Qualys Inc (QLYS) 2025 Q4 法說會逐字稿

Ladies and gentlemen, thank you for standing by. Welcome to Qualys' fourth-quarter 2025 investor call. (Operator Instructions) Please be advised at today's conference is being recorded.

女士們、先生們，感謝你們的耐心等待。歡迎參加 Qualys 2025 年第四季投資者電話會議。（操作說明）請注意，今天的會議正在錄音。

I would now like to turn the conference over to Blair King, Investor Relations. Please go ahead.

現在我將把會議交給投資者關係部的布萊爾金。請繼續。

Thank you, Michelle, and good afternoon, and welcome to Qualys' fourth-quarter 2025 earnings call. Joining me today to discuss our results are Sumedh Thakar, President and CEO; and Joo Mi Kim, our CFO.

謝謝米歇爾，下午好，歡迎參加 Qualys 2025 年第四季財報電話會議。今天與我一起討論我們業績的有總裁兼執行長 Sumedh Thakar 和財務長 Joo Mi Kim。

Before we get started, I'd like to remind you that our remarks today will include forward-looking statements that generally relate to our future events or future financial and operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events.

在正式開始之前，我想提醒各位，我們今天的演講將包含一些前瞻性陳述，這些陳述通常與我們未來的事件或未來的財務和營運績效有關。實際結果可能與這些說法有重大差異。可能導致結果與預期有重大差異的因素已在今天的新聞稿和我們向美國證券交易委員會提交的文件中列出，包括我們最新的 10-Q 表格和 10-K 表格。我們在本次電話會議中所做的任何前瞻性陳述均基於截至今日的假設，我們不承擔因新資訊或未來事件而更新這些陳述的義務。

During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks, and investor presentation are all available on the Investor Relations section of our website.

在本次電話會議中，我們將介紹 GAAP 和非 GAAP 財務指標。今天的獲利新聞稿中包含了GAAP與非GAAP指標的調節表。再次提醒各位，新聞稿、準備好的發言稿和投資者簡報都可以在我們網站的投資者關係版塊中找到。

So with that, I'd like to now turn the call over to Sumedh.

那麼，現在我想把電話交給蘇梅德。

Thank you, Blair, and welcome to our fourth-quarter earnings call. As [threat actors] continue to compress time to exploit, we believe the next phase of pre-breach risk management will be defined by an agentic AI-driven risk fabric with out-of-the-box business quantification, automated remediation to respond to the speed of these threats. Against that backdrop, we continue to execute well in Q4 demonstrated by another quarter of strong revenue growth and profitability.

謝謝布萊爾，歡迎參加我們的第四季財報電話會議。隨著[威脅行為者]不斷縮短利用漏洞的時間，我們認為下一階段的入侵前風險管理將由智慧AI驅動的風險架構來定義，該架構具有開箱即用的業務量化和自動補救功能，以應對這些威脅的快速變化。在此背景下，我們在第四季度繼續保持良好的業績，實現了又一個季度強勁的營收成長和獲利能力。

In my conversations with hundreds of CIOs and CSOs as well as security leaders from many of the world's largest and most innovative organizations, one message has remained consistently clear. Reducing cyber risk isn't about detecting more exposures. It's about operationalizing a cyber risk management program that aligns spend with risk tolerance.

在與來自全球眾多規模最大、最具創新精神的組織的數百名首席資訊長、首席安全官以及安全領導者的對話中，我始終聽到一個清晰的訊息。降低網路風險並非在於發現更多風險敞口。關鍵在於落實網路風險管理計劃，使支出與風險承受能力相符。

In doing so, CSOs are increasingly prioritizing the unification of fragmented security stack into a centralized risk fabric. One that serves as a credible alternative to single vendor platforms by bringing diverse risk vectors into a prioritized measurable view of risk that the teams can confidently communicate and remediate at machine speed.

因此，首席安全官們越來越重視將分散的安全堆疊統一到一個集中的風險架構中。它透過將各種風險因素納入優先可衡量的風險視圖中，為單一供應商平台提供了一個可靠的替代方案，團隊可以自信地溝通並以機器速度進行補救。

That message was further amplified as our recently concluded ROCon conference in Mumbai with attendance up over 30% from last year's event as we again broadened the agenda to include a business truck and with the element of AI, which is demoralizing cybercrime and enabling adversaries to operate with unprecedented speed and sophistication, this meal is only intensifying.

我們最近在孟買舉行的 ROCon 大會進一步強化了這一訊息，與去年的活動相比，出席人數增加了 30% 以上。我們再次擴大了議程，納入了商業卡車，並加入了人工智慧元素，這正在削弱網路犯罪的士氣，並使對手能夠以前所未有的速度和複雜性運作，這場「盛宴」只會愈演愈烈。

As a result, we believe that the future of pre-breach risk management belongs to vendor-agnostic agentic AI-powered solutions that continuously predict, assist, confirm, quantify, prioritize, and remediate risk across on-prem and multicloud environments.

因此，我們認為，未來安全漏洞風險管理的發展方向是與供應商無關的、由人工智慧驅動的代理解決方案，這些解決方案能夠持續預測、協助、確認、量化、確定優先順序並修復本地和多雲環境中的風險。

Over the past years, we continue to execute relentlessly towards this vision. Delivering meaningful platform innovation to help customers reduce risk faster, operate more efficiently and stay ahead of an increasingly dynamic landscape.

過去幾年，我們一直不懈地朝著這個願景努力。提供有意義的平台創新，幫助客戶更快地降低風險、更有效率地運營，並在日益動態的環境中保持領先地位。

Accordingly, in 2025, we broadly expanded the Qualys ETM platform, the third-party data and launched a powerful new orchestration layer that unifies Qualys and non-Qualys findings applies our industry-leading intelligence and delivers a business contextual quantified view of risk with built-in prioritization and automated remediation. Building on this foundation, we introduced an agent AR risk fabric that assesses and normalizes diverse internal and external data sources, applications, and machines.

因此，在 2025 年，我們大幅擴展了 Qualys ETM 平台和第三方數據，並推出了一個強大的新編排層，該編排層統一了 Qualys 和非 Qualys 的調查結果，應用了我們行業領先的智能，並提供了具有內置優先級排序和自動補救功能的業務上下文量化風險視圖。在此基礎上，我們引入了代理 AR 風險架構，用於評估和規範各種內部和外部資料來源、應用程式和機器。

We expanded -- we extended these capabilities with the first-of-a-kind agentic AI risk management marketplace, enabling security and IT teams to quickly augment their existing workforce with highly specialized autonomous experts that significantly reduce time to remediation, increase accuracy, and reduce costs.

我們擴展了這些能力——透過首創的智慧AI風險管理市場，使安全和IT團隊能夠快速地用高度專業化的自主專家來增強其現有員工隊伍，從而顯著縮短補救時間、提高準確性並降低成本。

To further close security gaps, we again organically enhance ETM with a natively integrated identity security partial management solution at a time when identities have become part of the new AI perimeter. And further flexing the power of our platform, we are now confirming exploits the four customers are compromised, while traditional continuous threat exposure management solutions rely on a theoretical risk score and ignore mitigating security controls. ETM takes a fundamentally different approach on a single platform. It uniquely detects vulnerabilities, validates exploitability, applies remediation, and revalidate exploit using agentic AI workflow. The net result is that Qualys is redefining how organizations manage pre-breach risk management while competitors continue to focus on detecting vulnerabilities or mapping theoretical exposures, polishes moved decisively beyond that model.

為了進一步縮小安全差距，我們再次透過原生整合的身份安全部分管理解決方案，有機地增強了 ETM，因為身份已成為新的 AI 邊界的一部分。為了進一步展現我們平台的強大功能，我們現在確認了這四位客戶的系統已被入侵，而傳統的持續威脅暴露管理解決方案依賴於理論風險評分，忽略了緩解安全控制措施。ETM 在單一平台上採用了一種截然不同的方法。它採用智慧AI工作流程，能夠獨特地偵測漏洞、驗證可利用性、應用修復措施並重新驗證利用情況。最終結果是，Qualys 正在重新定義組織如何管理入侵前的風險管理，而競爭對手仍在專注於偵測漏洞或繪製理論風險敞口，Qualys 則果斷地超越了該模型。

We are pioneering the first agentic AI native risk operation center, ROC, a new category in cybersecurity designed to centralize an organization's response to that spanning exploit confirmation to autonomous remediation. Powered by our ETM solution, the ROC present a fundamental diversions from traditional CTEM tools. Competitors can point to exposures. They can't quantify cyber in dollar terms that matters most to the business, and they cannot adequately fix step. ETM fills that gap.

我們正在率先推出首個智慧AI原生風險營運中心（ROC），這是網路安全領域的一個新類別，旨在集中組織對網路安全問題的回應，涵蓋漏洞確認到自主修復。ROC 由我們的 ETM 解決方案提供支持，與傳統的 CTEM 工具存在根本性的差異。競爭對手可以指出風險敞口。他們無法用對企業最重要的美元來量化網路安全，也無法充分採取措施。ETM填補了這一空白。

This is what sets Qualys apart. We don't stop at detection and non-quantifiable prioritization. We natively integrate CTEM, export confirmation, risk quantification, and remediation operations into a single air-powered workflow to leveraging both Qualys and non-Qualys data sources.

這就是 Qualys 的獨特之處。我們不會止步於檢測和無法量化的優先排序。我們將 CTEM、出口確認、風險量化和補救操作原生整合到單一的空中動力工作流程中，以利用 Qualys 和非 Qualys 資料來源。

In doing so, our architecture orchestrates and implements a perception reasoning action loop enabling autonomous agents to collect real-time telemetry reason through risk signals, plan response workflows, and execute actions. This enables organizations to holistically predict emerging risk across infrastructure, cloud application security, IoT and identities, safely confirm probable exploits, prioritized threats based on business impact immediate through patching or other compensating controls and verify the effectiveness of the remediated tactic.

透過這種方式，我們的架構協調並實現了感知推理動作循環，使自主代理能夠透過風險訊號收集即時遙測推理，規劃回應工作流程並執行動作。這使得組織能夠全面預測基礎設施、雲端應用程式安全、物聯網和身分方面的新興風險，安全地確認可能的漏洞利用，根據業務影響確定威脅的優先級，並透過修補或其他補償控制措施立即解決問題，並驗證補救策略的有效性。

This end-to-end vendor neutral approach is catalyzing a paradigm shift in pre-breach cyber risk management, the customers aren't just seeing their risk holistically across the rest they are validating it, quantifying it, and reducing it continuously and autonomously at scale. By aligning security and IT decisions directly with business priorities, we are providing organizations with measurable proactive risk reduction that brings customer value. Armed with this fresh new set of capabilities and early momentum already validating this model, we are now laser-focused on accelerating ETM adoption through our VMDR customer base and positioning Qualys for larger upsell opportunities over time.

這種端到端的、供應商中立的方法正在推動網路攻擊前風險管理的典範轉移，客戶不僅能夠全面地了解自身風險，還能持續、自主地大規模驗證、量化和降低風險。透過將安全性和 IT 決策與業務優先順序直接結合起來，我們為組織提供可衡量的主動風險降低，從而為客戶創造價值。憑藉這套全新的能力和已經驗證該模式的早期勢頭，我們現在正全力以赴地透過我們的 VMDR 客戶群加速 ETM 的採用，並隨著時間的推移，為 Qualys 爭取更大的追加銷售機會。

Moving to our business update with customers spending $50,000 or more with us growing 4% from a year ago to [$215,000]. Let me now share a couple of recent wins which illustrate why organizations ready to centralize the response to cyber risk or turning to Qualys to help unify the security stack to quantify remediate risk in their environment and fortify their security operations.

