Qualys Inc (QLYS) 2017 Q3 法說會逐字稿

Good day, everyone, and welcome to Qualys Third Quarter 2017 Earnings Conference Call. This call is being recorded. (Operator Instructions) I would now like to turn the call over to Joo Mi Kim, Vice President, FP&A and Investor Relations. Please go ahead, ma'am.

Good afternoon, and welcome to Qualys' third quarter 2017 earnings call. Joining me today to discuss our results are Philippe Courtot, our Chairman and CEO; and Melissa Fisher, our CFO.

Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and in our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events.

During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. As a reminder, the press release, prepared remarks and an accompanying investor presentation with supplemental information are available on our website.

With that, I'd like to turn the call over to Philippe.

Thank you, Joo Mi, and welcome, everyone, to our Q3 earnings call. Melissa and I are very pleased to report another quarter with strong performance on both revenues and profits, driven by the continued adoption of our Qualys Cloud Platform and its integrated suite of security and compliance application we call Cloud Apps. We're very pleased to raise again the bottom and top end of both our revenues and non-GAAP EPS guidance for the full year 2017, and Melissa will provide you with more color on it. These impressive results clearly underscore the competitive advantage we have created by taking the long view to build a highly scalable cloud platform that can be delivered both as a shared platform or on-premise. This dual approach gives us an additional and unique advantage given the accelerated migration to cloud solution in an increasingly vulnerable and regulated environment.

As we all know, traditional enterprise point solutions, which are inherently difficult to deploy, maintain and integrate, are not effective anymore in protecting against crippling attacks such as WannaCry and in coping with new regulations such as GDPR. As a result, companies are now looking for true platform solutions to consolidate their security and compliance stack in order to reduce costs and complexity while improving their security and compliance posture. Furthermore, businesses of all sizes have a critical need to accelerate their digital transformation. This transformation requires a new approach to security where security must be built in and not bolted on. These requirements make our platform approach strategic to our customers and bolster the expansion of our vulnerability management solution as well as the adoption of our additional solutions. This is underscored by the fact that now 30% of our enterprise customers have deployed 3 or more solutions compared to 23% a year ago. We also saw this manifest itself this quarter through the continued adoption of our Cloud Agent with almost 5 million purchased over the last 12 months. This represents a 37% increase over last quarter and contributed to the increase in the number of large deals with both existing and new customers.

As an example, we signed a multimillion dollar expansion with a leading cloud provider who not only expanded the scope of their vulnerability management, but added Cloud Agent and AssetView. Additionally, this quarter, we signed a multimillion dollar annual deal with a large health care company, encompassing both vulnerability management and threat protection. This was existing customers who had previously only used our web application solutions and PCI service on a limited basis.

As WannaCry and GDPR are impacting enterprises worldwide, we saw new customer's deal size in Europe increase this quarter as well. We signed a 6-figure deal with a new European customers to fully deploy vulnerability management in their environment. In the past, as you know, many customers had begun with partial deployment. As we have discussed before, larger deal size benefit both our stickiness with our customers as well as our profitability.

A few weeks ago, we hosted our 17th annual Qualys conference in Las Vegas, at which we had record attendance by our customers and prospects. The theme of the conference was, "from securing our networks to enabling the digital transformation of our enterprises." We demonstrated there a significant expansion of our platform as evidenced by ElasticSearch, where we now index 250 billion data points; and as well as the addition of additional open-source back-end like Cassandra and Kafka; and additional analytics and reporting engines. We also showcased an impressive suite of additional solutions we will be delivering during 2018, underscoring the power of our true platform approach, and you will find the list in our investor presentation, which is now online.

Enterprises worldwide are accelerating the adoption of cloud technologies to retool their business -- or their businesses. This adoption requires unprecedented scalability, accuracy and speed in order to identify all global IT assets, which could be vulnerable, whether on-premise, in the cloud or on endpoints. Enterprises also need to ensure that vulnerabilities are rapidly and properly remediated, which is something traditional enterprise IT security solutions cannot deliver effectively and at which Qualys excels.

Our Qualys platform enables enterprise to build security into their digital transformation, initiatives for global visibility and better business outcomes. Earlier this month in Monaco, I introduced at Les Assises, the leading security conference in France, Khaled Soudani, Societe Generale's IT infrastructure COO, as part of my keynote. He spoke about the vital need they had to accelerate the digital transformation, how security needs to be built into this new cloud-based infrastructure rather than bolted on, and how security needs to become an enabler rather than an impediment. He also added that the world is moving toward hybrid cloud. That is a combination of public and private clouds. Securing such hybrid cloud architectures requires that security and compliance vendors retool their solutions to adopt a cloud-based architecture.

