Qualys Inc (QLYS) 2016 Q4 法說會逐字稿

Good day, ladies and gentlemen, and welcome to Qualys' fourth-quarter 2016 earnings conference call.

(Operator Instructions)

I would like to the call over to Joo Mi Kim, Vice President, FP&A and Investor Relations.

Please go ahead, Ma'am.

Thanks, Michelle.

Good afternoon, and welcome to Qualys' fourth-quarter and full-year FY16 earnings call. Joining me today to discuss our results are Philippe Courtot, our Chairman and CEO, and Melissa Fisher, our CFO.

Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and in our filings with the SEC, including our latest Forms 10-Q and 10-K.

Any forward-looking statements that we make on this call are based on assumptions as of today. We undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP financial measures is included in today's earnings press release. The press release and an accompanying investor presentation are available on our website.

With that, I would like to turn the call over to Philippe.

Thank you.

Welcome, everyone, to our Q4 2016 earnings call. Melissa and I are pleased to report another steady quarter that included both strong revenue and continued profitability. We closed the year with 20% annual revenue growth and over 9,300 customers, excluding security consulting firms. In Q4, our new business bookings increased by 20%; and we won three new Fortune 500 customers, each with an annual [fee size] greater than $500,000.

We did have a couple of large (inaudible) pushed into Q1, which contributed to our revenues coming in at the lower end of guidance. One notable (inaudible) sell of approximately $850,000 by a Fortune 100 insurance company and a leading provider of [subsidy] insurance closed early in January. In fact, this is quite strategic because this customer is expanding their current VM subscriptions to get the full inventory of their global IP assets, which enables them to have a continuous view of the security and compliance posture.

During the quarter, we continued our momentum on the partnership front, announcing a partnership with Deutsche Telekom. We exited the quarter with additional significant partnerships in the pipeline. Our cloud platform is attractive to global [industries and armed forces] because our centrally-managed and self-updating solutions can be easily embedded into their offerings. These partners drive customers to us at a low acquisition cost and low overhead, thereby providing us with significant sales leverage.

All of this is a testament to how well we believe we are positioned in the changing cybersecurity market. In fact, today we announced that IDC confirms that we have taken the number one market share position over IBM and HP in the $1.6 billion Vulnerability Assessment market. While these customers now include 70% of the Forbes Global 50 and 68 of Fortune 50, these market share gains have been driven by our unique ability to provide enterprises with both two-second visibility across their entire global IT assets. Whether on-premise, on endpoints or in the cloud, and the continuous view of their security and compliance posture. As importantly, our solutions significantly reduce the security and compliance spend by enabling them to accommodate multiple on-premise security and compliance solutions in a single cloud platform that is centrally managed and self-updating.

As we indicated in our comments throughout the year, 2016 was a year of investment for Qualys from both a product and people perspective. Regarding our products, we launched several new products into general availability in 2016, now consolidating more than 10 traditional security and compliance point solutions. To summarize, in 2016, we announced our groundbreaking cloud agent technology that transformed both vulnerability management and policy compliance applications. Making them continuous and more effective by eliminating the need for scan Windows and authentication credentials.

In addition to Windows, our cloud agent now supports Linux and MAC environments and are embedded within Microsoft Assure. We announced ThreatPROTECT, which offers our customers the ability to integrate and correlate threat information natively, helping them prioritize [remediation] without having to take the data from Qualys out into other solutions. We announced our SAQ, or assessment questionnaire, that allows customers to streamline their vendor and internal security audits. We also unveiled a new form factor of our Product Cloud Platform, a Private Cloud Platform appliance for mid-market companies needing to retain data on-premise or within local geographies previously not served by Qualys.

In Q4, we continued to see strong adoption of our Cloud Agents, as well as ThreatPROTECT, with now 2 million Cloud Agents purchased in the last 12 months and with more than 1 million currently in active trials. In fact, 4 out of our top 10 new customers purchased our Cloud Agents. We also saw ThreatPROTECT almost doubling its booking again from the previous quarter.

Regarding our investment in people, during 2016, we increased headcount by 34%, from 510 people to 684 people. The majority of this headcount increase was due to the expansion of our engineering efforts in India. This represents an important strategic advantage, as we can add world-class engineering, operations and customer support talent at rates favorable to our cost structure. Today, nearly half of our customer support operation and R&D headcount is based in India.

