Qualys Inc Q4 2025 Earnings Call Transcript

Qualys Inc (NASDAQ: QLYS) Q4 2025 Earnings Call dated Feb. 05, 2026

Presentation

Operator

d Ladies and gentlemen, thank you for standing by. Welcome to quality fourth quarter 2025 investor call. this time all participants are in a listen only mode. After the speaker’s presentation there will be a question and answer session. To ask a question during the session you would need to press star 11 on your telephone. You will then hear an automated message advising your hand is raised to withdraw your question. Please press Star one one again. Please be advised that today’s conference is being recorded. I would now like to turn the conference over to Blair King, Investor Relations.

Please go ahead.

Blair King — Vice President of Investor Relations & Corporate Development

Thank you. Michelle Good afternoon and welcome to Qualys fourth quarter 2025 earnings call. Joining me today to discuss our results are Smith Thakar, President and CEO and Jumie Kim, our cfo. Before we get started, I’d like to remind you that our remarks today will include forward looking statements that generally relate to our future events or future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today’s press release and our filings with the SEC, including our latest Form 10Q and 10K. Any forward looking statements that we make on this call are based on assumptions as of today and we undertake no obligation to update these statements as a result of new information or future events.

During this call we will present both GAAP and non GAAP financial measures. A reconciliation of GAAP to non GAAP measures is included in today’s earnings press release. And as a reminder, the press release, prepared remarks and investor presentation are all available on the investor relations section of our website. So with that I’d like to now turn the call over to sumedh.

Sumedh Thakar — President, CEO & Director

Thank you Blair and welcome to our fourth quarter earnings call. As threat actors continue to compress time to exploit, we believe the next phase of pre breach risk management will be defined by an agentic AI driven risk fabric with out of the box business quantification automated remediation to respond to the speed of these threats. Against that backdrop, we continue to execute well in Q4, demonstrated by another quarter of strong revenue growth and profitability. In my conversations with hundreds of CIOs and CISOs as well as security leaders from many of the world’s largest and most innovative organizations, one message has remained consistently clear.

Reducing cyber risk isn’t about detecting more exposures. It’s about operationalizing a cyber risk management program that aligns spend with risk tolerance. In doing so, CISOs are increasingly prioritizing the unification of fragmented security stack into a centralized risk fabric, one that serves as a credible alternative to single vendor platforms by bringing diverse risk vectors into a prioritized measurable view of risk that the teams can confidently communicate and remediate at machine speed. That message was further amplified at our recently concluded Rock on conference in Mumbai with attendance up over 30% from last year’s event as we again broadened the agenda to include a business track and with the advent of AI which is democratizing cybercrime and enabling adversaries to operate with unprecedented speed and sophistication, this need is only intensifying.

As a result, we believe that the future of pre breach risk management belongs to vendor agnostic agentic AI powered solutions that continuously predict, assess, confirm, quantify, prioritize and remediate risk across on prem and multi cloud environments over the past years. We continue to execute relentlessly towards this vision, delivering meaningful platform innovation to help customers reduce risk faster, operate more efficiently and stay ahead of an increasingly dynamic threat landscape. Accordingly, in 2025 we broadly expanded the Qualys ETM platform to third party data and launch a powerful new orchestration layer that unifies QUALYS and non QUALYS findings, applies our industry leading threat intelligence and delivers a business contextual quantified view of risk with built in prioritization and automated remediation.

Building on this foundation, we introduced an agentic AI risk fabric that assesses and normalizes diverse internal and external data sources, applications and machines. We extended these capabilities with the first. Of a kind agentic AI risk management marketplace, enabling security and IT teams to quickly augment their existing workforce with highly specialized autonomous experts that significantly reduce time to remediation, increase accuracy and reduce costs. To further close security gaps, we again organically enhance ETM with a natively integrated identity security posture management solution. At a time when identities have become part of the new AI perimeter and further flexing the power of our platform, we are now confirming exploits before customers are compromised. While traditional continuous threat exposure management solutions rely on a theoretical risk score and ignore mitigating security controls, ETM takes a fundamentally different approach.