Because we started our journey with such a cloud-based architecture in mind, we believe that it gives us a significant head start. This is evidenced by the fact that 70% of the Fortune 50 have now adopted our cloud platform, including technology leaders such as Amazon, Microsoft, Apple and Oracle. We continue to expand our global partnerships and are pleased to announce that we have been selected by Ernst & Young to be a key component of their new next generation cybersecurity center in Texas, from where they can monitor clients' environments armed with the latest and most advanced tools to streamline detection and prevention of threats. We're also starting to make inroads in the federal market due to our FedRAMP certification and the market being more receptive to cloud-based solutions. Following the selection of our FedRAMP-certified private cloud by Lockheed Martin, we are pleased to announce that both the Secret Service and the Capitol Police became Qualys customers in Q3.

This quarter, we continue to expand our offerings with the general availability release of File Integrity Monitoring, FIM, and the detection of Indication of Compromise, IOC. Qualys FIM logs and centrally tracks file -- tracks file changes -- I'm sorry, file change events across global IT systems and a variety of enterprise operating systems to provide customers a simple way to achieve centralized cloud-based visibility of activity resulting from normal patching and administrative tasks, change control exceptions or violations or malicious activity, then report on that system activity as part of compliance mandates. This highly scalable and centralized solutions we provide now reduces the cost and complexity of detecting policies and compliance-related changes mandated by increasingly prescriptive regulations.

Qualys IOC detects activity and behavioral changes on the endpoint and delivers a continuous view of suspicious activity to customers that may indicate the presence of known malware, unknown variants or threat actors -- actor activity of devices both on and off the network, which is quite unique. By expanding the number of applications we offer, we enable our customers to consolidate an increasing number of security and compliance solutions, eliminating the daunting challenges they have with point solutions that all require their own infrastructure, are difficult and costly to deploy and manage and extremely costly to integrate. Our platform allows our customers to drastically reduce their spend. And for Qualys, we benefit from a more strategic relationship and increased stickiness with our customers.

In Q3, we closed the acquisition of Nevis Networks and integrated the team with our existing Pune, India operation. The acquisition of Nevis Networks enabled us to enter the market that is currently served by solutions such as ForeScout. The acquisition of Nevis provides us with a significant domain expertise in deep packet inspection, also known as passive scanning, and gives us the opportunity to accelerate our move into the adjacent markets of mitigations and response. Once this technology is fully integrated into our platform, we will provide additional visibility and response capabilities to products to protect against threats from IoT devices. This will provide a holistic view of vulnerabilities within our platform across devices and web applications, whether on-premise, in the cloud or on endpoints. We also expect the Nevis acquisition to strengthen our commercial presence in India, which we see as a significant opportunity for our company.

Speaking of Pune, our operations there now encompass 350 employees across all departments, including ops, dev ops, engineering, QA, customer support and product management. This is a major strategic advantage for our company as it continues to be both a competitive and a cost advantage for us. We will continue to invest heavily in Pune.

In summary, we continue to strongly believe that we are best positioned to secure the vital digital transformation facing our customers while helping them secure their current on-premise and endpoint environments. We believe our customers increasingly see us as a strategic vendor, which has earned their trust by delivering a true platform that offers them greater visibility, accuracy and scalability and helps them consolidate their stack. It is this platform approach, built over many years, that has allowed us to build a strong foundation of recurring revenues while achieving industry-leading profitability. We believe we are positioned better than ever to help our customers improve their security and compliance posture and forge ahead with their digital transformation.

With that, I will turn the call over to Melissa to discuss our financial results in detail. Thank you.

Thanks, Philippe, and good afternoon. We had a terrific third quarter with both revenues and profits exceeding our expectations. We continue to see healthy demand driven by our strategic positioning as the leading cloud platform in our market, coupled with strong market conditions.

The upside in revenue drove record margins for Qualys. We saw strong demand this quarter from both new and existing customers, the latter with both renewals and upsells. Deal sizes continue to increase in Q3, growing 17% year-over-year, and new customer deal sizes grew 62% year-over-year.

From a geographic perspective, we saw very good year-over-year growth in all geographies. In fact, we had record new customer bookings in EMEA in Q3, driven by deal sizes for new customers in EMEA growing year-over-year more than 100%.

Consistent with last quarter, we saw strong performance in the vulnerability management category. Bookings for both Cloud Agent for vulnerability management as well as threat protection more than doubled year-over-year. This drove meaningful acceleration in new product bookings.

New products released since 2015 contributed approximately 14% of total bookings in the quarter, up from 9% last quarter. These new product bookings are mostly due to Cloud Agent, which includes the associated subscription to either vulnerability management or policy compliance and include renewals that convert to Cloud Agent. Including Cloud Agent for policy compliance, we sold 4.7 million Cloud Agents in the last 12 months, an acceleration from 3.4 million as of last quarter. Our Cloud Agent platform, as you may recall, is the underpinning technology of many of our new solutions, including File Integrity Monitoring and IOC and therefore should help adoption of these newly released solutions.

