Qualys Inc (NASDAQ: QLYS) Q3 2025 Earnings Call dated Nov. 04, 2025
Corporate Participants:
Blair King — Vice President of Investor Relations & Corporate Development
Sumedh Thakar — President and CEO
Joo Mi Kim — Chief Financial Officer
Analysts:
Roger Boyd — Analyst
Patrick Colville — Analyst
Mike Cikos — Analyst
Kingsley Crane — Analyst
Shrenik Kothari — Analyst
Junaid Siddiqui — Analyst
Joshua Tilton — Analyst
Garrett Burkam — Analyst
Anik Bamonon — Analyst
Rudy Kessinger — Analyst
Yun Kim — Analyst
Presentation:
Operator
Good day and thank you for standing by. Welcome to the Qualys Third Quarter 2025 Investor Call. At this time all participants are in a listen-only mode. After the speakers’ presentation there will be a question-and-answer session. [Operator Instructions] Please be advised that today’s conference is being recorded.
I would now like to hand the conference over to your first speaker today, Blair King. Please go ahead.
Blair King — Vice President of Investor Relations & Corporate Development
Thank you, Vyonen. Good afternoon and welcome to Qualys third quarter 2025 earnings call. Joining me today to discuss our results are Sumedh Thakar, our President and CEO; and Joo Mi Kim, our CFO.
Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements and factors that could cause results to differ materially are set forth in today’s press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today and we undertake no obligation to update these statements as a result of new information or future events.
During this call we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today’s earnings press release. And as a reminder, the press release, prepared remarks and investor presentation are all available on the Investor Relations section of our website.
So with that I’d like to now turn the call over to Sumedh.
Sumedh Thakar — President and CEO
Thanks, Blair and welcome to our third quarter earnings call. With threat actors continuing to reduce time to exploit at a fast pace, I believe the future of cybersecurity is moving from attack surface management to risk surface management using agentic AI powered proactive risk management with business quantification and automated remediation. Against this backdrop, we continue to execute well in Q3 demonstrated by another quarter of solid revenue growth and profitability. Over the last couple of years I’ve had the privilege of meeting with hundreds of CISOs, CIOs and security leaders worldwide. From these conversations, one theme has stood out, the need to operationalize cyber risk management in business terms to align budget spend with business risk.
CISOs are looking for a practical approach to consolidate tools where possible and empower their teams to use best-of-breed where it makes sense. They want to seamlessly unify their security toolset into a centralized risk fabric that provides an alternative to single vendor platformization by operationalizing the management of multiple risk vectors to effectively measure, communicate and ultimately remediate the organization’s risk posture. The Risk Operations Center, ROC, powered by Qualys ETM delivers on this ask. At our recently concluded ROCon, Risk Operations Conference in Houston, where we elevated the business risk conversation to feature a specialized CFO and board track, our customers validated this approach. With the broadening of the agenda for ROCon, the attendance was up 20% over last year’s QSC event.
While traditional security operations centers focused on detecting breaches after they happen, Qualys is pioneering the first agentic AI Risk Operations Center ROC, a new category in cybersecurity designed to centralize an organization’s response to threats before they impact the business. Powered by our ETM solution, the ROC processes several petabytes of high fidelity data every day, normalizes and correlates intelligence from both Qualys and non-Qualys sources, and equips AI and humans to collaborate in real time, detecting and responding to threats at machine speed. This isn’t about more alerts, it’s about actions that close blind spots before attackers can exploit them.
Unlike traditional continuous threat exposure management, CTEM tools that simply highlight the exposure but lack adequate native remediation capabilities, our differentiated ETM solution combines CRQ, CTEM and native remediation operations to fix the risks that matter most quickly and at scale. By aligning security and IT decisions directly with business priorities, we are providing organizations with measurable proactive risk reduction that boards and customers value. Early adoption is already validating the model, with POCs continuing to convert to commercial deployments underscoring both the scale of this opportunity and its parallels to the early days of VMDR and we’re not stopping there.
Our R&D engine is continuing to deliver innovations, rapidly expanding our platform and positioning Qualys for a larger upsell opportunity. In doing so, Qualys is now extending several proven module native capabilities into ETM, empowering organizations to harness them seamlessly across their entire attack surface. By demonstrating — by democratizing trillions of security exposures from both Qualys and third party tools including vulnerabilities, misconfigurations and identities aggregated by our ETM solution, we are unleashing a sophisticated predictive platform that leverages a combination of Qualys TruRisk framework, our TruLens threat management capabilities and a mission-ready agentic AI workforce operating autonomously from discovery to remediation with full ITSM integration.
This unique combination of capabilities identifies strength trending threats in real time, benchmarks risk against peers, assesses organizational impact, and quantifies risks in clear, actionable terms that matter most to the business. As a result, security and IT teams can continuously prioritize, ticket and remediate threats based on organizational risk associated with emerging exposure targeting specific industries, asset types and identities. We believe these most recent additions to our ETM solution further advance our differentiation in the market, enhance security operations and significantly accelerate measurable outcomes for customers.
Next up for ETM solution, I’m particularly excited about yet another pioneering capability from Qualys, TruConfirm. TruConfirm flexes the power of our platform to confirm exploitability before customers become compromised. Using automated validation at scale, we remove the guesswork for customers by running safe exploits over the network to confirm whether the attackers will succeed in their breach attempts, while closing the gap between theoretical and actual exposure. This approach further allows customers to be laser-focused on prioritizing only exploitable blind spots for the next logical step, which is automated remediation with TruRisk Eliminate.