On a single platform it uniquely detects vulnerabilities, validates exploitability, applies remediation and revalidates exploit using Agent VAL agentic AI workflow. The net result is that QUALYS is redefining how organizations manage pre risk risk management. While competitors continue to focus on detecting vulnerabilities or mapping theoretical exposures. QUALIS has moved decisively beyond that model. We are pioneering the first agentic AI Native Risk Operation center rock, a new category in cybersecurity designed to centralize an organization’s response to threats spanning exploit confirmation to autonomous remediation Powered by our ETM solution, the rock represents presents a fundamental divergence from traditional CTAM tools.

Competitors can point to exposures, they can’t quantify cyber risk in dollar terms that matters most of the business and they cannot adequately six step ETM fills that gap. This is what sets qualys apart. We don’t stop at detection and non quantifiable prioritization. We natively integrate CTAM exploit confirmation, risk quantification and remediation operations into a single AI powered workflow leveraging both QUALYS and non qualys data sources. In doing so, our architecture orchestrates and implements a perception reasoning action loop enabling autonomous agents to collect real time telemetry, reason through risk signals, plan response workflows and execute actions.

This enables organizations to holistically predict emerging risks across infrastructure, cloud, application, security, IoT and identities, safely confirm probable exploits, prioritize threats based on business impact, remediate through patching or other compensating controls and verify the effectiveness of the remediated tactic. This end to end vendor neutral approach is catalyzing a paradigm shift in pre breach cyber risk management where customers aren’t just seeing their risk holistically across the risk stack, they’re validating it, quantifying it and reducing it continuously and autonomously at scale. By aligning security and IT decisions directly with business priorities, we are providing organizations with measurable, proactive risk reduction that brings customer value.

Armed with this fresh new set of capabilities and early momentum already validating this model, we are now laser focused on accelerating ETM adoption through our VMDR customer base and position qualys for larger upsell opportunities over time. Moving to our Business Update with customers spending 500,000 or more with us growing 4% from a year ago to 215, let me now share a couple of recent wins which illustrate why organizations ready to centralize the response to cyber risk are turning to qualys to help unify their security stack, quantify and remediate risk in their environment and fortify their security operations.

First, an existing Global 50 customer was struggling under the weight of multiple unintegrated security tools, millions of vulnerabilities and limited visibility into the overall risk profile. Traditional prioritization methods were unable to adequately filter critical findings, leaving security and IT teams without the necessary business context to act decisively. Consequently, this customer selected qualys and launched a strategic initiative to unify their security stack by transforming siloed signals spanning on PREM and multi cloud environment into a cohesive agentic AI native risk management solution. This included expanding the ETM deployment to further operationalize the ROC with ingested third party data from several sources resulting in a mid six figure annual bookings upsell.

By consolidating these data sources into the QUALYS platform, we are now delivering this customer a unified orchestration layer and full visibility of their attack surface, centralized risk assessment, quantification, prioritization and remediation workflows while unleashing the operational efficiency of the stack consolidation. This expansion of the ROC underscores the power of our platform and reinforces QUALYS ability to unified siloed risk signals, operate at an autonomous defense layer, strengthen customer outcomes aligned to the business risk tolerance and advance our leadership in the industry. Leveraging our MROC partner ecosystem we are also pulling new business into qualis. During the planning stages of launching a new ETM POC with a Global 200 company in Latin America, we secured a seven figure annual bookings upsell which included our total Cloud CNAPP and policy audit solutions.

This win demonstrates the leverage of our partner led motion and our ability to convert early engagements into meaningful multi solution growth. Turning to our federal business, we achieved a mid six figure expansion with one of the federal government’s most visible shared security services utilized by several large government agencies nationwide. Faced with an overwhelming volume of security issues that limited resources to continuously assess risk across fragmented tools and manual workflows, this customer chose QUALYS for ITS Cloud Native FedRAMP High Authorized Platform to enable a centralized government program that quantitatively prioritizes risk with automated assessment, standard outputs and low operational overhead.

Given the success of this deployment, we are now working towards a multi agency ATM rollout representing a significant upsell opportunity as this shared services team prepares to operationalize its risk operations center. These results alongside another six figure upsell with a separate large federal agency reinforce our proven ability to align technical capabilities with operational outcomes that address modern security challenges and underscore the long term growth opportunity in our federal business. Beyond these wins, we are also gaining more leverage from our partner ecosystem as we continue to endorse a partner first sales motion. Partner led deal registration increase again in Q4 reflecting deeper alignment and execution across the channel.