接下來是我們的業務更新，在我們這裡消費滿 5 萬美元或以上的客戶數量比去年同期增加了 4%。[215,000 美元]現在讓我分享幾個最近的成功案例，這些案例說明了為什麼那些準備集中應對網路風險或尋求 Qualys 幫助統一安全堆疊以量化其環境中的風險並加強其安全運營的組織。

First, an existing Global 50 customer was struggling under the weight of multiple unintegrated security tools, millions of vulnerabilities, and limited visibility into the overall risk profile. Traditional prioritization methods were unable to adequately fill up critical findings leading security and IT teams without the necessary business context to act decisively.

首先，一家現有的全球 50 強客戶正苦於應對多個未整合的安全工具、數百萬個漏洞以及對整體風險狀況有限的可見性。傳統的優先排序方法無法充分解決關鍵問題，導致安全和 IT 團隊缺乏必要的業務背景，無法採取果斷行動。

Consequently, this customer selected Qualys and launched a strategic initiative to unify the security stack by transforming silo risk signals spanning on-prem and multicloud environment into a cohesive agentic AI-native risk management solution. This included expanding the ETM deployment to further operationalize the ROC with ingested third-party data from several sources, resulting in a mid-six-figure annual bookings observed. By consolidating these data sources into the QALYS platform, we are now delivering this customer unified orchestration layer and full visibility of their attack surface, centralized resource assessment, quantification prioritization, and remediation workflows while unleashing the operational efficiency of the stack consolidation.

因此，該客戶選擇了 Qualys，並啟動了一項戰略計劃，透過將跨越本地和多雲環境的孤立風險訊號轉換為統一的、具有智慧體的 AI 原生風險管理解決方案，來統一安全堆疊。這包括擴大 ETM 部署，以進一步利用來自多個來源的第三方資料來營運 ROC，從而觀察到每年六位數的預訂量。透過將這些資料來源整合到 QALYS 平台中，我們現在為客戶提供統一的編排層，並全面了解其攻擊面、集中式資源評估、量化優先順序和補救工作流程，同時釋放堆疊整合的營運效率。

This expansion of the ROC underscores the power of our platform and reinforces Qualys' ability to unify siloed risk signals, operate as an autonomous defense layer, strengthen customer outcomes aligned to the business risk tolerance, and advance our leadership in the industry.

ROC 的此次擴展凸顯了我們平台的強大功能，並強化了 Qualys 統一孤立風險信號、作為自主防禦層運行、增強與業務風險承受能力相一致的客戶成果以及鞏固我們在行業中的領導地位的能力。

Leveraging our mROC partner ecosystem, we are also pulling new business into Qualys. During the planning stages of launching a new ETM POC with a Global 200 company in Latin America, we secured a seven-figure annual bookings upsell, which included our total cloud CNAPP and policy audit solutions. This win demonstrates the leverage of our partner-led motion and our ability to convert early engagements into meaningful multi-solution growth.

透過我們的 mROC 合作夥伴生態系統，我們也為 Qualys 帶來了新的業務。在與拉丁美洲一家全球 200 強公司合作推出新的 ETM POC 的規劃階段，我們獲得了七位數的年度預訂追加銷售，其中包括我們的全套雲端 CNAPP 和策略審計解決方案。這次成功證明了我們以合作夥伴為主導的行動的有效性，以及我們將早期合作轉化為有意義的多解決方案成長的能力。

Turning to our federal business. We achieved a mid-six-figure expansion with one of the federal government's most visible shared security services utilized by several large government agencies nationwide, faced with an overwhelming volume of security issues that limited resources to continuously assess risk across augmented tools and manual workflows, this customer chose Qualys for its cloud native FedRAMP high authorized platform to enable a centralized government program that quantitatively prioritizes risk with automated assessment, standard output, and low operational overhead. Given the success of this deployment, we are now working towards a multi-agency ETM rollout representing a significant upsell opportunity as the shared services team prepares to operationalize its risk operation center.

接下來談談我們的聯邦事務。我們為聯邦政府最受矚目的共享安全服務之一實現了六位數的中段成長，該服務被全國多個大型政府機構使用。面對大量的安全問題，資源有限，無法透過增強工具和手動工作流程持續評估風險，該客戶選擇了 Qualys 的雲端原生 FedRAMP 高授權平台，以支援集中式政府計劃，該計劃透過自動化評估、標準輸出和低營運成本對風險進行量化優先排序。鑑於此次部署的成功，我們現在正致力於多機構 ETM 的推廣，這代表著一個重要的追加銷售機會，因為共享服務團隊正準備投入營運其風險營運中心。

These results, alongside another six-figure upsell with a separate large federal agency, reinforce our program ability to align technical capabilities with operational outcomes that address modern security challenges and address for the long-term growth opportunity in our federal business.

這些成果，加上與另一家大型聯邦機構達成的六位數追加銷售，鞏固了我們專案將技術能力與營運成果相結合的能力，從而應對現代安全挑戰，並抓住我們在聯邦業務中的長期成長機會。

Beyond these wins, we're also gaining more leverage from our partner ecosystem. As we continue to endorse a partner-first sales motion, partner-led deal registration increased again in Q4, reflecting deeper alignment and execution across the channel. In addition, with well over a dozen certified mROC partners actively launching new services, momentum continues to build towards a global ROC alliance, fueling our capability, harnessing transformative solution sales, and bringing new business to Qualys.

除了這些勝利之外，我們還從合作夥伴生態系統中獲得了更大的影響力。隨著我們繼續推行以合作夥伴為先的銷售策略，第四季度合作夥伴主導的交易註冊量再次增加，這反映出整個通路的協調性和執行力都得到了提升。此外，隨著十幾家認證的 mROC 合作夥伴積極推出新服務，全球 ROC 聯盟的勢頭持續增強，這推動了我們的能力，促進了變革性解決方案的銷售，並為 Qualys 帶來了新的業務。

Further contributing to our growth profile, in Q4, we continued beta testing QFlex to help customers accelerate and maximize adoption of the Wallace ETM platform. Given the strong customer response and early success of this model, we plan to continue to focus on proactively identifying opportunities to leverage QFlex to enable select customers and partners to accelerate the adoption of Wallace solutions in 2026.

為了進一步促進我們的成長，在第四季度，我們繼續對 QFlex 進行 beta 測試，以幫助客戶加速並最大限度地採用 Wallace ETM 平台。鑑於客戶對該模式的強烈反響和早期成功，我們計劃繼續專注於積極尋找機會，利用 QFlex 使選定的客戶和合作夥伴能夠在 2026 年加速採用 Wallace 解決方案。

In summary, we are fundamentally changing how organizations manage pre-breach cyber risk by unifying CTEM with expert confirmation, risk quantification, and automated remediation powered by an agentic AI risk fabric. Our rapid pace of innovation and strategic investments are driving strong competitive differentiation, deeper ROC adoption, broader engagements across large federal agencies, growing partner-led execution, and initial QFlex success.

總而言之，我們正在從根本上改變組織管理入侵前網路風險的方式，將 CTEM 與專家確認、風險量化和由智慧 AI 風險架構驅動的自動補救措施相結合。我們快速的創新步伐和策略性投資正在推動強大的競爭優勢、更深入的 ROC 採用、更廣泛的與大型聯邦機構的合作、不斷增長的合作夥伴主導的執行以及 QFlex 的初步成功。

Looking ahead to 2026, we'll continue our disruptive innovation, further advance our gold market investments, and execute our ROC vision with a balanced approach to long-term growth and profitability.

展望 2026 年，我們將繼續進行顛覆性創新，進一步推進黃金市場投資，並以平衡的長期成長和獲利能力的方式實現我們的 ROC 願景。

With that, I will turn the call over to Joo Mi to further discuss our fourth-quarter results and outlook for the first quarter and full year 2026. ++

接下來，我將把電話交給 Joo Mi，讓她進一步討論我們第四季度的業績以及對 2026 年第一季和全年的展望。++

Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that, except for revenue, all financial figures are non-GAAP and growth rates are based on comparisons to the prior-year period unless stated otherwise.

謝謝你，Sumedh，下午好。在開始之前，我想指出，除收入外，所有財務數據均為非GAAP數據，成長率均基於與去年同期的比較，除非另有說明。

We're pleased to report a healthy finish to the year, highlighting our continued execution, financial discipline, and scalable business model. For the full year, we grew revenues by 10% to $669.1 million and achieved adjusted EBITDA margin of 47% and even with continued 14% growth in investments in sales and marketing. Net income and EPS grew 13% and 15% to $257.8 million and $7.07 per diluted share, respectively. And free cash flow reached $304.4 million or 45% of revenues, all of which exceeded our expectations for the year.

我們很高興地宣布，今年業績圓滿收官，這凸顯了我們持續的執行力、財務紀律和可擴展的商業模式。全年來看，我們的營收成長了 10%，達到 6.691 億美元，調整後的 EBITDA 利潤率達到 47%，即便在銷售和行銷方面的投資持續成長 14% 的情況下也是如此。淨利和每股收益分別成長 13% 和 15%，達到 2.578 億美元和每股稀釋收益 7.07 美元。自由現金流達到 3.044 億美元，佔收入的 45%，所有這些都超出了我們對今年的預期。

Turning to fourth-quarter results. Revenues grew 10% to $175.3 million. The channel continued to increase its contribution, making up 51% of total revenues compared to 48% a year ago. Revenues from Channel Partners grew 17%, outpacing Direct, which grew 4%. As a result of our strategic emphasis on leveraging our partner ecosystem to drive growth, we expect this trend to continue.

接下來來看看第四季業績。營收成長10%，達1.753億美元。該通路的貢獻持續成長，佔總營收的 51%，而一年前這一比例為 48%。通路合作夥伴的收入成長了 17%，超過了直接收入的 4%。由於我們策略性地重視利用合作夥伴生態系統來推動成長，我們預期這一趨勢將會持續下去。

By geo, 15% growth outside the US was ahead of our domestic business, which grew 6%. US and international revenue mix was 56% and 44%, respectively.

以地理劃分，美國以外地區的成長率為 15%，高於國內業務的 6%。美國和國際收入分別佔56%和44%。

With customers confirming their prioritization of security within IT budgets, we anticipate the selling environment in 2026 to remain similar to last year with a low- to mid-single-digit growth in security spend persisting for the foreseeable future. Reflecting the sentiment, our gross dollar retention rate remained comfortably above 90%. We saw a modest sequential decline in Q4 with our net dollar expansion rate at 103%, down from 104% last quarter.

由於客戶確認了他們在 IT 預算中優先考慮安全問題，我們預計 2026 年的銷售環境將與去年類似，安全支出將在可預見的未來保持低至中等個位數的成長。與此相符，我們的毛美元留存率一直維持在 90% 以上。第四季淨美元擴張率較上季略有下降，為 103%，低於上一季的 104%。

In terms of product mix, our differentiated new products continue to drive growth with all three of the following increase in contribution to bookings in 2025. First, cybersecurity asset management, combined with ETM made up 10% of total bookings and 13% of new bookings in 2025, up from last year's 8% and 9%, respectively.

從產品組合來看，我們差異化的新產品將繼續推動成長，以下三項產品在 2025 年對預訂量的貢獻都將增加。首先，網路安全資產管理與 ETM 結合，在 2025 年佔總預訂量的 10% 和新預訂量的 13%，分別高於去年的 8% 和 9%。

Next, patch management made up 8% of total bookings and 16% of new bookings in 2025, up from last year's 7% and 16%, respectively.