Our industry-leading capabilities are increasingly being recognized by our customers, partners and third-party analysts. Specifically at Black Hat, Qualys won two Pwnie Awards for our outstanding contribution to threat research, underpinned by our strong leadership in threat intelligence and triage. Equally important, GigaOm recognized Qualys as the leader in patch management, a market Qualys pioneered with over 140 million patches deployed in the last year alone. While some competitors are only beginning to validate this strategy, Qualys has advanced well beyond patching. TruRisk Eliminate closes the untouchable gap, enabling IT and security teams to automate an array of compensating controls when patches are deemed too risky to deploy or simply not available. And with adversaries increasingly exploiting vulnerabilities at AI speed, our umbrella of AI-based automated remediation solutions has evolved into a significant adoption layer, a distinctive competitive advantage and opens new market opportunities for Qualys.
Moving on to our business update. With customers spending $500,000 or more with us growing 5% from a year ago to 211, let me share a couple of recent wins which illustrate why organizations ready to centralize the response to cyber risk are turning to Qualys to help unify their security tools, quantify and remediate risk in their environment, and fortify their security operations. In Q3, one of my favorite wins was with a Global 700 customer that was previously only using Qualys for PCI scanning. This customer, like many organizations, was buried under fragmented telemetry, manual spreadsheets and disconnected tools. With little automation their teams were spending more time documenting than reducing risk and consequently were burdened by an onslaught of compliance audits.
This customer chose Qualys to transform siloed risk signals spanning code repositories, endpoints, identity, cloud container and network assets into a cohesive real time risk management solution by consolidating Qualys and non-Qualys data. This included replacing their existing vulnerability management vendor and purchasing three additional Qualys modules including ETM to begin operationalizing the Risk Operations Center with ingested third party data resulting in a mid six-figure annual bookings upsell. By consolidating these data sources into Qualys platform, we are delivering this customer a vendor agnostic orchestration layer with full visibility of their attack and risk surface, centralized risk management, quantification, prioritization and remediation while unleashing the operational efficiencies of security stack consolidation aligned within acceptable risk parameters for the business.
With our innovative technology, unmatched platform effect and focus on reducing risk and friction, this will underscore Qualys’ ability to eclipse legacy siloed solutions and advance our leadership in the industry. It’s also an outstanding example of how we are working with our managed risk operation, mROC partners of choice to activate the ROC with new win business. For the next phase, this customer is evaluating our TotalCloud, Cloud Native CNAPP solution and TruRisk Eliminate solutions while also bringing additional third party tools into Qualys platform representing a significant upsell opportunity. Further leveraging our mROC partner ecosystem to drive new logos was a new six-figure customer win with a major airline in the Middle East. This customer chose Qualys because of our unified detection and remediation capabilities with TruRisk Eliminate.
Nearly nine months after announcing GA with our ETM solution and over 28 PoCs converting to commercial success already we have gained valuable insights into ETM pricing and packaging. As a point of reference, we expect that for every $1 of VMDR, ETM can drive an uplift of up to 100% now that ETM will include cybersecurity asset management as well as other ETM feature enhancements such as those mentioned earlier and third party data ingestion. Given this, starting with our Q1 2026 earnings call, we will shift from reporting Cybersecurity Asset Management LTM bookings to ETM customer penetration as we believe ETM will be evolving into a key pillar of growth for Qualys over the next several years.
Turning to our federal business, we achieved a high six-figure upsell with an existing large government agency. This customer had previously used multiple legacy and NextGen tools to manage a variety of risk management use cases across their security, IT and DevOps team. In addition to the complexity of using multiple point products, this government agency has become increasingly frustrated with increasing costs associated with legacy on-prem deployments, the efficiencies of operating siloed systems and elongated remediation efforts. With a distinct need to shift several monolithic workloads to micro application across this hybrid environment on a FedRAMP solution, this customer accelerated the consolidation of its security stack over 17 Qualys modules including VMDR, Cybersecurity Asset Management, Total AppSec, TotalCloud, TruRisk Eliminate and Total AI.
Today this customer is leveraging a unified dashboard that provides them with a greater insight and automation than any of the competitive products they evaluated while taking full advantage of the speed and scale of cloud native platform. This alongside a significant seven-figure state win are a testament to the strength we see in our federal, state and local government business and the long-term growth potential of the market. Beyond these wins, we are also increasingly gaining leverage from our partner ecosystem. In Q3 partner-led deal registration increased, demonstrating the success of our partner-first sales motion.
In addition, we have now certified nearly a dozen partners who are actively launching mROC services leveraging ETM to deliver centralized automated pre-breach risk management. Momentum is building towards a global ROC alliance and we expect to certify additional strategic partners in the coming months ahead who are committed to positioning Qualys as their mROC partner of choice. Further contributing to our platform growth is our flexible platform pricing model which we are calling QFlex. We beta tested QFlex in Q3 to help customers accelerate and maximize the adoption of the Qualys Enterprise TruRisk platform. In less than a quarter after introducing this model, we’re seeing notable customer interest and tremendous success.
To give you an example, an existing Global 10 customer made a multi-year commitment under our QFlex program, increasing their annual bookings by over 50% while adding new modules to their subscription count with Qualys. This win reflects our growing capabilities in risk management and we expect the contribution from QFlex to continue to grow. In summary, our continuous innovation, early ROC deployments, strategic wins with federal customer and state agencies, momentum in partner-led initiatives and the initial adoption of QFlex collectively underscore Qualys strength in unifying risk management workflows, reducing operational complexity for customers and addressing today’s toughest security challenges. We believe these achievements not only validate our ongoing investments but also position Qualys as a trusted leader in pre-breach risk cyber risk management, setting the stage for durable growth and long term success.
