Operator
Good day, and thank you for standing by. Welcome to the Qualys third quarter 2025 investor call. (Operator Instructions) Please be advised that today's conference is being recorded.
I would now like to hand the conference over to your first speaker today, Blair King. Please go ahead.
Blair King - VP of Investor Relations & Corporate Development
Thank you, Briana, and good afternoon, and welcome to Qualys' third quarter 2025 earnings call. Joining me today to discuss our results are Sumedh Thakar, our President and CEO; and Joo Mi Kim, our CFO.
Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements and factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events.
During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks and investor presentation are all available on the Investor Relations section of our website.
So with that, I'd like to now turn the call over to Sumedh.
Sumedh Thakar - President, Chief Executive Officer, Director
Thanks, Blair, and welcome to our third quarter earnings call. With threat actors continuing to reduce time to exploit at a fast pace, I believe the future of cybersecurity is moving from attack surface management to risk surface management using Agentic AI-powered proactive risk management with business quantification and automated remediation.
Against this backdrop, we continue to execute well in Q3 demonstrated by another quarter of solid revenue growth and profitability. Over the last couple of years, I've had the privilege of meeting with hundreds of CISOs, CIOs and security leaders worldwide. From these conversations, one theme has stood out, the need to operationalize cyber risk management in business terms to align budget spend with business risk. CISOs are looking for a practical approach to consolidate tools where possible and empower their teams to use best-of-breed where it makes sense. They want to seamlessly unify their security tool set into a centralized risk fabric that provides an alternative to single vendor platformization by operationalizing the management of multiple risk vectors to effectively measure, communicate and ultimately remediate the organization's risk posture.
The Risk Operations Center, ROC, powered by Qualys ETM delivers on this ask. At our recently concluded ROCon, Risk Operations Conference in Houston, where we elevated the business risk conversation to feature a specialized CFO and Board track, our customers validated this approach. With the broadening of the agenda for ROCon the attendance was up 20% over last year's QSC event.
While traditional security operations centers focused on detecting breaches after they happen, Qualys is pioneering the first Agentic AI Risk Operations Center, ROC, a new category in cybersecurity designed to centralize an organization's response to threats before they impact the business. Powered by our ETM solution, the ROC processes several petabytes of high-fidelity data every day, normalizes and correlates intelligence from both Qualys and non-Qualys sources and equips AI and humans to collaborate in real-time detecting and responding to threats at machine speed. This isn't about more alerts. It's about actions that close blind spots before attackers can exploit them.
Unlike traditional continuous threat exposure management (CTEM) tools that simply highlight the exposure but lack adequate native remediation capabilities, our differentiated ETM solution combines CRQ, CTEM and native remediation operations to fix the risks that matter most quickly and at scale. By aligning security and IT decisions directly with business priorities, we are providing organizations with measurable proactive risk reduction that Boards and customers value.
Early adoption is already validating the model with POCs continuing to convert to commercial deployments, underscoring both the scale of this opportunity and its parallels to the early days of VMDR. And we're not stopping there. Our R&D engine is continuing to deliver innovations, rapidly expanding our platform and positioning Qualys for a larger upsell opportunity. In doing so, Qualys is now extending several proven module native capabilities into ETM, empowering organizations to harness them seamlessly across the entire attack surface.
By demonstrating -- by democratizing trillions of security exposures from both Qualys and third-party tools, including vulnerabilities, misconfigurations and identities aggregated by our ETM solution, we are unleashing a sophisticated predictive platform that leverages a combination of Qualys TruRisk framework, our TruLens threat management capabilities and a mission-ready Agentic AI workforce operating autonomously from discovery to remediation with full ITSM integration. This unique combination of capabilities identifies trending threats in real time, benchmarks threats against peers, assesses organizational impact and quantifies risks in clear, actionable terms that matter most to the business.
As a result, security and IT teams can continuously prioritize ticket and remediate threats based on organization risks associated with emerging exposure, targeting specific industries, asset types and identity. We believe these most recent additions to our ETM solutions further advance our differentiation in the market, enhance security operations and significantly accelerate measurable outcomes for customers.
Next up for our ETM solution, I'm particularly excited about yet another pioneering capability from Qualys, TruConfirm. TruConfirm flexes the power of our platform to confirm exploitability before customers become compromised. Using automated validation at scale, we remove the guesswork for customers by running safe exploits over the network to confirm whether the attackers will succeed in their breach attempts while closing the gap between theoretical and actual exposure. This approach further allows customers to be laser-focused on prioritizing only exploitable blind spots for the next logical step, which is automated remediation with TruRisk Eliminate.
Our industry-leading capabilities are increasingly being recognized by our customers, partners and third-party analysts. Specifically at Black Hat, Qualys won Two Pwnie Awards for our outstanding contribution to threat research underpinned by our strong leadership in threat intelligence and triage. Equally important, GigaOm recognized Qualys as the leader in Patch Management, a market Qualys pioneered with over 140 million patches deployed in the last year alone.
While some competitors are only beginning to validate this strategy, Qualys has advanced well beyond patching. TruRisk Eliminate closes the unpatchable gap, enabling IT and security teams to automate an array of compensating controls when patches are deemed too risky to deploy or simply not available. And with adversaries increasingly exploiting vulnerabilities at AI speed, our umbrella of AI-based automated remediation solutions has evolved into a significant adoption layer, a distinctive competitive advantage and opens new market opportunities for Qualys.
