Qualys Inc (QLYS) 2018 Q4 法說會逐字稿

Good day, everyone, and welcome to Qualys Fourth Quarter 2018 Earnings Conference Call. This call is being recorded. (Operator Instructions) I would now like to turn the call over to Natasha Asar, Investor Relations. Please go ahead, ma'am.

Good afternoon, and welcome to Qualys' Fourth Quarter and Full Year 2018 Earnings Call. Joining me today to discuss our results are Philippe Courtot, our Chairman and CEO; and Melissa Fisher, our CFO.

Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and in our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events.

During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. As a reminder, the press release, prepared remarks and an accompanying investor presentation with supplemental information are available on our website.

With that, I'd like to turn the call over to Philippe.

Thanks, Natasha, and welcome, everyone, to our Q4 earnings call. Melissa and I are pleased to report another strong quarter and year in terms of revenue growth and profitability. These results underscore our position as the leading cloud-based security and compliance platform that unifies IT, security and compliance in a single-pane-of-glass view, with 2-second visibility across on-premise, assets and cloud and soon mobile and OT and IoT devices. With 19 cloud apps native in our platform, we believe we're well positioned to expand our wallet share within our growing user base as well as gain new customers.

At our user conference in November, we observed that our customers increasingly view Qualys as a trusted strategic partner.

As we all know, the digital transformation of businesses fueled by an explosion of new technologies is leaving gaping security holes in its wake. Organizations who are continuing to layer on point solution that do not communicate with each other are seeing diminishing returns.

Qualys delivers a true platform, offering greater visibility, accuracy and scalability across hybrid and cloud environment while ultimately allowing customers to reduce their overall spend.

To achieve security and compliance in this new hyperconnected environment and respond to an ever-increasing set of regulations, we believe that organization, in addition to deploying traditional firewalls and intrusion detection, must: know in real time what devices and application are connected on the network; always know the security and compliance posture for every devices, both known and unknown; and take immediate remediation action whenever necessary. This is precisely where traditional enterprise solution are falling short as they were not designed to operate at such a scale and, in reality, only solution that adopt a cloud-based architecture can provide the necessary scale, visibility, correlation and immediacy.

A few months ago again, we demonstrated to our customers at our user conference the significant extension we have made to our cloud-based platform and cloud apps. In 2008 (sic) [2018], specifically, we launched several new solutions into general availability or beta, including, Container Security, Cloud Inventory, Cloud Security Assessment, Certificate Inventory, Certificate Assessment as well as our new groundbreaking app for global IT Asset Inventory, which we call AI, and CMDB synchronization.

Our AI cloud app formally launched yesterday enable us to offer our customers a single source of truth for all IT assets within hybrid environments, covering on-premise assets, endpoints, cloud, and soon, again, mobile, OT and IoT environments.

We also demonstrated our passive network analysis solution, now in beta, that natively integrates network analysis function, deep packet inspection, device fingerprinting and data correlation into the Qualys Cloud Platform, delivering customers complete IT visibility at scale. This new capability will enhance our global IT asset management offering by adding the visibility of unknown assets to the existing capabilities.

We acquired 1Mobility, completed in Q2, which will enable us to provide enterprise discovery inventory, security, compliance and response on both enterprise-owned as well as employee-owned mobile devices, further expanding our footprint within our customer base.

And we also completed the acquisition of Layered Insight, a pioneer and global leader in runtime container security, which will provide insight into container images, adaptive analysis of running containers and automated enforcement of policy, while currently integrating Layered Insight technology into the Qualys Container Security app, which will allow to uniquely bring transparent orchestration to Container Security. We expect to complete this integration in the second half of this year.

In this fourth quarter -- in the fourth quarter, we continued to expand our partnerships, integrating with AWS Security Hub, introducing Qualys vulnerability and policy compliance findings with AWS Security Hub.

We launched the Qualys Container Security solution on the new AWS Marketplace for Containers, and we also announced today an expanded relationship with IBM X-Force Red who will deploy Qualys Patch Management and Web Application Scanning into global client environments, along with its existing vulnerability management deployment. This expansion enables X-Force Red vulnerability management services, VMS, to automate vulnerability prioritization and patching, enabling clients to simplify vulnerability remediation and fix their most critical vulnerability using less resources and time.

Earlier in 2018, we have been expanding our capabilities in the federal market with a deeper partnership with Carahsoft to markets, sell and distribute the FedRAMP-authorized Qualys Gov Platform and are now working on obtaining FedRAMP certification.

We're broadening our relationship with key partners, including Microsoft and IBM by adding integration into Microsoft hybrid cloud, Azure Stack releasing monitoring and assessment for the CIS, Center for Internet Security, Microsoft Azure Foundations Benchmark within our Cloud Security Assessment Cloud App, adding an integration with X-Force Red, which deploys the Qualys Cloud Agent and the Qualys Cloud Apps into client environments across the globe, and adding integration with IBM's first open cloud platform, IBM Security Connect.

We released our Qualys Community Edition, a free version of our cloud platform, to provide organizations, including SMB consultants and managed services and managed service providers with a unified view of IT, security and compliance as well as 2 other free services, CloudView and CertView, providing companies of all size the instant ability to track and monitor digital certificates and cloud resources.

And we've been -- and we launched a new comprehensive offering as well, the Qualys Consulting Edition for consultant, consulting organization and MSSP (sic) [MSPs], enabling them to perform multiple ongoing vulnerability assessment engagements and track these results from a single, centralized and self-updating platform.