In addition, with well over a dozen certified MROC partners actively launching new services, momentum continues to build towards a global ROC alliance fueling our capability, harnessing transformative solution sales and bringing new business to Qualus, further contributing to our growth profile. In Q4 we continued beta testing Q Flex to help customers accelerate and maximize adoption of the QUALYS ETM platform. Given the strong customer response and early success of this model, we plan to continue to focus on proactively identifying opportunities to leverage QFLEX to enable select customers and partners to accelerate their adoption of Wallace Solutions in 2026.

In summary, we are fundamentally changing how organizations manage pre bridge cyber risk by unifying CTEV with exploit confirmation, risk quantification and automated remediation powered by an agent in AI risk fabric. Our rapid pace of innovation and strategic investments are driving strong competitive differentiation, deeper rock adoption, broader engagements across large federal agencies, growing partner led execution and initial Q flex success. Looking ahead to 2026, we’ll continue our disruptive innovation, further advance our go to market investments and execute our ROC vision with a balanced approach to long term growth and profitability. With that, I will turn the call over to Jumi to further discuss our fourth quarter results and outlook for the first quarter and full year 2026.

Joo Mi Kim — CFO & Principal Accounting Officer

Thanks Ned and good afternoon. Before I start, I’d like to note that except for revenues, all financial figures are non GAAP and growth rates are. Based on comparison to the prior year period. Unless stated otherwise, we’re pleased to report a healthy finish to the year, highlighting our continued execution, financial discipline and scalable business model. For the full year we grew revenues by 10% to 669.1 million and achieved adjusted EBITDA margin of 47% even with. Continued 14% growth in investments in sales and marketing. Net income in EPS grew 13% and 15% to 257% and 7.07 per diluted share respectively, and free cash flow reached 304.4 million or 45% of revenues, all. Of which exceeded our expectations for the year. Turning to fourth quarter results, revenues grew. 10% to 175.3 million. The channel continued to increase its contribution, making up 51% of total revenues compared. To 48% a year ago. Revenues from channel partners grew 17%, outpacing direct, which grew 4%. As a result of our strategic emphasis. On leveraging our partner ecosystem to drive. Growth, we expect this trend to continue. By geo, 15% growth outside the US. Was ahead of our domestic business which grew 6%. US and international revenue mix was 56% and 44% respectively. With customers confirming their prioritization of security. Within IT budgets, we anticipate the selling. Environment in 2026 to remain similar to. Last year with a low to mid. Single digit growth in security spend persisting for the foreseeable future. Reflecting the Sentiment Our gross dollar retention. Rate remained comfortably above 90% but saw a modest sequential decline in Q4, with. Our net dollar expansion rate at 103%, down from 104% last quarter. In terms of product mix, our differentiated new products continue to drive growth with. All three of the following increasing contribution. To bookings in 2025 First, Cybersecurity Asset Management combined with ETM made up 10%. Of total bookings and 13% of new. Bookings in 2025, up from last year’s. 8% and 9% respectively. Next, Patch Management made up 8% of total bookings and 16% of new bookings in 2022, up from last year’s 7% and 16% respectively. Lastly, Total Cloud made up 5% of. Total bookings in 2025, up from 4% a year ago. We believe that these differentiated products combined. Will continue to increase contribution to bookings. In 2026, given our opportunity to increase. Market share and maximize share of wallet. Turning to profitability, Adjusted EBITDA for the fourth quarter of 2025 was $82.6 million, representing a 47% margin, same as last year’s. Operating expenses in Q4 increased by 11% to $68.9 million, driven by investments in. Sales and marketing, which grew 18%. With this strong performance, EPS for the fourth quarter of 2025 was 1.87 per diluted share and our free cash flow was 74.9 million, representing a 43% margin. Compared to 26% in the prior year. In Q4, we continue to invest the. Cash we generated from operations back into. Qualys, including 724,000 on capital expenditures and $44.7 million to repurchase 328,000 of our outstanding shares. Since commencing our share repurchase program In. February of 2018, we’ve repurchased 10.7 million shares and returned over $1.2 billion in cash to shareholders. As of the end of the quarter. We had $160.5 million remaining in our share repurchase program. We’re pleased to announce that our board. Has authorized another increase of $200 million. To the share repurchase program, bringing the. Total available amount for share repurchases to $360.5 million. With that, let us turn to guidance. Starting with revenue for the full year. 2026, we expect revenues to be in. The range of 717 to 725 million, which represents a growth rate of 7 to 8%. For the first quarter of 2026 we. Expect revenues to be in the Range. Of 172.5 to 174.5 million, representing a. Growth rate of 8 to 9%. This guidance assumes no material change in our net dollar expansion rate with moderate. Growth contribution from new business in 2026. Shifting to profitability guidance for the full year 2026, we expect EBITDA margin to be in the mid-40s, implying mid teens increase in operating expenses and free cash. Flow margin in the low 40s. We expect full year EPS to be in the range of 7.17 to 7.45. For the first quarter of 2026, we. Expect EPS to be in the range. Of 1.76 to 1.83. Our planned capital expenditures in 2026 are. Expected to be in the range of. 8 to 12 million and for the. First quarter of 2026 in the range. Of 1.2 to 2.6 million. In 2026 with respect to operating expenses, we plan to align our product and marketing investments to focus on specific initiatives aimed at driving more pipeline, accelerating our partner program and expanding our federal vertical. As a percentage of revenues, we expect. To prioritize an increase in investments in. Sales and marketing with more modest increases. In engineering and gna. With that sumed and I would be. Happy to answer any of your questions.