As we look into 2017, we are expecting further growth and customer adoption of our Cloud Agent and ThreatPROTECT, expansion of our customer base, and the release of many new features and offerings. Next week at RSA, we will announce a new significant strategic partnership. We will also launch WAS 2.0 and WAS 5.0 which, integrated together brings [well] application security to the next level by offering unprecedented scalability and remediation capabilities in the form of one-click patching.

At RSA, we will also showcase our [fine acuity] monitoring, and the detection of [indicative compromises] solutions, which will be in data. We encourage you to stop by our booth to see our products in action, and also join us for our Company cocktails event on Monday, February 13, at the San Francisco MOMA.

In summary, during 2017, we plan to release five additional solutions; namely file integrity monitoring, the detection of indication compromise, patch management, the CERT certificate management and passive scanning. Therefore, throughout 2017, we plan to continue hiring across all of our functions, with a focus on the scalability of our engineering teams for the launch of new products. We will continue growing our sales force. In fact, I would like to share that we recently hired a VP of EMEA and promoted one of our regional VPs to VP of US Field Operations and Alliances. We will be looking for a new VP of Worldwide Field Operations.

In closing, we are pleased with our achievements in 2016 and hope to take away from this goal the following key points. One, strong business performance as evidenced by our new business, renewal and asset (inaudible). Two, a winning product and partnership strategy with an expanding and fully integrated product portfolio and new key partnerships. Three, a balanced financial strategy as we continue to grow the top line of the business, building a strong foundation of recurring revenues while maintaining industry-leading profitability.

With that, I will turn the call over to Melissa to discuss our financial results and guidance for 2017.

Thank you, Philippe.

Good afternoon. I would like to begin by sharing some color on our top line.

2016 was an important year for Qualys, as we successfully released several new products, features and enhancements while growing revenues by 20%. Total revenues in the fourth quarter were $52.2 million, which represents an estimated 18% normalized growth over the fourth quarter of 2015. The restructuring of the MSSP contract earlier in the year resulted in a one-time positive impact on Q4 revenues of approximately $350,000. This was offset by approximately $550,000 of negative FX impact. Thus, the net effect of Q4 revenues was approximately a 40-basis-point reduction on the reported growth rate.

As Philippe mentioned, we closed significant new business during the quarter. However, we also had a few large up-sells move into Q1, including one for $850,000, which has already closed. On a reported growth rate basis, our Vulnerability Management solutions remained strong, with revenues growing by 16% in Q4 from the year-ago quarter and by 19% for the full year versus 2015. Q4 revenues from our other security and compliance solutions increased 22% over the year-ago quarter, resulting in full-year growth of 26% versus that in 2015.

We saw exceptional performance from both the Cloud Agent platform and from ThreatPROTECT, with Cloud Agent platform bookings accelerating sequentially by approximately 90% and from ThreatPROTECT over 90%. In fact, we hit 2 million Cloud Agents purchased in the last 12 months. We continue to see adoption of our platform increasing with the number of enterprise customers with three or more Qualys solutions rising to 26%, up from 20% a year ago, and our spend in the quarter increasing in 20% year over year.

The number of customers with an average spend of over $100,000 continue to show strong growth, increasing 34% year over year in Q4. The cumulative revenues for these customers grew 41% year over year. Clearly, we continue to see traction with our enterprise customers.

Let me now address our deferred revenue balance. Our current deferred revenue balance was $115 million as of December 31, 2016, 17% greater than our balance at December 31, 2015. As we have discussed, our deferred revenues are negatively impacted in 2016 by both the MSSP contract and FX. Normalized for the impact from the MSSP contract, as well as FX, our current deferred revenue balance would have grown approximately 23% year over year. As a reminder, deferred revenues cannot be relied upon to calculate our current bookings due to the timing of the actual invoicing, as well as the impact of FX.

Before moving to our profitability and cash flow, I would like to remind everyone that unless otherwise specified, all of the expense and profitability metrics I will be discussing on this call are non-GAAP results. Our non-GAAP metrics exclude stock based compensation and nonrecurring items. A full reconciliation of all GAAP to non-GAAP measures is provided in the financial tables of the press release issued earlier today, and is available on the Investor section of our website.

In Q4, our gross margin remained flat sequentially as 79%, which is very healthy when you consider our continued investments. Gross profit increased by 15% year over year to $41 million in the fourth quarter of 2016. Our margin, at 80%, was down slightly from Q4 2015. The year-over-year decline in margin was driven by our increased headcount investment, as well as software and hardware expense to support continued growth of our operations.