With that, I will turn the call over to Joo Mi to further discuss our third quarter results and outlook for the fourth quarter and full year 2025.
Joo Mi Kim — Chief Financial Officer
Thanks, Sumedh and good afternoon. Before I start, I’d like to note that except for revenue, all financial figures are non-GAAP and growth rates are based on comparison to the prior year period unless stated otherwise.
Turning to third quarter results, revenues grew 10% to $169.9 million. The channel continued to increase its contribution, making up 50% of total revenues compared to 47% a year ago. Revenues from channel partners grew 17% outpacing direct, which grew 5%. As a result of our strategic emphasis on leveraging our partner ecosystem to drive growth, we expect this trend to continue. By geo, 15% growth outside the US was ahead of our domestic business which grew 7%. US and international revenue mix was 56% and 44%, respectively.
In Q3 gross retention continued to improve, however, upsells remain challenging with our net dollar expansion rate at 104% unchanged from last quarter. In terms of product contribution to bookings, patch management and cybersecurity asset management combined made up 17% of total bookings and 28% of new bookings on an LTM basis. Our Cloud Security Solutions, TotalCloud CNAPP made up 5% of LTM bookings. Reflecting our scalable and sustainable business model, adjusted EBITDA for the third quarter of 2025 was $82.6 million, representing a 49% margin compared to a 45% margin a year ago.
Operating expenses in Q3 increased by 5% to $64.9 million, driven by investments in sales and marketing which grew 9%. As we remain focused on driving growth, we are mindful of where to further increase investments while optimizing returns in others which resulted in EBITDA margin exceeding our expectations in Q3. This demonstrates our ability to maintain high operating leverage, remain capital efficient while continuing to innovate and invest to support our long-term growth initiatives.
With this strong performance, EPS for the third quarter of 2025 grew 19% to $1.86. Our quarterly free cash flow was $89.5 million, representing a 53% margin compared to 37% in the prior year. Year-to-date free cash flow margin was 46% compared to 42% in the prior year. In Q3 we continue to invest the cash we generated from operations back into Qualys, including $901,000 on capital expenditures and $49.4 million to repurchase $366,000 of our outstanding shares. Since commencing our share repurchase program in February of 2018, we repurchased 10.4 million shares and returned $1.2 billion in cash to shareholders. As of the end of the quarter, we had $205 million remaining in our share repurchase program.
With that, let us turn to guidance starting with revenues. For the full year 2025, we expect revenues to be in the range of $665.8 million to $667.8 million, which represents a growth rate of 10%. This compares to prior guidance of $656 million to $662 million. For the fourth quarter of 2025, we expect revenues to be in the range of $172 million to $174 million, representing a growth rate of 8% to 9%. While we believe our platform approach to cyber risk management provides some insulation amidst macro volatility, this guidance assumes continued budget scrutiny in a challenging environment for new business growth in Q4.
Shifting to profitability guidance. We expect full year 2025 EBITDA margin in the mid to high-40s, net free cash flow margin in the low-40s. We expect full year EPS to be in the range of $6.93 to $7.00, up from prior range of $6.20 to $6.50. For the fourth quarter of 2025 we expect EPS to be in the range of $1.73 to $1.8. Our planned capital expenditures in 2025 are expected to be in the range of $5.5 million to $7 million and for the fourth quarter of 2025 in the range of $1.2 million to $2.7 million.
With that Sumedh and I would be happy to answer any of your questions.
Questions and Answers:
Operator
Thank you. At this time we will conduct the question-and-answer session. [Operator Instructions] Our first question comes from Roger Boyd of UBS. Your line is now open.
Roger Boyd
Awesome. Thanks for taking the questions and congrats on a nice quarter. Sumedh can you just double click on some of the pricing you mentioned around ETM earlier? I just wanted to be clear on that 100% upsell metric. Is that inclusive of what you have with cybersecurity asset management and patch and just now with the kind of packaging sort of figured out on that product, just your confidence in kind of the ability to start driving better upsell moving forward. Thanks.
Sumedh Thakar
Yeah, that’s a great question. So from the way the pricing we’re looking at it is the ETM pricing is going to include cybersecurity asset management because as we talk to our customers for building any risk operations center, the foundation is asset inventory and without that you cannot succeed. And so that was a big feedback that came about. So that’s included. What we have added also is the agentic AI capabilities for them to be able to augment their security team with AI agents so that they can really manage outcomes for cybersecurity within their spend and optimize. Because everybody’s being asked about how they’re optimizing their spend even in cyber and the ability to have very focused threat intel that will allow them to validate exploits. So that’s included.
The upsell that we look forward to is then once they have used ETM to be able to get the inventory, to be able to confirm that the exploit can work in their environment, then they purchase TruRisk Eliminate which includes patch as an example and mitigation so that they can get that particular thing actually remediated. Because at the end of the day we can create all kinds of visibility but given that attackers are exploiting vulnerabilities, if you saw the recent Mandiant report in minus one day on an average, which is even before patches are coming out, the key is going to be about being able to remediate things and mitigate things even if you don’t have a patch available.
So the pricing to answer your question is 100% — up to 100% is what we see with the addition of VMDR, ability to sell to bring in CSAM, agentic AI as well as ability to confirm exploitation. And then from there the upsell will be they will pick an upsell Tru Eliminate so that it allows them to do more in terms of actually getting an outcome.
Roger Boyd
Really helpful. Thanks for the color.