Multiproduct adoption continues to increase as well with the percent of enterprise customers with 3 or more Qualys solutions rising to 30% this quarter, up from 23% a year ago, and their average spend in the quarter increased 24% year-over-year. Revenues in the third quarter were $59.5 million, which represents 19% normalized growth over the third quarter of 2016. There was a negative impact on our Q3 2017 revenue growth rate of approximately 150 basis points from the MSSP contract and approximately 110 basis points from FX. In Q3, we also saw more front-loading of deals, which benefited our revenues.

Turning to our deferred revenue balance. The current deferred revenue balance was $132 million as of September 30, 2017; 21% greater than our balance at September 30, 2016. Normalized for the impact from FX, our current deferred revenue balance would have grown approximately 22% year-over-year.

Before moving to our profitability and cash flow, I would like to remind everyone that unless otherwise specified, all of the expense and profitability metrics I will be discussing on this call are non-GAAP results. Our non-GAAP metrics exclude stock-based compensation and nonrecurring items. A full reconciliation of all GAAP to non-GAAP measures is provided in the financial tables of the press release issued earlier today and is available on the Investors section of our website. Also note that certain amounts in prior periods have been reclassified to conform to the current period's presentation.

Adjusted EBITDA for the third quarter of 2017 was $23.9 million, representing a 40% margin as compared to 35% in the third quarter of 2016. This contributed to a 63% year-over-year increase in GAAP EPS and a 40% year-over-year increase in non-GAAP EPS this quarter. Because of our expansion in India, we achieved this earnings growth despite a 26% year-over-year increase in headcount.

In Q3, we also benefited from greater efficiencies in operations, which contributed to an increase in our gross margin to 80% from 79% in Q2 and from 79% in the third quarter of 2016. Gross profit increased by 18% year-over-year to $47 million in the third quarter of 2017.

Operating expenses in Q3 increased by 7% year-over-year to $28.7 million. Research and development expense increased to $9.4 million or 15% year-over-year primarily due to higher headcount. Q3 R&D expense also includes 1 month of the Nevis team, and we're excited to have added the team from Nevis.

Sales and marketing expense increased to $14.2 million or 4% year-over-year primarily due to higher headcount and related costs. G&A was flat year-over-year at $5.1 million as higher headcount cost was offset by lower third-party spend. Net cash from operations in the third quarter of 2017 increased by 62% to $32.8 million compared to 22 - $20.2 million in the same period in 2016. The year-over-year increase in operating cash flow was driven largely by the growth in our billings and profits.

Capital expenditures were $13.4 million in the third quarter of 2017 compared to $9.8 million in the third quarter of 2016. Out of the $13.4 million, $5.1 million was for our business operations and $8.3 million was for our new headquarters buildout. We expect CapEx related to our operations in the fourth quarter of 2017 to be between $6 million and $7 million and CapEx related to the new office to be another $4 million to $5 million for a total Q4 CapEx spend of between $10 million and $12 million. Total 2017 CapEx related to the new headquarters buildout is now expected to be between $16 million and $17 million, up from our prior expectation of $13 million to $15 million. We also spent $5.8 million on the acquisition of Nevis Networks in Q3.

In terms of guidance for the fourth quarter of 2017, we expect revenue to be in the range of $61.7 million to $62.2 million, representing an estimated normalized year-over-year growth rate of 19% to 20% based on our current FX forecasts as well as the previously mentioned impact from the MSSP contract. We will continue to invest in Q4 and look for high-quality talent in a number of areas. However, given our highly scalable operational model, we now expect full year 2017 operating margin expansion.

We expect the GAAP EPS for the fourth quarter of 2017 to be in the range of $0.15 to $0.17 per diluted share, while non-GAAP EPS is expected to be in the range of $0.27 to $0.29 per diluted share. We are delighted to be raising our full year 2017 guidance for both revenues and earnings. We are raising the bottom and top end of our revenue guidance for full year 2017 again to now be in the range of $229.6 million to $230.1 million from the prior range of $226.8 million to $228.3 million. We are raising our GAAP EPS guidance range from $1.09 to $1.11 from $1.02 to $1.06 and non-GAAP guidance range to $1.04 to $1.06 from $0.87 to $0.91.

We believe our strong financial results reflect the enthusiasm our customers have for a cloud-based security and compliance platform that can secure their digital transformation and enable them to consolidate stacks for better visibility and security. At our user conference a few weeks ago, I personally saw how strategic our platform and applications are to our customers and how appreciative they are of our solution that is integrated and at a lower total cost of ownership than competitive on-premise solutions. We continue to believe that our unique competitive positioning, coupled with our scalable model, will enable us to continue to grow our revenues and boast top-tier margins.