For the fourth quarter, operating expenses increased by 18% year over year to $27 million. Research and development expense increased by $7.6 million, or 23%, year over year primarily due to higher headcount. Sales and marketing expense increased to $13.9 million, or 16%, year over year primarily due to higher sales headcount, higher marketing expense and costs related to our salesforce.com-related implementation.

G&A increased to $5.7 million, 15%, year over year, largely due to higher headcount and third-party spend. Operating expenses were sequentially flat, as the slight increase in sales and marketing expense from higher commission and trade show expense was offset by a sequential decrease in both R&D and G&A expense. The decrease in G&A was largely driven by a lower third-party spend. The lower expense in R&D was primarily driven by a reclassification of certain immaterial license and software spend cost of sales.

Due to our strong revenue growth, adjusted EBITDA for the fourth quarter of 2016 increased by 12% to $18.5 million, compared to $16.4 million in the fourth quarter of 2015. Excluding the positive impact to revenues from the MSSP contract, adjusted EBITDA would still have increased over the fourth quarter of 2015. Adjusted EBITDA margin in the fourth quarter of 2016 was 35%, as compared to 37% in the fourth quarter of 2015.

Net cash from operations in the fourth quarter of 2016 decreased by 45%, to $13.4 million, compared to $24.3 million in the same period in 2015. Free cash flow generated in the fourth quarter of 2016 was $9 million, compared to $19.1 million in the comparable period of 2015.

The year-over-year decrease in operating cash flow was largely due to three items. The MSSP contract's negative effect on deferred revenue; a large, multi-year prepaid deal received in Q4 of 2015; and an increase in deferred tax assets relative to Q4 2015. Capital expenditures were $4.4 million in the fourth quarter of 2016, compared to $5.2 million in the fourth quarter of 2015.

Now I would like to talk to you about how we are approaching guidance for 2017.

Starting with revenues, for the full-year of 2017, we believe revenues will range from $224 million to $228 million, which represents a normalized growth rate of 16% to 18%. We expect our reported revenue growth rate to be negatively impacted by approximately 300 basis points, of which 150 basis points is estimated to be driven by our current FX forecast, which assumes a similar geographic mix. The remainder of the negative impact is due to the higher estimated one-time bump in revenue from the restructured MSSP contract in 2016, relative to 2017.

As I indicated during our Analyst Day in November, we believe there is a real opportunity to sustain and even accelerate our revenue growth rate over the next few years due to our new solutions. However, because our new solutions are in the early stages of adoption, our 2017 revenue guidance does not assume a material contribution from new products. This guidance is informed by our 2016 results, during which new products released since 2015 contributed approximately 5% of total bookings. This figure was mostly due to our Cloud Agent, which includes the associated subscription to either Vulnerability Management or Policy Compliance.

For the first quarter of 2017, we expect revenues to be in the range of $52 million to $53 million, representing an estimated normalized growth rate of 16% to 18%, based on our current FX forecast, as well as the previously mentioned impact from the MSSP contract. We believe we will see accelerating adoption of our new solutions during 2017, leading to an uptick in bookings over the second half of the year. We are excited about our prospects in Web application security with our first-quarter new releases of our Web application scanning and Web application firewall solutions. Our file integrity monitoring an indication of compromised solutions will go into Beta in Q1, as we said at our Analyst Day.

Let me now explain how we are thinking about investments and profitability this year.

In 2016, we balanced growth and profitability by hiring 174 net new employees and releasing a series of products and platform enhancements. Our adjusted EBITDA margin was 34%, which was flat compared to 2015 and, in dollars, up $11.3 million year over year to $68 million. In 2017, as we discussed at our Analyst Day, we plan to continue to invest to ensure we have the necessary scale and capacity to support our growth. We anticipate purchasing more servers and storage for our platform, as well as hiring significantly in R&D.

In addition to growing our salesforce, we expect to increase our marketing spend as we decided to time new branding initiatives with RSA and our Q1 product releases. We expect our operating expenses to sequentially increase over the year, and these investments in total to decrease our operating margins 200 basis points to 300 basis points from 2016. We expect capital expenditures in 2017 to be in the range of $20 million to $25 million, weighted toward the back half of year as we invest for the rollout of new products. We also signed a lease in Q4 2016 for our new headquarters, which will require additional one-time CapEx of $13 million to $15 million, approximately 50% of which will be reimbursed by our landlord.