Moving on to our business update. With customers spending $500,000 or more with us growing 5% from a year ago to 211, let me share a couple of recent wins, which illustrate why organizations ready to centralize the response to cyber risk are turning to Qualys to help unify their security tools, quantify and remediate risk in their environments and fortify their security operations. In Q3, one of my favorite wins was with a Global 700 customer that was previously only using Qualys for PCI scanning. This customer, like many organizations, was buried under fragmented telemetry, manual spreadsheets and disconnected tools. With little automation, their teams were spending more time documenting than reducing risk and consequently were burdened by an onslaught of compliance audits. This customer chose Qualys to transform siloed risk signals, spanning code repositories, endpoints, identity, cloud container and network assets into a cohesive real-time risk management solution by consolidating Qualys and non-Qualys data.
This included replacing their existing vulnerability management vendor and purchasing three additional Qualys modules, including ETM to begin operationalizing the risk operations center with ingested third-party data resulting in a mid-6-figure annual bookings upsell. By consolidating these data sources into the Qualys platform, we are delivering this customer a vendor-agnostic orchestration layer with full visibility of their attack and risk surface, centralized risk management, quantification, prioritization and remediation while unleashing the operational efficiencies of security stack consolidation aligned with acceptable -- within acceptable risk parameters for the business.
With our innovative technology, unmatched platform effect and focus on reducing risk and friction, this will underscore Qualys' ability to eclipse legacy siloed solutions and advance our leadership in the industry. It's also an outstanding example of how we are working with our managed risk operation, mROC partners of choice to activate the ROC with new win business. For the next phase, this customer is evaluating our TotalCloud native CNAPP solution and TruRisk Eliminate solutions while also bringing additional third-party tools into Qualys platform, representing a significant upsell opportunity.
Further leveraging our mROC partner ecosystem to drive new logos was a new 6-figure customer win with a major airline in the Middle East. This customer chose Qualys because of our unified detection and remediation capabilities with TruRisk Eliminate. Nearly 9 months after announcing GA with our ETM solution and over 28 POCs converting to commercial success already, we have gained valuable insights into ETM pricing and packaging. As a point of reference, we expect that for every $1 of VMDR, ETM can drive an uplift of up to 100% now that ETM will include Cybersecurity Asset Management as well as other ETM feature enhancements such as those mentioned earlier and third-party data ingestion. Given this, starting with our Q1 2026 earnings call, we will shift from reporting cybersecurity asset management LTM bookings to ETM customer penetration as we believe ETM will be evolving into a key pillar of growth for Qualys over the next several years.
Turning to our federal business. We achieved a high 6-figure upsell with an existing large government agency. This customer had previously used multiple legacy and next-gen tools to manage a variety of risk management use cases across their security, IT and DevOps team. In addition to the complexity of using multiple point products, this government agency has become increasingly frustrated with increasing costs associated with legacy on-prem deployments, the efficiencies of operating siloed systems and elongated remediation efforts.
With a distinct need to shift several monolithic workloads to micro application across its hybrid environment on a FedRAMP high solution, this customer accelerated the consolidation of its security stack over 17 Qualys modules, including VMDR, Cybersecurity Asset Management, TotalAppSec, TotalCloud, TruRisk Eliminate and TotalAI. Today, this customer is leveraging a unified dashboard that provides them with a greater insight and automation than any of the competitive products they evaluated while taking full advantage of the speed and scale of cloud-native platform. This, alongside a significant 7-figure state win are a testament to the strength we see in our federal state and local government business and the long-term growth potential of the market.
Beyond these wins, we are also increasingly gaining leverage from our partner ecosystem. In Q3, partner-led deal registration increased, demonstrating the success of our partner-first sales motion. In addition, we have now certified nearly a dozen partners who are actively launching mROC services, leveraging ETM to deliver centralized automated pre-breach risk management. Momentum is building towards a global ROC alliance, and we expect to certify additional strategic partners in the coming months ahead who are committed to positioning Qualys as their mROC partner of choice.
Further contributing to our platform growth is our flexible platform pricing model, which we are calling Q-Flex. We beta tested Q-Flex in Q3 to help customers accelerate and maximize the adoption of the Qualys Enterprise TruRisk platform. In less than a quarter after introducing this model, we're seeing notable customer interest and tremendous success. To give you an example, an existing Global 10 customer made a multiyear commitment under our Q-Flex program, increasing their annual bookings by over 50% while adding new modules to their subscription count with Qualys. This win reflects our growing capabilities in risk management, and we expect the contribution from Q-Flex to continue to grow.
In summary, our continuous innovation, early ROC deployment, strategic wins with federal customer -- and state agencies, momentum in partner-led initiatives and the initial adoption of Q-Flex collectively underscore Qualys' strength in unifying risk management workflows, reducing operational complexity for customers and addressing today's toughest security challenges. We believe these achievements not only validate our ongoing investments, but also position Qualys as a trusted leader in pre-breach risk -- cyber risk management, setting the stage for durable growth and long-term success.
With that, I will turn the call over to Joo Mi to further discuss our third quarter results and outlook for the fourth quarter and full year 2025.
Joo Mi Kim - Chief Financial Officer
Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP and growth rates are based on comparisons to the prior year period, unless stated otherwise.
Turning to third quarter results. Revenues grew 10% to $169.9 million. The channel continued to increase its contribution, making up 50% of total revenues compared to 47% a year ago.
Revenues from channel partners grew 17%, outpacing direct, which grew 5%. As a result of our strategic emphasis on leveraging our partner ecosystem to drive growth, we expect this trend to continue. By geo, 15% growth outside the US was ahead of our domestic business, which grew 7%. US and international revenue mix was 56% and 44%, respectively. In Q3, gross retention continued to improve. However, upsells remain challenging with our net dollar expansion rate of 104%, unchanged from last quarter.