With that, Philippe and I would be happy to answer any of your questions.

(Operator Instructions) Our first question comes from the line of Alex Henderson of Needham & Company.

So I just wanted to talk a little bit about the structure of your model going forward. Obviously, with the investments in India, it sounds like your OpEx growth ought to be probably towards the lower end of the teens range going forward. But it looks like your top line growth is at the upper end of the teens range and maybe even in the low 20s. Is that the right way to be thinking about the structure as we move forward into 2018 without actually giving guidance for 2018?

So our performance this quarter reflects what a scalable model we have as demonstrated by our record operating margins. We will continue to invest, however, as you can see by our Q4 guidance, which implies sequential margin contraction. Having said that, we have a highly scalable model, which allows us to continue to invest and boast very healthy margins. With regards to 2018 guidance, we will give that on our next earnings call, consistent with prior years.

Just if I could, one follow-up on that. So when exactly did the Nevis deal closed?

It closed on August 29th.

Our next question comes from Sterling Auty of JPMorgan.

So GDPR, I'm kind of curious. You talked about -- pointed out a good strong result in Europe. GDPR, I think, was a distraction initially for a number of vendors. Do you think we've moved past that? And are you actually seeing specific deal traction driven by that initiative?

Absolutely in Europe, and I think it's starting to impact the U.S. And this is something that I don't think many people understand, because a lot of people look at GDPR as a -- fundamentally a compliance requirement, that okay, you've got to pass another set of things and you have to -- but it's much deeper than that because it has forced, especially in Europe and now it's coming to the U.S., companies to rethink their entire security strategy and to fundamentally accelerate their digital transformation. That was the speech of Khaled Soudani, which is the COO for the entire Societe Generale infrastructure IT, and he's got 6,000 people reporting to him. And essentially, it's all about (inaudible) security; first of all, accelerating the digital transformation so you could have a much better handle on security, of course, improving the velocity of your business. And the fundamental notion that you've got to build the security into it, which means security is becoming much more of a dev ops now issue than the traditional like bolt-on and add security component or enterprise security solutions. It's a major shift. And I think GDPR, because of the onerous fine that the regulator could impose, up to 4% of their revenue, if the corporation cannot prove to the regulators that they have been good guardian of both the security and the privacy of the data of their customers, that's a huge, huge shift. And so I think we were, in a way, lucky because we have the right architecture, and -- which is not the same for a lot of other vendors.

That makes sense. Maybe one other on a vertical question. U.S. government, I think, was decent for some vendors but not for others. Can you give us maybe a little bit of your experience, what you saw in terms of demand, the U.S. federal, given their [configured in].

So for us, it's very different. Again, we are very different -- not positioned at all like all the other vendors which typically have between 20% to 40% of the revenues in federal. We have only 1%. So for us, it's all gravy. But more importantly, the government now needs scalability, immediacy. And again, cloud solution is really the only solution. And when I say cloud solution, cloud-based solutions. That means the fact that we have the ability (inaudible) cloud stack on-premise is exactly what government across the world require because they are not yet comfortable to put everything on Azure or on AWS. And their networks are really pretty big. So that's what we saw with Lockheed, which is now has the Qualys private cloud. And of course, now we just mentioned the Secret Service that is now a customer. So now, finally the market is coming to us again. So that's what's very -- it's very new for us. It's all -- of course, it's going to take some time, as you very well know, government takes time, the procurement is so complex and lengthy. But for us, I mean, it's all gain. I mean, we have nothing to lose here. We have everything to gain.

Our next question comes from Robert Breza of Northland Capital Markets.

Just curious, Philippe, if you could talk about kind of the macro backdrop, I think, kind of in tune with some of the prior questions. We've seen some companies execute well and some not so well. Are you seeing anything on the tea leaves from a macro environment, whether it's Europe or the U.S., that causes you to stay awake at night or think about more intently?

No, I think for us, we're -- again, we're so well positioned because we have that ability to deliver the cloud in the way company essentially can absorb it and also have that ability to secure. Like for example, with Microsoft Azure, we have our agent now integrated in the Microsoft Azure. So any Microsoft Azure customer can, at the click of a mouse, essentially provision a Qualys agent, which will give the continuous view of the security compliance posture of the environment on Azure. This is totally integrated. Nothing to install, nothing to do. They just click on the link, and that's it. So that ability to integrate security or to build security into this cloud environment, whether they are public or whether they are private, and it's really the new game. That's the way we see it. So we see that, as I mentioned earlier on the question of Sterling, GDPR is accelerating that thinking because of the onerous penalties that you could get. So getting 4% of your revenues as a fine, you may want to say, should I not invest that ahead of the game in my digital transformation to make sure that I'm not going to be -- I'm going to be able to really secure it? Because quite candidly, and I've been mentioning that many times during my RSA keynotes over the years to the point that I felt like Galileo, thank Lord I'm in America, so they didn't put me in house arrest; that it's becoming harder and harder, if not impossible, to secure the current computing environment, which is network-based. So with that, we need to move from that client/server enterprise network-based environment to a much more cloud-based environment.