In the first quarter of 2017, we expect CapEx to be between $5.5 million and $6.5 million, including the spend related to our new headquarters. We believe 2017 will be a pivotal year for Qualys as we invest to accelerate growth, enhance our leadership position in cloud security, and set ourselves up for expanded margins in the future. Like Philippe, I am excited about our rollout of additional products and features, which will provide us a growing foundation of profitable recurring revenue while providing our customers greater security in a scalable, cost-effective manner.

With that, Philippe and I would be happy to answer any of your questions.

(Operator Instructions)

Bill Choi, Wunderlich.

Okay, thank you. Just want to see if you could provide some magnitude of the total number of the large upsell that were pushed out, in terms of billings. And also just getting a little more perspective about what kind of deal closures you are expecting in Q1, whether you expect all of those push outs to get completed in Q1?

Essentially, two -- we have a little bit more than two, essentially -- two big ones, one is -- which we already mentioned, was $150,000, which we closed early January. The second one was close to $500,000 that we are expecting to close, in fact, in a week or two. And there was a couple of minor ones. In terms of deal closures for the quarter, I think we are pretty much on-track with all of the deals. Essentially, because we do not have, by the way, major big deals. As you know, these big deals, they come, they are not -- they do not come every month. So this quarter, we have a lot of deals, but not major deals that we have not closed or that we do not -- we are not 100% sure that we would close. Does that answer your question?

(multiple speakers) -- and then -- yes, yes. I also wanted to get some perspective on the feedback on these new products. Obviously, your Beta testing done in Q1, but you have been engaging customers about those upcoming Betas throughout 2016. How are they thinking about either budgeting for these already, or do they have to evaluate, test and then scrounge up budgets as the get more comfort? Do you have any sense whether they have already planned for that? Thanks.

Yes, this is a very good question. On the vulnerability monitoring, we essentially already had a significant demand for the quality of banks, essentially, financial institutions asking us to give them budgetary pricing so they could budget it. And this is the [modality is an] agent that we are going to sell significantly at a much higher price than our Cloud Agent for VM or Cloud Agent for Policy Compliance. Because of -- essentially, of the value that we bring, and the fact that we eliminate a lot of cost, a lot of cost of maintaining traditional enterprise solutions, so that is for the [vulnerability] monitoring.

The [eviction] of the IOC -- the detection from the compromise, we did not really have many people looking for the budget because that is much more something that they want to do in many ways. Everybody wants to know -- [it truly vises] if we compromise on that, so it is not really a replacement here; it is more a very nice add-on to VM. The way we price it is very attractive, so we did not really see much pricing pushback, and so this is something that we expect also to see a very good adoption. The third one, which today, we are trying to accelerate, is go-to-market, which we have a huge demand for it, as well, is our digital certificate management.

As you may recall, we already capture all of the information about the digital [security] cases, something that we have -- meaning, who else fund them, when they expire, et cetera, and on a global scale. And then the only missing part is, essentially, the updating of those security case, and that is where our agent comes in. So this is what we are kind of building. We expect today, I will not make a firm commitment because we are trying to add additional engineering and resources, that we are looking at that being -- that solution in Q2. And then we know we have a huge, almost immediate adoption, because that is a huge problem that every large customers we have, have. And the patch management will come later, this is more in the Q3 timeframe, as well, as our passive scanning.

I would just add on, from the statistics that we provided about Cloud Agent, we are getting very good feedback. One thing I want to make sure people heard was, out of our top 10 new customers for the quarter, 4 of them are purchasing Cloud Agents, so we see a lot of momentum there.

Jack Andrews, D.A. Davidson.

Hello, good afternoon. Thanks for taking my question. Philippe, I was wondering at a high-level, since you offer organically built cloud solutions. As you introduce more products over the next few quarters, are you starting to run into situations where because of the functionality you offer in the cloud, there may not necessarily be a traditional incumbent anymore? And I guess said another way, are you seeing more greenfield opportunities as your product portfolio broadens?

Significant, because what we see -- that is another very good question. We see, today, a lot of our large customers having, essentially, what we call the deeper transformation of their business, moving into cloud solutions. And this is what Qualys is extremely well positioned. We have not spoken much of what we do on securing the cloud, but this is another big initiative that we have, that we call Cloud360.