In terms of product contribution to bookings, Patch Management and Cybersecurity Asset Management combined made up 17% of total bookings and 28% of new bookings on an LTM basis. Our cloud security solutions, TotalCloud CNAPP made up 5% of LTM bookings. Reflecting our scalable and sustainable business model, adjusted EBITDA for the third quarter of 2025 was $82.6 million, representing a 49% margin compared to a 45% margin a year ago.
Operating expenses in Q3 increased by 5% to $64.9 million, driven by investments in sales and marketing, which grew 9%. As we remain focused on driving growth, we are mindful of where to further increase investments while optimizing returns and others, which resulted in EBITDA margin exceeding our expectations in Q3. This demonstrates our ability to maintain high operating leverage, remain capital efficient while continuing to innovate and invest to support our long-term growth initiatives.
With this strong performance, EPS for the third quarter of 2025 grew 19% to $1.86. Our quarterly free cash flow was $89.5 million, representing a 53% margin compared to 37% in the prior year. Year-to-date, free cash flow margin was 46% compared to 42% in the prior year. In Q3, we continued to invest the cash we generated from operations back into Qualys, including $901,000 on capital expenditures and $49.4 million to repurchase 366,000 of our outstanding shares. Since commencing our share repurchase program in February of 2018, we've repurchased 10.4 million shares and returned $1.2 billion in cash to shareholders. As of the end of the quarter, we had $205 million remaining in our share repurchase program.
With that, let us turn to guidance, starting with revenues.
For the full year 2025, we expect revenues to be in the range of $665.8 million to $667.8 million, which represents a growth rate of 10%. This compares to prior guidance of $656 million to $662 million. For the fourth quarter of 2025, we expect revenues to be in the range of $172 million to $174 million, representing a growth rate of 8% to 9%.
While we believe our platform approach to cyber risk management provides some insulation in macro volatility, this guidance assumes continued budget scrutiny in a challenging environment for new business growth in Q4. Shifting to profitability guidance. We expect full year 2025 EBITDA margin in the mid- to high 40s, net free cash flow margin in the low 40s. We expect full year EPS to be in the range of $6.93 to $7, up from a prior range of $6.2 to $6.5. For the fourth quarter of 2025, we expect EPS to be in the range of $1.73 to $1.8. Our planned capital expenditures in 2025 are expected to be in the range of $5.5 million to $7 million and for the fourth quarter of 2025 in the range of $1.2 million to $2.7 million.
With that, Sumedh and I will be happy to answer any other questions.
Operator
(Operator Instructions)
Roger Boyd of UBS.
Roger Boyd - Analyst
Awesome, thanks for taking the questions and congrats on a nice quarter. Sumedh, can you just double-click on some of the pricing you mentioned around ETM earlier? I just wanted to be clear on that 100% upsell metric. Is that inclusive of what you have with cybersecurity asset management in patch? And just now with the kind of packaging sort of figured out on that product, just your confidence in kind of the ability to start driving better upsell moving forward. Thanks.
Sumedh Thakar - President, Chief Executive Officer, Director
Yes, that's a great question. So from the way the pricing we're looking at it is the ETM pricing is going to include Cybersecurity Asset Management because as we talk to our customers, for building any Risk Operations Center, the foundation is asset inventory and without that, you cannot succeed. And so that was a big feedback that came about. So that's included. What we have added also is the Agentic AI capabilities for them to be able to augment their security team with AI agents so that they can really manage outcomes for cybersecurity within their spend and optimize because everybody has been asked about how they're optimizing their spend even in cyber.
And the ability to have very focused threat intel that will allow them to validate exploits, so that's included. The upsell that we look forward to is then once they have used ETM to be able to get the inventory to be able to confirm that the exploit can work in their environment. Then they purchase TruRisk Eliminate, which includes patch as an example and mitigation so that they can get that particular thing actually remediated. Because at the end of the day, we can create all kinds of visibility, but given that attackers are exploiting vulnerabilities, if you saw the recent Mandiant report in minus 1 day on an average, which is even before patches are coming out, the key is going to be about being able to remediate things and mitigate things even if you don't have a patch available.
So the pricing, to answer your question is 100% -- up to 100% is what we see with the addition of VMDR ability to bring in CSAM, Agentic AI, as well as ability to confirm exploitation. And then from there, the upsell will be they will -- they can upsell to eliminate so that they -- it allows them to do more in terms of actually getting an outcome.
Roger Boyd - Analyst
Really helpful. Thanks for the call.
Operator
Patrick Colville of Scotiabank.
Patrick Edwin Colville - Analyst
Thanks for taking my question, guys. I guess I want to ask 2 parts. One is on the Fed. I know the Fed is like a more nascent notion for Qualys, but what are you guys seeing in the Fed's, especially kind of in the first couple of weeks of 4Q given the shutdown. And then -- and the other question I'd like to ask is about the competitive environment. And the reason I ask this one is the one we get most from investors. And it's like is the competitive environment changing for Qualys, given noise from vendors like CrowdStrike and others who are claiming to be entering the space and winning share. So are you coming up against different companies now versus a year ago? And results speak for themselves, win rates seem high, but can you talk to that as well?
