Qualys Inc (QLYS) 2017 Q1 法說會逐字稿

Good day, everyone, and welcome to the Qualys First Quarter 2017 Earnings Conference Call. This call is being recorded. (Operator Instructions) I would now like to turn the call over to Joo Mi Kim, Vice President, FP&A and Investor Relations. Please go ahead, ma'am.

Thank you. Good afternoon, and welcome to Qualys First Quarter 2017 Earnings Call. Joining me today to discuss our results are Philippe Courtot, our Chairman and CEO; and Melissa Fisher, our CFO.

Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and in our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events.

During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. As a reminder, the press release and accompanying investor presentation with supplemental information are available on our website.

With that, I'd like to turn the call over to Philippe.

Thank you, Joo Mi, and welcome everyone to our Q1 Earnings Call. For those who don't recognize my voice, I've not lost my accent. I'm just out of a good flu.

So with that, Melissa and I are pleased to report another great quarter that included strong performance both on revenues and profits. This quarter, we saw year-over-year growth across renewals, upsells and new customers. Qualys continue to replace McAfee vulnerability management solution with both small and large customers, and we'll continue to see evidence of the large, under-penetrated opportunity within our customer base as our Policy Compliance, for example, solution was adopted by major banks who were only VM customers before. We also were pleased to see sustained growth performance from our newer solutions, Cloud Agents and ThreatPROTECT. Melissa will provide you with more color on these. We have now partnerships with all of the major global MSSPs as we announced a partnership with IBM earlier this quarter that will add Qualys' continuous cloud-based IT security and compliance solutions to its Managed Security Services portfolio. IBM will integrate Qualys technology to enable its customers with enhanced visibility of IT assets, vulnerabilities and threat detail, accelerating how they prioritize remediation and simplify management of the IT security and compliance posture at scale.

Concurrently, we launched a new Qualys app for IBM's QRadar Security Intelligence platform that allows customers to have an improved visibility and analytics tools to help them identify risk metrics and take actions against key threat. As you may recall, at Analyst Day we launched WAF 2.0 combined with WAS 5.0 which, integrated together, brings web application security to its next level by offering unprecedented scalabilities and remediation capabilities in the form of a one-click patching. We also showcased our File Integrity Monitoring, which is in beta now; and the detection of Indication of Compromise solution, which will be in beta in the next few weeks.

These new solutions, which leverage our Cloud Agent technology, enables our customers to have deeper continuous view into their security and compliance posture at a click of a mouse, the dynamic and customizable dashboard and alerts. These new solutions expand our potential share of our $4 billion addressable market and position us very well for continued growth as -- and as already mentioned in our last earning call, we plan to launch additional solutions in beta in Q4 of 2017, including patch management, digital certificate management and passive scanning.

During the quarter, we also continued to widen the technology gap between our cloud platform and the competition with our Qualys Virtual Scanner Appliances now able to be directly deployed from the Google Cloud Launcher to the Google Cloud Platform. Our virtual cloud scanning capabilities now cover all major elastic environments. Furthermore, IDC confirmed that we have taken the #1 market share position over IBM and HP in the $1.6 billion vulnerability assessment market.

Our strong positioning in the market is driven by our unique ability to provide enterprises with both a single pane of view that enables 2-second visibility of the entire global IT asset, whether on-premise, endpoints or elastic cloud environment, as well as a continuous view of the security and compliance posture via customizable dynamic dashboards and alerts. As importantly, our cloud platform and solution at enterprises, large and small, to secure the digital transformation while reducing significantly the security and compliance spend, enabling them to consolidate multiple disparate on-premise security and compliance solution in a single platform that is centrally managed and self-updating.

Our cloud platform and the global visibility it provides is the result of 10-plus years of continuous innovation, starting in the Silicon Valley and now also in Pune, India. We believe it is the most comprehensive and technologically advanced in the market in which we compete, and yet we continue to innovate in order to deliver more value to our customers and remain ahead of the competition. In fact, we've now added new technology components to our platform to enable us to ingest, process, analyze and store high-volume of sensor data coming from our agents, scanners and soon, passive scanning analyzer and correlate that information at near speed -- light speed in a distributed manner for millions of devices. We now have, in fact, over 25 billion security data points indexed in our ElasticSearch clusters, providing almost instant query results. This gives us our customers a 2-second visibility without them having to index large amount of data.

We have deployed new Cassandra node clusters as the back end for FIM, File Integrity Monitoring; and IOC, detection of Indication of Compromise data collection providing us highly scalable data store compared to traditional RDBMS. This failure-resistant and highly available data store with linear performance draws millions of events per second and ingest data regardless of type, which will provide superior performances specifically for FIM and IOC, which depends on analyzing millions of events.