So now built upon a very successful 2008 (sic) 2018 , we will continue to increase our competitive advantage by releasing new groundbreaking security and compliance application, leveraging both our talent base as well as acquired technology. Our current plans in 2019 include: the release of new solution, such as Passive Network Discovery, Secure Access Control, Certificate Management and Cloud Security Management; the general availability of Patch Management, announced today, enabling IT and SecOps team to quickly target critical common vulnerabilities and exposures, then deploy the patches across endpoints, on-premise or cloud assets and verify remediation, all from one console.

Continued acquisitions to enhance our product suite. In January, we completed the acquisition of Adya, a small innovative Indian startup that built their solution on the AWS Lambda platform. Adya's solutions enable security and compliance audits of SaaS application, which is becoming critical to enterprise, as they increasingly rely on cloud-based software. The Adya cloud-based solution provides company of all size with the ability to consolidate administration of the Software-as-a-Service applications into one console, manage license costs across SaaS applications, set and enforce security policies in one place and report and audit on all activity with a single tool.

And finally, we invest -- we have invested significantly in our back end, continuing to believe what we believe to be the most robust and scalable cloud platform in our market. We have now almost 2 trillion security data points indexed in our ElasticSearch clusters, providing almost instant query results and alert. This give us -- our customers 2-second visibility, and as we know, visibility, accuracy and scale are the keystones of security.

To support the significant number of additional solutions we are bringing to market -- that we are bringing to market, we increased our sales organization in the second half of 2018 by over 20% and we'll continue to do so over the next year. We expect to continue to outperform market growth in 2019 while producing a high level of profitability. We're optimistic about the opportunity to increase booking growth in the future because of newest solution, which solves meaningful problem for customers, and are priced similar to or at a premium to vulnerability management and Policy Compliance, and for example, Cloud Agent and ThreatPROTECT, which are priced at a fraction of vulnerability management and Policy Compliance. Qualys continue to clearly move well beyond vulnerability management and increase its competitive advantage through the acceleration of multiproduct adoption. This naturally increases our stickiness, which is a key element of our profitable growth, driving value for our shareholders.

With that, I will turn the call over to Melissa to discuss our financial results, guidance and metrics. Thank you.

Thanks, Philippe, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP and growth rates are based on comparisons to the prior year period, unless stated otherwise.

Our solid Q4 financial and operational results continue to reflect the healthy demand for our scalable and robust Cloud Platform. This is evidenced in the following financial and operational highlights.

Revenues for the fourth quarter of 2018 grew 18% to $74.2 million. Platform adoption continued to increase as a percentage of enterprise customers with 3 or more Qualys solutions rose to 41% from 32%. And the percentage of enterprise customers with 4 or more Qualys solutions increased to 21% from 15%.

New products released since 2015 contributed approximately 26% of total bookings in the quarter, up from 15%. And similar to Q3, we saw higher growth in the total number of orders from our SME and PCI customers. This positive result pulled our historical year-over-year average deal size increase down to 5%. However, the average deal size for our enterprise customers grew 11% year-over-year.

Our scalable platform model continues to drive superior margins and generate significant cash flow. Adjusted EBITDA for the fourth quarter of 2018 was $29.1 million, representing a 39% margin versus 38%. For comparability purposes, Q4 adjusted EBITDA margin would have been 37%, normalized for the impact of 606 and software capitalization.

Q4 EPS grew 62% including the benefit of a tax true-up. Normalized for this, Q4 EPS would have grown a healthy 44%. And we generated strong operating cash flow for the fourth quarter of 2018 of $29 million, an increase of 12%.

In Q4, we continued to invest the cash we generate from operations back into Qualys, including $6 million on capital expenditures, including principal payments under capital lease obligations, $10.3 million on the acquisition of Layered Insight and $38.5 million to repurchase 521,257 of our shares.

Looking back on the year, we had a successful 2018 at Qualys as we released several new products, features and enhancements, completing 2 acquisitions and made our first minority investment; saw an acceleration in the number of customers, spending $500,000 or more; enjoyed continued Cloud Agent adoption with 16.2 million Cloud Agents purchased over the last 12 months, up from 6 million, over 150% growth; benefited from strong performance from new products released since 2015, which at 20% of 2018 bookings almost doubled the prior year contributed to growth of our subscription revenues by 20% when you normalize for the positive impact of FX; and we achieved record EBITDA margin to 39% and grew operating cash flow 21%, normalized for the 606 benefit, software capitalization and our investment in 42Crunch, all this despite our continued investment in the business, including 37% year-over-year growth in headcount in 2018.

Looking to 2019, we expect full year revenue in the range of $320 million to $323 million, which represents a growth rate of 15% to 16% and Q1 revenue in the range of $74.5 million to $75.2 million, which represents a growth rate of 15% to 16%.

We are excited about the opportunities to accelerate revenue growth with our new solutions. Many of our new solutions, for example, FIM, IOC, AI, Passive Scanning and Patch Management are priced similar to or at a premium to vulnerability management and Policy Compliance, as Philippe mentioned.

As you have seen, multiproduct adoption has increased quarter-after-quarter. However, these newer solutions are so early in their adoption and consistent with prior years, we're not assuming a material contribution from new solutions in our guidance. Furthermore, the large deal we referenced on our Q3 earnings call has not yet concluded.

In terms of 2019 profitability, we expect to maintain our industry-leading margins while further investing to set the stage for future revenue growth. While we achieved record profitability in 2018, we invested in the business throughout the year, particularly in building our team, driving our record 2018 headcount growth of 325 employees. This spend was back-end loaded, and combined with additional expenditures we plan to make in 2019 across our engineering, sales and marketing, operations and administrative functions, will result in our adjusted EBITDA margin in fiscal year '19 in the range of 37% to 38% based on our current forecast.