Sumedh Thakar - President, Chief Executive Officer, Director
Yeah, that's a two-part question. So let me stay focused to answer both of them. So first one is on the federal side, as you already know, we are at our very, very early innings, and we made the investment and the commitment to get FedRAMP high, which has really created very, very powerful conversations. I mean I have the pleasure of actually being out in D.C. and having some very critical meetings there to start to have the conversation around Risk Operations Center, how it can help the government and essentially bring efficiency. And so you kind of have the dose, which is, of course, that is driving people to think more of efficiency in terms of how they can consolidate different things, and that's where the Risk Operations Center as a way to eliminate, fixing things that don't really matter to the risk has really resonated well with our federal customers.
Today, it's not just the spend of the tool. It is the amount of spend you put in remediating things that the tool is telling you, which is a waste of time and money if those things are not even exploitable. So for us, what we are seeing is -- it's a very exciting early conversations. We see lots of opportunities over the next few years. Of course, when you have the current scrutiny that is going on, sometimes people are taking a bit of a wait-and-watch opportunity. In other cases, we're actually seeing opportunities coming to us because of the focus on being able to be efficient in terms of the Risk Operations Center. So it's a mixed bag.
But overall, from what we see right now is we don't have as much exposure revenue to that part. We do see that this is an area that we have committed to invest over the next few years and FedRAMP was our first step. And now with our focus on the conference we did in D.C., and we are going to continue to invest in the federal space moving forward.
On the vulnerability management and competition side, I think if you -- I was really excited to see that Qualys got the leader position in GigaOm's Patch Management above many of the other vendors that have been out there. Because really with what we have been seeing and what I saw a few years ago and why we have been talking about how vulnerability management is evolving, less about detecting more and more CVEs. Most people are barely fixing 5% of the CVEs that are being discovered because it's creating so much noise.
So while there are other players that talk about discovering more CVEs, the focus for Qualys and what we are doing with the Risk Operations Center has been about how we are helping customers really narrow down and we did that at our conference, ROCon Conference, where we show a nice little representation of how 62 million findings after applying the right agent in threat intelligence went down to 2 million findings that really mattered in terms of any risk. And then further after applying business context went down to only 300,000. And so our focus has been shifting towards how do we help the customer actually pinpoint exactly what matters from threat intel perspective, but then also how can we help them immediately fix it, because if attackers are attacking things in 4 hours, you don't have time to go and create Jira tickets and ServiceNow tickets and wait for other teams to use different patching solutions and different mitigation solutions to do that.
And so what we're doing now, what we're seeing is really an evolution of that is customers really like our capabilities, accuracy of detection, et cetera, but we have also opened up the platform now with ROC to be able to ingest data from other areas like OT or other EDR tools that might be collecting CVEs. So that we can help customers actually narrow down that focus of what really matters and the key exciting thing is for them to be able to get things fixed with Qualys, which is something that -- and validating the exploit and then getting it fixed with Qualys is what is focus for most of our customers right now.
So primarily, we see Tenable, Rapid7. Yes, occasionally, we see some of the other tools that are talking about giving more CVEs. But customers are focusing more on how do we get the key things remediated quicker rather than discovering more which they are not fixing anyway.
Patrick Edwin Colville - Analyst
Thank you, Suma. That's super helpful.
Operator
Mike Cikos, Needham.
Michael Cikos - Equity Analyst
Great, thanks for taking the questions, guys. I just wanted to double check and congrats on the quarter here. Were there any one-time benefits to revenue or CCP that we need to take into account on our side? And then secondly, as a follow-up, Joo Mi, great to see the results. Net dollar retention obviously remains here at 104. What needs to happen for that net dollar retention to actually start picking up from where we are today?
Joo Mi Kim - Chief Financial Officer
Yeah. With respect to CCP, nothing specific to call out, it was a solid quarter. As usual, you do get some benefit or negative impacts from out-of-cycle renewals, but nothing material that we think that's specific to this quarter. So it was really a solid growth quarter from an execution standpoint. Net dollar expansion rate, we'd love to get that up from 104 and upward, and this is part of the reason why Sumedh had commented on the fact that we've been really focused on making sure that we're delivering the message in terms of how ETM could be beneficial to our existing customers as well as new prospects. And so as we look to the cohort of customers that are up for renewal in each respective quarter, we're making sure that they understand the value that they could potentially see from whether they're looking to upsell from CSAM to ETM or cross-selling with adding ETM to their existing VMDR solution, and we think that, that could be a meaningful impact during the dollar expansion rate.
Michael Cikos - Equity Analyst
Thank you so much.
Operator
Crane of Canaccord Genuity.
Kingsley Crane - Analyst
Hi, thanks for taking the question, and Congrats on a really great quarter. If we think about Agentic AI within the risk operations center, TotalAI within VM and then the CNAPP suite, they all require significant development resources to how are you prioritizing R&D spend across those initiatives? And just what metrics do you use to evaluate resource allocation?
Sumedh Thakar - President, Chief Executive Officer, Director
Yeah, that's a great question. And I think it's really the focus for us on investment in R&D and sales and marketing right? And at the beginning of the year we started with the plan to hire a CRO from a sales perspective and put focus on hiring more engineers, et cetera, to be able to deliver on all the capabilities that we're talking about. And I think as we have -- I'm pretty happy with our focused execution with the level of investments that we have made and the way Shawn, who is our VP of Global Sales, has executed with the team to give us a solid quarter. And so the focus for us now is to really, from a sales and marketing perspective to focus on working with Shawn and team. So that we can get efficiencies from what we are seeing cross-functional between our sales team, our product management team, et cetera.