Question & Answers

Operator

Thank you. As a reminder to ask a question, please press star 11 on your telephone and wait for your name to be announced. To withdraw your question, please press star 11 again. And the first question comes from Jonathan Ho with William Blair. Your line is open.

Jonathan Ho — Analyst, William Blair

Hi, good afternoon and congratulations on the strong quarter. Can you talk a little bit more about some of your Q Flex offerings and how it potentially helps remove friction and perhaps encourages broader adoption of your platform?

Sumedh Thakar — President, CEO & Director

Yeah, thank you very much. And that’s a great question. You know we’ve talked about this last quarter as well. I think if you have to. If you take that in relation to what we are doing with the Risk Operations center and ETI and how we’re differentiating ourselves from the exposure management solutions is that the ability to detect all your assets, find your vulnerabilities, ability to use agentic AI to actually not only prioritize those, which is what a lot of these exposure management solutions do, which is just giving you a score. We’re leveraging the ability to use agentic. AI to confirm those exploits within the. Environment, which is very differentiated from what everybody does, but then after that actually the ability to also remediate those. And so being able to get this. End to end Very quickly, very fast, before attackers are leveraging AI to do the same for your environment. The QFLEX proposal allows the customer, at. Their pace, to then be able to consolidate a lot of these capabilities on a single platform with Qualys and do that over a period of time during their subscription with us, which allows them to maybe initially start with more of that prioritization and confirmation, but then as the year goes by, it allows them then to leverage our eliminate capabilities more and more to be able to focus on getting the outcome of getting these things fixed. And so what we’re excited about is our conversations initially with the customers that have adopted this have been very positive in the fact that the security environment is not a static environment at the beginning of the year.

It is continuously changing throughout the year. And the flexibility that that pricing model offers them to actually be able to leverage different QUALYS capabilities throughout the year as the threats change is a very big positive for them. So really happy with the feedback we have gotten in the beta phase and this year 2026, we look forward to doing more of that and moving more towards a GA model for that.

Jonathan Ho — Analyst, William Blair

Got it, Got it. And then just in terms of some of your comments around AI, I mean clearly you’re seeing a lot of customer interest here. Can you maybe help us understand like customer is in terms of their AI journey and also help us understand what that uplift opportunity looks like for qualys. So if you, if you start selling more of these agentic products, you know, AI sort of native products, you know, how do we, how do we think about, you know, how that can impact sort of net retention going forward? Thank you.

Sumedh Thakar — President, CEO & Director

Sure. Yeah, I think a lot of people. Talk about, you know, AI is embedded in their platform. I think where we differentiate ourselves is the, what we have done is introduce the concept of a AI agent marketplace within the platform, which allows the customers to actually augment their workforce, their security team, which we have talked about this for years, that there’s never been enough talent in the security space. So the ability to get agent Sarah, who is an expert in patches data, the ability to get agent Val, who’s an expert agent with skill sets that can autonomously make calculations and decisions on exploitation remediation.