Operator
Thank you. Our next question is from Patrick Colville of Scotiabank. Your line is now open.
Patrick Colville
Thanks for taking my question guys. I guess I want to ask a two parter. One is on the Fed. I know the Fed is like a more nascent notion for Qualys but what are you guys seeing in the Fed especially kind of in the first couple of weeks of 4Q given the shutdown? And then the other question I’d like to ask is about the competitive environment. And the reason I ask this one is it’s the one we get most from investors and it’s like is the competitive environment changing for Qualys given noise from vendors like CrowdStrike and others who are claiming to be entering the space and winning share. So are you coming up against different companies now versus a year ago? And results speak for themselves. Win rates seem high. But can you talk to that as well? Thank you.
Sumedh Thakar
Yeah, that’s a two part question, so let me stay focused. So answer both of them. So first one is on the federal side. As you already know, we’re at our very, very early innings and we made the investment and the commitment to get FedRAMP High, which has really created very, very powerful conversations. I mean I have the pleasure of actually being out in D.C. and having some very critical meetings there to start to have the conversation around Risk Operations Center, how it can help the government and essentially bring efficiency.
And so you kind of have the DOGE which is of course that is driving people to think more of efficiency in terms of how they can consolidate different things. And that’s where the Risk Operation Center as a way to eliminate fixing things that don’t really matter to the risk has really resonated well with our federal customers. Today it’s not just the spend of the tool, it is the amount of spend you put in remediating things that the tool is telling you which is a waste of time and money if those things are not even exploitable.
So for us what we are seeing is it’s very exciting early conversations. We see lots of opportunities over the next few years. Of course when you have the current scrutiny that is going on, sometimes people are taking a bit of a wait and watch opportunity. In other cases we’re actually seeing opportunities coming to us because of the focus on being able to be efficient in terms of the Risk Operation Center. So it’s a mixed bag. But overall from what we see right now is we don’t have as much exposure or revenue to that. But we do see that this is an area that we have committed to invest over the next few years and FedRAMP was our first step. And now with our focus on the conference we did in D.C. and we are going to continue to invest in the federal space moving forward.
On the vulnerability management and competition side, I think if you — I was really excited to see that Qualys got the leader position in GigaOm’s patch management above many of the other vendors that have been out there. Because really with what we have been seeing and what I saw a few years ago and why we have been talking about how vulnerability management is evolving less about detecting more and more CVEs most people are barely fixing 5% of the CVEs that are being discovered because it’s creating so much noise. So while there are other players that talk about discovering more CVEs, the focus for Qualys and what we are doing with Risk Operation Center has been about how we are helping customers really narrow down.
And we did that at our conference, ROCon conference where we showed a nice little representation of how 62 million findings after applying the right agent in threat intelligence went down to 2 million findings that really mattered in terms of any risk. And then further after applying business context went down to only 300,000. And so our focus has been shifting towards how do we help the customer actually pinpoint exactly what matters from a threat intel perspective, but then also how can we help them immediately fix it. Because if attackers are attacking things in four hours, you don’t have time to go and create Jira tickets and ServiceNow tickets and wait for other teams to use different patching solutions and different mitigation solutions to do that.
And so what we’re doing now, what we’re seeing is really an evolution of that is customers really like our capabilities, accuracy of detection, etc. But we have also opened up the platform now with ROC to be able to ingest data from other areas like OT or other EDR tools that might be collecting CVEs so that we can help customers actually narrow down that focus of what really matters. And the key exciting thing is for them to be able to get things fixed with Qualys, which is something that. And validating the exploit and then getting it fixed with Qualys is what is focused for most of our customers right now. So primarily we see Tenable, Rapid7. Yes, occasionally we see some of the other tools that are talking about giving more CVEs, but customers are focusing more on how do we get the key things remediated quicker rather than discovering more which they are not fixing anyway.
Patrick Colville
Thank you, Sumedh, that’s super helpful.
Operator
Thank you. Our next question is from Mike Cikos of Needham. Your line is now open.
Mike Cikos
Great, thanks for taking the questions guys. I just wanted to double check and congrats on the quarter here. Was there any one-time benefits to revenue or CCB that we need to take into account on our side? And then secondly as a follow-up, Joo Mi, great to see the results. Net dollar retention obviously remains here at 104%. What needs to happen for that net dollar retention to actually start ticking up from where we are today? Thank you.
Joo Mi Kim
Yeah, with respect to CCB, nothing specific to call out. It was a solid quarter as usual. You do get some benefits or negative impact from out of cycle renewals, but nothing material that we think that’s specific to this quarter. So it was really a solid growth quarter from an execution standpoint. Net dollar expansion rate, we’d love to get that up from 104% and upward. And this is part of the reason why Sumedh had commented on the fact that we’ve been really focused on making sure that we’re delivering the message in terms of how ETM could be beneficial to our existing customers as well as new process.
And so as we look to the cohort of customers that are up for renewal in each respective quarter, we’re making sure that they understand the value that they could potentially see from, whether they’re looking to upsell from CSAM to ETM or cross-selling with adding ETM to their existing VMDR solution, we think that that could be a meaningful impact to our net dollar expansion rate.
Mike Cikos
Thank you so much.
Operator
Thank you. Our next question is from Kingsley Crane of Canaccord Genuity. Your line is now open.
Kingsley Crane
Hi. Thanks for taking the question and congrats on a really great quarter. If we think about agentic AI within the Risk Operation Center, Total AI within VM and in the CNAPP suite, it all requires significant development resources. So how are you prioritizing R&D spend across those initiatives and just what metrics do you use to evaluate resource allocation? Thanks.
