really deliver it on premise or within a local geography, like with Du Telecom in Dubai, Saudi Telecom in the Kingdom and others.

Matt Hedberg, RBC Capital Markets.

Thanks for taking my questions.

Philippe, in your prepared remarks you talked about your expectations for improving growth rates longer term now. I know you have 10 products. I'm curious, outside of your core VM, WAS, PCI and Policy Compliance, if you could only pick one, which of these additional products do you think has the highest potential to become really a major contributor to future growth?

The major contributor to future growth with no question asked is the Cloud Agent platform for the reasons I mentioned earlier. All these additional revenue streams that we are working to generate and relatively early in the year for next year with File Integrity Monitoring, Detection of [sneaker shirt] for compromises, the patch management, the [nuclear] certificates. This is something we see coming very, very strongly. And then we have interesting additional products which -- like ThreatPROTECT which are really -- we charge 30% of the VM subscription to our customers to have the benefits of ThreatPROTECT.

That is a nice little bump on a huge VM customer base. We've also our security assessment questionnaires that we see also adding to the Policy Compliance Application. These are things that currently today are in production and doing very well. That is what we see.

Great. Maybe one for Melissa. You guys had a nice earnings beat this quarter. I know you did raise the low end of your full year guidance slightly. I'm curious, why didn't it go even higher?

Is this a reflection of additional hiring or conservatism? I just want to make sure I understand the thought process around the full-year earnings guide.

Another great question, Matt. It's a couple of factors. As we've mentioned, we have been increasing hiring, so to the extent we do that within a quarter, that is one factor that contributes to the sequential increase in expenses. As well as -- there is additional investment in these areas, like headcount, that we are continuing to make.

Michael Kim, Imperial Capital.

Good afternoon. Can you talk a little bit about pricing trends and specifically on Continuous Monitoring and ThreatPROTECT. You did mention possibly a 30% lift of the current VM subscription and I think last quarter for CM something like a 20% lift. Are you still doing some price discovery? How is that holding?

The price is holding fine. I think we're absolutely that we will see praise from our customers and now we have got enough of them. It is just not one or two. They say they are very happy that -- they were very happy with our pricing. They thought it was a fair price, no questions asked.

We add in fact everything we do, we always try to engage customers before so we don't come and certainly surprise our customers. We work with them on the new product, on the new pricing. We try to really understand what they are expecting. That was really -- no, we are very confident with the pricing.

With the up-sells getting larger, are you seeing any change in average contract length? How might that adjust pricing?

We have not seen any change in the average contract length, per se. What we've talked about in the past is that when we do have larger deals, larger deals take longer to close because of the more involved procurement process and more approvals required. We have not seen much movement today now.

On the contract length specifically, we see more and more for our large customers. They want a multi-year contract. We are doing more three-year contracts at the request of our customers. That has been a trend that we're doing.

But it has not been enough to move the needle to date.

It doesn't change the revenues. It doesn't change at all our booking either, because we haven't realized everything. We have some prepaid deals which sometimes could of course impact the current [defer]. But these ones are relatively rare, as deep prepaid. We have a few of those.

Jack Andrews, DA Davidson.

Good afternoon. Thanks for taking my question.

Philippe, you introduced a slew of new products earlier in the year. As we're sitting here slightly past the halfway point of 2016, can you update us just in general on your thought process for additional products? Are there any particular market adjacencies perhaps that look attractive to you?

First of all, they were not early in the year that much, with the exception of the Cloud Agents. ThreatPROTECT was very recent. Security Assessment Questionnaire was very recent, in fact.

This being said, we are expecting today essentially with the new services that we are planning to deliver, we're looking at them as a showcase at our user conference in October. We probably will showcase them on our Analyst Day as well, in November. We see them as generating revenues early next year, starting early in the year.

In term of the market adjacency, we're just continuing to essentially expand really naturally. So you look at ThreatPROTECT. This is adds to VM, a very interesting market that we believe we can really make a very big difference. There are, in fact, two markets. One, is the asset discovery.

We believe that today we have absolutely the best technology today to do asset discovery and inventory and then synchronize like we are doing today now with ServiceNow. That is almost like orphan IT, if you prefer, market. There are a few years that we can bring security and compliance and IT security and compliance into one single solution.

We are starting to really compete very effectively against [Tenyon], which you can consider as an additional market. And then there is one looking at additional certification within really we can -- we have a very good solution. We already have a half of the solution for additional certificate in the sense that we can discover all of your additional certificate and then we can analyze where they are coming from, when they are going to expire. The only thing which we are missing today to really provide the full solution, which we are working on as we speak, which is the ability to update or manage these difficult certificates. So we are not far from also that solution. That is really the kind of adjacent market.

Thanks. Appreciate that. As a quick follow-up, could you give us an update in terms of your senior management team? Are there any meaningful roles that you are still looking to fill at this point?