We expect capital expenditures from operations to be roughly flat with 2018 in a range of $22 million to $27 million. We're continuing to invest to support the growth of the business, but we will be benefiting from earlier investments in building out data center in U.S. office locations. Additionally, we expect to purchase less hardware for physical scanner subscription as customers increasingly subscribe to virtual scanners.

As we have significantly increased our employee base in Pune, we do expect to spend an additional $4 million in the second half of 2019 for the beginning of our [buildup] of the new Qualys facility in Pune.

For the first quarter of 2019, we expect capital expenditures to be in the range of $8.5 million to $9.5 million. Even with all these infrastructure investments, we expect our 2019 year-over-year free cash flow growth to exceed the earnings growth currently implied by our guidance.

We feel very well-positioned in our markets given the unique nature of our integrated IT, security and compliance cloud platform. Our customer count growth accelerated in 2018 and we added almost 1,100 active users to our free solutions. Our new solutions provide the opportunity for us to increase average revenue per user, accelerate revenue growth and, driven by our highly scalable model, expand margins in the future. Our focus continues to be growing our foundation of recurring revenues and maintaining strong profitability.

With that, Philippe and I would be happy to answer any of your questions.

(Operator Instructions) Your first question comes from Howard Smith with First Analysis.

Yes, can you hear me?

Yes, we can.

Just wanted to start in thinking about the revenue guidance for '19 in the context of some of your longer-term guidance. One, are you still comfortable with the 2021 projection of low 20s growth rate? And if so, is the idea these products that are coming out and the investments you're making now and in '19 in the headcount and sales starts to really kick in, in earnest, in the following years and cause that acceleration? Or maybe you can just put it in context for us.

Yes, I'll take this, Howard. Let me start with the '19 and then come back to the 2021. So we have a very healthy business. As I have mentioned, multiproduct adoption continues to increase and new solutions contributed to 26% of our bookings. Having said that, consistent with prior years, we said that we are not assuming a material contribution from new solutions for the purposes of guidance because it's prudent given that the pace of adoption can be difficult to predict. Now the framework for the 2021 growth rate target was that the fact that all the additional solutions, when you add them up in totality, come to at least $10 -- or 10x out of a $1 spent of VM. And that framework hasn't changed. So while we don't update the model on a quarterly basis, the framework hasn't changed. And so everything that we're doing now should put us in position to achieve that.

Yes. And I will add to what Melissa said is that we have a very strong pipeline in our business. We see a lot of very good adoptions. We are very eager to bring these new services to market, but again, it takes time. So we have been relatively prudent. And as Melissa indicated in her comments earlier, today, because the Cloud Agent and the ThreatPROTECT are only a fraction today of our vulnerability management solution and we have such a huge base, of course it becomes a little bit harder for the services to fuel accelerated growth. And that's why essentially the combination of these 2 factors is the reason why we've taken a prudent approach to our revenues. Again, as we all know, being a 100% pure subscription-based company doesn't help in the term of revenues because you need to, of course, take the revenue as you deliver them. And so this is why we are -- certainly, we are very bullish about the business, very happy where we are. We've made significant investment in our back-end. And you are going to see even more things in 2019, which we believe are going to add, if you prefer, to the very disruptive nature. And again, the Passive Scanning is not yet there. So of course, we're not -- we are essentially competing today in our traditional markets against 2 companies, which is Tenable and Rapid7. But of course, we have a lot of more now to go and compete. We're doing very well with our FIM. Of course, the Passive Scanning will bring us in competition with ForeScout and others, but all of that out of a single platform. And that's the really core philosophy of Qualys. And that's why we have put a lot of effort scaling -- to scale to the security at the scale that you need to is not a walk in the park.

Your next question comes from Erik Suppiger with JMP Securities.

This is Michael Berg on for Erik Suppiger. Quick question on -- I'm going to dive down a little deeper into the guide. Can you help us walk through why it's almost 3% lower than -- where it was started. It seems like your new products are doing -- getting good initial traction. We had some shacks that suggested the IT Asset Inventory and Passive Scanning are really well liked among the beta testers. So can you just describe to us why the lower guide?

Yes. So let me remind you, we purposely do our full year guidance at the end of Q4 because Q4 has a meaningful impact on the guidance for the year. So the early expectations were not our guidance. This is our first time setting formal guidance for the year. And as I earlier mentioned, we have a very healthy business. As I said, the key metrics that we look at like multiproduct adoption and the contribution of new products into bookings have been doing very well. As Philippe mentioned, those earlier new products like Cloud Agents, ThreatProtection are only priced at a fraction of what I'll call the older products, Policy Compliance and vulnerability management. The newer solutions that are coming out are priced at a similar to or premium to Policy Compliance and vulnerability management. That's the opportunity to accelerate revenue growth in the future. But for the purposes of revenue guidance, we're not assuming a material contribution from these new solutions because it's difficult to predict what the uptake -- what the pace of the adoption will be.

So if I'm hearing you correctly, it sounds like accelerating revenue growth is still the plan for '20 and '21. It's just the '19 numbers, you're gauging now based on what happened in the fourth quarter. Is that my understanding?