其次，修補程式管理佔總預訂量的 8%，佔 2025 年新預訂量的 16%，分別高於去年的 7% 和 16%。

Lastly, total cloud made up 5% of total bookings in 2025, up from 4% a year ago. We believe that these differentiated products combined will continue to increase contribution to bookings in 2026, given our opportunity to increase market share and maximize share of wallet.

最後，到 2025 年，雲端服務預訂總量佔總預訂量的 5%，高於一年前的 4%。我們相信，鑑於我們有機會提高市場份額和最大化錢包份額，這些差異化產品結合起來將在 2026 年繼續增加對預訂量的貢獻。

Turning to profitability. Adjusted EBITDA for the fourth quarter of 2025 was $82.6 million, representing a 47% margin, same as last year's. Operating expenses in Q4 and increased by 11% to $68.9 million, driven by investment in sales and marketing, which grew 18%.

轉向盈利。2025 年第四季調整後 EBITDA 為 8,260 萬美元，利潤率為 47%，與去年持平。第四季營運支出成長 11% 至 6,890 萬美元，主要原因是銷售和行銷方面的投資成長了 18%。

With this strong performance, fourth quarter of 2025 was $1.87 per diluted share, and our free cash flow was $74.9 million, representing a 43% margin compared to 26% in the prior year. In Q4, we continued to invest the cash we generated from operations back into Qualys, including $724,000 on capital expenditures and $44.7 million to repurchase 328,000 of our outstanding shares.

憑藉這一強勁的業績，2025 年第四季每股攤薄收益為 1.87 美元，自由現金流為 7,490 萬美元，利潤率為 43%，而去年同期為 26%。第四季度，我們繼續將營運產生的現金重新投資於 Qualys，其中包括 724,000 美元的資本支出和 4,470 萬美元的回購 328,000 股流通股。

Since commencing our share repurchase program in February of 2018, we've repurchased 10.7 million shares and returned over $1.2 billion in cash to shareholders. As of the end of the quarter, we had $160.5 million remaining in our share repurchase program.

自 2018 年 2 月啟動股票回購計畫以來，我們已回購了 1,070 萬股股票，並向股東返還了超過 12 億美元的現金。截至本季末，我們的股票回購計畫中還剩餘 1.605 億美元。

We are pleased to announce that our Board has authorized another increase of $200 million to the share repurchase program bringing the total available amount for share repurchases to $360.5 million.

我們很高興地宣布，董事會已批准將股票回購計畫的資金再增加 2 億美元，使可用於股票回購的總金額達到 3.605 億美元。

With that, let us turn to guidance, starting with revenue. For the full year 2026, we expect revenue to be in the range of $717 million to $725 million, which represents a growth rate of 7% to 8%. For the first quarter of 2026, we expect revenues to be in the range of $172.5 million to $174.5 million, representing a growth rate of 8% to 9%. This guidance assumes no material change in our net dollar expansion rate with moderate growth contribution from new business in 2026.

接下來，讓我們轉向指導意見，先從收入方面開始。我們預計 2026 年全年營收將在 7.17 億美元至 7.25 億美元之間，成長率為 7% 至 8%。我們預計 2026 年第一季的營收將在 1.725 億美元至 1.745 億美元之間，成長率為 8% 至 9%。該預期假設我們的淨美元擴張率不會發生實質變化，2026 年新業務的成長貢獻適度。

Shifting to profitability guidance. For the full year 2026, we expect EBITDA margin to be in the mid-40s implying mid-teens increase in operating expenses and free cash flow more trend in the low-40s. We expect full year EPS to be in the range of $7.17 to $7.45.

轉而關注獲利能力指引。我們預計 2026 年全年 EBITDA 利潤率將達到 40% 左右，這意味著營運費用將增加 15% 左右，自由現金流將趨向於 40% 左右。我們預計全年每股收益將在 7.17 美元至 7.45 美元之間。

For the first quarter of 2026, we expect EPS to be in the range of $1.76 to $1.83. Our planned capital expenditures in 2026 are expected to be in the range of $8 million to $12 million. And for the first quarter of 2026 in the range of $1.2 million to $2.6 million.

我們預計2026年第一季每股收益將在1.76美元至1.83美元之間。我們計劃2026年的資本支出預計將在800萬美元至1200萬美元之間。2026 年第一季預計在 120 萬美元至 260 萬美元之間。

In 2026, with respect to operating expenses, we plan to align our product and marketing investments to focus on specific initiatives aimed at driving our pipeline, accelerating our partner program, and expanding our federal vertical. As a percentage of revenues, we expect to prioritize an increase in investments in sales and marketing with more modest increases in engineering and G&A.

2026 年，在營運費用方面，我們計劃調整產品和行銷投資，重點關注旨在推動產品線發展、加速合作夥伴計劃和擴大聯邦垂直業務的具體舉措。從營收佔比來看，我們預期將優先增加對銷售和行銷的投資，而對工程和一般及行政管理的投資增加幅度則較為溫和。

With that, Sumedh, and I would be happy to answer any of your questions.

那麼，我和蘇梅德很樂意回答你們的任何問題。

(Operator Instructions) Jonathan Ho, William Blair.

（操作說明）Jonathan Ho，William Blair。

Hi, good afternoon, and congratulations on the strong quarter. Can you talk a little bit more about some of your QFlex offerings and how it potentially helps remove friction and perhaps encourages broader adoption of your platform?

您好，下午好，恭喜貴公司本季業績優異。您能否再詳細介紹 QFlex 的一些產品和服務，以及它們如何幫助消除摩擦，並可能促進平台的更廣泛應用？

Yeah, thank you very much, and that's a great question. We've talked about this last quarter as well. I think if you have to, if you take that in relation to what we are doing with the risk operations center and ETM and how we're differentiating ourselves from the exposure management solutions is that the ability to detect all your assets, find your vulnerabilities, ability to use agentic AI to actually not only prioritize those, which is what a lot of these exposure management solutions do, which is just giving you a score, we're leveraging the ability to use agentic AI to confirm those exploits within the environment, which is very differentiated from what everybody does. But then after that, actually the ability to also remediate those.

是的，非常感謝，這是一個很好的問題。上個季度我們也討論過這個問題。我認為，如果一定要說的話，如果把這一點和我們正在進行的風險運營中心和ETM項目聯繫起來，以及我們與風險敞口管理解決方案的區別在於，我們能夠檢測所有資產，發現漏洞，並利用智能體人工智能對這些漏洞進行優先級排序（很多風險敞口管理解決方案只是給出一個分數），而我們則利用智能體人工智能對這些漏洞進行優先級排序（很多風險敞口管理解決方案只是給出一個分數），而我們則利用智能體人工智能對這些漏洞中的其他漏洞的漏洞。但之後，實際上也有能力彌補這些問題。

And so being able to get this end to end very quickly, very fast before attackers are leveraging AI to do the same for your environment, the QFlex proposal allows the customer at their pace to then be able to consolidate a lot of these capabilities on a single platform with Qualys and do that over a period of time during their subscription with us, which allows them to maybe initially start with more of that prioritization and confirmation.

因此，QFlex 方案能夠幫助客戶快速實現端到端的安全防護，趕在攻擊者利用 AI 對您的環境進行攻擊之前，讓客戶能夠按照自己的節奏，將許多此類功能整合到 Qualys 的單一平台上，並在訂閱期間逐步完成，從而讓他們能夠首先進行更多的優先排序和確認。

But then as the year goes by, it allows them then to leverage our eliminate capabilities more and more to be able to focus on getting the outcome of getting these things fixed. And so what we're excited about is our conversations initially with the customers that have adopted this have been very positive in the fact that the security environment is not a static environment at the beginning of the year, it is continuously changing throughout the year.

但隨著時間的推移，這使他們能夠越來越多地利用我們的消除能力，從而專注於解決這些問題。因此，我們感到興奮的是，我們與採用此方案的客戶的初步溝通非常積極，因為安全環境在年初並不是一個靜態的環境，而是在一年中不斷變化。

And the flexibility that pricing model offers them to actually be able to leverage different quality capabilities throughout the year as the threats change is a very big positive for them. So really happy with the feedback we have gotten in the beta phase. And at this year, 2026, we look forward to doing more of that and moving more towards the GA model for that.

這種定價模式賦予他們的靈活性，使他們能夠根據威脅的變化，在一年中靈活運用不同的品質能力，這對他們來說是一個非常大的優勢。非常高興我們在測試階段收到了這麼多回饋。到 2026 年，我們期待在這方面做得更多，並朝著通用航空模式邁進更多步伐。

Got it. And then just in terms of some of your comments around AI, I mean, clearly, you're seeing a lot of customer interest here. Can you maybe help us understand like where the customer is in terms of their AI journey and also help us understand what that opportunity looks like for Qualys? So if you start selling more of these agentic products, AI sort of native products, how do we think about how that can impact sort of net retention going forward? Thank you.

知道了。然後，就您之前對人工智慧的一些評論而言，我的意思是，很明顯，您看到了客戶對此的濃厚興趣。您能否幫助我們了解客戶在人工智慧發展歷程中所處的階段，以及這對 Qualys 而言意味著什麼機會？所以，如果你開始銷售更多這類智慧產品、人工智慧原生產品，我們該如何看待這會對未來的淨留存率產生怎樣的影響？謝謝。

Sure. I think a lot of people talk about AI is embedded in their platform. I think where we differentiate ourselves is that what we have done is introduce the concept of AI agent marketplace within the platform, which allows the customers to actually augment their workforce, their security team, which we have talked about this for years, that there's never been enough talent in the security space.

當然。我認為很多人都在談論他們的平台已經嵌入了人工智慧。我認為我們與眾不同的地方在於，我們在平台內引入了人工智慧代理市場的概念，這使得客戶能夠真正增強他們的員工隊伍，他們的安全團隊。多年來，我們一直在談論這個問題，安全領域的人才一直都不夠用。

So the ability to get Agent Sara, who's an expert in patches data, the ability to get Agent Val, who's an expert agent with skill sets, that can autonomously make calculations and decisions on exploitation, remediation. So the ability to say, I want to employ this particular agent on the platform to achieve a task, which otherwise would take me weeks and months to hire a consultant to get that outcome.

因此，我們需要獲得擅長補丁數據的特工薩拉，以及擁有能夠自主計算和決策漏洞利用和修復技能的專家特工瓦爾。因此，我可以說，我想在平台上僱用某個特定的代理人來完成一項任務，否則我需要花費數週甚至數月的時間去聘請顧問才能達到這個結果。

What we've done with our agentic AI capabilities is not only have those built in throughout the platform, but with agentic AI, we can now actually have these agents that feel like they're really part of that team and they can help you get those outcomes. And the way we have really positioned this is that customers who are leveraging VMDR, they get a really high-quality list of findings. But then as they cross-sell into ETM, they get the ability to not only do the prioritization of these vulnerabilities, but they get the agentic AI capabilities, which then allow them to achieve different tasks. And as you look at how customers are thinking of headcount, et cetera, in the agentic AI world, these really help them get to those outcomes pretty quickly.