We have deployed also a new Kafka node to enable us to have a heavily distributed processing form that will allow us to process data points and events coming from our sensors in near real-time at rates of millions per second, minimizing processing delays in analyzing events and changes happening in customer's network on a continuous basis. We are also now deploying Redis, which is a high-speed in-memory cache that reduces expensive disk writes and speeds up all analytics operation.

In summary, with our upcoming solution and strengthening back end, we believe we will be the only platform capable of providing global prevention, detection and remediation in a scalable and cost-effective manner across on-premise, endpoints and elastic cloud environments. Supporting these, just yesterday, Frost & Sullivan recognized Qualys with a 2017 Global Vulnerability Management Market Leadership Award, highlighting the company's area of excellence in growth strategy, product quality, customer ownership experiences and unique platform technology leverage.

As we seek to ensure that the market recognizes the full breadth of Qualys Cloud Platform and the value we provide not only to security teams but also CIOs, we've hired a new CISO. Many of you met Mark Butler at our last Analyst and Investor Day in New York. He was formerly a customer of ours, as a chief information security officer at Fiserv. He joined Qualys because he saw the opportunity for Qualys to emerge as a leading platform amidst the stack consolidation occurring in the marketplace. In addition to Mark, we have also recently hired a new Vice President and General Manager for our SME and SMB market as we see additional upside to increasing management of our very profitable small enterprise business.

With that, I will turn the call over to Melissa to discuss our financial results in detail. Thank you.

Thanks Philippe, and good afternoon. I'd like to begin by sharing some color on, as some would call, our durable top line. We are delighted with our first quarter performance. Total revenues in the first quarter were $53.1 million, which represents 18% normalized growth over the first quarter of 2016. There was a negative impact on our Q1 2017 revenue growth rate of approximately 200 basis points from the MSSP contract and 100 basis points from FX.

As Philippe mentioned, we saw strong performance across renewals, upsells and new customer business during the quarter. We continue to see adoption of our platform increasing with the number of enterprise customers with 3 or more Qualys solutions rising to 27%, up from 21% a year ago, and their spend in a quarter increasing 27% year-over-year. The number of customers that have quarterly average spend of over $100,000 continue to show strong growth, increasing 32% year-over-year in Q1, and the cumulative revenues for these customers grew 44% year-over-year. In fact, the average deal size for all new customers grew 44% year-over-year.

On a reported growth rate basis, our other security and compliance solutions revenues increased 23% over the year-ago quarter, in part due to strength in Web Application Scanning in our SMB and SME customer base. And our vulnerability management solutions revenues grew by 12%.

As we've discussed, we see the opportunity to accelerate our growth rates with our new solutions, but we are in early stages of adoption. Having said that, we continue to see very good performance from both the Cloud Agent platform and from ThreatPROTECT with new products released since 2015 contributing approximately 8% of total bookings in the quarter. These bookings are mostly due to Cloud Agent, which includes the associated subscription to either Vulnerability Management or Policy Compliance and include renewals that convert to Cloud Agent. We had 2.6 million Cloud Agents purchased in the last 12 months, up from 2 million last quarter, and we saw the highest year-over-year growth rate of Cloud Agent bookings since launch.

Let me now address our deferred revenue balance. Our current deferred revenue balance was $120 million as of March 31, 2017, 18% greater than our balance at March 31, 2016. Normalized for the impact from FX, our current deferred revenue balance would have grown approximately 20% year-over-year.

Before moving to our profitability and cash flow, I would like to remind everyone that unless otherwise specified, all of the expense and profitability metrics I will be discussing on this call are non-GAAP results. Our non-GAAP metrics exclude stock-based compensation and nonrecurring items. A full reconciliation of all GAAP to non-GAAP measures is provided in the financial tables of the press release issued earlier today and is available on our Investors section of our website. Also note that certain amounts in prior periods have been reclassified to conform to the current period's presentation.

As we discussed on our last call, 2017 is another investment year for Qualys and in Q1, we continue to grow both our headcount and infrastructure. Because our unique operational model is so profitable, investing today to accelerate our growth and gain greater scale enables higher margins for the future. In Q1, our gross margin remained flat sequentially at 78%, which is very healthy when you consider our continued investments. Gross profit increased by 11% year-over-year to $41 million in the first quarter of 2017, but our margin was down from 80% in Q1 2016. The year-over-year decline in margin was driven by increased headcount as well as higher depreciation from software and hardware to support continued scaling of our operations.

Operating expenses in Q1 increased by 18% year-over-year to $29 million. Research and development expense increased to $8.6 million or 26% year-over-year primarily due to higher headcount. Sales and marketing expense increased to $14.9 million or 16% year-over-year primarily due to higher headcount as well. G&A increased to $5.8 million, 15% year-over-year largely due to payroll taxes from a larger amount of options exercised this quarter. Adjusted EBITDA for the first quarter of 2017 was $16.8 million, representing a 32% margin as compared to 35% in the first quarter of 2016.