Let me clarify a couple of things. So first of all, we've never given guidance for '19 or 2020 before today. So if you look back at our -- both of our June presentation as well as the one we had at QSC, the long-term target that we provided was for a growth rate in 2021 because it would have been, frankly, overly precise for us at that point in time to be able to give guidance for all the years up until then. And as Philippe mentioned, we always actively think in the most prudent way. So with regards to guidance for this year, Q4, obviously, had an impact as well as other quarters, and we have this large base of customers and revenues. And so in order to continue the growth rates at the levels, for example, that we achieved in 2018, we will need additional contribution from new solutions.

Yes. And to answer your question directly here is that, yes, we do anticipate, of course, that these new services, which carries a much bigger dollar value than the VM, which will be adopted by customers, in fact, will contribute to accelerated growth in the future.

Your next question comes from Daniel Ives with Wedbush Securities.

So first question in regards to your large deals. Obviously, the ones in Q3 hasn't closed yet, which you talked about, appreciate that. In terms of embedded into 2019 guidance, have you factored in any of larger deals of those sizes, and specifically, that Q3 deal to close in 2019?

Thanks, Dan. Yes, we don't take those type of outsized opportunities into our guidance because, again, we believe that we should be prudent with our guidance. So it's something that we'd -- deals that are closed of those sizes would be additive to what we have assumed.

Yes. And I could be a little bit specific about that one deal. In fact, that one deal, this is a customer which is essentially migrating a lot of his infrastructure at the top where we're about to get the order into a cloud -- into the totally cloud-based environment. And for us, to essentially complete that deal, we'll have to port our solution to that specific cloud that they have selected, which is something in the making, but, of course, that we don't have done yet. And until that happens, obviously, it cannot materialize.

Okay, great. And in terms of leverage -- because, obviously, the margin guidance for next year real strong. In terms of the model, I know you're not giving longer-term guidance, but is there just a lot more leverage, even less in the model, just as you just continue to execute on the strategy? Or maybe you can just talk about that because, obviously, margin is strong for next year, and I guess, just some thoughts maybe going ahead.

Yes. Thanks, Dan. We're proud of our industry-leading margins and are delighted with what we've achieved in the past year. We did -- in conjunction with the 2020 outlook, we did provide an outlook on margins. And so the margins for 2021, which we provided EBITDA -- adjusted EBITDA margin range of 40% to 42%. I think big picture, this is a very scalable model. And as you saw in 2018, the more we drive the revenue growth to be higher, the more we actually expand margins.

Yes, absolutely. And just to add to what Melissa said, effectively, we have a lot of leverage in our model, and we really build a highly leveraged model, and, in fact, you can see that because we did increase our sales force significantly in the second half of last year by about 20%, as we mentioned, and we want to continue expanding our sales force because of all these new services that we have. In fact, our market strategy, I will add, is two-pronged. One, you're going to see us launching a lot of what we call mini campaigns, which are campaigns whereby we invite people to try specific solution. We have now 19 solutions and more to come. And then we are going to have a top -- and we are building -- we are preparing a top-down approach, which is essentially going to the CIO, et cetera, to explain to them the value of the Qualys platform. So this is absolutely in the making. And despite all of that and, in fact, you could see that the model still generates significant profitability, and that's the leverage inherent to the model because we adopted absolutely a cloud that we are really -- the model has a lot of components on the leverage. Of course, our Indian operation is a huge leverage as well. We have, today, about 700 people now in Pune. I just visited Pune last year. There's a ton of talent in our operation there and that give us a significant leverage, plus, also, the relationship with all the Indian outsourcers and additional partners. So I think we're extremely well-positioned.

Your next question comes from Melissa Franchi with Morgan Stanley.

So I just want to circle back to sort of the same idea of previous questions and thinking about the acceleration or potential acceleration in the future. So another product adoption continues to proceed nicely and new products are contributing to bookings fairly well, but billings growth is slow this quarter. And so I'm just wondering if you can maybe talk about what's happening in the core VM business. And as you're thinking about the acceleration over the next few years, what do you need to assume about the health in pricing dynamics of core vulnerability management.

Melissa, it's Melissa. I'm going to take -- try and take those one at a time. So first of all, let me handle your billings question. So as I mentioned, we have a very healthy business. As we've previously discussed though, we often, in collaboration with our customers, move deals from the end of the quarter to the beginning of the following quarter to lessen the procurement pain on both ends, as figured in Q4. The impact to us is a day or 2 of revenue, and this is baked into our annual revenue guidance. So I think the bigger question though that you're trying to answer is, well, how do we think about the growth prospects? And the way I think about that based on the conversations with investors is, well, you would evaluate our revenue guidance which we said doesn't assume a material contribution from these solutions and then assess what you think the uptake of these new solutions could be, we said, which were not baked into our revenue guidance. With regard to the health of the core vulnerability management, so I would say a couple of things. It still continues turning healthy. As we've talked about previously, we don't incent our sales force by products, so we don't manage the business on a product basis. Our sales force is incented on total dollars. And that way, they're working with customers to be able to provide customers exactly what they need, and they're not pushing specific products that they're are not going to use, deploy and then turn off. And so we do assume that vulnerability management remains healthy, but it's not -- I would say, there's a number of different scenarios on a product basis that could accomplish the long-term target in 2021.