我們利用智能體人工智慧技術所做的，不僅在於將這些技術內建在整個平台中，而且在於借助智能體人工智慧，我們現在可以擁有感覺像是真正屬於團隊一部分的智能體，它們可以幫助您獲得這些結果。我們目前的定位是，使用 VMDR 的客戶可以獲得一份非常高品質的調查結果清單。但當他們交叉銷售 ETM 產品時，他們不僅能夠對這些漏洞進行優先排序，而且還能獲得智慧 AI 功能，使他們能夠完成不同的任務。當你觀察客戶在智慧人工智慧領域中如何考慮人員編制等問題時，你會發現這些功能確實能幫助他們很快地達到目標。

And then of course, in addition to that, with our local AI offering, we're also helping customers detect, find, and address vulnerabilities and misconfigurations that are coming up in the AI workload that they have.

當然，除此之外，透過我們的本地人工智慧產品，我們還可以幫助客戶檢測、發現和解決他們在人工智慧工作負載中遇到的漏洞和錯誤配置。

And so with that, we look forward to customers bringing more data around their own AI solutions into Qualys ETM. And we believe that the agent AI capabilities are a differentiator for customers to upgrade from or to cross-sell from VMDR into ETM as well as looking at some of the other exposure management solutions where they just give you a score. This will allow them to actually use an agentic AI to get patching done pretty fast and pretty quickly. And so we see that that differentiation can be the catalyst for us, for customers to pick ETM over some of those other exposure management solutions that out there.

因此，我們期待客戶將更多與其自身人工智慧解決方案相關的數據引入 Qualys ETM。我們相信，代理 AI 功能是促使客戶從 VMDR 升級或交叉銷售到 ETM 的一個差異化因素，同時也促使客戶考慮其他一些風險暴露管理解決方案，這些解決方案只是給出一個分數。這將使他們能夠真正利用智慧AI快速且有效率地完成修補工作。因此，我們看到這種差異化可以成為促使客戶選擇 ETM 而不是其他一些風險暴露管理解決方案的催化劑。

Thank you.

謝謝。

Kingsley Crane, Canaccord. ++

金斯利起重機，Canaccord。++

Hi. Congrats on the quarter. You answered some of this in the prior response, but we'd just love to hear more about how Agent Vals elevating ETM from an advocacy perspective and just how Agent Vals reducing total man hours at the customer level and how that's resonating with customers. Thanks.

你好。恭喜你本季取得佳績。您在先前的回覆中已經回答了其中的一些問題，但我們很想了解更多關於 Agent Vals 如何從倡導的角度提升 ETM，以及 Agent Vals 如何減少客戶層面的總工時，以及這如何引起客戶的共鳴。謝謝。

Thanks, Kingsley. I wish, unfortunately, the call is only an hour, but I could talk about this forever. But look, I think we have seen the history of this evolution, back when -- (inaudible) has done work with this, is like everybody's giving you theoretical scores, right, based on the vulnerability findings and CV, SS information that is out there.

謝謝你，金斯利。可惜通話時間只有一小時，不然我可以一直聊下去。但是，我認為我們已經看到了這種演變的歷史，早在——（聽不清楚）就從事這方面的工作，就像每個人都在根據現有的漏洞發現和CV、SS資訊給你給出理論分數一樣。

Unfortunately, a theoretical score does not actually mean that a high score does not mean that the customer may not have other controls in place that mitigate that actual exploit from working in their environment. They might have a firewall, they might have something else, memory protection that is enabled, that a typical scanner or a exposure management solution will not pick up.

不幸的是，理論得分並不能真正說明問題，高分並不意味著客戶沒有採取其他控制措施來減輕漏洞在其環境中造成的危害。它們可能設有防火牆，也可能啟用了其他記憶體保護功能，而普通的掃描器或曝光管理解決方案無法偵測到這些功能。

What Agent Val does is leverages that decision-making, autonomous decision-making process to basically look at the findings, look at the scoring, but then actually the ability to run a very safe exploit against the asset to confirm whether that vulnerability is actually exploitable in their environment, on their machine, or it is not. Not just a theoretical score.

Agent Val 所做的就是利用這種自主決策過程來查看調查結果和評分，然後實際上能夠對資產運行非常安全的漏洞利用程序，以確認該漏洞在他們的環境、他們的機器上是否真的可以被利用。不僅僅是理論分數。

And what typically happens is when the security team gives these scores to the IT team, they spend a lot of time trying to chase down these findings only to feel like, this was a false positive because look, we already have a control in place and a lot of time is wasted in arguing back and forth.

通常情況下，當安全團隊將這些分數交給 IT 團隊時，他們會花費大量時間去追查這些發現，結果卻發現這只是誤報，因為我們已經採取了控制措施，而且很多時間都浪費在了爭論上。

What the customers really want to be able to do is not waste their IT team's time on fixing things that actually are not exploitable in that environment. And the ability to for sure confirm by running an actual exploit in a safe manner that this is or is not exploitable means that the IT teams will be saving significant amount of time not chasing down ghost scores and will actually have an absolute confirmation that, yes, it is a very highly exploitable vulnerability, but I don't need to worry about it because I have other controls that are mitigating this, or it is highly exploitable, attackers are using it and I don't have a protection environment. So instead of just chasing scores, I can actually go and focus on fixing these and that's going to make it a lot safer.

客戶真正想要的，是不要浪費 IT 團隊的時間去修復那些在該環境中實際上無法被利用的問題。能夠透過以安全的方式運行實際的漏洞利用程序來確切地確認該漏洞是否可被利用，意味著 IT 團隊將節省大量時間，無需再去追踪虛假的漏洞評分，並且能夠真正獲得絕對的確認：是的，這是一個非常容易被利用的漏洞，但我無需擔心，因為我有其他控制措施來緩解它；或者它確實很容易被利用，攻擊者正在使用。這樣一來，我就不用只顧著追求分數，而是可以專注於解決這些問題，這會讓事情變得更安全。

So it's a significant time saving for the customer because of the agentic AI workflow. They can actually then significantly reduce the number of findings that they have.

因此，由於採用了智慧AI工作流程，客戶可以節省大量時間。這樣一來，他們實際上可以大幅減少需要發現的問題數量。

And the other thing is that once the exploit is confirmed on your environment, you don't have the time to create JIRA tickets and ServiceNow tickets to then have people go and manually make the remediation. As soon as you know that this is exploitable in your environment, confirm, you want to be able to use another agent to immediately take off remediation and get it fixed.

還有一點是，一旦確認您的環境中存在漏洞，您就沒有時間建立 JIRA 工單和 ServiceNow 工單，然後讓其他人去手動進行修復。一旦確定此漏洞在您的環境中可被利用，請確認您是否希望能夠使用另一個代理立即啟動修復程序並解決問題。

And you feel a lot more comfortable because now you have confirmed that this is exploitable. It's not theoretical, so people are going to want to also save time and not leave the exposure open for a long time by being able to run that exploit and then also automatically run that remediation. And you cannot show up for the AI fight today with your JIRA tickets and your ServiceNow tickets. You got to be able to do automation and autonomous decision-making to get things fixed, and that's the differentiator.

你現在感覺安心多了，因為你已經確認這是可以利用的漏洞。這並非理論上的，所以人們也希望節省時間，避免長時間暴露在風險之中，方法是能夠運行該漏洞程序，然後自動運行該修復程序。你不能帶著你的 JIRA 工單和 ServiceNow 工單來參加今天的 AI 之戰。你必須能夠實現自動化和自主決策來解決問題，這才是關鍵。

Yeah, it's really exciting times, and it's good that you're leading the way here. For Joo Mi, it's been a remarkable year for Qualys. You guided to 7% at the midpoint entering last year and you put up 10%, and now, you're guiding closer to 8% this year. How can we think about the levers for upside to growth this year? Thanks.

是的，這真是令人振奮的時刻，很高興你在這裡起到了帶頭作用。對於 Joo Mi 來說，Qualys 今年取得了非凡的成就。去年年初你預測年中收益率為 7%，實際收益率達到了 10%，而今年你預測的收益率接近 8%。今年我們該如何看待促進成長的槓桿作用？謝謝。

Yeah, 2025 was a solid year from an execution standpoint. It was a very exciting year for us with ETM having gone live at the end of 2024.

是的，從執行角度來看，2025 年是相當成功的一年。對我們來說，這是非常令人興奮的一年，因為 ETM 已於 2024 年底上線。

We've had a significant number of discussions with our existing customers in terms of how we can increase value without them having to double their spend initially with us. And so in doing that and working through our partners, what we were able to do is finalize our pricing and packaging for ETM and identify our key products that are going to be levers for growth in the short term and the long term going forward as well.

我們已經與現有客戶進行了大量討論，探討如何在不讓他們一開始就將支出翻倍的情況下增加價值。因此，透過與合作夥伴的合作，我們最終確定了 ETM 的定價和包裝，並確定了我們的關鍵產品，這些產品將成為短期和長期成長的槓桿。

So 2025, solid year with closing the year with another 10% growth for revenue, which we're really pleased about. Now, when it comes to current billings, it came in line as expectations from last quarter with 2025 current billings growth of 8%. That's slightly lower than the 9% that we posted back in 2024 for current billing.

所以 2025 年是穩健的一年，年底營收又成長了 10%，我們對此非常滿意。就目前的帳單而言，它與上一季的預期相符，2025 年目前的帳單增加了 8%。這比我們在 2024 年公佈的當前計費比例 9% 略低。

So looking ahead to 2026, I think that's kind of more or less in line with what the baseline case is for us. Looking out, our guidance is really informed by what we see in the business today, the discussions that we're having, what we expect from the macro, and then the spending environment.

展望 2026 年，我認為這與我們的基本預期基本一致。展望未來，我們的指導意見主要依據我們目前在商業領域看到的狀況、我們正在進行的討論、我們對宏觀經濟的預期以及消費環境。

With that said, we do anticipate significant upside given what Sumedh just covered. We have very exciting product discussions with existing customers as well as prospects. I think that we've gone ahead and really leveraged our innovation and our power to really deliver what the customers are looking for and what the market is looking for. So we're excited about the outlook, but with that said, the baseline still remains to be around 7% to 8%.

綜上所述，鑑於 Sumedh 剛才提到的內容，我們預計會有很大的上漲空間。我們與現有客戶和潛在客戶就產品展開了非常令人興奮的討論。我認為我們已經充分利用了我們的創新能力和實力，真正滿足了客戶和市場的需求。所以我們對前景感到興奮，但即便如此，基準線仍然在 7% 到 8% 左右。

Rahul Chopra, Berenberg.

Rahul Chopra，貝倫貝格。

Yes, thank you. have a couple of questions. I mean, I appreciate these are not your estimates. But if I look at 2023 market share data which you gave, at that time you had market, total market is $64 billion. In the current deck, you are talking about $53 billion market for 2026. At the same time, I can see previously, you had '28 market of, I think something around $79 million, $78 billion. Now, '29 market is $75 billion.

是的，謝謝。我還有幾個問題。我的意思是，我知道這些不是你的估價。但是，如果我查看您提供的 2023 年市場份額數據，當時您的市場份額，總市場規模為 640 億美元。在目前的簡報中，你們談到的是 2026 年 530 億美元的市場規模。同時，我之前看到，你們的 2028 年市場規模大約在 7,900 萬美元到 780 億美元之間。現在，2929 年的市場規模為 750 億美元。

My question here is that basically, is the core market shrinking for VM and exposure management? I appreciate these are not your estimates, but I want to understand what you're thinking about the core estimates in terms of the market itself, what is it doing? One.

我的問題是，虛擬機器和風險敞口管理的核心市場是否正在萎縮？我知道這些不是您的預測，但我希望了解您對核心預測的看法，以及市場本身的趨勢。一。

The second question is, I wanted to understand your thoughts about the competitive landscape (inaudible), especially given the ServiceNow is acquiring Armis, obviously, that's going to probably change some dynamics. So we wanted to hear your thoughts on that, please. Thank you.