Already have our agent fully embedded on Microsoft Assure, whereby any Microsoft Assure customers can, at the click of a mouse, provision an Agent for a trial. That Agent is automatically activated, and now, they can have the view of the security and compliance of their applications and their infrastructure on Assure and via the Microsoft Security Center. We are doing the same thing with many other cloud providers, and we see a lot of -- a quality number of companies migrating their IT legacy infrastructure to cloud environment, so we are very ready for that. Also working on containers and there is a lot of things that work in here, part of our Cloud360 initiative, which, in fact, we will present in great detail at our next Analysts Day.

Thanks, and just as a quick follow up, can you provide an update on how you are thinking about the overall -- the Federal market opportunity here?

The Federal market opportunity, we are very happy to have -- or to have been one [Fed wants], you know, certified. We also have the major win with Lockheed Martin, and we are, currently today, working with quite a few new Federal customers. As you know, Federal takes time, so we are not expanding much revenues in 2017, but I think we are very well-positioned for the Federal market. Very happy with that, so we are beefing up our Federal practice and really starting to line up Federal integrators.

Thank you very much. Gur Talpaz, Stifel.

Hi, this is actually [Chris Burrows] on for Gur. You mentioned that over 2 million Cloud Agents have been purchased in the last year. Can you talk about the degree to which these agents are being adopted by new customers, and driving new customer adoption versus being sold into your current install base?

Yes, those -- yes we can, so essentially, what we see is that today, as we mentioned, a very strong adoption from our existing customers, that we said this is a no-brainer. With the new customers we see, most of the new customers that are opening the Cloud Agents from the get-go, and it becomes a very good differentiator. I do not know exactly the statistics, but maybe --

Yes, in terms of mix, it skews towards existing customers, our business, because of the size of our renewal base and the up-sells, anything in our business ends up skewing towards existing. So it has been a mix, but it is still more existing customers than new, but it is still -- we feel pretty good, it is a pretty healthy mix.

Yes, we see most of the new business customers are taking the Agent, as well, so that is what we see. And again, as I mentioned, it is a big differentiator.

Got it, thank you. And one more, if I may. You also mentioned that the number of customers spending over $100,000 with you was up over 30% year on year. Can you talk about what, specifically, you believe is driving this increase enterprise spend?

Yes, there is two very simple factors. One is that more continuing VM, Vulnerability Management, deploying, and it is actually the use case now becomes to do the global ITSS inventory. This something that we really believe in, we are extremely well-placed, I would say, we are better than anybody on the market. Once we add passive scanning, we will be not only able to identify and catalog everything that you know you have, that you are only going to be able to discover very easily [on their own] devices. So in that case, the full inventory of what you know and of what you do not know, and that is a foundation that every company must have, and what is very unique about Qualys is that we do that across on-premise solutions, endpoints, and then lastly, cloud. That is what drives that expansion of VM, as I mentioned, in fact earlier, a huge upsell of $550,000 from one of our major -- one of our existing customers. And the second, essentially, the adoption of additional products -- of additional solutions, which is really going very well.

Got it. Thank you, guys.

Sterling Auty, JPMorgan.

Great, thanks. Hi, guys, this is Jack [Finhader] on for Sterling. A quick question on expenses, as far as the hiring investments and the head counts you are going to add in the year. I know you mentioned that it is probably going to increase throughout the year, but is it going to be perfectly linear? Is there going to be any kind of seasonality to that?

Yes, I think that there will be just typical seasonality in terms of, in Q4, you end up hiring a little bit less because people do not often move jobs that they -- they seek to get their year end bonuses. So there is nothing out of the ordinary, other than, I think, typical seasonality.

Yes, and historically, that is the way that we have been managing our business, essentially. That kind of balance between growth and profitability, but really focus on building a very strong foundation of profitable, recurring revenues, so I [am really curious about] -- we are always managing well, our head count versus our growth, and that is what we have been doing. Today, there is an acceleration in India, but -- which, of course, is a significant strategic advantage as we discussed earlier, and we have really been doing very well in India, and we are continuing investing in India.

Then just a follow-up on that, would you expect that the expenses, that the majority of them will be in India for 2017, like you have been seeing?

Not really, because it is -- the advantage that India -- we have more headcount in India, but not in terms of expenses because you have, essentially, a ratio of 6 to 1 -- or 7 to 8, to 1; so it is significant.

Okay, then just a quick follow-up, on -- can you guys remind us the cash tax impact or the GAAP tax rate impact that you are going to see in 2017?