Yes. We are always expanding our management team. Today, I'm a little bit -- we're starting looking very seriously at doing some acquisitions, albeit very carefully, which is a way to increase the management. Currently, I'm looking at adding a Chief Security Officer. We are currently actively looking. We add our VP of Worldwide Sales, which went back with his previous company, so that gave me the opportunity to really look for somebody, as well. These are essentially the two key positions on the management level that we're looking at adding.

Srini Nandury, Summit.

Thank you for taking my call. This question is for Philippe.

Philippe, I know your Cloud Agent that was initially for Windows and last quarter you released the box for Linux and Mac OS. Can you talk about whether these products are being deployed in the field? And can you talk about how the pricing for these new services are? Then I have a follow-up, please.

I'm not so sure that I understood the question. You're asking about the price for this Cloud Agent?

Price after you launched Linux version of your Cloud Agent and Max OS earlier last quarter, so I just want to understand how those products have been doing in the market and what your conversations have been.

The Unix agent is essentially the big market for them is of course with companies which are using Unix servers, and as well as the cloud environment. The cloud environment are essentially Unix. (Inaudible) very successful. It was in big demand.

The Mac is much more for the endpoint essentially. That's also strengthened our position and offering on the endpoint. All in all, today, when I look at these agents, there is a combination of adding to the existing VM that we are doing. So we have an average today with this cloud agent generating significant -- we are above the, I would say, $5 per agent per year. It is thought to be an interesting add-on to our business and it's growing very well (multiple speakers)

Yes. Just extending the Cloud Agent technology it looks like it is a natural extension for end points such as Android devices and IOS. You and I talked about this a while ago. Do you expect to release a Cloud Agents for hand-held devices, as well?

No. The issue with the Android devices and IOS devices is that you cannot really put an agent -- or let's say that the agent that you can put can give you really minimum information. There is already -- the market with the MDM applications, but for us, our strategy at the moment there is to essentially take the data from these MDM vendor to enrich information that we have and put all that into our cloud back end rather than doing a MDM agent because it is already preoccupied. This being said, when and if the Google and Apple open up their OS then so we can put an agent then we're ready for it.

Because the challenge is not to build the agent, the challenge is really all the analyses you have build that to hundreds of millions of agents, if not billions of agent, but currently today with the large cloud providers now deploying 2 million agents of Qualys in the process of deploying this agent. That is a question of scale, and of course that is a problem that we have solved.

We're also working on providing an SDK for our agent so people could build the agent that sells and then we can provide all of the processes, if you prefer, back end to do all what needs to be done with the data that the agents are bringing back. Does that make sense?

Steve Ashley, Robert W. Baird.

Thank you very much. Philippe, I just want to ask a high-level question on the industry. You kind of have a statesman of the industry and a big picture view. There are rumors that McAfee might be for sale. There are rumors that Fire Eye might be for sale. There are rumors that Imperva might be for sale. We're seeing Semantic and Blue Coat merge.

There seems to be at least the rumor of a lot of consolidation of some meaningful sized businesses. What do you see going on in the industry and why do you think this might be happening now? Thanks.

That is a fantastic question, Steve. I really appreciate it. In fact, yes, this is exactly what is happening. By the way, it is not surprising. This is something, by the way, that I predicted many years ago. I'm a little bit late on the timing.

You look at what happened with the mainframe industry, going through the mini computer industry, which was more of a technological revolution. Then a totally new architecture came with the client/server. Now we're seeing the same thing happening with the cloud computing architecture. Now today what is happening is like we saw in the mainframe, meaning it is [troy] consolidation of the old industry which is about to die. Then the question is how long it will take.

And then the emergence of the new breed of company, which I strongly believe Qualys is one of them. And nothing new here. The only thing which is new is today, the very specific challenge that security has, which is very unique and it is becoming very clear. There was a discussion with Jeff Moss, in fact, this morning, who is at Black Hat now. With Jeff Moss the founder of DEF CON and Black Hat that he sees exactly the same thing.

Security today is a huge challenge because things are going so fast. You have the complexity has increased significantly. Now the speed at which the attacks are coming are absolutely incredibly fast. As soon as -- the bad guys now can detect vulnerabilities in your organization even before you can yourself do, they have created an exploit and you're attacked now in no time. How do you protect against that? You really have to change.

This is where all these enterprise solutions are falling apart because they are too slow, they are too costly to manage, what do you do with all that data, (inaudible). So there's absolutely a need for that new breed of solution and that's -- and we see that from our customers. That's what we have really, really I think the market is coming our way big time.

Thank you, everyone, for attending our Q2 earnings call. We look forward to seeing many of you next week at the Pacific Crest conference in Vail, the Credit Suisse Small and Mid-Cap Conference in New York in September. We will be holding an Analyst Investors Day in New York on November 17. If you would like to attend our annual user conference as well, which will be in Las Vegas in October, please let us know. Thank you.

Ladies and gentlemen, thank you for participating in today's conference. This does conclude today's program. You may all disconnect. Everyone, have a great day.