So the ability to say, look, I want to employ this particular agent on the platform to achieve a task which otherwise would take me weeks and months to hire a consultant to get that outcome. What we’ve done with our agent take AI capabilities is not only have those built in throughout the platform, but with agent take AI we can now actually have these agents that feel like they’re really part of that team and they can help you get those outcomes. And the way we have really positioned this is that customers who are leveraging vmdr, they get a really high quality list of findings, but then as they cross sell into etm, they get the ability to not only do the prioritization of these vulnerabilities, but they get the agent AI capabilities which then allow them to do achieve different tasks.

And as you look at how customers are thinking of headcount, et cetera in the agent AI world, these really help them get to those outcomes pretty quickly. And then of course, in addition to that, with our total AI offering, we’re also helping customers detect, find and address vulnerabilities and misconfigurations that are coming up in the AI workload that they have. And so with that, we look forward to customers bringing more data around their own agentic, around their own AI solutions into Qualys etm. And we believe that the agent AI capabilities are a differentiator for customers to upgrade from or to cross sell from VMDR into etm.

As well as looking at some of the other exposure management solutions where they just give you a score, this will allow them to actually use an agentic AI to get patching done pretty fast and pretty quickly. And so we see that that differentiation can be the catalyst for us, for customers to pick ETM over some of those other exposure management solutions that are out there.

Jonathan Ho — Analyst, William Blair

Thank you.

Operator

Thank you. And the next question will come from Kingsley Crane with canaccord. Your line is open.

William Kingsley Crane

Hi, congrats on the quarter. You answered some of this in the prior response, but we’d just love to hear more about how AgentVal is elevating ETM from an efficacy perspective and just how AgentVal is reducing total man hours at the customer level and how that’s resonating with customers. Thanks.

Sumedh Thakar — President, CEO & Director

Thanks Kingsley. I wish. Unfortunately the call is only an hour, but I could talk about this forever. But look, I think we’ve seen the history of this evolution back when Kenner started somewhat with. This is like everybody’s giving you theoretical scores, right? Based on the vulnerability findings and CV information that is out there. Unfortunately, a theoretical score does not actually mean that a high score does not mean that the customer may not have other controls in place that mitigate that actual exploit from working in their environment. They might have a firewall, they might have something else memory protection that is enabled that the typical scanner or a typical exposure management solution will not pick up.

What AgentVal does is leverages that decision making, autonomous decision making process to basically look at the findings, look at the scoring, but then actually the ability to run a very safe exploit against the. Asset to confirm whether that vulnerability is. Actually exploitable in their environment, on their machine or it is not. Not just a theoretical score. And what typically happens is when the security team gives these scores to the IT team, they spend a lot of time trying to chase down these find only to feel like oh this was a false positive because look, we already have a control in place and a lot of time is wasted in arguing back and forth. What the customers really want to be able to do is not waste their IT team’s time on fixing things that actually are not exploitable in their environment.

And the ability to for sure confirm by running an actual exploit in a safe manner that this is or is not exploitable means that the IT teams will be saving significant amount of time not chasing down ghost scores and will actually have a absolute confirmation that yes, it is a very highly exploitable vulnerability. But I don’t need to worry about it because I have other controls that are mitigating this or it is highly exploitable, attackers are using IT and I don’t have a protection in my environment. So instead of just chasing scores I can actually go and focus on fixing these and that’s going to make it a lot safer.

So it’s a significant time saving for the customer. Because of this agent GUI workflow, they can actually then significantly reduce the number of findings that they have. And you know, the other thing is. That once the exploit is confirmed on. Your environment, you don’t have the time to create JIRA tickets and servicenow tickets to then have people go and manually make the remediation. As soon as you know that this is exploitable in your environment, confirm you want to be able to use another. Agent to immediately kick off remediation and get it fixed. And you feel a lot more comfortable. Because now you have confirmed that this is exploitable. It’s not theoretical. So people are going to want to also save time and not leave the exposure open for a long time by being able to run that exploit and then also automatically run that remediation. And you know you cannot show up for the AI fight today with your JIRA tickets and your service note tickets. You got to be able to do automation and autonomous decision making to get things fixed and that’s the differentiator.

William Kingsley Crane

Yeah, it’s really exciting times and it’s good that you’re Leading the way here for Jumi. It’s been a remarkable year for Qualys. You guided to 7% at the midpoint entering last year and you put up 10 and now you’re guiding closer to eight this year. How can we think about the levers for upside to growth this year? Thanks.