Yes, and I would add to what Melissa said. If you look today at the vulnerability management, so in our larger customers today, as we mentioned, if you look today at the gross retention rate of customers, which have more than 4 solutions, we have attained 99%, which is absolutely strong. So today, if you look at the VM specifically, we're competing much more -- continuing competing at the mid-market rather than at the large enterprise. In fact, we have tendency to continue expanding significantly. So for us, we believe that today all we -- we have 2 competitors in that marketplace, one obviously is -- one is Tenable and the other one is Rapid7. So what we see, specifically, Rapid7 is essentially more providing with DR inside. They are more attacking the marketplace at the low end of Splunk, and that's where they find their growth, and they've done a pretty good job at packaging their solution around DR and cloud, but still they don't scale. That -- we see that every time they try to capture one of our large customers, which we can -- if I look today at the larger -- at the enterprise customers that we could -- that we lose, you can count them in one hand, and they typically are those companies who have not deployed more than 2 solutions. As far as Tenable is concerned, Tenable is extremely aggressive in price today. So they try to steal the business, but yet they are still much more into the mid-market where we compete. So what we believe in term of -- so we don't compete really on price because what happens, because scalability wins at the end of the day, and when we lose on price, we typically recover these customers 1 or 2 years later. So what we believe is, as we deliver more and more solution, of course, we are outgrowing, if you prefer, the competition. And it's going to become harder and harder and harder to compete with Qualys as we deliver all these new services. So one certainty, you have the Asset Inventory that you can do, the Patch Management that you can do, the Passive Scanning also. All of that integrated into a single platform. We really believe that it's going to be harder and harder to compete with Qualys, and that's what makes us very good -- very confident, in addition to a very significant pipeline that we have today. That we have built. Again, all of that needs to be translated into revenues, which, again, this is where we are a little bit at a disadvantage because we have $0 of perpetual license.

Got it. That's helpful. Talking about the sales force and you've made some acceleration in hiring for the sales force in the second half of the year. How do you feel about the capabilities of those individuals in terms of selling the broader suites? I know a number of products are not yet on the market, but are they fully ramped in selling the broader portfolio? Or is there still work to do in terms of selling the suite?

So I would answer this. They are fully ramped to sell the new -- first of all, all these new services. First of all -- and the reason -- I would substantiate why. If you recall, we have, in fact, structured our sales force between the hunters and the farmers. The hunters, they are all technical and we hire them from our customers so they already have the understanding of what it takes to deploy enterprise solution, et cetera. Of course, they can pick up pretty quickly new solutions, of course, we're returning them, et cetera, but also backed by SMEs, subject matter experts. And we have done one change today with our post sales, if you prefer, our farmers, which reflects by the way the fact that Qualys is becoming extremely strategic for a lot of companies. We have now divided them into what we call the MASA -- the MASAs, which is the Major Account Solution Architects, and of course, the regular technical account managers. We did that so we could have now -- the best of all times have now been promoted to essentially handle less number of account but much bigger one. So they have about typically about 10 accounts. That has been already implemented, which, of course, allows us to grow with some banks which we could see we could triple, quadruple the revenues that we can do, as an example. So that's what we have done for the post sales. And that is pretty much done essentially globally in countries where we have enough of this very large customers, which is not, of course, every country, but essentially Europe and the U.S. and not yet in Asia, but that will come. Now on the new business side, we are expanding, in fact, now more. That's where we make the investment, our new business sales force which now we're hiring typically from consulting organization. Again, technical people, but then which have now the -- who knows how to sell to the C-suites, which is, obviously, what is going to be the new, if you prefer, impetus of Qualys since now we have owned these solutions together, built into 1 single solution. So that's essentially what we've done in the go-to-market. And again, all that, if you prefer, supported by what I mentioned earlier, which is that flurry of -- you're going to see these mini campaigns going after, okay, try our VM service, try our File Integrity Monitoring solution, et cetera. We have about 20 of those mini campaigns underway, which are going to essentially allow us to go bottom up and then we're now preparing a big campaign starting at RSA, with setting top-down and that's essentially what we have organized and all that investment has already been made essentially.

Your next question comes from Alex Henderson with Needham.

Just wanted to hit a couple of quick ones. First off, could you give a geo split? Any sense to what the growth rates are in geos? I don't think that was offered up. And then, second, along the same lines, the acquisitions, any sense of the size of that in terms of either revenues or costs that we need to build into the model would be helpful. And I've got a follow-up, please.

What was it? I'm not so sure that I understood the second question.

The size of Adya.

Oh, the size of Adya. This is a small company. What is interesting, it is a fascinating company by the way. It's a very small company in India.

No, I'm not looking for a description of the company. I just need the revenue and costs associated with it.

It's not material. It's really like an acqui-hire, Alex.

Yes, correct, correct. What is interesting with them is that they have done everything based on the AWS Lambda, which is serverless architecture, so you realize it's truly cost effective for them to deploy -- to develop that application because they only have to upload their code into the AWS platform. So to -- and to answer your previous question today, if we look at the dynamic, as you know, U.S. has always been the bigger market, and then followed by Europe and then by Asia. We are starting to see India, by the way, as a very significant market for us as we're picking up a lot of steam there. But globally speaking, we see today the growth rate in Europe being now today a little bit higher than in the U.S. and the reason is because of costs. The U.S. has already deployed all these that move much more than Europe, the ThreatPROTECT and all of these services, which are only carrying a fraction of the costs. However, as we develop these new services, we believe it's going to revert back. The U.S. being growing much faster than Europe because again we have so much that we can sell to our existing huge large base of -- large companies, and therefore, we're going to see that change. So that's the dynamic that we have. Does that -- is that clear?

Yes. But it really wasn't of that. Was just looking for this -- the mechanical splits. Do you have those numbers?

What do you mean by that?

Of course, I mean, do you have the -- what's this -- what portion was in U.S.? What portion was in Europe?

Oh, it's about typically 70% in the U.S., 25% in Europe and 5% in Asia Pac.

Right. Was it the same as normal? Or there was any change...