And then on the R&D side, we have had really good success with leveraging AI internally within our own development efforts. And as an example, we pretty much stopped hiring anybody in QA anymore. We are seeing 20% to 25% efficiency gain with our best engineers. And ironically, it's actually the best engineers who are getting the most benefit of using AI. And so in a way, with all the things that we are doing with adding AI into the Risk Operations Center, AI is benefiting us in adding those without a significant increase in our R&D expense. And so I think at this point, the way we are looking at it is we're going to continue to leverage AI.
And of course, we're going to invest back in our business. But no need really at this point for us to look at having CRO and the team is executing well focused with what our goals are. And then on the R&D side, again, we, of course, are -- if you see the innovations that are coming out, is a pretty rapid pace, we will, of course, continue to invest in R&D, but it's all going to be looked at from the lens of what kind of investment we will make in terms of people versus AI tools and how those tools are going to give us the required efficiency or I would say, unexpected efficiency in some cases. And so we're excited about what we're going to be able to do from both adding the Risk Operations Center, Agentic AI capabilities while internally also using Agentic AI across the board, not just in R&D, but also in sales and other areas as well.
Joo Mi Kim - Chief Financial Officer
And just to add to that, we are extremely focused on making sure that we have the right team structured in the focus areas from a product development standpoint. We have different teams working on, whether it be a total AI or ETM. And because of that, we are continuing to increase the hiring, the R&D, the engineers. It's just that the geographic mix of incremental hires has shifted more to be in India, which has helped from an R&D expense standpoint, but we are making sure that we're working across different orgs or different functional areas within the engineering team to make sure that we're prioritizing in the right manner.
Kingsley Crane - Analyst
Really helpful thank you.
Operator
Shrenik Kothari of Baird.
Shrenik Kothari - Analyst
Yeah, thanks for taking my question and Echoing my congrats to the team. Sumedh, the TruConfirm announcement definitely sounds like a step function moving from, as we said, the risk scoring to automated exploit validation and at scale. Just curious like -- do you envision this also becoming sort of a pillar like ETM as monetizing it standalone? Or do you think of it as becoming an on-ramp to move customers into broader ETM. And then just with the with the POCs converting and all the large enterprise consolidations you talked about, like how should we think about the ETM trajectory ahead? And then I have a quick follow-up for Joo Mi.
Sumedh Thakar - President, Chief Executive Officer, Director
That's a great question. And look, I mean I think I would say that at the end of the day for risk management, you only manage your risk if you have eliminated the right risk, right? Just building dashboards and as I said, dashboard tourism is not helping with just visibility. And so at the end of the day, for that to happen, you need to have three things. You need to be able to collect data from multiple sources so you can get a broader picture of the view and you're applying threat intelligence and you're seeing some of the traditional CTEM, which has been around for many years.
Some of the CTEM solutions are just giving you, we consolidate the data and here it is. And so they are giving you a theoretical view of what might be exploitable in the environment. But with TruConfirm included as part of ETM, we are going a step further relative to the CTEM visibility-only platforms, giving them the ability to actually confirm and that's included as part of ETM. It is not an additional upsell, but that helps us differentiate from the CTEM only solutions, gives them the ability to confirm in that environment that the exploit actually works. And then the upsell from there is really and that's kind of how we look at the beachhead for converting our customers from the MDR to ETM is that, that conversion then will allow us to upsell them to the actual eliminate capability.
Because again, like I said, if attackers are looking -- are starting to exploit vulnerabilities even before patches are being made available, it is really about speed. And so you need to be able to quickly detect the vulnerability, you need to be able to then confirm that it is exploitable in your environment rapidly. And then the next logical step has to be an automated AI-driven fix. So that you can get it fixed before the attackers get there. And if we -- and that's really where the Risk Operations Center is not just a CTEM solution, it really is more than a CTEM solution, which is just giving you dashboards.
Shrenik Kothari - Analyst
Got it. Super helpful. And Joo Mi, very quickly, Sumedh mentioned about the AI driver for automated remediation and orchestration scale into model mROC partner delivery again also reducing the heavy lifting internally. So just curious, as partners increasingly monetize these services, how should we think about incremental leverage and how we're thinking about that.
Joo Mi Kim - Chief Financial Officer
Yeah. I think that mROC will really help us to grow the top line because how we see the new product and value proposition in terms of the customers being able to really see how ETM could help them from a risk management standpoint, they will need assistance from the partner to really make sure that they are implementing the tool they're utilizing in the appropriate way and they're maximizing the ROI from their respective like customization that's required from the organizational standpoint.
So with working hand-in-hand with the partner to help us accelerate the top line growth for us, we think that we will get some leverage from a margin perspective, but really the unit economics, we don't really see a material shift there. I think we're already seeing some kind of benefit as we continue to shift more of our business to the partner side and then layering on top that mROC, professional services or additional implementation help that customers might see will help to accelerate that revenue growth and the ETM penetration.
Sumedh Thakar - President, Chief Executive Officer, Director
And Shrenik, just to kind of add to what Joo Mi said, I called that out as an example in our earnings calls where an mROC partner, brought this new logo opportunity to Qualys in the Middle East, one of the largest airlines because they were excited about, not because of just a margin here or there, they were excited about the ability to provide high-value risk management services to their customer. If they brought that customer to Qualys versus just selling them some other VM scanner that would just give them more findings and they would have to do a lot of work to provide value on top of that. So that strategy around mROC partners are bringing not just ETM, but they're also bringing us other customers, other deals with the understanding that these engagements with Qualys will lead to services revenue for these companies.