第二個問題是，我想了解您對競爭格局的看法（聽不清楚），特別是考慮到 ServiceNow 正在收購 Armis，顯然，這可能會改變一些格局。所以，我們想聽聽您對此的看法。謝謝。

Sure. I think I've been in this quality for 20-something years and vulnerability management has definitely changed. And if you recall, we've been talking about that as the number of assets has increased, the number of CVEs and software has increased. We're seeing that customers in the traditional way that vulnerability scanning was done is just generating way too much noise and vulnerability management has evolved, which we have called out many times and that's the reason the last few years, we've been focusing on shifting and focusing on the solutions that customers actually are looking for.

當然。我從事這個行業已經二十多年了，漏洞管理肯定已經改變了。如果你還記得的話，我們一直在討論這個問題，因為資產數量增加了，CVE 和軟體的數量也增加了。我們發現，客戶仍沿用傳統的漏洞掃描方式，這會產生太多噪音。漏洞管理已經發生了變化，我們多次強調了這一點。正因如此，在過去的幾年裡，我們致力於改變思路，專注於客戶真正需要的解決方案。

So as an example, when we innovated with patch management, we're the first vendor to do that. And even today, we're not seeing really much traction with others in patch management.

舉例來說，當我們在補丁管理方面進行創新時，我們是第一個這樣做的供應商。即使是今天，我們在補丁管理方面也沒有看到其他方面取得太大進展。

Yeah, it's not just vulnerability management doesn't mean you just scan and scan and scan if you cannot get it fixed. And so as that evolved, we innovated, we came up with patch management as a capability, we came up with cybersecurity asset management that was needed for a successful VM program. Now, we have expanded that capability with agentic AI with ETM because that's really what customers are looking for is how do you continue to triage that.

是的，漏洞管理不僅僅是指在無法修復漏洞的情況下進行無休止的掃描和掃描。隨著技術的發展，我們不斷創新，提出了修補程式管理功能，提出了網路安全資產管理功能，這是虛擬機器計畫成功實施所必需的。現在，我們利用 ETM 的智慧 AI 擴展了這項能力，因為客戶真正想要的是如何繼續進行分類。

And then adding the layer of validation is another game changer in our mind from a vulnerability management perspective. And then along the way, we've also focused on how do we bring total cloud, which is a CNAPP solution that we have, which we're very happy with the traction that we're seeing with that we're coming up with agentic AI.

從漏洞管理的角度來看，我們認為增加驗證層是另一個顛覆性的變革。此外，我們也專注於如何實現完全雲端化，這是我們的 CNAPP 解決方案，我們對目前的進展感到非常滿意，因為我們正在開發智慧人工智慧。

So for us, it is about how do we continue to track the areas that customers are focusing on and then how do we maximize our share of that spend that they have. And that's what you're seeing the progression in the innovation that we are going. And it's great to see that there is a focus and attention on the CTEM exposure management marketplace, as you mentioned, the ServiceNow buying Armis, which has been around for a long time, using passive capabilities to detect asset inventory, et cetera.

所以對我們來說，關鍵在於如何持續追蹤客戶關注的領域，以及如何最大限度地提高我們能從他們的消費中獲得多少份額。這就是你所看到的，我們正在朝著創新方向發展。很高興看到大家對 CTEM 風險敞口管理市場給予了關注，正如您所提到的，ServiceNow 收購了 Armis，Armis 已經存在很長時間了，它利用被動功能來檢測資產清單等等。

But the reality, again, is that today, customers don't want just more vulnerability findings from these solutions that don't actually help you fix anything. And so what we are looking forward to is again, autonomous workflows leveraging agentic AI to get customers to fix things quickly, as you saw in the recent Mandiant report that the mean time to remediate oh over the last five years has gone from 63 days to negative 1 day.

但現實情況是，如今的客戶並不希望這些解決方案僅僅提供更多漏洞發現，而實際上並不能幫助您解決任何問題。因此，我們期待的是，利用智慧AI實現自主工作流程，讓客戶能夠快速解決問題。正如您在最近的Mandiant報告中看到的那樣，過去五年中，平均修復時間已從63天縮短至-1天。

So today again, with solutions like that, ServiceNow, Armis, and other solutions, do you have the time to create ServiceNow tickets and chase people down while attackers are having a free time exploiting your vulnerabilities.

所以，如今有了 ServiceNow、Armis 等解決方案，你還有時間建立 ServiceNow 工單並追蹤問題嗎？同時，攻擊者有時間利用你的漏洞。

So what we feel pretty excited about with our customer conversations is the differentiation that we have that is allowing them to very quickly and accurately get to the things that actually matter to their business, put dollar value loss quantification numbers on it, get the validation, get the vulnerabilities fixed, and that is allowing us to differentiate and that's where a lot of the conversations we're seeing are very positive in the focus of not just another exposure management solution but moving towards a risk operation center.

因此，我們與客戶的交流讓我們感到非常興奮，因為我們擁有的差異化優勢能夠幫助他們快速準確地找到對業務真正重要的事情，量化損失的美元價值，進行驗證，修復漏洞，這使我們能夠脫穎而出。我們看到的許多對話都非常積極，重點不僅僅是另一個風險敞口管理解決方案，而是朝著風險營運中心的方向發展。

And so our goal here is that of course security market keeps changing, et cetera. We're bringing solutions that we are looking forward to maximizing the share of the customer's spend focused on the pre-breach side of the security and not necessarily the post-breach side.

因此，我們的目標是，當然，安全市場一直在變化等等。我們正在推出一些解決方案，我們期待這些方案能最大限度地提高客戶支出在安全漏洞發生前的預防方面所佔的比例，而不是漏洞發生後的補救方面。

Okay, understood. Thank you very much.

好的，明白了。非常感謝。

Nehal Choksh, Northland Capital.

內哈‧喬克許 (Nehal Choksh)，北國首都。

Yeah, thank you. And nice color there on why the Armis acquisition by ServiceNow won't be impactful. It sounds like a key portion here is that basically they're lacking patch management. So can you dive a little bit further here and explain why patch management has remained such a differentiator for Qualys here.

是啊，謝謝。文中對 ServiceNow 收購 Armis 不會產生影響的原因進行了很好的分析。聽起來關鍵在於他們缺乏修補程式管理。那麼，您能否更深入地探討一下，解釋為什麼修補程式管理一直是 Qualys 的獨特優勢？

Yeah, thank you. I think today ,if you see, people are finding millions and millions of finding and the IT team does not want to be spending all their time in sort of innovating, going out, and fixing so many vulnerabilities without the proper context. And so what we're seeing is that, and we talked about this a couple of months ago, the Qualys agents have been able to deploy 140 million patches just in the last 12 months. And in one of the recent GigaOm reports, we replaced this as the number one patch management vendor by the analyst.

是啊，謝謝。我認為，如今人們發現了數以百萬計的漏洞，而 IT 團隊並不想把所有時間都花在創新、外出和修復如此多的漏洞上，卻缺乏正確的背景資訊。因此，我們看到的情況是，正如我們幾個月前討論過的那樣，Qualys 代理在過去 12 個月中已經部署了 1.4 億個修補程式。在最近的一份 GigaOm 報告中，我們取代了它，成為分析師選出的第一大補丁管理供應商。

And so the reason why we're getting so much traction is that in the past, when I remember when I joined Qualys, scanning one supporter and taking 30 days to fix all your issues was considered okay. Today, when the attackers are attacking you within three, four, five hours of the vulnerabilities being disclosed, you need that ability to quickly correlate, we figure out that it doesn't matter to your business or that it's not exploitable in your environment and actually get it fixed.

因此，我們之所以能獲得如此大的進展，是因為在過去，我記得我剛加入 Qualys 的時候，掃描一個支持者並花 30 天時間解決所有問題被認為是可以接受的。如今，攻擊者會在漏洞披露後的三、四、五個小時內對你發起攻擊，你需要具備快速關聯分析的能力，才能確定該漏洞對你的事業無關緊要，或者在你的環境中無法被利用，並最終將其修復。

And so our success with patch management really has been a highly integrated solution with VM and not just a partnership where you're going out with some other separate solution and trying to bridge that gap. It's highly integrated solution that is quickly able to not only detect the vulnerability of find whether it is actually exportable in your environment, but then, within a matter of minutes, it can actually fix and patch that particular issue.

因此，我們在修補程式管理方面的成功，實際上是與虛擬機器高度整合的解決方案，而不僅僅是與其他獨立解決方案建立合作關係，試圖彌合兩者之間的差距。這是一個高度整合的解決方案，它不僅能夠快速檢測漏洞，找到它是否真的可以在您的環境中導出，而且，在幾分鐘內，它還可以修復和修補該特定問題。

And so what we're excited about is the success of patch management the last few couple of years, but also what we did end of last year is moved even further into providing customer more abilities to mitigate the risk of the vulnerability without patching. And I like to call it patchless patching, which is applying mitigating controls on the machine, which has given even more flexibility to our customers because sometimes, you're worried about a patch breaking, something -- how do you balance the worry of patch breaking something with the worry of getting exploited.

因此，我們感到興奮的是，過去幾年補丁管理取得了成功，而且我們在去年底所做的工作也進一步為客戶提供了更多能力，讓他們能夠在不打補丁的情況下降低漏洞風險。我喜歡稱之為無補丁修補，即在機器上應用緩解控制措施，這為我們的客戶提供了更大的靈活性，因為有時，你會擔心補丁會破壞某些東西——你如何平衡擔心補丁會破壞某些東西和擔心被利用之間的矛盾。

And many times because of our super deep research in the threat research landscape with our research analysts, we actually are able to figure out the way exploits are working and then find ways to apply mitigations on the machine so that the actual exploit can be blocked. So at the end of the day, what is the point of all the spend you do in vulnerability scanning is to get the right things fixed before the attackers get there.

很多時候，由於我們的研究分析師對威脅研究領域進行了非常深入的研究，我們實際上能夠弄清楚漏洞利用的運作方式，然後找到在機器上應用緩解措施的方法，從而阻止實際的漏洞。所以歸根結底，你在漏洞掃描上投入的所有資金的意義在於，在攻擊者到達之前修復正確的問題。

So the majority of the value that comes in that overall spend is really about the patching part. If you do not patch it, you can build all kinds of dashboards and there's a dashboard tourism going on right now, but those dashboards don't mean anything if you don't actually get it fixed before the attackers get to it.

因此，這筆總支出的大部分價值實際上都體現在修補部分。如果不打補丁，你可以建造各種各樣的儀錶板，現在也出現了儀錶板旅遊的現象，但是如果你在攻擊者得逞之前沒有真正修復它，那麼這些儀錶板就沒有任何意義。

Okay, thank you. And Joo Mi, are there any headwinds leading to expectation of no change in NDR in your calendar '26 guidance -- that's embedded in your calendar '26 guidance?

好的，謝謝。Joo Mi，您認為在2026年業績指引中，NDR不會發生變化，是否有任何不利因素導致這項預期？ （這部分內容已包含在您的2026年業績指引中。）

Yeah, our guidance is -- assuming no material change in net dollar expansion rate, you could see that it's always kind of gone up a quarter or down a quarter in the past couple of years. And right now, being starting out the year ending 2025 at 103, we don't anticipate a material change at that rate.

是的，我們的指導方針是——假設美元淨擴張率沒有實質變化，你可以看到，在過去幾年裡，它總是上下波動，有時上升一個季度，有時下降一個季度。而現在，到 2025 年末，全球人口為 103 人，我們預期以這個速度不會發生實質變化。

But why is that? Why are you expecting no change?