Yes, so as you are aware, ASU 09 came into effect, such that the excess tax benefits from stock-based compensation hit the book tax expense instead of hitting APIC. So for Q1, this is driven by, in part, stock option exercises as it is been publicly disclosed, Philippe exercised a large option grant earlier in January. And that is what is driving the large Q1 benefit of 145% for an effective tax rate.

Right, okay. Thanks, guys.

Michael Kim, Imperial Capital.

Hi, good afternoon, guys. So with the five new solutions planned in the roadmap for 2017, and you talked a little about the need for growth investments in the R&D line. How could -- can you talk a little bit and how you feel about sales capacity, and the need to maybe invest in the field organization or account manager? How we should think about that building out over time?

Yes, so as you know, the -- our salesforce, again, is divided into two categories, the hunters and the farmers. But the farmers is almost mathematical, with the growth of the customers, we essentially, grow our technical account manager post sales, as we call them. And of course, the big advantage we have here is that because we do now -- the dollars per customers is increasing, of course, we do not need to double. If one customer is a $1 million customers a year, it becomes a $2 million customers a year, I do not need to double that headcount. So here, we have a very -- and that is a big base, remember, this is the core of our business. Then our looking -- so this is almost mathematic, it goes with the growth that we have, very predictable.

On the new business side, essentially, we have now, our new business is really coming -- or more than 50% of our new business is coming from [honors], despite some of the very big deals that we do as new business directly. So that is, essentially, where the investment we have seen our sales force, is to add more new business people, that is where we are kind of looking. In fact, we are looking at people who can now start selling at a higher level, we have now the ability to sell to the CIO, which we have never had before, doing a top-down sale. We could provide to these companies the full view of their global ITSS, we can now provide them with a continuous view of the [synchrony] comprised posture on those assets.

And now, with the IOC, also telling them which of these assets have been compromised, or that we believe are very suspicious. So that allows us to have a much more top-down sales, as opposed to the bottom-up sales that we did in the past; so that is where we are putting focus. And of course, I think we have very strong partners, and you will see the partner that we will announce at RSA. We have significant ability to grow our new business, as well, so -- which is much more balanced and much more profitable than, I think, a lot of feet on the ground.

I would just add we are very excited about the two VP positions that we have filled, hiring someone for the VP of EMEA, as well as promoting someone from within for US sales, which he thinks will help organize and help elevate the discussion to the CIO.

Yes, and I am going to be, as I mentioned in the -- I am going to actively look for a new VP of Worldwide Sales, somebody who has really knows about the sale at the top. That is essentially what -- we have a very good sales force, which knows the business very well. I think he is adding more new business people, and as well as people who can connect at higher levels in the organizations.

Great, and then just going back to some of the deals that got pushed into Q1, some of them did sound a bit on the larger side. Are you seeing any change in buying patterns, any additional reviews on the part of the enterprise customers and any general trend in lengthening of sale cycles?

No, what we see as far as our business is concerned, we do not see any change. In fact, what we see today is that now, that we issue more and more of a cost savings because we have significantly more new product. So now we start to speak in [cracking] terms of ROIs sometimes, about the money we can save them if they consolidate a few of their applications. And that is very specific with the financing of the [more tier], monitoring, for example. With policy compliance, as well, these are really applications where we saved a lot of dollars because you do not need all these amount of servers and infrastructure, as you know, to manage our cloud based solutions. As opposed to these traditional enterprise legacy software, I will call that, which requires hundreds of servers and updates, et cetera. Extremely costly, not so much on the term of their maintenance, per se, their license, but in terms of all the costs associated with managing them, updating them, et cetera.

Thank you. Matt Hedberg, RBC Capital Markets.

Thanks, this is actually Matt Swanson on for Matt. Philippe, can you talk a little bit about the competitive landscape in the [WAF] market, and maybe as it relates to the updates that are coming out of RSA, and how that leaves you positioned?

We are very excited with the WAF -- with our WAF, because if you recall, we did our WAF 1.0, but we are very happy with the quality of the engine. But not so happy with the fact that we have been too ambitious in the beginning to provide that one-click patching, so we had to go back to the drawing board, we need to open up our engines, et cetera, to sell [mentioning] work. And that is it, we have done it, so now, today, we are breaking to market, at the same time, extension to our web application scanning, which is the web app scanning 5.0, which is, essentially, adds two new elements. One is the ability to automatically scale, so now, instead of having to configure the scanners to scan large numbers of application, you do not care, you just point the scanners and they automatically will balance. And now, we can scan, very easily, thousands of web applications, that is the one thing. And the second thing -- and you will see why it is important to have the one-click patching, because what is the purpose of scanning thousands of web applications if you cannot fix the code? So you need, of course, to eliminate the vulnerabilities, and the only practical way today, on web application, is to do a virtual patch.