Yes, that's significantly changed.

Okay. And then, looking at the guide for the 2019 period, Can you give us some sense of what you're thinking in terms of impacts from FX, economic activity, any of the sort of exogenous variables? Are you taking into account a slower condition as a result of recent geo slowdowns? Or any change in conditions that you're seeing as a result of those broader environmental issues?

Yes. So we believe today that the impact from FX is immaterial, but we know that things could change. So it will obviously depend on how rates move. We do believe that the market for our products are still very healthy.

Yes, absolutely. And on the geo side, I don't -- we don't see much change today. The dynamics, for example, today in Europe, thanks to our global IT Asset Inventory, very strategic for large European companies, especially because they have GDPR. One of the things they've got to do is their global IT Asset Inventory. So that's a product that we see would take -- is going to take traction because, again, the platform aspect that we have, we help them save money. So I -- we don't see any geopolitical impact with exception, I think, India, we're extremely well-positioned to see, of course, to really becoming an interesting market for us, but again, it's just at the beginning here.

One last question and I'll cede the floor. What rate of hiring and sales do you expect in 2019 and -- built into your model?

So we have increased that by 20% last year, our sales force. Of course, we don't need to increase that much. And the reason is because, I don't have the exact number, but it's certainly not going to be 20%, I can tell you. The reason is because on our farmers, it's totally predictable. This is absolutely, of course, and we -- that's part of the power of the model is that, if I double the revenues on an existing customers, I don't need to double the size of our technical account managers. It's more on the new business side. So I would say today that it's less -- it's quite less than 20%. We make the effort in the second half, and I think, we're going to continue expanding more on the new business side. And on the farmers, it depends on the growth of the new business essentially.

Yes. And I would just add to that. As Philippe had mentioned that a lot of the sales -- a lot of these adds had come in the second half, so we're going to see it from an expense perspective, the -- it'll obviously hit the full year in 2019. So from a modeling perspective, you're going to see the areas, I think, of highest investment for us on a year-over-year basis be R&D and sales and marketing.

Your next question comes from Sterling Auty with JPMorgan.

I'm bouncing between calls, so I'm still a little confused about the guidance for 2019 revenue and the slowdown. I caught the -- not including the new products given. I want to make sure you gain confidence and I think I caught the 1 or 2 days maybe difference in terms of revenue recognition. But what else explains the -- it's a pretty material slowdown from the rate that you have been seeing. Is it competitive? Is it something that you're seeing in the customers? I'm still not clear.

No, it's essentially the fact that we're prudent. Because today, you have to realize that what was fueling our growth is essentially the Cloud Agent, which is doing very well, the ThreatPROTECT, all these new services and they're a fraction of the cost of the -- for $1 of VM, we've got...

$0.20 of those.

$0.20 of those products. So because we've such a huge base, today growing that base, of course, we'll require, if you prefer, bigger guns. And so this is exactly what these new services that we have now today, which carry far more than for $1 of VM, we have -- these new services are a multiple of $1 VM. So they will grind. We see today, for example, one of the services, which was, like the FIM specifically, they're now starting to grind because we have the full product, the APIs, and so forth, but we are just at the beginning. So we have been prudent and we don't want to ever extend ourselves. And that's the fundamental reason here. So we hope that we're going to do significantly better, quite frankly, but we didn't want to -- and yet what is remarkable, I would add is that we can maintain our profitability while continuing investing. And that's not the case of many -- so we try to balance that. I think we have been doing that, and that's today, we say, I wish we could continue populating the world with agents and with ThreatPROTECT, et cetera, but, of course, we have such a large user base, specific in the U.S., which have adopted that pretty well, which by the way, again, remember these agent, generate additional services, and all of that, these small ruts become big rivers but it takes some time. So we're all prudent.

So basically, you're saying the core VM growth has been constant or steady over the last couple of years. You had a -- not a surge but you had an uplift from adoption of Cloud Agent, but now that you've gotten to a certain level of penetration, that growth will now kind of more normalize and now it's just the timing as you wait for the new products to kick in to...

Yes, that was exactly -- that's exactly it. Exactly it. Now we could be surprised pleasantly because these new products are very good by the way. We know that. So I'm not questioning at all the adoption of these news products, it's more a question of timing here.

Yes. And just Sterling, I may help you see a bit of break down. From revenue perspective, our VM grew 20% in the past year and so-called non-VM categories grew 23%, so you see VM seem fairly good.

Yes, because, of course fueled by the component of the Cloud Agent for VM and ThreatPROTECT, that's exactly the point.

Your next question comes from Rob Owens with KeyBanc Capital Markets.

So if you look at the slowings, to follow on, I guess, is it the VM that slows relative to '19? And with the 20% hiring throughout the year or in the back half, how do you think about sales force productivity and at what point of those -- does get fully ramped?

So what we have today, again, we needed to distinguish between the farmers and the hunters. The farmers are extremely good productivity, of course, we'll make an investment, but all that as we add these certain new services. So I will say that we certainly will maintain. We've not increased the productivity on our farmers, it's on the new business side that today, of course, it takes a bit longer. And also we have tendency naturally to -- instead of pushing these to make them bigger and bigger and bigger, we try to -- we prefer to land a customer young, if you prefer, and then grow that customer. That has been our model since the very beginning because, of course, it's significantly more profitable than trying to go and give big discounts at the end of the quarter and all these things that enterprise software is pretty good at. And like our competitors, I will name -- not name them, but we were absolutely [down] their price, so that's never has been Qualys. So we try to do, okay, let's start small and then let's grow the customer. That has been our philosophy. As a result of that, the ramping of that sales force -- of that new business sales force is much slower.