Junaid Siddiqui - Equity Analyst
Great, thanks a lot so much, Julie. I appreciate it.
Operator
Junaid Siddiqui of Truist Securities.
Junaid Siddiqui - Equity Analyst
Great, thank you for taking my question. As you pivot more into a platform play, are you seeing any changes in sales cycles from customers?
Sumedh Thakar - President, Chief Executive Officer, Director
I mean, I think nothing notable to call out for. I think on the -- there's good and bad, right, at times for us to be able to show the value of the platform by ingesting data from tools that they already have. Can be a win instead of saying, you need to do a deployment of our agents and scanners everywhere to see the value that Qualys brings and then the pricing kind of allows them to think about maybe eliminating their existing solution over a period of time.
And so I think today, I think so far, we are in the early days, but we're seeing, especially with the ROCon Conference that we had and the partner advisory -- I mean -- sorry, the product advisory board where we had a lot of the top banks out there. I think the feedback is a lot of excitement around the Risk Operations Center as a focus area rather than just kind of trying to do a like-to-like scanner to scanner replacement and the time and effort it takes. This is something that they feel like it's something that they can justify in terms of moving quickly now, of course, it is something that is new. Everybody is looking at it this year.
So it is allowing them to figure out how they're going to budget. Some people have the budget now, some people are looking at it to budget for next year's purchases. And so -- but overall, the conversation has been pretty positive. And I think the goal for us is to not only existing customers not only bring the Qualys findings into ETM, but that value they get out of that is going to encourage them to bring a lot of other findings and other assets that are not currently in Qualys.
And so we are seeing that with some of the early adopter customers. They started with bringing Qualys VMDR findings into ETM, but then quickly pivoted after seeing the value to bringing sometimes twice as many assets into Qualys as they had before from other tools, increasing the license count for ETM. So that's kind of how we're looking at it as we progress is that it's going to help us be much quicker in POCs and we don't have to walk away if a customer already has a competing VM scanner. We can actually just ingest the data, show them the value -- show them the business value and then grow from there rather than doing prolonged POCs that involve deployment of agents and scanners, which ultimately they see the value in that, but it is sometimes -- just takes a longer cycle. So I think net-net, I think will -- it's early days. We'll see how it develops. But so far in the initial engagements we have had, it's been pretty exciting and fairly quick moving.
Junaid Siddiqui - Equity Analyst
Great, thank you.
Operator
Joshua Tilton of Wolfe Research.
Joshua Tilton - Equity Analyst
Hey guys, thanks for sneaking me in and Congrats on a great quarter. I've been bouncing around a few calls, so I'm actually going to ask a pretty high-level question. And my question is, we have the privilege of covering three publicly traded vulnerability management vendors, and you guys are all kind of growing at different rates. And I guess my question to you is, are the deltas in your growth rate a function of things changing within the VM market and therefore, some of you are growing faster, taking share, growing slower within VM, or the delta in the growth rates because some of you have taken these broader platform plays and you have these non-VM products better separating the growth between these 3 players? And if it's the latter, I guess, can you just help us understand which of the product -- the non-VM products for you are really driving the separation and growth that we're seeing at Qualys versus some of the other players?
Sumedh Thakar - President, Chief Executive Officer, Director
I would just say that some of us just have an awesome organic platform. That's why we are growing at a different pace. But having said that, look, I think, we've talked about this for a few years, VM has been changing and people are less focused on just scanning and more focused on prioritization remediation, and that's why we pivoted towards, if you recall, Patch Management a few years ago and we got GigaOm giving us that number one spot in their analysis for Qualys, which was a great achievement for us just within four years, getting to number one of our established players.
We're also pivoting more with ETM towards the ability to not just -- not only collect data from multiple tools as well as our own tools, but also ability to prioritize with threat intel. We have award-winning threat intelligence, and we talked about that. And then the ability for us to actually confirm the vulnerabilities exploitable by exploiting it and then getting it fixed. And so what we are seeing, and we have been reporting on how Eliminate and Patch Management has been growing as a percentage of our LTM bookings. And then we've also talked about now that our focus on ETM and how starting at the earnings call for Q1, we're going to focus more on the penetration for ETM in our customer base, which is elevating from VMDR to ability to give them a broader Risk Operations Center and then the upsell from that is going to be the Eliminate capabilities to get things fixed.
And so I -- with the engagement that we have with our customers, there is a big focus from customers on business alignment of cybersecurity spend, the ability to look at risk from a business perspective. And what we are doing now in the organically developed platform that we have that integrates so many different things together, I think, is helping customers get a very quick and simplified view of their actual risk and the ability to actually remediate before attackers get there versus competitors have multiple acquisitions with multiple separate tools that don't really work with each other. And they're not able to get that kind of -- in my belief, they're not able to get the kind of response that we are able to give very quickly whenever there is something going on, and that's the feedback that we have been getting from customers.
Joshua Tilton - Equity Analyst
Sumedh, you had me at organic platform. But maybe just a follow-up for Joo Mi. If I missed it, I apologize, but any way to think about how we should expect billings growth to finish or current billings growth to finish this year?
Joo Mi Kim - Chief Financial Officer
Yeah. I think that Q4 because it was a very strong quarter, a tough compare for last year. We do expect current billings to be a few percentage points below the revenue growth rate ending the year. So maybe if you think about it from the like 2025 full year current billings growth at around 8%.
Joshua Tilton - Equity Analyst
Super helpful. Thank you.
Operator
Jonathan Ho of William Blair.