Net cash from operations in the first quarter of 2017 increased by 89% to $32.4 million compared to $17.1 million in the same period in 2016. Free cash flow generated in the first quarter of 2017 was $27.9 million compared to $12.8 million in the comparable period of 2016. The year-over-year increase in operating cash flow was driven by the overall growth of our business, an increased number of prepaid multiyear deals and the benefit of the new accounting standard, ASU 2016-09, which bumps operating cash flow compared to prior periods by including the excess tax benefits from stock-based compensation. Excluding the benefit of the new accounting standard, cash flow would've still grown very strongly at 60% year-over-year.

Capital expenditures were $4.5 million in the first quarter of 2017 compared to $4.2 million in the first quarter of 2016. Capital expenditures in Q1 came in below our previous expectations as timing on certain purchases shifted into Q2. We expect CapEx related to our operations in the second quarter of 2017 of between $6 million and $7 million. We also expect to begin work on our new headquarters in Q2, and we anticipate CapEx related to that to be another $3 million to $5 million for a total Q2 CapEx spend of between $9 million and $12 million.

Now turning to guidance, starting with revenues. For the second quarter of 2017, we expect revenues to be in the range of $54.3 million to $55.1 million, representing an estimated normalized growth rate of 16% to 17% based on our current FX forecast as well as the previously mentioned impact from the MSSP contract. We expect GAAP EPS for the second quarter of 2017 to be in the range of $0.15 to $0.17 per diluted share, while non-GAAP EPS is expected to be in the range of $0.19 to $0.21 per diluted share. We expect our operating expenses to sequentially increase throughout the year as we continue to expand our platform and build out and move in to our new headquarters.

We are thrilled to have started 2017 with such a strong quarter and are excited about the expansion of our solutions which uniquely position us to become the ubiquitous security and compliance platform. For the full year 2017, we are raising the bottom end of our guidance for revenues, bringing our current guidance to a range of $225 million to $228 million. We believe the additional services will increase our stickiness with our customer base, accelerate growth and set ourselves up for expanded margins in the future.

With that, Philippe and I would be happy to answer any of your questions.

(Operator Instructions) The first question is from Melissa Gorham of Morgan Stanley.

So I just wanted to dig into the upsell metrics that you disclosed. So you noted a pretty meaningful uptick in the number of customers adopting 3 or more products. I'm wondering if you could maybe give us more details on what solutions are driving that adoption beyond VM.

It's really a mix. I mean, we see our customers expanding their scope of VM. We see them -- Philippe talked about some customers adding on Policy Compliance that were VM-only customers before as well as taking up our newer products like Cloud Agent and ThreatPROTECT.

Yes, and the Web Application Scanning as well. So...

Okay. And then Melissa, you mentioned the cash flow benefit from an increase in prepaid multiyear deals. Can you provide a little bit more color on that? And specifically, I'm wondering if you can quantify the extent to which contract durations increase.

Yes, overall, we still haven't seen a meaningful change in our contract length. But as our deal slices get larger, that, combined with an increased number of prepaid multiyear deals, created a situation where we were able to collect a significant amount of cash flow this quarter. We don't actually manage -- we don't manage our business to necessarily drive multiyear prepaid deals. It's often, frankly, our customers who view us as a strategic partner who come to us to seek a longer-term agreement.

And the next question is from Bill Choi of Wunderlich.

Last quarter you talked about an environment where deals kind of close towards the end of the quarter and slipping. How are you seeing that environment now? And then one of the biggest questions I get most commonly is there's a continued enterprise move to the public cloud, and with that growing, why do you need a Qualys. And clearly, you're doing well here, but if you could readdress what that move to the public cloud is pulling in terms of demand, what type of products and how some of the engagements are changing.

This is a very good question. So as far as are the deals slipping or not, this is -- some quarters, they come early; other quarters, they come late. When you look at overall, I mean, this is not really that significant. As far as your second question, in fact, that movement to the cloud, we see that accelerating or what you could call the digital transformation of the enterprise. And I think Qualys is extremely well positioned here. Why? Because we can provide our existing customer with a visibility on platform like Azure, like Amazon and now like Google. And of course, we do that very uniquely because our customers can, on one hand, consolidate and save a lot of dollars out of their current spend in security. But also now with that same platform, they can now, of course, have the same view of the security across all their cloud environments and that's very unique. So I think we're extremely well positioned. We're also moving into container security, big time. We're also expanding our what we call Codename Cloud 360, which is a major engineering effort also that we're doing to provide that constant visibility across multiple clouds. I will remind you that we have already succeeded in doing something which is quite exceptional. Our agent are now embedded in Microsoft Azure, which means any Qualys -- any Azure customers can essentially invoke at a click of a mouse a Qualys agent to have the view of their security and compliance posture on Azure, and we are doing many more things around that. So for us, I think it's very welcome. As you know, why can we do that, which is the question, is because our architecture was cloud-based. And as a result of that, we could migrate our solution much more easily than any enterprise solutions into the cloud because our architecture was right from the beginning.