The second thing that the [web application 5.0] brings the table is the ability to essentially, scan [rested PRs], which open the door, now, to us looking at mobile web applications. That is -- again, that is kind of a new market. And now, with the one-click patching, essentially, we identify vulnerability and now, we have made that very easy with one-click, the ability to patch. What was missing before -- the mistake we have made that is we had made that automatic, and then, of course, nobody wanted to let that (inaudible) automatic, which -- and so we had to open up everything, and the key models, so now we can show exactly what the engine recommends that we do.

So people can look at that, and then if everything is fine, drag the click and the virtual pass is pushed and installed. They go hand-in-hand, so that, we think, is going to do two things. One is accelerate our growth of web application scanning, and also at the same time, add additional revenues with the web app [can followers]. So we are very happy -- it went GA, I think, last week, or a few days ago, so now, it is GA and we start to see some very good results.

[Sudeep Pahagrahee], Wells Fargo.

Hi, and thanks for taking my question. Melissa, this first one, a housekeeping -- did you say that the insulation growth for Q4 was 16% and 2016 was 19%?

That is correct.

What about the similar growth rate for the other security solutions, [I think]?

Yes, so for Q4, it was 22% and for the year, 26%.

Okay, that is helpful. Now looking at your guidance for 2017 of 16% to 18% normalized growth rates, if I compare that to your normalized 20% growth rate earlier, what are your [in jumps some] in terms of via market growth? Are there any factors that -- complications or any other factors that can slant your growth rate for 2017? Any color would be great.

Yes, sure. We had a great quarter across new products, as well as across VM. When we have talked about VM, historically, we have talked about how VM has grown 19%, both in 2015 and 2016, continuing up -- continually outperforming the market. And that is because the innovation we have done around VM-related solutions. So we talked about at Analyst Day, if you looked at the original core VM solution was approximately 83% of revenue; three years ago, it was only approximately 75% revenues today. But because of the early -- because we are in the early stages of adoptions of our new solutions, our guidance does not assume a material contribution for new solutions.

Okay. Do you expect any kind of [new] revenue stream coming from ThreatPROTECT or cloud, again, any of the new products (inaudible) -- in the 2018 timeframe, or what is your expectation on that?

Yes, we have not baked in a material contribution from new solutions and we would include that in it, as well. We provided -- I provided the color of that for the years 2016, these solutions contribute to bookings -- to about -- they were about 5% of total bookings. But that also includes the underlying moment for Cloud Agent, the underlying vulnerability management or policy compliance subscription. So we feel very good about the momentum, but it is the early stages of adoption for us.

You are talking about revenue impact?

Right, in terms of revenue impact, that is correct.

John Lucia, JMP Securities.

Hey, guys. Thanks for taking the question. You said your revenue was negatively impacted by deal push-outs, out of Q4 into Q1, some of which have closed. Yet your Q1 guidance does not assume to reflect that. The Q1 guidance is for, historically low sequential growth, if you look at Q1. Can you just help me understand that?

Yes, so look -- as we said, we had a great quarter. We had record new business in the quarter, we saw strong performance in new solutions with Cloud Agent bookings accelerating 90% sequentially, and ThreatPROTECT almost doubling. We saw increasing dollars from multi-product adoption from our enterprise customers. But Q1 is a seasonally low quarter for bookings for us, and because we are in the early stages of adoption of our newer solutions, we are not assuming material contribution in our guidance. And we also have headwinds from MSSP and effects that we have taken into account.

Okay, I guess I want to circle back on the new products. You have had to -- the new products like Cloud Agent, I think Cloud Agent was introduced two years ago; ThreatPROTECT, I think was a year ago. I know there has been significant product innovations that have happened since then or updates, but why are we not seeing these products be meaningful in 2017? You just need more time, or is there a catalyst like a product release or something that will drive the growth in 2018? I am just curious why we are not seeing meaningful contributions in 2017 from these products.