Sumedh Thakar
Yeah, that’s a great question and I think it’s really the focus for us on investment in R&D and sales and marketing. So at the beginning of the year we started with the plan to hire a CRO from a sales perspective and put focus on hiring more engineers, etc., to be able to deliver on all the capabilities that we’re talking about. And I think as we have, I’m pretty happy with our focused execution with the level of investments that we have made and the way Sean, who’s our VP of Global Sales, has executed with the team to give us a solid quarter.
And so the focus for us now is to really, from a sales marketing perspective to focus on working with Sean and team so that we can get efficiencies from what we are seeing cross functional between our sales team, our product management team, etc. And then on the R&D side we have had really good success with leveraging AI internally within our own development efforts. And as an example, we have pretty much stopped hiring anybody in QA anymore. We are seeing 20% to 25% efficiency gain with our best engineers. And ironically, it’s actually the best engineers who are getting the most benefit out of using AI.
And so in a way, with all the things that we are doing with adding AI into the Risk Operation Center, AI is benefiting us in adding those without significant increase in our R&D expense. And so I think at this point, the way we are looking at it is we’re going to continue to leverage AI and of course we’re going to invest back in our business, but no need really at this point for us to look at having CRO as the team is executing well, focused with what our goals are.
And then on the R&D side again, we of course, if you see the innovations that are coming out is at a pretty rapid pace, we will of course continue to invest in R&D, but it’s all going to be looked at from the lens of what kind of investment we will make in terms of people versus AI tools and how those tools are going to give us the required efficiency or I would say unexpected efficiency in some cases. And so we’re excited about what we’re going to be able to do from both adding the Risk Operations Center agentic AI capabilities while internally also using agentic AI across the board, not just in R&D but also in sales and other areas as well.
Joo Mi Kim
And just to add to that, we are extremely focused on making sure that we have the right team structured and the focus areas from a product development standpoint, we have different teams working on whether it be Total AI or ETM. And because of that we are continuing to increase the hiring the R&D, the engineers. It’s just that the geographic mix of incremental hire has shifted more to be in India, which has helped from an R&D expense standpoint. But we are making sure that we’re working across the different orgs or different functional areas within the engineering team to make sure that we’re prioritizing in the right manner.
Kingsley Crane
Really helpful. Thank you.
Operator
Thank you. Our next question is from Shrenik Kothari of Baird. Your line is now open.
Shrenik Kothari
Yeah, thanks for taking my question and echoing my congrats to the team. Sumedh the TruConfirm announcement definitely sounds like a step function moving from, as you said, the risk going to automated exploit validation and at scale. Just curious, do you envision this also becoming sort of a pillar like ETM as in monetizing it standalone or you think of it as becoming an on-ramp to move customers into broader ETM? And then just with the POCs converting and all the large enterprise consolidations you talked about like how should we think about the ETM trajectory ahead and have a quick follow-up for Joo Mi?
Sumedh Thakar
That’s a great question. And you look, I mean I think I’ll say that at the end of the day for risk management, you only manage your risk if you have eliminated the right risk. Right? Just building dashboards and as I said, dashboard tourism is not helping with just visibility. And so at the end of the day for that to happen you need to have three things. You need to be able to collect data from multiple sources so you can get a broader picture of the view. And you’re applying threat intelligence and you’re seeing some of the traditional CTEM which has been around for many years. Some of the CTEM solutions are just giving you we consolidated data and here it is.
And so they are giving you a theoretical view of what might be exploitable in the environment. But with TruConfirm included as part of ETM, we are going a step further relative to these CTEM visibility only platforms, giving them the ability to actually confirm and that’s included as part of ETM. It’s not an additional upsell, but that helps us differentiate from the CTEM only solutions, gives them the ability to confirm in their environment that the exploit actually works. And then the upsell from there is real. And that’s kind of how we look at the beachhead for converting our customers from VMDR to ETM is that that conversion then will allow us to upsell them to the actual eliminate capability.
Because again like I said, if attackers are looking are starting to exploit vulnerabilities, even before patches are being made available, it is really about speed. And so you need to be able to quickly detect the vulnerability. You need to be able to then confirm that it is exploitable in your environment rapidly. And then the next logical step has to be an automated AI-driven fix so that you can get it fixed before the attackers get there. And that’s really where the Risk Operation Center is not just a CTEM solution, it really is more than a CTEM solution which is just giving you dashboards.
Shrenik Kothari
Got it. Super helpful. And Joo Mi, very quickly Sumedh mentioned about the AI driver for automated remediation and orchestration scale into the model, mROC partner delivery again also reducing the heavy lifting internally. So just curious, as partners increasingly monetize these services, how should we think about incremental leverage and how we’re thinking about that? Thanks.
Joo Mi Kim
Yeah, I think that mROC will really help us to grow the top line because how we see the new product and value proposition in terms of the customers being able to really see how ETM could help them from a risk management standpoint, they will need assistance from the partners to really make sure that they’re implementing the tool they’re utilizing in the appropriate way and they’re maximizing the ROI from their respective like customization that’s required from the organizational standpoint.
So with working hand in hand with the partners to help us to accelerate the top line growth for us, we think that we will get some leverage from a margin perspective. But really the unit economics, we don’t really see a material shift there. I think we’re already seeing some kind of benefit as we continue to shift more of our business to the partner side and then layering on top that mROC, professional services or additional implementation help that the customers might see will help to accelerate that revenue growth and the ETM penetration.