And then you talked about this relationship with IBM and new app you're using -- created that takes advantage of visibility and analytics, and that gets me thinking more about what kind of value you could derive from the vulnerability management database you're building as -- particularly as analytics becomes more important. What are some ways that you're looking to monetize? And how can we see revenue come from such efforts and then what timeframe?

Yes, so that's -- as you know, IBM is a very powerful machine. It's a machine that grinds slowly. But when they grind, they grind. We have established a very good relationship with them, which is at the multiple level. One, we're a natural extension for them on their Managed Security Service. If you remember, we replaced what they had with Rapid7. So -- but more deeply, what we provide to QRadar is the asset inventory capabilities, which makes their solution smarter. So with that, of course, we see the benefit of bringing more and more data into QRadar, which will increase the value. And for us it established further Qualys as the company who collects the data, give you the asset's inventory and also give you the full view and continuous view of the security and compliance of those assets and again, not only just for the endpoint or not only for the on-premise, but on the cloud -- but for these 3 environment, which is also very unique. I don't know of any company who does that today.

Any thoughts on how you monetize it and how it...

I mean, the monetization is, of course, we have the MSSP relationship and this is starting to occur. It's going to take some time. But of course, it will grind, as I mentioned. And the rest is much more us continuing to establish a good relationship with IBM. We are very good partner in their QRadar initiative. We see them playing some very strong position in emerging countries as well. So for us, it's a very powerful partnership. We have always had a good partnership with IBM, as I mentioned earlier, and so we know them very well. They know us. I think they respect us. They respect our technology. So it's just a question of time. That thing will grow naturally and will grow well.

The next question is from Robert Breza of Northland Capital.

Maybe Melissa or Philippe, really kind of piggybacking on one of the questions asked earlier around strong customer adoption of 3 or more applications. And I know you mentioned 8% kind of came from Cloud Agent in combination with ThreatPROTECT. When you look out maybe 12 months from now, how do you see the mix between, let's say, new products and VM, and maybe just some context to maybe put a range around and sort of think about the diversification away from VM?

That's an interesting question. I'm going to disclose a little bit of our thinking now, which is in the term we see our future markets. We look at now at all these applications that we have created, the VM, the Policy Compliance, et cetera, much more as application engines. And we're now focusing -- if you look on the enterprise, there's this actually -- every enterprise today is organized into fundamentally 4 groups: you have the IT, IT security, info sec; you have the app sec for the applications; you have at the end points; and then you have, of course, now the cloud and now you have the dev ops. So our architecture, what we had done here, is actually we're now packaging that to solve the problem of each of these different groups with the combination of all these different applications. So at some point in time looking further, we're not going to think anymore about Web Application Scanning or about these different application. We're providing end-to-end solution, which give you the visibility. You can now identify all of your global IT assets, again, across your different environment. And then from there you can synchronize that with your CMDBs, and then you can have the view of the global security and compliance. So it's going to be all that fuses. And of course, at the end of the day, we -- all the data that we collect through these various engines or application engines, we index that. I've mentioned about all the enhancement we have done into our back end to be capable of managing and sitting through that significant millions of data per second that we are collecting. So that's the way we see ourself as that solution that is going to be able to capture a lot of information and then digest it and then presenting that in the way that fits the endpoint team, the web application team, the info sec team, et cetera. So different view of the world and -- or of the cloud teams.

And I would just add, we're really focused on growing the total company because, for example, the solutions that you talked about, obviously, our newer ones are doing very well and we're very excited that, for example, Cloud Agent had the highest surveyor growth rate since launch. But Cloud Agent for VM, for example, is a VM-related solution, so that's not going to change the diversification. In that instance, the File Integrity Monitoring and detection of Indication of Compromise are not really VM solutions per se. So we're continuing to give this level of color because we know it helps the investor community, I guess, on transparency. But we're focused on, as Philippe described, solving the solutions of various security teams.

Yes, the way we see this, and another way of how we look at our business, it's all about, of course, keeping our customers, selling them more solution and of course, expanding. And the more solution, that's what that metrics of 27% now of customers which have bought more than 3 solution, is important and we want to see that growing because it makes us significantly more sticky. We create value. But at the same time of becoming sticky, it reduces the spend from our customers. It's a good stickiness because there is quite a lot for our customers in that process. And so that's what we're really focusing on. And of course, the more we adopt, the more customers adopt, the more we grow and the more we grow profitably because the cost for us to deliver, maintain and support all these additional operations -- solutions, of course, is -- and you see that already in our business model. So that ability to one single platform, that's where the big investment of quality has been, took us a long time to get there, but I think we're really getting there now and of course, that should mean very well for the future of Qualys.