Maybe as a follow-up to your guidance around Microsoft Azure and customers moving workloads to the cloud, et cetera. As we sit back and think about the number of IP addresses being scanned, have you seen your IP addresses being scanned or customers expanding the different or more workloads, et cetera, more applications, et cetera. As they're moving towards the cloud, are you seeing that expansion increase in terms of the overall business model? Or how should we think about -- because obviously, those elements still need to be scanned, whether they're running in Azure or AWS, et cetera, but...

Correct. Well, that's an interesting -- sorry, go on.

No, I'm done.

Okay. So that's a very interesting question. In fact, there's 2 moving parts here. On one hand, customers realize today that you cannot just look at your critical server -- your perimeter and your critical servers, add a few critical applications. You've got now, because everything -- interconnected with everything, you've got to really have a complete visibility on your entire environment. And very soon also on these IoT devices that connects to your environment as well. So that significantly increase, if you prefer, the scope of IT. Now at the same time, of course, as you are moving some of these assets into the cloud, it reduces, of course, the number of IT assets that you are going to have to look at on the on-premise world. But since today, we are so under businesses -- there's still so much room to grow in that old world, that it's -- that there's still a lot of expansion that we see within our existing customers, even customers who have been with Qualys for 10 years, they may be have been scanning maybe 30% of their assets. So now today, they've got to do more. And then of course, they need to add that solution to scan their assets or identify the vulnerabilities on those assets, which are in cloud environments. So the very unique thing of Qualys is that with the same platform, you do both. So it's a win-win for our customers.

Our next question comes from Michael Kim of Imperial Capital.

Just with regards to the global partnerships, do you see a greater focus or opportunity with partners like E&Y and the other consulting or MSSPs. And how do you think about exploring new routes to market?

Yes, absolutely. So what is happening today, we saw, first of all, as you may recall from some of our previous calls, that we have established a very significant position with all the Indian outsourcers, the Tata, the Wipro, the HCL, Accenture, et cetera, which are both Qualys customers now but as well as Qualys partners. Now we see companies like Ernst & Young and also these Indian outsourcers really focusing on the digital transformation and building its architectures, which absolutely again are cloud-based, so they can, in fact, provide not only helping the customers to accelerate their digital transformation through the retooling, consolidation of data center, virtualization, which now by the way is not anymore virtualization. Now the technology has moved, it's containerization. And then, of course, you've got to look at the security as a whole. So we, in fact -- so you have to have a cloud architecture to be able to fit into these new initiatives from these partners. And that's again the big advantage of Qualys here, is that this is an enterprise software solution. It's that simple. So we see that as strategic partners for the future, and we're very pleased with Ernst & Young, of course, with their brand-new data center or security center. We see that coming from other companies, and essentially, we're becoming a very strategic partner for these, I would call, next generation of outsourcers, which are essentially helping companies accelerate their digital transformation and security.

Our next question comes from Erik Suppiger of JMP.

The Cloud Agent has had a nice acceleration in the last couple of quarters. Can you talk a little bit about what dynamics are changing around that? And then secondly, can you give us a frame of reference on what kind of penetration you've had? I think we know your customer count, but I don't think we have a good sense for the endpoint customer count. So can you give us some sense of what kind of penetration you have at this point?

So generally speaking, the Cloud Agent is still the same, which means we have a natural extension from our customers, which already are doing policy compliance and vulnerability management. It's a very natural extension. As you know, this is a kind of a charge and hold strategy for us. Every new customer today essentially start taking Cloud Agent as well. And so that -- this Cloud Agent, the way to look at them is that not only they expand our ability to -- they provide a much better vulnerability management and compliance solution, because it makes it real time. As you may recall, you don't have now -- you don't need anymore the scanning Windows, you don't need to fetch the credentials, and it doesn't really give you immediacy, and it doesn't really take much traffic either. So they are really very good. It's next generation of vulnerability management and compliance that we have with them. But they are, at the same time, the enabler of a slew of new services, which now we're very pleased that we have now shipped our File Integrity Monitoring and our detection of Indication of Compromise, which are -- Indication of Compromise, this is what is going to really start pushing us more at the endpoint, because at the endpoint, you don't really scan an endpoint that leaves the network. So that's why we're never very strong on these endpoints. But now today, the beauty of our agent is that even if the endpoint is out of the network, we still track it. And that's, again, very unique to our architecture. And as we start to see traction of course for the IOC, we're going to have more and more of our agent on the endpoints, and then, of course, you have many other services that now we are -- which are in the making, and that will help us continue the, if you prefer, the acceleration of our Cloud Agent solution.