Sumedh Thakar
And Shrenik, just to kind of add to what Joo Mi said, I called that out as an example in our earnings call where an mROC partner brought this new logo opportunity to Qualys in the Middle East, one of the largest airlines, because they were excited about, not because of just margin here or there. They were excited about the ability to provide high value risk management services to their customer if they brought that customer to Qualys versus just selling them some other VM scanner that would just give them more findings and they would have to do a lot of work to provide value on top of that. So that strategy around mROC partners are bringing not just ETM, but they’re also bringing us other customers, other deals with the understanding that these engagements with Qualys will lead to services revenue for these companies.
Shrenik Kothari
Great. Thanks a lot Sumedh, Joo Mi. Appreciate it.
Operator
Thank you. Our next question is from Junaid Siddiqui of Truist Securities. Your line is now open.
Junaid Siddiqui
Great. Thank you for taking my question. As you pivot more into a platform play, are you seeing any changes in sales cycles from customers?
Sumedh Thakar
I mean, I think nothing notable to call out for. I think there’s good and bad at times for us to be able to show the value of the platform by ingesting data from tools that they already have can be a win. Instead of saying you need to do a deployment of our agents and scanners everywhere to see the value that Qualys brings and then the pricing allows them to think about maybe eliminating their existing solution over a period of time. And so I think today, I think so far we are in the early days, but we’re seeing especially with the ROCon conference that we had and the partner advisory, I mean, sorry, the product advisory board where we had a lot of the top banks out there. I think the feedback is a lot of excitement around this operation center as a focus area rather than just kind of trying to do a like to like scanner to scanner replacement and the time and effort it takes. This is something that they feel like, you know, it’s something that they can justify in terms of moving quickly.
Now of course it is something that is new. Everybody’s looking at this year. So it is allowing them to figure out how they are going to budget. Some people have the budget now, some people are looking at it to budget for next year’s purchases. But overall the conversation has been pretty positive. And I think the goal for us is to not only — existing customers not only bring the Qualys findings into ETM, but that value they get out of that is going to encourage them to bring a lot of other findings and other assets that are not currently in Qualys. And so we are seeing that with some of the early adopter customers they started with bringing Qualys VMDR findings into ETM but then quickly pivoted after seeing the value to bringing sometimes twice as many assets into Qualys as they had before from other tools, increasing the license count for ETM.
So that’s kind of how we’re looking at it as we progress is that it’s going to help us be much quicker in POCs and we don’t have to walk away. If a customer already has a competing VM scanner, we can actually just ingest the data, show them the value, show them the business value and then grow from there rather than doing prolonged POCs that involve deployment of agents and scanners which ultimately they see the value in that but it is sometimes just take a longer cycle. So I think net net, I think it’s early days, we’ll see how it develops. But so far in the initial engagements we have had it’s been pretty exciting and fairly quick moving.
Junaid Siddiqui
Great, thank you.
Operator
Thank you. Our next question is from Joshua Tilton of Wolfe Research. Your line is now open.
Joshua Tilton
Hey guys, thanks for sneaking me in and congrats on a great quarter. I’ve been bouncing around a few calls tonight, so I’m actually going to ask a pretty high level question. And my question is we have the privilege of covering three publicly traded vulnerability management vendors and you guys are all kind of growing at different rates. And I guess my question to you is are the deltas in your growth rates a function of things changing within the VM market and therefore some of you are growing faster, taking share, growing slower within VM or the delta and the growth rates because some of you have taken these broader platform plays and you have these non-VM products that are separating the growth between these three players. And if it’s the latter, I guess can you just help us understand which of the product the non-VM products for you are really driving the separation and growth that we’re seeing at Qualys versus some of the other players? Thanks.
Sumedh Thakar
I would just say that some of us just have an awesome organic platform. That’s why we are growing at a different pace. But having said that, I think the — look, I think we’ve talked about this for a few years. VM has been changing and people are less focused on just scanning and more focused on prioritization, remediation. And that’s why we pivoted towards, if you recall, patch management a few years ago and we got GigaOm giving us that number one spot in their analysis for Qualys which was a great achievement for us just within four years getting the number one over established players.
We’re also pivoting more with ETM towards the ability to not just not only collect data from multiple tools as well as our own tools, but also ability to prioritize with threat intel. We have award-winning threat intelligence. So we talked about that and then the ability for us to actually confirm the vulnerabilities exploitable by exploiting it and then getting it fixed. And so what we are seeing and we have been reporting on how Eliminate patch management has been growing as a percentage of our LTM bookings. And then we also talked about now about our focus on ETM and how starting at the earnings call for Q1 we’re going to focus more on the penetration for ETM within our customer base which is elevating from VMDR to ability to give them a broader risk operation center. And then the upsell from that is going to be the Eliminate capabilities to get things fixed.
And so with the engagement that we have with our customers, there is a big focus from customers on a business alignment of cybersecurity spend. The ability to look at risk from a business perspective and what we are doing now in the organically developed platform that we have that integrates so many different things together I think is helping customers get a very quick and simplified view of their actual risk and the ability to actually remediate before attackers get there versus competitors have multiple acquisitions with multiple separate tools that don’t really work with each other and they’re not able to get that kind of, in my belief they’re not able to get the kind of response that we are able to give very quickly whenever there is something going on and that’s the feedback that we have been getting from customers.
Joshua Tilton
Sumedh you had me at organic platform, but maybe just a follow up for Joo Mi. If I missed it, I apologize. But any way to think about how we should expect billings growth to finish or current billings growth to finish this year?