Maybe one follow-up for you, Melissa. The deferred revenue was up, you said, 18%, outpacing revenue and outpacing even the normalized revenue or close to it. Is there a change in contract length? What are you seeing as the deferred revenue? Or is it more, again, going back to the customer adoption of taking more solutions?

So we should remember, our current deferred revenue growth relates to -- doesn't include our multiyear, right? So contract length, it wouldn't affect, but that's deferred revenue that we expect to recognize in the next 12 months. Yes, we had a good quarter from a year-over-year growth rate. In fact, when you take into account the impact of FX, it was actually 20% year-over-year. And what we're seeing there is, as we discussed, increased multiproduct adoption. And I think it's a reflection of that we're becoming a more strategic vendor to our customers. The other thing I would keep in mind that I've said before is deferred revenue is influenced by factors, such as the timing of invoicing. So I know it's one of the closest metrics that people can use for trying to get to a bookings number, but it's not always going to mirror, not on a quarterly basis. Over the long term, it will, but yes, not on a quarterly.

The next question is from Matt Hedberg of RBC Capital.

With the broadening product platform seem to be having a lot of success with new products, what sort of additional investments are going to be made -- maybe to be made to go at more of a top-down CIO-level sales. It seemed like if we'd come in at a strategic level, there'd be more of an opportunity for this broadening suite. Just curious on your thoughts there.

Yes, no. So we look at that, absolutely. That's one of the reasons, by the way, why we hired Mark Butler because that is essentially his mission, to essentially evangelize the Qualys platform from the top to CIOs and CISOs. And of course, we are beefing up our new business, Salesforce. Of course, with our existing customers, we're already very well established. So it's spending a bit more time with the management -- with the top management, to form new businesses really advocating that value. So yes, we're doing that. But again, with our model, it's not suddenly that I have to unleash a huge Salesforce pounding on the pavement. We're very, very leveraged. We have also very large partners. We have now -- Wipro is kicking in pretty well. They have all the relationship, of course, with our customers at the very top and again, it's for us to make sure that our partners also understand now the value of Qualys. And quite frankly and quite simply, the more new solution we deliver, the easier it's become.

That's helpful, and then maybe one more. Your solutions would strike me as fitting well under the GDPR, European breach notification framework that goes live about a year from now. Curious if you're seeing any sort of institutional demand from Europe either now or maybe in the pipeline as it relates to GDPR?

Yes, so it's -- yes, absolutely. So there's no question about that. In fact, we have 2 things on GDPR. First of all, we have now established on our Policy Compliance some of the GDPR framework. That's a very natural extension. We just announced some new frameworks from the Federal Reserve Bank in India, which we see, by the way, as a significant market for us, a significant growth opportunity market. We're, of course, very well established now there. So that's a natural phenomena. We see a deeper phenomena, which I think I mentioned on the previous earnings call is the fact that we've seen our major corporation now accelerating their digital transformation in Europe. And they do that essentially 2 ways: one, is adopting the clouds, big time. I was mentioning the example of Societe Generale, which publicly announced that they were accelerating their digital information program mainly because of GDPR, because this company concluded that in a way, trying to secure their current IT infrastructure with all the holes that you have, all the complexity with enterprise security solutions, traditional on-premise that do not scale, that are very difficult to integrate, so that was really throwing money and they were better putting that money into accelerating their digital transformation and going to cloud solution. The other way they are doing it is a lot of them are now moving their IT operations either to India or to other regions, like Poland, to try to streamline and again, use that as the impetus to accelerate their digital transformation. And that, of course, plays very well with us. We have this discussion with many of our large customers, as we speak, in Europe. And again, we have established a pretty significant customer base in Europe today. So that's good for us in a way.

The next question is from Rob Owens of Pacific Crest.

Wondering if you could touch a little bit on renewal rates, both what you're seeing from a dollar-based renewal rate as well as a customer renewal rate in the fourth quarter -- in the first quarter, excuse me.

Yes, so we actually added to our investor presentation this quarter a customer count renewal rate because that had been requested of us. And for -- we've broken out by enterprise and SMB, SME and the enterprise rate is approximately 90% and SME and SMB is 80%. And it's been around that area for -- we did some work looking at it historically. It really hasn't moved. In terms of dollar rates, we focus on dollar expansion, which includes the upsells. And we give that out on an annual basis, and it was 104% for the company as of Q3, which was at our Analyst Day. And you can imagine enterprise is slightly higher than that, and SMB, SME is a bit lower. But again, I don't think that changed materially. If anything, it's probably step a bit.