Joo Mi Kim — CFO & Principal Accounting Officer

Yeah, 2025 was a solid year from an execution standpoint. It was a very exciting year for us with ETM having gone live at end of 2024. We’ve had a significant number of discussions with our existing customers in terms of how we can increase value without them having to double their spend initially with us. And so in doing that and working through our partners, what we were able to do is finalize our pricing and packaging for ETM and identify our key products that are going to be levers for growth in the short term and long term going forward as well.

So 2025, solid year with closing with another 10% growth revenue, which we’re really pleased about. Now, when it comes to current billings, it came in line as expectations from last quarter with 2025 current billings growth of 8%. That’s slightly lower than the 9% that we posted back in 2024 for current billings. So looking ahead to 2026, I think that’s kind of more or less in line with what the baseline case is for us. Looking out, our guidance is really informed by what we see in the business today, the discussions that we’re having, what we expect from the macro and then the spending environment.

With that said, we do anticipate significant upside given what sumed just covered. We have very exciting product discussions with existing customers as well as prospects. I think that we’ve gone ahead and really leveraged our innovation and our power to really deliver what the customers are looking for and what the market is looking for. So we’re excited about the outlook. But with that said, the baseline still remains to be around 7 to 8%.

Operator

Thank you. And our next question will come from Rahul Chopra with Berenberg. Your line is open.

Rahul Chopra

Yes, thank you. I have a couple of questions. I mean, I appreciate these are not your estimates, but if I look at 2023 market share data which you g at that time you had market total market as 64 billion. In the current deck, you are talking about 53 billion market for 2026. At the same time, I can see previously you had 28 market of I think something around 79, 78 billion. Now 29 market is 75 billion. My question here is that basically is the core market shrinking for VM and exposure management appreciate these are not your estimates, but want to understand what you’re thinking about the core estimates in terms of the market itself.

What is it doing? 1 the second question is I wanted to understand your thoughts about the competitive landscape in more general, especially given the service now is acquiring hardness. Obviously that’s going to probably change some dynamics. So we wanted to hear your thoughts on that, please. Thank you.

Sumedh Thakar — President, CEO & Director

Sure. Yeah, I think I’ve been in this qualys for 20 something years and vulnerability management has definitely changed. And if you recall, we’ve been talking about that as the number of assets has increased, the number of CVEs and software has increased, we’re seeing that customers in the traditional way that vulnerability scanning was done is just generating way too much noise. And vulnerability management has evolved, which we have called out many times. And that’s the reason the last few years we’ve been focusing on shifting and focusing on the solutions that customers actually are looking for. So as an example, when we innovated with patch management where the first vendor to do that, and even today we’re not seeing really much traction with others in patch management was yes, not just vulnerability management doesn’t mean you just scan and scan and scan if you cannot get it fixed.

And so as that evolved, we innovated. We came up with patch management as a capability. We came up with cybersecurity asset management that was needed for a successful VM program. Now we have expanded that capability with agent AI with etm because that’s really what customers are looking for is how do you continue to triage that. And then adding a layer of validation is another game changer in our mind from a vulnerability management perspective. And then along the way we’ve also focused on how do we bring total cloud, which is a cnapp solution that we have, which we’re very happy with.

The traction that we’re seeing with that, we’re coming up with agentic AI. So for us it is about how do we continue to track the areas that customers are focusing on and then how do we maximize our share of that spend that they have. And that’s what you’re seeing the progression in the innovation that we are going. And it’s great to see that there is focus and attention on the CTEM exposure management marketplace. As you mentioned, the ServiceNow buying Armis which has been around for a long time, using passive capabilities to detect asset inventory, et cetera.

But the reality again is that today customers don’t want just more vulnerability findings from these solutions. That don’t actually help you fix anything. And so what we are looking forward to is again autonomous workflows, leveraging AgentIC AI to get customers to fix things quickly. As you saw in the recent Mandiant report that the meantime to remediate over the last five years has gone from 63 days to negative one day. So today again with solutions like that, ServiceNow, Armis and other solutions, do you have the time to create ServiceNow tickets and chase people down while attackers are having a free time exploiting your vulnerabilities? So what we feel pretty excited about with our customer conversations is the differentiation that we have that is allowing them to very quickly and accurately get to the things that actually matter to their business, put dollar value loss quantification numbers on it, get the validation, get the vulnerabilities fixed and that is allowing us to differentiate.