Joo Mi Kim
Yeah, I think that Q4 because it was a very strong quarter, a tough compare for last year, we do expect current billings to be a few percentage points below the revenue growth rate ending the year. So maybe think about it from like 2025 full year current billings growth at around 8%.
Joshua Tilton
Super helpful. Thank you.
Operator
Thank you. Our next question is from Jonathan Ho of William Blair. Your line is now open.
Garrett Burkam
Hi, this is Garrett Burkam for Jonathan Ho. Thanks for taking my question. I was just wondering if you could walk us through how you’re thinking about contribution from your new continued product innovations like including AI and new modules around VMDR and mROC versus just continuing to upsell and cross-sell your existing install base. And then also can you just talk about how customer conversations are going with your mROC solution at this point. Just what traction you’re getting there. Thanks.
Sumedh Thakar
Sorry, I didn’t get the first part of the question again. So you’re asking for contributions from…
Garrett Burkam
Yeah, like new modules and new customers versus upselling your existing base in your existing modules?
Sumedh Thakar
Yeah, look, I think every customer is a different part of the journey so we don’t really break it out by individual modules. I think we have been giving color on the contribution of TotalCloud, which is our cloud native CNAPP solution. We’re happy to see the progress it is making, it is early days but it was 5% of the bookings for the quarter and then we also have, we called out patch management and cybersecurity asset management which has been the focus for us the last couple of years and we’re happy with the penetration there.
But we’re also now pivoting more towards the Risk Operations Center ETM solution that we talked about and our goal is going to be just like we did from VM to VMDR a few years ago, really up level our customers from VMDR to ETM solution which we have a very nice existing installed base of vulnerability management customers that we can work on upselling them and cross-selling them to ETM which by the way will include cyber security asset management already and then next above all that we’ll be upselling them to the eliminate solution to actually get things fixed.
And so conversations have been super positive around Risk Operations Center. As I said in the earnings script, one of the big differentiators for us has been the CRQ and the business focus on risk management rather than just giving technical scores. And that was underscored at our ROCon conference in Houston where we added a business track, separate business track for cybersecurity which had sessions with CFOs and board members and insurance companies. And actually because of that we had a 20% increase in attendance because people were really focused on making sense out of from a business perspective.
So the conversations with customers around Risk Operations Center and ETM solution from Qualys has been that they really like that we’re not just a CTEM solution giving them dashboards, we’re actually natively fixing issues for them rapidly as well as we’re giving them AI-based intelligence around the business and for their particular industry. What is the risk of a ransomware? How much money could they lose? Why should they fix this particular vulnerability versus not fix another vulnerability?
So it’s been very positive feedback and we’re excited about that. And so I think as we get into the next year we are really putting a focus on ETM and as part of that, we have based on internal promotions to align well with our go-to-market strategy there with product management. And Jonathan, our CISO also really working on, helping us as a GM for our risk operation solutions to really bring all of our teams to executing more towards ETM and getting the benefit out of upselling our customers to ETM. And that’s where if you see in the Q1 earnings call, we’ll be starting to focus on the opportunity ahead of us. In addition, of course, one of the reasons is like there’s a lot of CNAPP solutions out there.
We see the resonation, what is resonating with customers with our CNAPP solution it’s not so much individual features but it is again the ability to bring the cloud risk as part of the holistic business risk. And so yes, other CNAPP solutions can tell you how many open buckets that you have out to the public. But if you ask them what does that mean in dollar value lost to your company if one of them is compromised, they don’t have answers to that. And so our cloud security solution is actually integrated from a risk perspective to give that business quantification and that’s what the feedback that we’re getting from customers. And so as I look into next year, our focus is going to be on ETM as the big focus to cross-sell our customers. It’s going to be continued investment for long term in the federal market, focus on the continued innovation that we have with Eliminate capabilities and then all of that is going to be underpinned by our work that we are doing with mROC partners, which I think is going to contribute even more to scale our business in 2026.
Operator
Thank you. Our next question is from Joseph Gallo of Jefferies. Your line is now open.
Anik Bamonon
Hi guys, this is Anik Bamonon for Joe Gallo. Really strong quarter. Can you just share some color on where exposure management is in terms of budget prioritization in 2026 and can we expect billings to track in line with your noted 8% for 2025?
Sumedh Thakar
I think I’ll answer the first part is, we’re seeing definitely customers are looking to invest in proactive risk management solutions and as I said that Risk Operation Center where exposure management is part of that business quantification. With the feedback and response that we’re getting from customers, this is definitely an area that they are focusing on. In all the conversations that we had with this year, I think a lot of customers see the Risk Operations Center and the Security Operations Center, ROC and SOC kind of working closely with each other because there is a lot of fatigue currently on the SOC side because of too many alerts.
And the feeling is that if they can focus on better prevention in the first place, that can reduce the number of alerts and reduce the fatigue that they see in the SOC. And people are looking to balance in the early conversations. While I don’t have exact percentage right now, we will see how it evolves in next year. People do talk about balancing their cybersecurity budgets between proactive risk management versus just reactive after the fact that somebody is in your network. And there’s been a lot of that has happened in the past and it’s ultimately you cannot do away with one or the other. You need both so that you can practically reduce risk while having the monitoring needed if there is a compromise to block that.