Yes, it just takes time for the adoption of -- there are two things that we are impacted from, right. One is the adoption of new products, and then the time it takes to impact our revenues because we have a ratable revenue recognition model. We see a lot of interest from the Cloud Agents, but in certain situations, it evolves getting the buy-in from IT in order to implement them. Until -- all of our customers are giving us very good feedback, and as we said, we have approximately 1 million Cloud Agents in trial, so we feel very good. But we think it is prudent to guide based on no material contribution to our revenues from these.

Yes, and -- and also, you say that the Cloud Agent is about -- will be two years old in August of this year, essentially, but ThreatPROTECT is much younger, also, as well. So of course, we have a lot of Cloud Agent, ThreatPROTECT is essentially a 30% increase in the -- our net to expenses about 20% net, if you count the resellers and so forth on our current [fee at], so that is, of course, very good. But it takes -- as I have mentioned, it takes some time, so we are being prudent.

Steven Couche, Stephens. Mr. Couche, your line could be muted.

Sorry, it was. This is Steven on for Jonathan, and thanks for taking the question. Most of my questions have already been answered, but just a quick modeling question, with regards to cost of revenue. Moving forward, it makes sense that you are -- have some additional expenses there, ahead of your revenue ramp. I guess looking into the back half of 2017, and probably into 2018, should we expect gross margin to tick back up into the 80 percentage range, or should we think about 79% as kind the new run rate? And is -- can you give us a broad timeline on when we should expect you to grow into those additional expenses? Thanks.

Yes, so in terms of cost of sales, we are going to be adding expenses throughout the year, so we what -- we do not guide to gross margin, but you could see some pressure there, and it is a bit early to give color on 2018.

Okay, great. That is all I have, thank you.

Patrick Colville, Arete Research.

Hi there, thanks for taking the question. Profitability implied in your guidance seems to be kind of falling to next year, is that due to continued R&D investments on -- and I guess the second half of that question is R&D as a percent of the sales is quite high versus -- [simple companies] more broadly, and security companies. Is that something that we can expect to trend down over time?

Yes, so as we indicated our Analysts Day, and then we confirmed here, this -- 2017 is the year of investment for Qualys. And as such, we are -- because we see such an opportunity to sustain, and even accelerate our growth rate, we are making investments across the Company. A lot of it is going to be headcount in R&D, as we add people to support the rollout of new products. So that is not only engineers and QA around specific new products, but it is also people who are developing additional capacity in the back end to support the additional customer base that we expect to get. So that is going to be a lot of it, but it will also be areas I talked about like sales and marketing, both from headcount perspective, as well as a branding -- as well as expenses around branding, which we decided to time around the RSA conference.

Yes, and just to add more color on the engineering side to give you some example. We are working continually expanding our backend significantly so we introduce a last stage search capabilities. I am very happy to report that believe it or not, we are up to the $9 billion point index with our cluster of [elastic] search, that is significant. So now, we are adding additional components to our backend, such as [Cascar and Casandra] for essentially, analytics. So all of that, of course, requires investment in the backend, and of course, as you continue delivering new services on the top of this backend capabilities, that is where you really get the leverage. So we are [seeing] investing for the future -- we did a very powerful platform. We are going to introduce passive scanning, so it is all about getting more data, more power.

I just announced that we have expanded, in fact, our data centers to adding three more. One in the US, and now, we have three shared platforms in the US; we have added one in India, which is going to serve the Indian market. We are starting to see very good traction, as well as Asia-Pac, and another one in Amsterdam, we have one in Swiss, historically, and we still have one in Switzerland, we have just added another one in Amsterdam. And the specific reason of that additional one in Amsterdam is to comply with the EU regulation. Whereby you need to have your data in an EU country, and Switzerland is not, as I am sure you all know, an EU country. So now, we are in Amsterdam, and this -- they are both -- these three additional data centers are operational already.

Got it. Thanks very much, and see you next week. Have a nice day.

Thank you. Very happy to see you there. By the way, I invite all of you to come at the booth. We have a huge, huge display, seven by nine, we are working to showcase, our exhibition is quite impressive, and high definition -- you know, 4K displays, so that should be fantastic. We cannot wait to see you there, and you can see what we are doing.

Thank you. I am showing no further questions at this time, and I would like to turn the conference back over to Joo Mi Kim for any closing remarks.

Thanks, Michelle. And thank you all for attending our fourth-quarter and full-year FY16 earnings call. As Philippe mentioned, we look forward to seeing many of you at the RSA conference in San Francisco next week. Thank you.

Ladies and gentlemen, thank you for participating in today's conference. This does conclude the program, and you may all disconnect. Everyone, have a great day.