Garrett Burkam - Analyst
Hi, This is Garrett Burkam on for Jonathan. I was just wondering if you could walk us through how you're thinking about contribution from your new and continued product innovations like including AI and new modules around VMDR and mROC versus just continuing to upsell and cross-sell your existing installed base? And then also, can you just talk about how customer conversations are going with your mROC solution at this point? Just what traction you're getting there?
Sumedh Thakar - President, Chief Executive Officer, Director
Sorry, I didn't get the first part of the question again. So you're asking for contribution from...
Garrett Burkam - Analyst
Yeah, like new modules and new customers versus upselling your existing base in your existing modules?
Sumedh Thakar - President, Chief Executive Officer, Director
Yeah. Look, I think every customer is a different part of the journey. So we don't really break it out by individual modules. I think we have been giving color on the contribution of TotalCloud, which is our cloud native CNAPP solution. We're happy to see the progress it is making in early days, but it was 5% of the bookings for the quarter. And then you also have -- we called out Patch Management and Cybersecurity Asset Management, which has been the focus for us the last couple of years, and we're happy with the penetration there.
But we're also now pivoting more towards the Risk Operations Center, ETM solution that we talked about and our goal is going to be just like we did from VM to VMDR a few years ago, really up level our customers from VMDR to ETM solutions. So which we have a very nice existing installed base of vulnerability management customers that we can work on upselling them and cross-selling them to ETM, which by the way, will include Cybersecurity Asset Management already. And then next step above that, we'll be upselling them to Eliminate solution to actually get things fixed. And so conversations have been super positive around Risk Operations Center, as I said in the earnings script, one of the big differentiators for us has been the CRQ and the business focus on risk management rather than just giving technical scores, and that was underscored at our ROCon Conference in Houston where we added a business track, separate business track for cybersecurity, which had sessions with CFOs and Board members and insurance companies.
And actually, because of that, we had a 20% increase in attendance because people were really focused on making sense out of from a business perspective. So the conversations with customers are on Risk Operations Center, ETM solution from Qualys has been that they really like that we're not just a CTEM solution, giving them dashboards. We're actually natively fixing issues for them rapidly as well as we're giving them AI-based intelligence around the business and for their particular industry, what is the risk of ransomware? How much money could they lose, why should they fix this particular vulnerability versus not fix another vulnerability.
So it's been very positive feedback, and we're excited about that. And so I think, as we get into the next year, we are really putting a focus on ETM and as part of that we have made some internal promotions to align well with our go-to-market strategy there with product management and Jonathan, our CISO, also really working on helping us as a GM for our risk operations solutions to really bring all of our teams to executing more towards ETM and getting the benefit out of upselling our customers to ETM. And that's what we see in the Q1 earnings call, we'll be starting to focus on the opportunity ahead of us.
In addition, of course. One of the reasons is like there's a lot of CNAPP solutions out there. We see the resonation -- what is resonating with customers with our CNAPP solution. There's not so much individual features, but it is, again, the ability to bring the cloud risk as part of the holistic business risk. And so yes, other CNAPP solutions can tell you how many open buckets that you have after the public. But if you ask them, what does that mean, how in dollar value lost to your company, if one of them is compromised. They don't have answers to that. And so our cloud security solution is actually integrated from a risk perspective to give that business quantification, and that's what the feedback that we're getting from customers. And so as I look into next year, our focus is going to be on ETM as the big focus to cross-sell our customers.
It's going to be continued investment for long term in the federal market. Focus on the continued innovation that we have with Eliminate capabilities. And then all of that is going to be underpinned by our work that we are doing with mROC partners which I think is going to contribute even more to scale our business in 2026.
Operator
Joseph Gallo of Jefferies.
Unidentified Participant
Hi guys, this is Anec Bevin on for Joe Gallo. Really strong quarter. Can you just share some color on where exposure management is in terms of budget prioritization in 2026? And can we expect billings to track in line with your noted 8% for 2025?
Sumedh Thakar - President, Chief Executive Officer, Director
I think I'll answer the first part is we're seeing definitely customers are looking to invest in proactive risk management solutions. And as I said, that the Risk Operations Center where exposure management is part of that in business quantification. With the feedback and response that we're getting from customers, this is definitely an area that they are focusing on in all the conversations that we had with this year.
I think a lot of customers see the Risk Operations Center and the Security Operations Center, ROC and SOC kind of working closely with each other because there is a lot of fatigue currently on the SOC side because of too many alerts. And the feeling is that if they can focus on better prevention in the first place that can reduce the number of alerts and reduce the fatigue that they see in the SOC and people are looking to balance in the early conversations, while I don't have an exact percentage right now, we will see how it evolves in next year.
People do talk about balancing their cybersecurity budgets between proactive risk management versus just reactive after the fact that somebody is in your network, and there's -- a lot of that has happened in the past. And it's ultimately you cannot do away with one or the other. You need both, so that you can proactively reduce risk while having the monitoring needed, if there is a compromise to block that. But there is definitely a focus on customers to prioritize the split between those because again, if they don't prioritize what they are fixing accurately, then they're asking and wasting their IT teams resources and fixing things that don't actually matter while at the end, getting more alerts in their SOC.
So from that perspective, we are seeing conversations around the Risk Operations Center and exposure management is one part of that. We are definitely trending where customers are liking this ability to think about how much they spend into proactive risk management in terms of business risk and how much risk they would have, which is what I talked about in my keynote as well as ROCon is moving from an attack surface management to risk surface management. You can spend a lot in covering your attack surface, but the risk of loss was only $50,000 and you spent $500,000 to your attack surface. That's not a great business equation. So that's what we are hearing and we're seeing from our customers in terms of billings, Joo Mi?