Yes, and what I said also, Rob, what I could add also is that these numbers, in fact, underestimate our real renewal rates, if you could really measure them. And the reason is because we see sometimes a company consolidating, buying another of our customers. Of course, we have not lost the customer. That, of course, is now part of a bigger entity and we see many of that. I remember the day when Oracle was buying our customers one after the next one with PeopleSoft, et cetera, et cetera. So that, of course, in a way give you less renewal rates. Also, there's now a benefit of a bigger discount because there's more volume. But still, it means that Qualys is strengthening, not weakening. So that's -- so our renewal rates, in fact, are very, very healthy. And again, they are a little bit underestimated because of these 2 factors that I mentioned, especially on the enterprise. On the SME, SMB, they have always customers that disappears. You have much less loyalty there. So you have typically the renewal rates which are not -- but again, they are acquired or they are moved or they disappeared. But all in all, we have very strong renewal rates.

Yes, now it's part of our anecdotal color for the call, which -- about the quarter, we saw frankly strong performance across renewal, upsells and new customers.

Great. And then if I look at the platform adoption, you talked about 27% of customers having multiple products. Why aren't you seeing more growth than in the other security solutions? Is there something falling off in that bucket? I know it was only up 23% year-over-year, I think $11 million -- or $13 million, excuse me, versus $11 million a year ago, where we might see some acceleration there if the multiple product strategy in these new categories continue to catch on.

Yes, well, there's a variety of factors that go into them. I mean, some of the increased multiproduct adoption is going to be from VM customers taking ThreatPROTECT. So for example, that would still be in the VM bucket. And the other thing to remember is the breakout of the [inverse] is other security and compliance solutions has been on a reported growth basis, and so there was a negative 300 basis points impact to the growth rate as a result of the MSSP contract and FX. So you kind of add back 300 basis points and you're at, let's say, 26%.

So the MSSP actually impacts those other security solutions as well?

Yes.

The next question is from Steven Couche of Stephens.

This is Steven on for Jonathan. With regards to the new SMB position, how do you plan on utilizing that position? I know historically you've been mostly direct to enterprise. And maybe just give us the broader strategy for doing better with SMBs.

No, in fact, we have -- we've always had is telesales -- it's mainly our SME, SMB business, although we have telesales, although we have partners also reselling what we call our Express and Express Lite package, the same code base, but packaged differently for this market. What we see here is now that we have -- it's a significant business today. We want to really make it more of a business unit on its own. We are revamping our website, so we want to have more for the website also, which will target the SME, SMB because we believe we can grow that marketplace much faster. So we brought somebody who has the experience of building at scale. As -- that person was running the digital certificate business of VeriSign, which was, at the time when he left, a $200 million business. So I think the time has come so we could really make that unit more and more of a true business unit than being part of, if you prefer, of our overall sales and marketing operation.

Yes, and just to give some color to how well established -- I mean, it's already been built out. If you remember at our Analyst Day, we shared the breakout of our customer count and 83% of our customers are SMB, SME. So that's a large part of our 9,300 customers. But as Philippe said, we see opportunity to really scale it to the next level. So we're excited for -- to have our new General Manager.

And then maybe one more. Can you give us a quick update on the MSSP agreement that was announced last first quarter? I know -- I think on the call you had mentioned that there were 6 quarterly fixed payments. So could you just update us on that, and then if there would be anything there that might affect the business throughout the remainder of the year?

Sure. So the MSSP agreement that was signed in Q1 of '16 was a multiyear contract, and so we're in the second year of it. Not much has changed. It is quarterly built, so that's actually 4 payments per year. And we expect that after this year, we won't have to talk about the impact on revenues which we're talking about because last year, we had large amounts of, call it, onetime of accounting. This time, we had the absence of it, so it's important that people understand what our more normalized growth rates would be. But it continues to be a strategic partner, and we continue to expect to see our business from them growing.

Yes, and in fact, that partner has now adopted many of our new solutions, which they are pushing, so -- which I think is good for them, and it's good for us.

And the next question is from Jayson Noland of Baird.

I wanted to ask on your sales cycle with an increase in attach rates that may elongate a little bit, and then a shift to the cloud, which may shorten the sales cycle. What changes have you seen, if any, over the last 6 to 12 months?

Well, I think to the extent that we do very large deals, which has become more increasingly common, those do take longer. And sometimes that's because of multiproduct adoption, but sometimes it's, frankly -- it can be a very large single product -- single-product purchases as well. But we haven't seen any necessarily change in the dynamics of our business. Philippe, do you want to add more color to that?