And from a penetration standpoint, we estimate that out of our customer base, the percent of customers with Cloud Agent is approximately 8%, which just shows how much room we have to grow, but also even so understates the opportunity because similar to our current VM or policy compliance solutions, our customers have not fully deployed their Cloud Agents. And so there's huge opportunity within our customer base for more growth.

Our next question comes from Gur Talpaz of Stifel.

So in the press release, you made a pretty interesting customer announcement in Maersk, which was notably hit by the NotPetya ransomware campaign. Can you talk about the impact of ransomware here? Was this deal specifically related to ransomware? And just more broadly speaking, have you seen ransomware serve as a driver of adoption, just sort of given the natural correlation between vulnerabilities and your solution?

Absolutely, and let me explain. So what WannaCry, that ransomware, essentially did, that WannaCry, is exploiting a vulnerability which is very pervasive vulnerabilities and then essentially crippling companies. And that's a rude awakening for a lot of companies. Before, everybody was focused on APTs, (inaudible) targeted, so okay, they go after a certain number of things. But now today, they can cripple your business, and we effectively gave Maersk as an example, which was not a Qualys customer, just to discover today which are the devices which are vulnerable to WannaCry. Nobody has an idea. So that's where Qualys shines, because immediately, we can tell you, if you're an existing Qualys customers and we are scanning your entire environment, which we start to do more and more, then of course, we will immediately tell you without even having you to search through our ElasticSearch back end, which remember now today, we have indexed, which is absolutely a fantastic engineering feat, 250 billion data points and growing. So immediately, in 2 seconds, we tell you this is where you are exposed. And now, of course, you've got to go, and through ThreatPROTECT, you can even follow through the remediation, so we give you the dashboard, which allows you to not only immediately see everything where you are exposed, but then follow the remediation, which is as important, of course, in discovering them. So that has been essentially highlighting the unique capability of our scalability and has created the new business. And of course, as we continue moving more into the IOC and the detection, now trying to detect ransomware is going to be something very interesting at the moment of infection. So this is, of course, extension that we are starting to go, that we're starting to build into our platform to go more into the response side. So today, WannaCry, to make the story short, serves us because of our ability to detect vulnerable devices. And now, of course, we are going to expand our platform to be also being capable of responding if an attack is occurring. But that will take, of course, some time, and I'm not going to give you deadlines here. But that's the direction that we're absolutely taking.

Our next question comes from Ryan Flanagan of Monness, Crespi, Hardt.

I had a question about hiring. We've heard scarcity of talent in the Silicon Valley. Has that been a problem for you guys? Or does the fact that you have such a large headcount in Pune kind of act as an offset there?

Yes. So no, it has been a huge issue. And in fact, Claude, Sumedh and I, we made the decision now about 5 years ago to do 2 things. One was to essentially rearchitect our back-end because of course of all the new technology coming. And now that you can see with the [in section] , and you can see that in our investor presentation, we have injected a lot of open-source back-end. The challenge here is that these open-source back end are great, but you need to make them scalable and you need to integrate them into a single solution. And that's where Qualys has absolutely done a fantastic job. Now we, very candidly, will not have been able to do that job if we will not have made the decision, Sumedh and I, to invest in Pune 5 years ago. And so -- because we could not find the talent. Now the advantage, we went to India for the talent. We didn't go to India for the cost. And of course, we discovered the cost. And now thanks to that huge difference in terms of cost, we can still do -- while doing that massive investment in India, we can still generate fantastic profits. And by the way, we are continuing investing big time in India. The Silicon Valley, it's very, very difficult to find the talent that we need specifically, so I think we are really glad that we made that decision 4 years ago.

And I think one added benefit for us is given where we are with the platform and we're in a position where we've made our first acquisition and we're looking at acquisitions, we'll also be in a position to add talent inorganically, whereas 5 years ago, the company may not have been ready.

Correct, which is that's the other advantage also of having now the platform ready. In the past, while a lot of people who were trying to push us to accelerate our growth by spending more money, we're trying to explain, no, we want to build the platform first before doing acquisitions because it's all about being able to integrate in our model additional solution to our platform. So either we build them or we buy them. But for us to buy them, it makes only sense if there is -- the architecture is there that we can take that foreign DNA and that, that foreign DNA is also designed in such a way that we can also take it. So that has been limiting our ability to go -- to grow through acquiring technology. But now today, we feel that we're very positioned and very delighted, by the way, with that Nevis acquisition. They are already all integrated in Pune, and we are quite candidly looking at other acquisitions in India as well.

Our next question comes from Matt Hedberg of RBC Capital Markets.

Philippe, new products continue to be a driver of bookings, I think most notably, the Cloud Agent, which you talked about. How should we think about the cadence of new product releases into Q4 and 2018?