But there is definitely a focus on customers to prioritize the split between those because again if they don’t prioritize what they’re fixing accurately, then they’re asking and wasting their IT team’s resources and fixing things that don’t actually matter while at the end getting more alerts in their SOCs. So from that perspective, we are seeing conversations around the Risk Operation Center and where exposure management is one part of that are definitely trending. Where customers are liking this ability to think about how much they spend in proactive risk management in terms of business risk and how much risk they would have, which is what I talk about in my keynote as well at the ROCon is moving from attack surface management to risk surface management. You can spend a lot in covering your attack surface, but the risk of loss was only $50,000 and you spent $500,000 your attack surface. That’s not a great business equation. So that’s what we are hearing and seeing from our customers.
In terms of billings, Joo Mi?
Joo Mi Kim
No, I think that 8% that we believe that we’ll be able to achieve in 2025 for the full year is on track.
Anik Bamonon
Thank you.
Operator
Thank you. Our next question is from Rudy Kessinger of D.A. Davidson. Your line is now open.
Rudy Kessinger
Hey, great. Thanks for squeezing me in here. Just a clarification on that last question, Joo Mi. You said that 8% billings for this year is quote on track. Is that to imply that you think you do 8%-ish again next year or can you just clarify that, please?
Joo Mi Kim
Yeah. So right now, I mean, billings has a tendency to be very lumpy. So for this year, we think that we’re going to end the full year at 8% which implies a lower current billings growth rate for Q4 given the tough compare to one year ago. In terms of next year, it’s a little too early to tell in terms of 2026 what we think that we’ll be able to achieve. A lot of it will depend on what we’ll be able to close a year at when it comes to the net dollar expansion rate. And we are monitoring very closely in terms of the newer product adoption to give us a better sense and clarity into what we think that we should be anticipating for 2026 growth rate.
Rudy Kessinger
Got it. Okay. And then you guys had some pretty decent results the last few quarters now. Growth has been stable at 10% the last four quarters I believe on revenue. You’ve got NRR stable at 104%. What, I guess what would you need to see to maybe give you guys confidence in maybe declaring that you can deliver stable 10% plus growth over the next couple years?
Sumedh Thakar
We’re certainly working towards that. I think the key growth vectors we see right now are converting our VM customer base to VMDR customer base to ETM is an area of focus creating upsells with Eliminate on that. We continue to see a lot of interest for our cloud security solution and I think with long term federal opportunity that we are focusing on we have really good conversation with Risk Operation Center on the federal side as well. I think those are the areas that we continue for sort of short term, medium term and long term growth which is again underpinned by our focus on mROC partnerships. But we’re really laser focused next year on our VMDR conversion and the upsells with Eliminate.
Operator
Thank you. Our next question is from Yun Kim of Loop Capital Markets. Your line is now open.
Yun Kim
All right, great. Congrats on a solid quarter, Sumedh. On the Enterprise TruRisk Management, ETM, is that primarily a big deal sales motion or is it just a combination of a bunch of products that could be purchased and deployed in multiple phases and collectively that could lead to 100% uplift over time? Just want to get a better understanding of that 100% plus uplift commentary.
Sumedh Thakar
Yeah, I think we feel and with the early response from customers, we feel like we can hold up to up to of course 100% of the VMDR because we’re adding them, we are providing them AI capabilities, agentic AI capabilities marketplace built-in where they can essentially bring on AI agent as part of their team for four weeks as they’re focusing on an audit or for three weeks as they are triaging the ransomware related vulnerability. And so CSAM is also included in that. Ability to test exploits is also included in that. And so we feel like that’s something that is going to be helpful for customers. Primarily it is VMDR, CSAM plus all the new capabilities that are highlighted are what is focused on that.
Now we also talked about QFlex and I think a lot of this is going to go hand in hand as we start seeing scale next year. A lot of these customers who are looking to buy ETM are also going to be interested in our Eliminate platform and also be interested in cloud. And so the QFlex is what sort of you talked about is from ability to provide them a way to try and use different Qualys modules that make sense to them instead of having to go through multiple purchase cycles through the year. And we are going to see a combination of the QFlex pricing with ETM cross sales are the focus for us as we get into next year.
Yun Kim
Okay, great. Looking forward to ETM adoption next year given that it sounds like it’s going to have a big impact. Just Sumedh, you haven’t done any acquisition in a while or anything sizable. If you can just give us an update on your view on acquisition strategy. Obviously you guys are performing very well. The business overall is stable. You got this ETM kicking in starting next year. Obviously you’re very proud of your organically grown platform, but you must see a strategic opportunity to expand your offering to get to that place faster than organically. Are you tempted at all given how dynamic the market is evolving?
Sumedh Thakar
Look, we are always open to all kinds of different opportunities to look at organic small acquisition, some larger acquisition potential as well. That makes sense. We definitely come more from we want to give our customer an organic experience with the platform. Having said that, we have done tuck-in acquisition in the past where if there is a fit with our platform, we’re not shy of looking at something larger. But currently with the way we are executing, focusing and one of the things that happens with ETM now is that, we are able to increase the asset count that the customer has with Qualys by actually bringing data from other tools and may not necessarily need them to essentially buy that particular capability from Qualys as an example, right?
Like now with ISPM identity solution as an example that we have as part of ETM, we can pull an identity from Okta and AD and others and we don’t necessarily have the customer or us to maybe acquire an AD security company. We can work with companies out there while that increases the asset count in Qualys. And so, these dynamics keep changing and we see efficiencies coming out of AI. We are seeing ability for us to look at various players in the market, how they are doing. And we continue to stay focused on our roadmap from an organic experience for our customers while also keeping an eye on the industry and looking at whether it’s going to be a smaller or a larger acquisition we’re definitely continuing to be open to that.
Yun Kim
Okay, great. Thank you so much.
Operator
[Operator Closing Remarks]