Yes, no, and the cloud, of course, the cloud we see -- again, in the SME, SMB, of course there's an acceleration, but that doesn't change the dynamic of SME, SMB, which has always been reliably short-selling cycle. On the enterprise, we see them adopting, but again, it's more bigger deals at the enterprise level. So we don't see really much changes all in all for what Melissa mentioned. We do bigger deals absolutely now, and that takes a little bit longer. [Additionally] they are less predictable. So...

I wanted to ask on headcount expansion, too. If you could talk about your case relative to full year targets. It's kind of hard to make hires in the category, I would assume. And then specifically, what roles you're hiring for?

Yes, well, we've added this quarter across all of our functions and in our R&D and ops. We do continue to see a little bit more than expected coming from India. And again, in a lot of situations, we are posting the job openings both locally here and in Pune and we find the right people in Pune. So again, we're all about finding the right talent. And if it comes at a lower our cost, it's just a benefit. So we feel very good about where we are, and we feel very good that we were in position to announce our CISO and our General Manager of SMB, SME on this call today as well.

The next question is from Gur Talpaz of Stifel.

This is actually Chris Speros on for Gur. Can you guys talk about what's driving the persisting demand for the Cloud Agent and the degree to which you're expecting the File Integrity Monitoring and the other yet-to-be-released solutions that leverage the Cloud Agent to expand the annual spend of the current Cloud Agent installed base? And also, can you talk about how many Cloud Agents that you currently have in active trials?

So to answer your first question, the beauty of our Cloud Agent is not only it's a very unique and very powerful architecture, but the fact it's a natural extension, it makes our vulnerability management and our Policy Compliance much better because it gives you real-time. You don't have to have scanning windows. You don't have to ask credentials. So that's where the trust of that Cloud Agent grow, which as Melissa mentioned earlier, we're now more than 2.6 million. And then the quarter (inaudible) trials as well. I mean, the trials are still very strong.

It's about 1 million.

Yes, so it's -- which has been like that since quite a few months already. So what's now -- what -- the beauty of our Cloud Agent also is the fact that now that these Cloud Agents have been installed for our customers to adopt the FIM and to adopt the IOC is also very straightforward because they don't need another agent. That's -- they can immediately try our FIM and our IOCs and future services as well. So you look at that as a kind of a Trojan horse that will push our agent naturally to our VM and Policy Compliance application where we're already a huge customer base and now suddenly, we have all these new services enabled. So we expect a very big success of both the File Integrity Monitoring as well as the detection of Indication of Compromise. So cannot wait to have that out of beta and selling that.

Yes. And I will just add, I think you should view our increased investment in our back end as greater confidence in the market appetite for these solutions.

Yes, because effectively, because case in point, we realize also and that's what accelerated some of these -- some of our efforts in the back-end, that were now sucking a lot of data. And so to make sure that we were not -- that at the end of the day, the growth potential that we see will not be hampered by the fact that we didn't have the back end capable of digesting all that data. So we took that initiative and very happy that engineering responded very well, and we're very happy with this expansion that I mentioned earlier. And that's why I mentioned, quite frankly, the Kafka, the Redis and of course, our elastic storage capabilities. So that's really a tall order. This is not that obvious to do, and we did it.

The next question is from Michael Kim of Imperial Capital.

Can you talk a little bit about the pipeline for web application security? You have a pretty good installed base on the scanning side. And coming out of RSA, curious about kind of the early feedback for WAF 2.0.

So the feedback has been very positive. We don't have that yet -- a lot of traction yet in terms of orders, but I think the feedback is very positive. I think combined, the WAS 5.0 and web app, it's driving, in fact, today part of the acceleration that we see in our Web Application Scanning market. So I think we need another quarter or 2 to try to see that thing taking off substantially.

The next question is from Sterling Auty of JPMorgan.

This is Ugam Kamat on for Sterling Auty. I don't know if this might have been answered earlier; we have been juggling between calls. But you had a pretty significant billings beat in the quarter. But if I see the revenue guidance, you have just increased by $1 million at the lower end. I mean, is it something where the deals from second quarter or third quarter got closed early in the first quarter? Or how should we think about this?

Well, you're right that in terms of our deferred revenues, it is affected by the timing of invoicing, so it's not a direct proxy to bookings. In terms of our revenue guidance, we had a great quarter and we raised the bottom end of our revenue guidance. We generally assume that we will guide to a range of $1 million each quarter. And where we have greater visibility, we will narrow the range, as we did in Q2. And so -- and it's influenced by a number of factors, such as the number of large deals, the timing that we expect the larger deals to occur within a quarter as well as potentially new products coming out. So in general, because Q3 and Q4 are larger quarters, we would assume that we will guide to a range of $1 million for each of those quarters. And so that's how we ended up with our $3 million revenue range.

The next question is from Erik Suppiger of JPMorgan -- I'm sorry, JMP.