但這是為什麼呢？為什麼期望一切照舊？

Our guidance is informed by what we're seeing in the pipeline today and what we're expecting based on our existing customers, what they anticipate by moreover how they're thinking about spending more with Qualys in 2026. Our preliminary discussions and view into the outlook today implies that assuming kind of similar inline gross dollar retention, the expectations from an upsell standpoint, and then of course a new business. What we expect to land from a local perspective. This is all informing our guidance and the way we look at things.

我們的指導意見是基於我們目前在產品線中看到的情況，以及我們根據現有客戶、他們的期望以及他們考慮在 2026 年如何增加與 Qualys 的合作支出而做出的預期。我們目前的初步討論和對前景的看法表明，假設毛收入留存率與之前大致相同，那麼從追加銷售的角度來看，以及當然還有新業務方面，預期情況都是如此。從當地角度來看，我們預期會達到怎樣的成果。所有這些都影響著我們的指導方針和我們看待事物的方式。

And that's the base case. Our goal will be to continue to improve our execution on the ETM and ROC. The customer is getting to know that and that to me remains the upside for the business is with the federal -- now with our federal empire that we got and the federal space partners, et cetera. So I think that's kind of where we are with just assuming 103 as we see it right now, but do we continue to work on the upsides in the business that we can potentially have.

這是基本情況。我們的目標是繼續改進我們在 ETM 和 ROC 方面的執行情況。客戶逐漸意識到這一點，對我來說，企業的優勢仍然在於與聯邦政府合作——現在我們擁有了聯邦帝國和聯邦太空合作夥伴等等。所以我覺得這就是我們目前所處的境地，假設我們目前看到的是 103 這個數字，但是我們是否應該繼續努力尋找業務中可能存在的成長點呢？

So does that imply that your expectation, the baseline expectations at EPM, incremental penetrations to install base continues at this relatively slow pace that we're not hitting an inflection point yet?

那麼，這是否意味著您（EPM）的預期，即安裝基礎的逐步滲透率繼續以相對緩慢的速度增長，以至於我們還沒有達到轉折點？

I think it's very early. Like we said at the end of the last year where we had started with POCs, we're super encouraged with what we are seeing with the POCs and the conversion that we're having. But again, it's very early, we're talking about customers that are early adopters. So it's encouraging, but we're not -- we haven't had enough of those to really map out a confirmed trajectory of how that is going to go. So I think as we execute better in the first couple of quarters, that's where we will get to understand even better now.

我認為現在還為時過早。正如我們在去年年底開始進行概念驗證時所說，我們對概念驗證的結果以及我們正在取得的轉換率感到非常鼓舞。但再次強調，現在還處於非常早期的階段，我們談論的是早期採用者客戶。所以這令人鼓舞，但是我們還沒有足夠多的案例來真正規劃出一條確定的發展軌跡。所以我認為，隨著我們在前幾個季度執行得更好，我們就能更好地理解這一點。

That's where, as Joo Mi has talked about in the past, we will start to provide guidance on how ETM is going to -- how ETM is going for us starting the Q1 earnings call for 2026. And so that will allow you to sort of track where we're starting and then how we're going to expand through the next couple of years on that big opportunity that we see right now.

正如 Joo Mi 過去所談到的那樣，我們將從 2026 年第一季財報電話會議開始，就 ETM 的發展方向提供指導——ETM 的發展方向將如何對我們產生影響。這樣一來，您就可以大致了解我們的起步階段，以及在接下來的幾年裡，我們將如何抓住目前看到的巨大機遇，實現擴張。

Okay, thank you.

好的，謝謝。

Rudy Kessinger, D.A. Davidson.

魯迪·凱辛格，D.A.戴維森。

Hey, great. Thanks for taking my question. Joo Mi, I think you said in response to one of Jonathan's questions earlier, I think you said baseline remains around 7% to 8%. I'm not sure if you were referring to the revenue guide for this year or if that was also your expectation for -- roughly what we should expect for current calculated billings for the year.

嘿，太好了。謝謝您回答我的問題。Joo Mi，我想你之前在回答Jonathan的一個問題時說過，基線仍然在7%到8%左右。我不確定您指的是今年的收入預期，還是指我們對今年目前計算出的帳單金額的大致預期。

I would say that we don't give a specific guidance for our current sales. But our expectation is our current billings growth rate will be more or less in line with our revenue growth rate of 7% to 8% for both for full year 2026.

我想說的是，我們目前沒有針對銷售情況給予具體指引。但我們預計，到 2026 年全年，我們目前的帳單成長率將與 7% 至 8% 的營收成長率大致持平。

Yeah. Okay. Got it. And then just maybe kind of a follow-up to the past question. Certainly, it sounds like there's a lot of optimism about the early ETM interest and adoption and whatnot. But at the same time, it's still just being too early to maybe drive an improvement in the net expansion rate or the overall revenue growth rate.

是的。好的。知道了。然後，也許可以算是對先前問題的後續提問。顯然，大家對早期 ETM 的興趣和採用等等方面都抱持著很大的樂觀態度。但同時，現在就推動淨擴張率或整體收入成長率的提高還為時過早。

And I guess just I don't -- we've been hearing that for a few quarters now. Is -- I mean, what needs to go right, whether it's with the channel or utilizing QFlex? Is there a potential that this year we could see enough adoption that we do see expansion rate tick up or revenue accelerate, or is that unlikely just based on the current pipeline?

我想我只是不這麼認為——我們已經連續幾季聽到這種說法了。我的意思是，無論是透過管道還是利用 QFlex，哪些環節需要正確操作？今年是否有可能出現足夠的市場接受度，推動擴張速度加速或營收加速成長？還是說，僅從目前的市場前景來看，這種情況不太可能發生？

Yeah. I mean, all of that needs to go right. I think we're -- I think we've done a lot of innovation. The products are coming out now, which is great. The Agent Val is going to be very interesting for us and the recent identity solution is also very interesting.

是的。我的意思是，所有這些都必須順利進行。我認為我們——我認為我們已經做了很多創新。產品現在陸續上市了，真是太好了。Agent Val 對我們來說非常有趣，最近推出的身份解決方案也非常有趣。

I think a key part of our strategy definitely has been working partners. And so as an example, one of the key areas of focus right now where we are certifying more MRO partners as an example. And we are getting these partners up to speed, and we're getting the partners trained and helping them create their offerings around the risk operation center.

我認為我們策略的關鍵部分無疑是與合作夥伴攜手共進。例如，我們目前的一個重點領域是認證較多的MRO合作夥伴。我們正在幫助這些合作夥伴快速上手，對他們進行培訓，並幫助他們圍繞風險營運中心創建產品和服務。

And the idea here really is that these partners then with those services actually can bring us net new business can bring us upsell opportunities because they don't have to have a replacement conversation maybe with the existing vendor that they might have been selling for the last couple of years.

這裡的想法是，這些合作夥伴及其提供的服務實際上可以為我們帶來新的業務，可以為我們帶來追加銷售的機會，因為他們不必與過去幾年一直在銷售的現有供應商進行替換談判。

They can actually create a service for risk management with MRO on top of their existing VM solution, as an example, by pulling that data into Qualys and then ETM and then charging the customer for the management and the consolidation of their various risk factors, et cetera. So that's an area that we are looking forward to as that matures and as we are in the early days of getting those partners up to speed once those partners then start to take those offerings to their customers, that response will also help us see how that is gaining traction.

例如，他們可以在現有的 VM 解決方案之上，透過 MRO 將資料匯入 Qualys 和 ETM，然後向客戶收取管理和整合其各種風險因素等的費用，從而創建風險管理服務。所以，隨著該領域的成熟，我們對此充滿期待。目前我們正處於讓合作夥伴快速跟上步伐的初期階段，一旦這些合作夥伴開始向他們的客戶提供這些產品，他們的回饋也將幫助我們了解該產品是如何獲得市場的。

Again, early conversations have been great. We've got to see that in the way that these customers -- these partners are bringing us some of their business. I think QFlex has been really a positive thing for when we are taking a customer who has VMDR and then converting over to ETM. That has actually been a really positive thing for customers so that they can kind of build in or certain amount of growth, and they can look at the ability to take the journey of a risk operation center at that pace.

再次強調，早期的溝通非常順利。我們必須從這些客戶——這些合作夥伴為我們帶來業務的方式來看待這個問題。我認為，對我們來說，當客戶擁有 VMDR 系統並需要將其轉換為 ETM 系統時，QFlex 確實發揮了積極作用。實際上，這對客戶來說是一件非常積極的事情，因為他們可以逐步實現一定程度的成長，並且能夠以這樣的速度推進風險營運中心的發展。

And then, of course, we just got our FedRAMP high end of last year, so that's allowed us to have more conversations for the 2026 budget cycle for federal that obviously were not in line in time for 2025. So those conversations after FedRAMP high for '26, '27 are also going to be quite interesting for us. as potential upside.

當然，去年年底我們才拿到了 FedRAMP 的上限，這讓我們能夠就 2026 年聯邦預算週期進行更多討論，而這些討論顯然在 2025 年之前都無法完成。因此，在 FedRAMP 達到 2026 年和 2027 年的高點之後，相關的討論對我們來說也將非常有趣，因為有潛在的上漲空間。

And so I think as Joo Mi has provided sort of the guidance that we see as of now, we're excited about some of these things that can potentially create the opportunity for us to do better than that.

所以我覺得，鑑於 Joo Mi 目前提供的指導，我們對其中一些事情感到興奮，這些事情可能會為我們創造機會，讓我們做得更好。

Matthew Hedberg, RBC Capital.

Matthew Hedberg，RBC Capital。

Hey, guys. This is Mike Richards on for Matt. Thanks for taking the question. Keeping a little high level here, Anthropic's new model release today put an emphasis on cybersecurity and specifically the model's performance for vulnerability discovery and patching. So I was just wondering if you could talk about what you believe these developments mean for Qualys and maybe the cybersecurity industry more broadly as model providers, you know, look to potentially go deeper into cybersecurity. Thanks.

嘿，夥計們。這裡是麥克理查茲，替馬特報道。感謝您回答這個問題。簡單來說，Anthropic 今天發布的新型號重點在於網路安全，特別是該型號在漏洞發現和修補方面的效能。所以我想知道，您能否談談您認為這些發展對 Qualys 以及更廣泛的網路安全產業意味著什麼，因為模型供應商可能會希望更深入地涉足網路安全領域。謝謝。

Yeah, great question. I think today's announcement was great in terms of that understanding the fact that autonomous AI during the coding process or when you look at the code of a software and pointing agentic AI to that is definitely something that the attackers are looking to leverage and they're leveraging as well to be able to discover vulnerabilities in the code base.

嗯，問得好。我認為今天的公告意義重大，因為它讓我們理解了這樣一個事實：在編碼過程中或查看軟體程式碼時，將自主人工智慧指向該程式碼，這無疑是攻擊者想要利用並正在利用的東西，以便發現程式碼庫中的漏洞。

Now, having the ability to discover a vulnerability in an open source code is one thing, which is what Anthropic is helping, but once you find that this particular code has a particular vulnerability that could be exploited, you need to go find all of the machines running that software all over the customer's environment internally, externally, and then the ability to test that after all the controls that the customer has put in place in their environment on that machine, is that actually exploitable each individual customer's environment in each individual customer's machine?