And that’s where a lot of the convers we’re seeing are very positive in the focus of not just another exposure management solution, but moving towards a risk operation center. And so our goal here is that of course security market keeps changing, etc. We’re bringing solutions that we are looking forward to maximizing the share of the customer spend focused on the pre breach side of the security and not necessarily the post breach side.

Rahul Chopra

Okay, thank you very much.

Operator

Thank you. And the next question is going to come from Nehal Chokshi with Northland Capital. Your line’s open.

Nehal Chokshi

Yeah, thank you. And nice color there on why the armis acquisition by ServiceNow won’t be impactful. It sounds like a key portion here is that basically they’re lacking patch management. So can you dive a little bit further here and explain why patch management has remained such a differentiator for QUALYS here?

Sumedh Thakar — President, CEO & Director

Yeah, thank you. I think today, if you see right, people are finding millions and millions of findings and the IT team does not want to be spending all their time instead of innovating, going out and fixing so many vulnerabilities without the proper context. And so what we’re seeing is that, and we talked about this a couple of months ago, the QUALYS agents have been able to deploy 140 million patches just in the last 12 months. And in one of the recent GigaOM reports, we replaced as the number one patch management vendor by the analyst. And so the reason why we’re getting so much traction is that in the past, you know, I mean, I remember when I joined Qualys, scanning once a.

Quarter and taking 30 days to fix. All your issues was considered okay, today when the attackers are attacking you within three, four, five hours of the vulnerabilities being disclosed. You need that ability to quickly correlate cve, figure out that it doesn’t matter to your business or that it’s not exploitable in your environment and actually get it fixed. And so our success with patch management really has been a highly integrated solution with VM and not a, you know, just a partnership where you know you’re going out with some other separate solution and trying to bridge that gap. Is highly integrated solution that is quickly able to not only detect that vulnerability, find whether it is actually exploitable in your environment, but then within a matter of minutes, it can actually fix and patch that particular issue.

And so what we’re excited about is the success of patch management the last few couple of years, but also what we did end of last year is moved even further into providing customer more abilities to mitigate the risk of the vulnerability without patching. And I like to call it patchless patching, which is applying mitigating controls on the machine, which has given even more flexibility to our customers. Because sometimes you’re worried about a patch breaking something. How do you balance the worry of patch breaking something with the worry of getting exploited? And many times because of our super deep research in the pet research landscape with our research analysts, we actually are able to figure out the way exploits are working and then find ways to apply mitigations on the machine so that the actual exploit can be blocked.

So at the end of the day, what is the point of all the spend you do in vulnerability scanning is to get the right things fixed before the attackers get there. So the majority, majority of the value that comes in that overall spend is really about the patching part. If you do not patch it. You can build all kinds of dashboards and there’s dashboard tourism going on right now, but those dashboards don’t mean anything if you don’t actually get it fixed. Before the attackers get to it.

Nehal Chokshi

Okay, thank you. And Jimmy, are there any headwinds leading. To expectation of no change in MDR in your calendar 26 guidance that’s embedded in your calendar 26 guidance?

Joo Mi Kim — CFO & Principal Accounting Officer

Yeah, our guidance is assuming no material change in net dollar expansion rate. You could see that it’s always kind of gone up a quarter or down a quarter in the past couple years. And right now, us being starting out the year ending 2025 at 103, we don’t anticipate a material change to that rate.

Nehal Chokshi

But why is that? Why are you expecting no change?

Joo Mi Kim — CFO & Principal Accounting Officer

Our guidance is informed by what we’re seeing in the pipeline today and what we’re expecting based on our existing customers, what they anticipate buying more over how they’re thinking about spending more with Qualys in 2026. Our preliminary discussions and view into the outlook today implies that assuming kind of similar in line dollar retention, the expectations from an upsell standpoint and then of course a new business, what we expect to land from a logo perspective, this is all informing our guidance and the way we look at things.

Sumedh Thakar — President, CEO & Director

And that’s the base case. Our goal will be to continue to. Improve our execution on the ETM and. Rock the customers getting to know that. And that to me remains the upside. For the business is with federal now with our federal empire that we got and the federal space partners, et cetera. So I think that’s kind of where we are with just assuming 103 as we see it right now. But do we continue to work on. The upsides in the business that we can potentially have?