First off, you said the billings for the new products were 8%. Can you tell us what it was last quarter? I think last quarter, the revenue was around 5%. But did you give us the billings from prior periods?

We haven't provided billings. What we had talked about last quarter was that for 2016, our newer products for the year were 5% of bookings. So we were providing that color in the context of how we were thinking about guidance for 2017. Obviously, 8%, we're very happy. It's obviously meaningfully larger than it was a year ago, but that's also not a fair comparison because ThreatPROTECT, for example, didn't exist a year ago. So I think all the color we're giving you about how new products are performing, you should take that as our excitement about them.

Okay. So was 5% of billings for all of '16 is what the new products were (inaudible), correct?

Yes, but it's bookings, not billings, Erik.

All right. Okay. The VM grew 12%. Is that consistent with where it's been? Because I'd thought a while back it was growing a little bit faster than maybe in the mid-teens. Is 12% growth in VM, does that reflect any slowdown?

Well, so if you actually normalize for the impact of the MSSP contract and FX, you end up back in the mid-teens, which is where the market growth is. And our historical ability to outperform the market has been because we've innovated around these solutions and our new solutions are just currently in the early stages of adoption. So we definitely see opportunity to accelerate our growth rate there.

The next question is from Siti Panigrahi of Wells Fargo.

Philippe, just wondering -- just following up on that question -- with the prior question on VM market. Just wondering if you have seen any kind of changes from your competitors, Rapid7 and Tenable? If they have stepped up investment or anything? And also, are you seeing any kind of [macro] customers switching to you or any of this -- any of your competitors at this point?

So in terms of the competition, Rapid7, we see them trying to put more and more emphasis with their InsightIDR product, their analytics. That's where they -- we see them much less aggressive in a way on the enterprise market. They still continue to be, of course, on the SME and SMB side, which we compete very effectively against them there. As far as Tenable is concerned, we see them -- if you may recall 2 months ago, they announced that they were the first cloud-based VM solution. Now they are announcing they got the next-generation VM solutions, so they are making a lot of noise. But still, we'll have to -- Tenable.io is still pretty rough. So they make a lot of noise and of course, they have to try to take on our customers. And so far we don't see, except for the -- they are more of a nuisance than a threat at this stage.

And the final question is from Srini Nandury of Summit Redstone.

Anyway, the question I have is I just want to understand your public cloud opportunity a little better. Now you're available on Microsoft Azure as well as through Google Cloud deployments. I was kind of wondering if you are factoring any revenue from -- contribution in 2017.

So just to answer, we've been very -- in all of these new services that we have, we've been very conservative in any kind of evaluation because it simply takes time. Our vision is very big. In fact, again, as I mentioned earlier, having our agent embedded with Azure is not a small feat and that this is done. We have a bigger vision with our Cloud 360 View, which is essentially to really be the company that provides that visibility across all of your cloud because the world is not going to be a world where companies have the Azure cloud or the Microsoft cloud or the AWS cloud or the Google cloud. I think we are moving into a hybrid world because these platforms are differentiating themselves. Some are much better in terms of pricing and capabilities to really elastic clouds when we see, for example, Microsoft, especially with their private cloud becoming more an enterprise-friendly solution. So at the end of the day, the world is going to become a hybrid world. So the key here is to give you that visibility across all of the clouds, and that's what we're doing. And so we'll make some more specific announcement about all the new things that we're doing at our next investor conference or at our user conference. So we see a very good potential market for us. We are very well positioned.

Okay. Just to jog my memory, are you guys also available on Google -- on AWS, I'm sorry?

Absolutely. Not only are we available on AWS, but also AWS is using Qualys like Microsoft is as well to secure their own AWS platform. So we give the visibility to AWS across their entire cloud so they could ensure that their platform is secure.

Okay. Melissa, just to clarify, are you guys factoring any revenue contribution from these public cloud sources into your 2017 estimates?

No, as I mentioned earlier, we've been very -- we're very conservative in terms of the adoption of all these new things. And so again, time works in our favor. That's one thing that you have to understand. We're not an enterprise model whereby you've got to get the business because if you don't -- so we typically grow our customers. We take them slow, small and we grow them. And so that's the beauty of, in fact, of our model. So we will always (inaudible) but essentially, people are used -- they pay what they consume, and like enterprise software, which you've got a lot of shelf ware. That's not our model. So it grows slowly, but it grows more profitably and over time, it all adds up.

And at this time, I'd like to turn the call back over to Joo Mi Kim for closing remarks.

Thank you, operator, and thank you all for attending our First Quarter 2017 Earnings Call. We look forward to seeing many of you at the JPMorgan TMT Conference in Boston later this month.

Thank you. Ladies and gentlemen, this concludes today's conference. You may now disconnect. Good day.