現在，能夠發現開源程式碼中的漏洞是一回事，這也是 Anthropic 正在幫助實現的，但是一旦你發現某個特定程式碼存在可被利用的特定漏洞，你就需要找到客戶環境中所有運行該軟體的機器（包括內部和外部），然後在客戶環境中針對每台機器實施的所有控制措施之後，測試該漏洞是否真的可以被利用。

And that's the part where I think this Anthropic development actually really helps, again, stress the reason why after a particular vulnerability is discovered and exploit is discovered, why it is important to use an ETM agentic AI type solution to very quickly validate that in your environment and then actually fix it and apply a fix autonomously because when you're using AI to find these particular vulnerabilities and attackers are using the same model, they are going to try to do their best to very quickly exploit those.

我認為 Anthropic 的這項開發確實在這方面有所幫助，再次強調了在發現特定漏洞和利用方法後，為什麼使用 ETM 智能 AI 解決方案快速驗證其在您的環境中的有效性，然後自動修復並應用修復程序非常重要，因為當您使用 AI 來發現這些特定漏洞時，攻擊者也使用相同的模型，他們會盡力快速利用這些漏洞。

What we feel is we are empowering our customers with ETM and with somebody like Agent Val to actually stay ahead of the gap between discovery of a vulnerability to the exploitation that we can actually leverage ETM with agentic -- Val to then actually find this issue in their specific environment on their specific machine and then protect them very quickly by actually being able to patch that. And so that's really the main differentiator.

我們認為，透過 ETM 和像 Agent Val 這樣的工具，我們能夠賦能客戶，讓他們在發現漏洞和利用漏洞之間保持領先。我們可以利用 ETM 和 Agent Val 在客戶的特定環境中找到問題，並透過快速修補漏洞來保護他們。所以這才是真正的主要差異。

I think in a way it's great to show the power of what AI is able to provide for the attackers to find issues in open source and then it signifies even more the value of the ETM platform to actually find that during the runtime and not just in the code base as Anthropic is doing today.

我覺得從某種意義上說，這很好地展現了人工智慧能夠為攻擊者提供的力量，讓他們能夠發現開源軟體中的問題，這更凸顯了 ETM 平台的價值，它能夠在運行時發現這些問題，而不僅僅是像 Anthropic 目前所做的那樣在程式碼庫中發現。

Thank you.

謝謝。

Patrick Colville, Scotiabank.

派崔克‧科爾維爾，加拿大豐業銀行。

Thanks. This is [Joe Vandergon] for Patrick Colville. Sumedh, can you help us understand, I know you kind of touched on this, but can you help us just better understand the strategy you're taking to get customers to adopt not just vulnerability management, but also prioritization and patch management?

謝謝。這是喬·范德貢（Joe Vandergon）為帕特里克·科爾維爾（Patrick Colville）所做的演講。Sumedh，你能幫我們理解嗎？我知道你之前已經稍微提到過這一點，但你能幫我們更好地理解你正在採取的策略，讓客戶不僅採用漏洞管理，還採用優先排序和補丁管理嗎？

And then I'm wondering, is there a way to think about what percentage of the customer base is just using that basic functionality of vulnerability management?

然後我就在想，有沒有辦法計算出有多少比例的客戶群僅僅在使用漏洞管理的基本功能？

Yeah, great question. I think if you look at what we have been doing with patch management, by the way, and if you look at, we're very happy to see the adoption of patch management, cybersecurity, asset management as the capabilities that take that (inaudible) VMDR and add more execution around execution for success around those lists of CVEs. We're pretty happy and excited to see that.

嗯，問得好。我認為，如果你看看我們一直在做的修補程式管理工作，順便說一句，我們非常高興地看到修補程式管理、網路安全、資產管理等能力得到採用，這些能力使得 VMDR 能夠圍繞 CVE 清單進行更多執行，從而取得成功。我們對此感到非常高興和興奮。

So today, with the ability to provide customers with things like average exposure window, the ability to provide customers the way that that particular vulnerability actually impacts their particular environment. As an example, your typical threat exposure management solutions will give you a score, a risk score, and they will say that this particular issue has a risk or this particular asset has a risk score of 900 on 1,000, and another one has a 750 on 1,000. Which one will you fix first?

因此，如今我們能夠向客戶提供平均暴露窗口等信息，能夠向客戶提供特定漏洞實際影響其特定環境的方式。例如，典型的威脅暴露管理解決方案會給予一個分數，即風險分數，並指出某個特定問題有風險，或某個特定資產的風險分數為 900（滿分 1000），而另一個資產的風險分數為 750（滿分 1000）。你打算先解決哪個問題？

If you just go by the risk score as an example, you're going to see that maybe that risk score of 900 on the 1,000 is on a machine that makes you $2 million a year, but the 750 is one that makes you $500 million a year. Immediately your prioritization switches and is exactly the opposite of what your exposure management solution gave you because now you added a dollar value.

如果僅以風險評分為例，你會發現，風險評分為 900（滿分為 1000）的機器每年能為你帶來 200 萬美元的收入，而風險評分為 750 的機器每年能為你帶來 5 億美元的收入。你的優先順序立即發生了變化，這與你的風險敞口管理解決方案給你的結果完全相反，因為現在你增加了金錢價值。

And once you have that and you know that you're potentially going to have a loss of $500 million because of the exploit of this vulnerability, the next thing that customers want to be able to do is how quickly can I protect myself from making sure that I don't lose that $500 million.

一旦你意識到，由於這個漏洞的利用，你可能會損失 5 億美元，那麼客戶接下來最想做的就是如何盡快保護自己，確保自己不會損失這 5 億美元。

And that's where an integrated patching and integrated mitigation solution like Wallace is super impactful for them because now they don't waste time because once attackers are starting to exploit vulnerabilities, it is just a -- you're sitting duck with an open window and the quicker you can close that window, the better it is going to be. And our customers are really seeing that, that's why the adoption of patch management has been increasing 140 million patches in the last one year is quite a milestone for us. And the ability to sort of give them that visibility to say that, you can -- with this platform, you're not just exposing your exposure, you're actually fixing it is a great story.

正因如此，像 Wallace 這樣的整合修補程式和整合緩解解決方案對他們來說才如此重要，因為現在他們不會浪費時間了。一旦攻擊者開始利用漏洞，你就如同一個敞開的窗口，隨時可能被攻擊，你越快關閉這個窗口，情況就會越好。我們的客戶確實看到了這一點，這就是為什麼補丁管理的採用率不斷提高的原因。過去一年 1.4 億個補丁對我們來說是一個相當大的里程碑。能夠讓他們有機會表達這一點，那就是——有了這個平台，你不僅可以暴露自己的問題，還可以真正解決問題，這是一個很棒的故事。

And our partners are also excited about the ability to not just provide services around more visibility. The ability to actually be the partner for the customer that gets them an outcome of actually the risk reduced is a differentiator. And that's kind of where we are looking forward to continuing our innovation around the exploit validation and the mitigation and patch management solution, as well as awareness building around the risk cooperation center is an area for focus for us.

我們的合作夥伴也對能夠提供更多可見性相關的服務感到興奮。能夠真正成為客戶的合作夥伴，幫助客戶降低風險，這才是真正的差異化優勢。而這正是我們期待繼續在漏洞驗證、緩解和修補程式管理解決方案方面進行創新的地方，同時，提高人們對風險合作中心的認識也是我們關注的重點領域。

And then along the way, risks come from cloud. They come from your standard virtual machines, they come from cloud, that's where we have vocal cloud, they come from identities, have ISPM for that, they come from misconfigurations, and we have policy audit for that, they come from AI now, for which we have (inaudible) AI as an example. So we continue to expand ways to bring more assets into ETM, at the same time we continue to innovate on ways to absolutely get to the final outcome of actually reducing risk with automation and agentic AI as much as you can. And that honestly is really in my mind a big, big differentiator.

然後，在此過程中，風險也來自雲端運算。它們來自標準虛擬機，來自雲端（我們有語音雲），來自身分（我們有 ISPM），來自配置錯誤（我們有策略審計），現在也來自人工智慧（我們有（聽不清楚）人工智慧作為範例）。因此，我們不斷拓展將更多資產引入 ETM 的方法，同時不斷創新，力求透過自動化和智慧 AI 盡可能地降低風險，最終實現這一目標。說實話，在我看來，這確實是一個非常大的差異。

That makes sense. And if I could sneak in one more, I think you mentioned that you're still in beta testing for QFlex and that you're going to leverage it for select partners. Is that just timing or are you not planning to go customer wide with that pricing model?

這很有道理。如果我能再補充一點，我想您曾提到 QFlex 目前仍在進行 beta 測試，並且您將將其用於部分合作夥伴。這只是時間安排上的差異，還是你們不打算對所有客戶都採用這種定價模式？

Yeah, we went on data with QFlex last year, and so we understand that how we could be very additive to the code of customers. So we're it out on a case by case basis because we want to create a win-win scenario for us, right?

是的，我們去年與 QFlex 合作進行了數據分析，因此我們了解我們如何為客戶的程式碼帶來很大的增益。所以我們會根據具體情況逐案處理，因為我們想創造一個對我們雙方都有利的雙贏局面，對吧？

For customers who we feel like they would really benefit and increase their spend with us by giving them this flexibility, we're more than happy to work with them through whether it's through a partner or directly with us.

對於我們認為透過提供這種靈活性能夠真正受益並增加在我們這裡消費的客戶，我們非常樂意與他們合作，無論是透過合作夥伴還是直接與我們合作。

For broadly speaking, we don't want to be in a situation where unintentionally it results in a down sell for us and then also they don't have the ability to try out other products because they're maximizing their budget and thinking through it from that perspective. So right now it's in beta, but in the longer term, we do plan on going to GA with that and potentially with a slightly tweaked structure.

總的來說，我們不希望這種情況發生：無意中導致我們的產品降價銷售，而且由於客戶正在最大限度地利用預算並從這個角度考慮問題，他們也沒有機會嘗試其他產品。所以目前它還處於測試階段，但從長遠來看，我們計劃將其推向正式版，並可能對其結構進行一些調整。

Thank you.

謝謝。

Yun Kim, Loop Capital.

Yun Kim，Loop Capital。

All right, thank you. Sumedh, I think you already touched upon some of my questions already. But how engaged are partners involved in core VM renewals? Or are they, for a lot of them, the newer partners that you attracted last year, are they more about selling new products?

好的，謝謝。Sumedh，我覺得你已經觸及我的一些問題了。但合作夥伴在核心虛擬機器續約的參與度如何？或者，對他們中的許多人來說，他們是你去年吸引的新合作夥伴，他們更專注於銷售新產品嗎？

Yeah. The mROC partners that we work with are pretty excited. We're starting to see these partners launch their own services for risk operation center, which obviously takes some time because they have to come up with the brochures for the services, staff them with the right experts for this quantification, et cetera.

是的。我們合作的mROC合作夥伴都非常興奮。我們開始看到這些合作夥伴推出自己的風險營運中心服務，這顯然需要一些時間，因為他們必須制定服務手冊，配備合適的專家進行量化等等。

But what they are excited about is that instead of just looking at, know, can I get another $0.05, $0.10 of margin on $1, the ability to say that with ROC, they can actually offer shire value services. The service you can offer to a CISO is, hey, we're going to give you a business-oriented cyber risk visibility deck that you can take to your Board every quarter. That's going to make you look very smart in front of the Board. It's a significant value, and they can charge multiple dollars as an example for those services around ETM, which they cannot necessarily do around other areas.