Your next question comes from Matt Hedberg with RBC Capital Markets.

I guess, following up on Sterling and Rob's question. The VM market seems to remain healthy, I mean, a 20% growth is pretty good relative to historical trends. I know it's hard to generalize, Philippe. But I guess, excluding Cloud Agent, do you have a sense for how penetrated your customer base is in terms of being scanned? In other words, like, how much dark space is there in networks within your customer base?

I would say today there's not that much if you look at the large companies. In fact, that's the reason why Qualys is so strong in that marketplace, in the large enterprise. That's where our competition despite their pricing tactic and everything they can say they really don't take that market away from us is because of scale. And I will say that today there's still some more growth, but it's -- for us, it's more at the endpoint. On the service side, I think, the large companies are pretty now looking continuously. And on the endpoint, of course, we have now more opportunities because of the Asset Inventory's going to put our agent on the endpoint, and of course, now currently you do more VM and on and on. So for us, the green space or the whatever...

Dark space.

Dark space is on the endpoint, which is quite significant, so that's where we see the future growth. And of course, I will see all these new solution, that all that requires an agent -- the Patch Management is going to really propel. And once now you suddenly do Patch Management on the endpoint, what about doing productivity management? What about doing compliance? Well in the past, people were saying okay, okay, I'm not going to do it or I've got another agent, I've got so many agent. Now today, they've got a compelling reason to go. So that's what we see on the high end of the marketplace. On the mid-market, what mid-market and small-market, the new space is the cloud, which we're extremely well-positioned. More and more the SME and SMB are moving to the cloud. And therefore, it's now a kind of a different market. And that's where we compete really essentially, with Tenable and the Rapid7, is in that mid-market, which is also moving into the cloud. And there, we believe we have a unique advantage because of our agent can natively be, as they are today, integrated with Azure where they are about to fully being integrated the same way with AWS as well as with Google and soon with IBM as well. And at some point in time, also Alibaba. So I think we're native in the cloud and that will give us an advantage. With [hunting] today, that's where we fight, if you prefer.

Your next question comes from Gur Talpaz with Stifel.

This is actually Chris Speros on for Gur. But can you speak to the demand that you saw in Q4 for the recently launched Container Security and Asset Inventory products? As well as the feedback you foresee from customers in the Passive Scanning beta?

Well, absolutely. So Container Security, this is definitively the new game in town. It's still early in the market. Customers are adopting Container Security. So are we, by the way. We have containerized now almost everything that Qualys does. This is really the future. It probably changed a lot of the IT dynamics and, of course, so -- but it is still early. So today everybody likes our vulnerability assessment solution that we have for containers. It's very straightforward. We have quite a very good use cases from customers. Now we're integrating that acquisition with Layered Insight, which will happen most likely, because there's quite a complexity, more in the Q2, end of Q2 time frame, second half maybe Q3, which then we'll have the full solution for Container Security because not only you can do the assessment, but also you do the run time and then you can, of course, control and push your policies. But that's the new big game. No question, I think we're extremely well positioned, but in term of revenues, this is still relatively early. As far as the Passive Scanning is concerned, I'm very impatient to get that being delivered. It's today -- it's -- we have a fantastic solution. We are beta, as you know. I would expect because there was a lot of complexity with the -- technically, that you need to absolutely -- to make it easily deployable, et cetera. I think we will be in Q2 GA. And that component has a lot of -- this is the ForeScout competitor except that it's going to be totally integrated with the Qualys platform. So you have at the same time agent, agentless all that into the single platform, the full view of your global IT Asset Inventory. Now you can do network traffic. It's also -- while embarking into another major development, which we're going to speak a little bit later in the year. It also gives so much information. And now what is fascinating is when you combine agentless, which is the scanning agent plus the Passive Scanning, you are dealing now with a volume of data and there's not a single company to date who can do that. And that essentially what we're now working on, on our back end is to bring all that data into a single place where you can analyze, correlate, et cetera, et cetera. So that's the new game. So Passive Scanning is very strategic for us. And I think we're doing -- we're taking our time because you need to build that at scale and that's where the big challenges are. Worth mentioning, we already we have indexed 2 trillion data points on our ElasticSearch clusters. Believe it or not, ElasticSearch is becoming too slow. That's the new frontier, so we're really moving into the new frontier as well. So -- and later this year, we would talk about that.

Your next question comes from Josh Tilton with Berenberg.

Just one more on the guidance. If the new products being released grow at a similar rate of the older non-VM products, should we expect upside to the guidance because they're priced higher? And then maybe just what level of contribution to revenues are you hoping from these new products that have yet to be released?

Yes, so as I mentioned, since the guidance doesn't assume any material contributions from these solutions, should that happen, yes, that would be additional contribution to our revenue guidance. I'm not sure I understood the second part of your question.

Do you guys have an anticipated contribution to total revenues from the new products that are yet to be released?

We really don't manage our business on a product basis. We really, as Philippe mentioned, we have hunter and farmer sales force, and so our sales force is focused on our -- what we call, our farmers are focused on renewals and upsells and those are all done on a dollar basis. And that's because we don't want our sales force pushing product on our customer that they're not going to use and that they're going to just turn off. So we've always kept our sales force, as I mentioned with dollar-based quotas and we don't manage the business on a product basis.