Well, I think we have -- we again here, we have reached a very good maturity because what is very unique in any cloud environment is that you're not in the assembly line, I would say, of your traditional enterprise, where you've got engineering designing, then they pass that to QA, then QA pass that to customer support, and then you install and then et cetera, et cetera. So what we have done very uniquely, as you may recall, is that under Sumedh, our Chief Product Officer, we have now ops, dev ops, engineering, QA, customer support, product management, all that under one roof, and we cloned that in India. And that's one of the reasons also why we can attract top talent in India because we give them really the opportunity to really contribute instead of just writing code. So that ability to do all this business together, we have really mastered that. And the advantage then when you have done that is that in order for you to develop a new solution or to integrate a new solution, you don't need an army of people, because you leverage the platform. So our application team, if you prefer, our Cloud App team, are small. If I tell you that ElasticSearch, for example, was done by 3 people, that's it. So we leverage, of course, the ElasticSearch engine open-source available, and then we have the 3 people really making it scale. And here suddenly, about a year later, we have indexed 250 billion data points. So that tells you that there is multiple leverage points in Qualys, in our business model, and we absolutely worked at that over time and resisted the sirens of accelerated growth at any cost. And I think today, we're starting to see the benefits of that longer-view approach that we have taken.

And I would add, Matt, another reason why we're positioned even better today than previously is, as I mentioned in my prepared remarks and I think Philippe mentioned as well, the Cloud Agent is the underpinning technology for some of these new solutions like File Integrity Monitoring and IOC. And so with now having 5 million Cloud Agents deployed, it makes it that much easier for customers to adopt these added solutions.

Absolutely.

Our next question comes from Jayson Noland of Robert Baird.

Melissa, I wanted to ask on the deceleration and long-term deferred. Is that primarily a function of the big MSSP deal from Q1?

Actually, it's not really the MSSP deal. The deceleration in the long-term deferred is a result of amortization of existing multiyear prepaid deals exceeding the number -- the amount of deals sold in Q3. So if you recall, we had talked about in Q1 in terms of cash flow, we had a large number of multiyear prepaid deals. It was higher than usual. And now we're back to more regular levels, and that's the reason. We focus on current deferred because majority of our business is 1-year contracts, and we don't intend our sales force to do multiyear prepaid deals, and we don't drive our business that way. It's really driven by customer requests.

Our next question comes from Rob Owens of KeyBanc Capital.

This is Liz Verity on for Rob Owens. Related to the ransomware question, curious if -- what impact you think the high profile Equifax had on maybe the perception of vulnerability management overall and any impact to your business in terms of demand and maybe the quarter being more front-end-weighted.

So yes, this is not like WannaCry. This is more -- Equifax is another of this type of nasty vulnerability, if you prefer, which is here, it was in an Apache code. And so as we know now, the Equifax was, in fact, a server which was vulnerable outside of the U.S., and they managed to get back into the network and do all their bad things. So that's again for our business especially (inaudible) a godsend and because it shows how important it is to identify your vulnerabilities. And if you don't look at everywhere, then you could be caught by surprise exactly, which was what happened to Equifax, that you could be penetrated in one place on the globe and somehow, they managed to tunnel from there to go inside. And once they are inside, then that's another game. It becomes much harder to detect. And that's why we're working, by the way, on really trying to work on the detection from the inside, which is really a very unsolved problem. And so at least, you need to know your vulnerabilities, and everybody goes back to that basis. So the years of vulnerabilities have come, I would say. And it was always the kind of applications which are relegated to, yes, but we've got better things to do. We need to put up firewalls, we need to put intrusion detection, et cetera, et cetera. But now today, people realize that despite all of these precautions, the bad guys find a way to go inside. And once they're inside, then it's become with the current environment, which is very network-based, unless you segment everything on your network, which then, of course, had 0 absolute, nothing moves. And then, of course, you have peace, but then you don't do much. So that's good for us in a way.

Our next question comes from Srini Nandury of Summit Redstone.

Philippe, regarding your comment on ForeScout and the Nevis acquisition, is the solution going to be deployed on-premises to monitor IoT devices attaching to the network? Or it looks like it'll be certainly a departure from your cloud model, which you have right now? And when is the Nevis product coming to the market?