Joo Mi Kim - Chief Financial Officer
No, I think that 8% that we believe that we'll be able to achieve in 2025 for the full year is on track.
Kingsley Crane - Analyst
Thank you.
Operator
Rudy Kessinger of D.A. Davidson.
Rudy Kessinger - Analyst
Hey, great, thanks for squeezing me in here. Just a clarification on that last question, Joo Mi. You said that 8% billings for this year is "on track." Is that to imply that you think you can do 8%-ish again next year? Or can you just clarify that, please?
Joo Mi Kim - Chief Financial Officer
Yeah. So right now, I mean, billing has the tendency to be very lumpy. So for this year, we think that we're going to end the full year at 8%, which implies a lower current billings growth rate for Q4 given the tough compare to one year ago. In terms of next year, it's a little bit too early to tell in terms of 2026, what we think that we'll be able to achieve. A lot of it will depend on what we'll be able to close the year at when it comes to the net dollar expansion rate. And we are monitoring very closely in terms of the newer product adoption to give us a better sense and clarity into what we think that we should be anticipating for 2026 growth rate.
Rudy Kessinger - Analyst
Got it. Okay. And then you guys had some pretty decent results in the last few quarters now. Growth has been stable at 10% the last 4 quarters, I believe, on revenue. You've got NRR stable at 104%. What -- I guess, what would you need to see to maybe give you guys confidence in maybe declaring that you can deliver a stable 10% plus growth over the next couple of years?
Sumedh Thakar - President, Chief Executive Officer, Director
Well, we're certainly working towards that. I think the key growth vectors we see right now are converting our VM customer base to -- VMDR customer base to ETM is an area of focus, creating upsell with Eliminate on that. We continue to see very -- a lot of interest for our cloud security solution. And I think with a long-term federal opportunity that we are focusing on, we have really good conversations with Risk Operations Center on the federal side as well. I think those are the areas that we continue for sort of short-term, medium-term and long-term growth, which is again underpinned by our focus on mROC partnerships. But we're really laser-focused next year on our VMDR to ETM conversion and the upsells with Eliminate.
Operator
Yun Kim of Loop Capital Markets.
Yun Suk Kim - Analyst
Congrats on a solid quarter. Sumedh, on the Enterprise TruRisk Management, ETM, is that primarily a big deal sales motion? Or is it just a combination of a bunch of products that could be purchased and deployed in multiple phases and collectively that could lead to 100% uplift over time. Just want to get a better understanding of that 100% plus uplift commentary.
Sumedh Thakar - President, Chief Executive Officer, Director
Yeah, I think we feel and with the early response from customers, we feel like we can hold up to, of course, 100% of the VMDR because we're adding them -- we are providing them AI capabilities, Agentic AI capabilities, marketplace built in, where they can essentially bring on an AI agent as part of their team for 4 weeks as they're focusing on an audit or for three weeks as they are triaging the ransomware related vulnerabilities. And so CSAM is also included in that. Ability to test exploits is also included in that. And so we feel like that's something that is going to be helpful for customers, primarily it is VMDR, CSAM plus all the new capabilities that I highlighted, or what is focused on that now.
We also talked about Q-Flex and I think a lot of this is going to go hand-in-hand as we start seeing scale next year. A lot of these customers who are looking to buy ETM are also going to be interested in our Eliminate platform and also be interested in cloud. And so the Q-Flex is what sort of you talked about is from an ability to provide them a way to try and use different Qualys modules that make sense to them instead of having to go through multiple purchase cycles through the year and we are going to see a combination of the Q-Flex pricing with ETM cross-sells are the focus for us as we get into next year.
Yun Suk Kim - Analyst
Okay. Great. Looking forward to ETM adoption next year, given that it sounds like it's going to have big impact. Just Sumedh, you haven't done any acquisition in a while or anything sizable. If you can just give us an update on your view on acquisition strategy. Obviously, you guys are performing very well. The business overall is stable. You got this ETM kicking in starting next year. Obviously, you're very proud of your organically growing platform, but you must see a strategic opportunity to expand your offering to get to that place faster than organically, are you tempted at all given how dynamic the market is evolving?
Sumedh Thakar - President, Chief Executive Officer, Director
Look, we are always open to all kinds of different opportunities to look at organic small acquisition, some larger acquisition potential as well. That makes sense. We definitely come more from -- we want to give our customer an organic experience with the platform. Having said that, we have done tuck-in acquisition in the past where if there is a fit with our platform, we're not shy of looking at something larger. But currently, with the way we are executing, focusing -- and one of the things that happens with ETM now is that we are able to increase the asset count that the customer has with Qualys by actually bringing data from other tools and may not necessarily need them to essentially buy that particular capability from Qualys, as an example, right?
Like now with ISPM identity solution, as an example, that we have as part of ETM, we can pull an identity from Okta and AD and others, and we don't necessarily have the customer to us to maybe acquire an AD security company. We can work with companies out there while that increases the asset count in Qualys. And so these dynamics keep changing, and we see efficiencies coming out of AI. We are seeing ability for us to look at various players in the market, how they are doing. And we continue to stay focused on our road map from an organic experience for our customers while also keeping an eye on the industry and looking at whether it's going to be a smaller or a larger acquisition, we're definitely continuing to be open to that.
Operator
Thank you. This now concludes the question-and-answer session. Thank you for your participation in today's conference. This does conclude the program. You may now disconnect. Goodbye.