Yes. I think the question was, unless I misunderstood, on these new services like the Patch Management and all that, and we said that we have not really considered that as meaningful revenues to 2019 because it's hard to predict the ramp of -- the adoption ramp. We are very confident that our customers will adopt it, but it takes some time because they need to find the budget. They do the proof-of-concept, et cetera. Sometimes it's a displacement much more than -- so you've got all that, it takes time, but we're absolutely confident of the adoption of these new services.

Yes, that have added color. I was portraying to provide the framework of how we manage our business, which is based on contribution from new customers and then growth of existing.

And are you guys expecting similar uptake by customers relative to the older products that have been released in 2015?

Well, as we said, the actual curve is going to depend on what the pace of adoption is. And without any data points, it's hard to pop what the curve's going to be. Some may be faster, some may be slower.

Right. However, if you look at the key metrics that we disclosed like the number of customers which have adopted 2 or more solution, which now is, I think, 70%; and then those who have 3, which I think today it's 40%.

41%.

41%. Those who have adopted 4 and more, which is...

21%.

21% and now we show the 10%, which is about 10% correct?

5% plus 10%.

That was 5% plus 10%. We can absolutely say that today we believe that, of course, these new product all continue feeling that at the end of day, we believe that 70% of our customer base are going to adopt all our 4 solutions. Why? Is because why you would never want to do that when they're totally native in one single platform, a single administration, self-updating, all of these benefits and it start to reduce significantly your cost as you're instead of laying on all these different solutions that you got to integrate, to manage, have different teams, all of that will leave me at a lot cost. So we're very confident that overall, what we cannot really predict is essentially the ramp in the early days. So today, as we start to see [level of] data points, so today we can see the trajectory by the way of the 3-plus, which today at 40%, you could almost predict when are they going to be at 70%. So those which are -- the more you go into, of course, the newer ones, the harder it is to predict because we have less data point. Does that make sense?

Your next question comes from Patrick Colville with Arete Research.

Can I ask about the Patch Management tool? Because I know that in my work speaking to CISOs, that is going to be a product that's going to be really in demand. And so I'd just like to better understand it in terms of what is the tool, I guess, going to offer? And when it's likely to be released?

So we just announced today that the Patch Management is really going to be a -- or what's in the few weeks, so it's -- we're ready to go. Now that Patch Management solution is relatively unique. And because it cuts across all the different environment, the Patch Management tools today that you have are very specific to Windows, to UNIX, to this, to that. So it's a nightmare for companies when they're, for example, to put an urgent patch, which cuts across like, WannaCry, for example, multiple environment. Today with Qualys, you are now able to essentially -- first of all, Qualys will tell you exactly where all your vulnerabilities are, where do you need to patch, and then you just push a button, and this will be all patched. Now you could, of course, not do that 100% automatically, you may want to add some kind of steps in between, but that's become an operational issue for the company. So that murky patching capabilities is very unique of Qualys. So that's one big differentiator. And then, after that, the question becomes also a question of automation. The problem today is that there's -- you have never tied very well vulnerability with Patch Management, with the superceding patches, and that will resolve all of these problems. So look at us operationalizing it. So for example, we have solution on Patch Management like what -- you have some of the Microsoft solution like WSUS are totally free, but the problem is that you just do patching without that visibility. And so Qualys, for relatively very attractive price, everything automated, give you these capabilities. So we -- I cannot tell you again the rate of adoption. It's too soon. However, I can tell you that we are solving a real problem here because the immediacy of patching has become today very important because the more time it takes -- you take to eliminate your vulnerabilities, the more time you give for the bad guys to essentially damage you. And as you know, today 0 days used to be few -- a month before an exploit could -- was in the wild, that it was published. Now today, it's almost minutes. It's absolutely pretty fast. So you better be on the top of your vulnerabilities. But then you need to patch. Without remediation, identifying your vulnerabilities, okay, so the only -- so you could shut down your network, close down your network then you don't do any business. So that immediacy is becoming very important. So we anticipate a very good success as well of the Patch Management solution.

Can I just follow up on that. I mean, it seems like a very -- like an obvious place for you to go into. And so I guess, why by now given that this would be a product that...

It's a very good question. If you look today -- a very good question. If you look today at the story of Patch Management, you have BigFix. BigFix was the first solution that really was providing an enterprise-wide Patch Management solution, multi-platform, if you prefer. And then IBM bought them. The problem with BigFix is that it's central enterprise software, so it's pretty heavy. It costs a lot. So we took a cloud approach to Patch Management. Again, everything's centrally managed, self-updating. It took us -- we have been working on that now for about essentially 4 years. And so it doesn't happen in 1 day. And we took the lot of the technology in partnership with Ivanti, so taking some of -- because there's a lot of complexity and to deliver that as a cloud solution, like doing vulnerability management solution, which is very unique to what Qualys did from the cloud, very few companies have done that. It's like we're the only one who really does that well on that scale because we needed to have our scanners, then you put your scanners inside, you need to do -- remotely manage. It's a lot of complexity to make it that easy, and that's same thing with Patch Management. It took us about 4 years to get that product out.

And I'm showing no further questions at this time. I would like to turn the call back over to Natasha Asar for closing remarks.

Thanks, Heather, and thank you all for attending our fourth quarter and full year 2018 earnings call. We are holding an event for our analysts and investors during the RSA Conference on Wednesday, March 6, from 11:00 a.m. to 1:00 p.m., and registration will be on our site soon. We also look forward to seeing many of you later this month at the JMP Securities Technology Conference and the Morgan Stanley TMT Conference in San Francisco. Thank you.

Ladies and gentlemen, thank you for participating in today's conference. This does conclude the program and you all may disconnect. Everyone, have a wonderful day.