So essentially, the way we look at the market, some people will tell you, oh, you know, you have to be agentless. Of course, if you have only an agentless solution, that's exactly what you will tell, "so this is the solution." The reality is that you need to do -- the complexity of the problem is such that you need to have multiple view. And so we really believe in that kind of architecture that we have, where we bring 3 different technologies at scale, which is really the big challenge. One is, of course, the scanning technology, which is agentless, which we have really mastered, on one way, scanning billions of IPs a year. The second one, of course, is that agent technology, which wherever you can put an agent, you have now real time full visibility. And then now that passive or network analysis, which also will give you other information. And it's bringing these 3 information together that really give you that complete view. And that's where again Qualys differentiates. Because to put this, again, you go back to the 250 billion data points indexed on ElasticSearch, on our ElasticSearch cluster. If you bring all this technology, and by the way, with the IOC, with everything we do, we're going to have even more than that. So you need to have a highly scalable back end. Now in order to have such a scalable back end, you cannot really do that with your traditional enterprise architecture. You need a cloud architecture. What is very unique with Qualys is that, because of the requirement of some of our customers, like Oracle was the first private cloud for Qualys, and now, of course, Microsoft, Amazon and many other very, very large environment, they want that on-premise. And because they want the architecture, but they want it on-premise, because you cannot really secure cloud from the outside, from another cloud, or at least, you're limited. So you want to secure the cloud from inside the cloud. But then, you need to have the same architecture as the cloud to secure it, and that's what Qualys has a unique difference. We have been doing that with today more than 50 platforms, private cloud installed in the world, in large corporations. We have now a smaller version, 2 [newer] versions of our private cloud. And that's what we start shipping in quite a good quantity. So for us, there's no differentiation between private and public cloud. It's the same architecture, and we can deliver as customer needs and requires it. So that's the big challenge and the big opportunity for us. So we are moving definitely, to answer your question, on offering a much broader solution essentially that you see from the ForeScout and others, and the Nevis acquisition is a piece of it. And we anticipate today, if you go to our investor presentation, under the category now that we call Secure Access Control, which is a response to threats automatically by controlling access to critical resources. And that's what that Nevis acquisition will be in part there and that we're anticipating today to be on the release of Q3 2018.

Which would be the target beta date.

Which is the target beta date, and we will try to do better.

Our next question comes from Siti Panigrahi of Wells Fargo.

Most of my questions have been answered, but Philippe, just wanted to dig a little bit into the competitive landscape. Are you seeing anything different from your competitors, mainly Rapid7, Tenable, are they [acquiring shares]? Any changes that you're seeing there?

I think, as I mentioned earlier, I mean, the strategy of Rapid7 is becoming very clear today for everybody, is that they're already focusing on creating an analytics platform. That's what they're doing more and more through the acquisitions, so this is their inside DR. And so that's -- of course, that's for them to execute on that strategy. And so that -- what we see, we see them in that sense not as much as a competitor as they used to be. And as far as Tenable, the jury is out as far as I'm concerned, because on one hand, they were so against the cloud. Most of the big chunk of their business is federal, so they have now today their old enterprise architecture; and now they've got the new AWS architecture. So of course, that's a lot of work that they've got to do to essentially come up with a really true competing solution to Qualys on the AWS platform. And on top of that, the AWS platform, albeit shortens your deployment because, of course, you want that to be in a lot of things that they have. On the other hand, you cannot deliver, really, AWS on-premise. So they will have -- if they want to do that, they will have to rebuild all of that. So we are just looking at what they do. They make a lot of claims, but so far, I see them with significant engineering challenge ahead of them.

Our final question comes from the line of Melissa Franchi of Morgan Stanley.

Philippe, I was wondering if you could just comment on the health of your MSSP business. I know that you have a number of relationships. And I think at the beginning of the year, you also expanded your relationship with IBM. So just wondering if you have any -- if there's any change in the overall view and if that's becoming a more strategic channel for you?

So that's a good question. So our business with MSSP is doing fine. What I see really happening is that there is going to be a race for new MSSP generation because the existing generation, they have built their own thing, and they have to retool as well. So there is going to -- like we did, if you go back Qualys 4 years ago, we realized that we needed to absolutely inject new technology. We have just finished our -- the virtualization of our entire platform. Now everything that we do, we containerize it. So just to tell you, technology moves so fast. So once technology moves fast like that, it gives opportunities, and that's what we see with companies like Ernst & Young and others trying to really come with a different -- with a newer architecture to compete against the existing, more established MSSPs. So the race is on. And for us, quite frankly, we are more the Swiss Army here or the Swiss -- for us, we have a platform that people can leverage. We are very easy to integrate in this environment, obviously, because we've got the right architecture. So we see them as a kind of more opportunity for us.

Thank you. At this time, I'd like to turn the call back over to Joo Mi Kim for any closing remarks. Ma'am?

Thank you, and thank you all for attending our third quarter 2017 earnings call. We look forward to seeing many of you in November at the Stifel One-on-One Growth Conference in Chicago and UBS Global Technology Conference in San Francisco.

Okay. Thank you.

Thank you.

And Good Halloween. I don't know how you say that in English.

Happy Halloween.

Happy Halloween, okay, to all of you.

Ladies and gentlemen, this concludes today's conference. Thank you for your participation, and have a wonderful day.