但他們感到興奮的是，他們不再只是考慮“我能否在 1 美元上再賺取 0.05 美元、0.10 美元的利潤”，而是能夠透過 ROC 提供真正有價值的服務。您可以向首席資訊安全長 (CISO) 提供的服務是：我們將為您提供一份面向業務的網路風險可見性演示文稿，您可以每季提交給董事會。那會讓你在董事會面前顯得非常聰明。這是一個相當大的價值，例如，在 ETM 週邊地區，他們可以對這類服務收取數美元的費用，而在其他地區，他們未必能做到這一點。

And with the agentic AI capabilities built in, the partners are excited that that actually can also reduce the spend that they have to do to staff their services teams with people if agentic AI capabilities in the platform can get them a Patch Tuesday report within 24 hours versus taking two weeks for a consultant to manually go and create Excel sheets to do things like that. So very exciting early conversations.

由於平台內建了智慧人工智慧功能，合作夥伴們很高興，如果平台中的智慧人工智慧功能能夠在 24 小時內為他們提供「補丁星期二」報告，而不是讓顧問手動建立 Excel 表格來完成此類工作，那麼實際上還可以減少他們在人員配備服務團隊方面的支出。早期的對話非常精彩。

We're already starting to see some interesting wins, though it's early days, with new business and existing business with those partners that understand the risk story and positioning the broader risk management rather than just, oh here's another list of vulnerabilities that I can provide you. Those conversations are very positive.

雖然現在還處於早期階段，但我們已經開始看到一些有趣的勝利，包括與那些了解風險情況並定位更廣泛的風險管理（而不僅僅是提供另一份漏洞清單）的合作夥伴開展新業務和現有業務。這些對話非常積極。

And so as I said, we're really focused right now on our GTM efforts around training these partners around partnering with them. and introducing them to customers as they introduce us to prospects, et cetera. And as that progresses, I'm excited about the potential that partners can bring customers to us, even if that customer might have another VM scanning solution, they can keep that solution and they can actually bring that customer to us and the partner can make multiple dollars on every dollar of ETM that they sell for us.

所以正如我所說，我們目前真正專注於市場推廣工作，包括培訓這些合作夥伴，讓他們與我們建立合作關係，並將他們介紹給客戶，同時他們也向我們介紹潛在客戶等等。隨著這一進程的推進，我很高興看到合作夥伴能夠為我們帶來客戶，即使該客戶可能已經擁有其他虛擬機掃描解決方案，他們也可以保留該解決方案，並將該客戶帶到我們這裡，合作夥伴可以從他們為我們銷售的每一美元的 ETM 產品中獲得數美元的收益。

Okay, great, that's very helpful. Joo Mi, if you can remind us how renewals are lined up for the year. Is it skewed towards that could have second half of the year consistent with the prior years? Or with the newer products coming in, do you see some early renewals or renewals mix kind of changing up this year?

好的，太好了，這很有幫助。Joo Mi，你能提醒我們今年的續約安排嗎？是否傾向認為下半年的情況與往年一致？隨著新產品的推出，您是否預期今年的早期續約情況或續約組合會有所變動？

Right now, our expectation is that the seasonality remains the same. So same thing as what you saw in 2025, it will be skewed towards the second half of 2026.

目前，我們預計季節性變化將保持不變。所以，就像你在 2025 年看到的那樣，這種情況會偏向 2026 年下半年。

Okay, great. Thank you so much. That's it.

好的，太好了。太感謝了。就是這樣。

Junaid Siddiqui, Truist.

Junaid Siddiqui，Truist。

Great. Thank you for taking my question. Sumedh, you've talked about the risk operation centers focused on proactive risk management versus the [SUC] focused on detection after the breach being a major differentiator. Just wanted to ask, are you starting to see budgets flow more towards proactive security versus reactive detection and response?

偉大的。感謝您回答我的問題。Sumedh，你曾談到風險營運中心專注於主動風險管理，而 [SUC] 則專注於在違規事件發生後進行檢測，這是一個主要的區別。我想問一下，您是否開始看到預算更多流向主動安全而非被動檢測和回應？

Yeah. Thanks, Junaid, for that question. We definitely see the conversations with our partners who have said, like, look, I've invested a lot over the last few years in EDR, XDR, post-breach solutions around SUC and the innovative. And, of course, there is some focus now on agentic AI SUC solutions that they're looking at to improve that even further. But what they feel is that on the pre-breach side, they have invested -- but they have invested in a bunch of, I call them, XPM tools, which is DSP, ISSP, CSP, but all of them are just giving you multiple dashboards. And there is definitely a bit of a fatigue with these customers and saying these dashboards are not helping me prevent a breach while I have put in place a protection on the post-breach side to try to find attackers, if I can do a better job and operationalize my workflow so that I can take all these findings from multiple tools, you have these code scanners, which are kind of like false positive service sometimes because they give you so many findings.

是的。謝謝朱奈德的提問。我們確實看到了與合作夥伴的對話，他們說，你看，過去幾年我在 EDR、XDR、SUC 和創新方面的後洩漏解決方案投入了大量資金。當然，現在他們也開始關注智慧AI SUC解決方案，以期進一步改進。但他們的感覺是，在資料外洩事件發生之前，他們已經投入了大量資源——他們投資了一堆我稱之為 XPM 工具的東西，例如 DSP、ISSP、CSP，但所有這些工具都只是提供多個儀表板而已。這些客戶確實有點疲憊，他們說這些儀錶板並不能幫助他們防止資料洩露，儘管他們在洩漏發生後採取了保護措施來尋找攻擊者。如果他們能做得更好，優化工作流程，以便能夠整合來自多個工具的所有發現（例如程式碼掃描器），那麼他們就能更好地利用這些工具。程式碼掃描器有時會產生誤報，因為它們會給出很多結果。

The conversations definitely are moving in that there is positive conversation on leveraging budget that they have or asking for more budget over the next couple of years to move in that direction. And the early adoption of ETM that we are seeing is necessary. You essentially we're going and getting budget that they are not always moving away from something that already budgeted for.

對話確實在朝著正面的方向發展，雙方正在積極討論如何利用現有預算，或在未來幾年內要求更多預算，以朝著這個方向發展。我們現在看到的ETM的早期應用是必要的。本質上，我們是在爭取預算，但他們並不總是偏離已經列入預算的項目。

So some customers have started to put budget aside for exposure management, so to say, or RBVM. But when we show them ROC, which is much bigger than exposure management and much more than RBVM, they are actually able to work with us to shift on that budget.

因此，一些客戶已經開始預留預算用於風險敞口管理，或者說基於風險的模型監控 (RBVM)。但當我們向他們展示 ROC 時，它比曝光管理要大得多，也比基於風險的模型監控 (RBVM) 要大得多，他們實際上能夠與我們合作，調整預算。

So I definitely feel like there is more of a focus last year and into this year on, we need to do a better job at proactive risk management. We've done a lot of work around the reactive side. Let's focus to get better on the proactive side.

因此，我感覺去年以及今年，我們更重視主動風險管理，我們需要在這方面做得更好。我們在響應式設計方面做了很多工作。讓我們集中精力，在主動性方面做得更好。

Great, thank you.

太好了，謝謝。

[Jason Jang], Wolfe Research.

[Jason Jang]，Wolfe Research。

Hey, guys. It's Joshua Tilton from Wolfe Research. Can you guys hear me?

嘿，夥計們。我是來自 Wolfe Research 的 Joshua Tilton。你們聽得到我說話嗎？

Yes, Josh.

是的，喬希。

Awesome. Sumedh, I want to follow up on your answer when you asked about kind of Anthropic's blog post today on cybersecurity. And I just -- I want to re-ask the question, but I want to ask it in a much more simpler way. Is the way to think about it that a lot of the functionality that Anthropic was talking to was more around application security testing and kind of some of the vulnerability discovery that happens before you would use a traditional VM tool? And again, I just play a security expert on TV. So if I'm thinking about it the wrong way, please let me know. But is that kind of the right way to think about it?

驚人的。Sumedh，我想就你今天問到的 Anthropologie 關於網路安全的部落格文章的回答做個後續問題。我只是想——我想重新問這個問題，但我想用一種更簡單的方式來問。是不是可以這樣理解：Anthropic 所談論的許多功能都更多地圍繞著應用程式安全測試以及在使用傳統 VM 工具之前進行的一些漏洞發現？再說一遍，我只是在電視上扮演一個安全專家。如果我的想法有誤，請告訴我。但這種思考方式真的正確嗎？

Yeah. Right now, a lot of that focus is on looking at open-source code and going through the code base to look at commit logs, et cetera, around that code to find the vulnerabilities in that particular code base. Now, that code base is then compiled into some piece of application software, which then is running all over the place across millions of machines in different customer environments, behind different firewalls, et cetera.

是的。目前，許多工作都集中在查看開源程式碼，並瀏覽程式碼庫，查看程式碼的提交日誌等，以發現特定程式碼庫中的漏洞。現在，程式碼庫被編譯成某種應用程式軟體，然後軟體在不同的客戶環境中，在不同的防火牆後面，在數百萬台機器上運行。

So generally, that's sort of where we see -- while its focus is more around once those vulnerabilities are discovered or attackers starting to use those, how do we then quickly assess those in a runtime rather than application code discovery time which is where a lot of these AI agents are focusing on.

所以總的來說，我們看到的是——雖然它的重點更多地在於一旦發現這些漏洞或攻擊者開始利用這些漏洞，我們如何在運行時快速評估這些漏洞，而不是在應用程式碼發現時評估這些漏洞，而這正是許多人工智慧代理所關注的。

Makes total sense. And then maybe just a quick follow up for Joo Mi. I think in the past, you know, there's been several leadership changes throughout the years where, you know, there was always a plan to kind of invest to reignite growth.

完全有道理。然後或許可以簡單跟進一下 Joo Mi 的情況。我認為在過去，你知道，這些年來經歷了幾次領導層更迭，每次都會有一個投資計畫來重振成長。

And I'm just curious when we think about the EPS guidance for the full year, how do you think about the level of investment for '26 that's baked into that EPS guidance versus prior years when maybe you've had one of these kind of new CRO in place or other leadership roles being filled?

我很好奇，當我們考慮全年的每股收益預期時，您如何看待 2026 年的每股收益預期中包含的投資水平，與往年相比，例如當初任命了新的首席營收官或其他領導職位時？

Yeah. We're really pleased to start off the year strong with all key positions filled with a strong executive team who's tenured. So keeping that in mind, last year, we had guided to low-40s EBITDA margin coming off of 2024 47%. So the implied gap or implied margin contraction was significantly higher than what you're seeing today. We cooked up the year 2025 with 47% EBITDA margin. We're guiding to mid-40s for EBITDA. It's a slight contraction, but it's not as significant as what we had guided at the beginning of 2025.

是的。我們很高興今年開局強勁，所有關鍵職位都已填補，並組建了一支經驗豐富的強大管理團隊。因此，考慮到這一點，去年我們預測 EBITDA 利潤率將達到 40% 左右，而 2024 年的目標利潤率為 47%。因此，當時的隱含缺口或隱含保證金收縮幅度遠高於您今天所看到的。我們預測 2025 年的 EBITDA 利潤率為 47%。我們預計 EBITDA 將達到 40% 左右。雖然略有收縮，但遠沒有我們在 2025 年初預測的那麼顯著。

Makes a lot of sense. Thank you so much, guys.

很有道理。非常感謝各位。

Thank you. This does conclude today's question-and-answer session, and this also concludes today's conference call. Thank you so much for participating, and you may now disconnect.

謝謝。今天的問答環節到此結束，今天的電話會議也到此結束。非常感謝您的參與，您現在可以斷開連接了。