Nehal Chokshi

So does that imply that your expectations, the baseline expectations that EPM incremental penetration to install base continues at this relatively slow pace, that we’re not hitting an inflection point yet?

Sumedh Thakar — President, CEO & Director

I think it’s very early. So like we said at the end of the last year where we had. Started with po, we are super encouraged. With what we are seeing with the. POCs and the conversion that we’re having. But again, it’s very early. Right. We’re talking about customers that are early adopters. So it’s encouraging. But we’re not. We haven’t had enough of those to really map out a confirmed trajectory of how that is going to go. So I think as we execute better. In the first couple quarters, that’s where we will get to understand even better now that’s where, as Juni has talked about in the past, we will start. To provide guidance on how ETM is going to how ETM is going for us starting the Q1 earnings call for 2026. And so that will allow you to. Sort of track where we’re starting and then how we’re going to expand through the next couple of years on that. Big opportunity that we see right now.

Nehal Chokshi

Okay, thank you.

Operator

Thank you. And our next question will come from Rudy Kessinger with DA Davidson. Your lines open.

Rudy Kessinger

Hey, great. Thanks for taking my question. Jimmy. I think you said in response to one of Jonathan’s questions earlier, I think you said baseline remains around 7 to 8%. I’m not sure if you were referring to the revenue guide for this year or if that was also your expectation for roughly what we should expect for current calculated billings for the year?

Joo Mi Kim — CFO & Principal Accounting Officer

I would say that we don’t give a specific guidance for current billings, but our expectation is that current billings growth rate will be more or less in line with our revenue growth rate. So 7 to 8% for both for full year 2026.

Rudy Kessinger

Yeah. Okay, got it. And then just maybe kind of a follow up to the past question. Certainly it sounds like there’s a lot of optimism about the early ETM interest and adoption and whatnot, but at the same time it’s still just being too early to maybe drive an improvement in the net expansion rate or the overall revenue growth rate. I guess just, you know, I don’t know, we’ve been hearing that for a few quarters now is, I mean, what needs to go right? Whether it’s with the channel or utilizing Q Flex, you know, is there potential that this year we could see enough adoption that we do see, you know, expansion rate pick up or revenue accelerate? Or is that unlikely just based on the current pipeline?

Sumedh Thakar — President, CEO & Director

Yeah, I mean all of that needs to go, right? I think we’re, I think we’ve done a lot of innovation. The products are coming out now, which is great. Agent Val is going to be very interesting for us. And the recent identity solution is also very interesting. I think a key part of our. Strategy definitely has been working with partners. And so as an example, one of the key areas of focus right now where we are certifying more MROC partners as an example and we are getting these partners up to speed and we’re getting the partners trained and helping them create their offerings around the risk operation center. And the idea here really is that these partners then with those services actually can bring us net new business, can bring us upsell opportunities because they don’t have to have a replacement conversation maybe with the existing vendor that they might have been selling for the last couple of years.

They can actually create a service for risk management with Mrock on top of their existing VM solution as an example by pulling that data into Qualys and then ETM and then charging the customer for the management and the consolidation of their various risk factors, etc. So that’s an area that we are looking forward to as that matures and as we are in the early days. Of getting those partners up to speed. Once those partners then start to take those offerings to their customers, that response will also help us see how that is gaining traction again. Early conversations have been great. We got to see that in the. Way that these partners are bringing us. Some of their business. I think Q Flex has been really a positive thing for when we are taking customer who has VMDR and then converting over to etm. That has actually been a really positive thing for customers so that they can kind of build in certain amount of growth and they can look at the ability to take the journey of a risk operational center at that pace. And then of course we just got. Our FedRamp high end of last year. So that’s allowed us to have more conversations for the 2026 budget cycle for federal that obviously were not in time for 2025. So those conversations after Fed ramp high for 26, 27 are also going to be quite interesting for us as potential upside. And so I think as Jumi has provided sort of the guidance that we see as of now, we’re excited about some of these things that can potentially create the opportunity for us to do better than that.

Operator

Thank you. And our next question will come from Matthew Hedberg with RBC Capital. Your line’s open.

Michael Steven Richards

Hey guys, this is Mike Richards on for Matt. Thanks for taking the question. Keeping a little high level here. Anthropic’s new model release today put an emphasis on cybersecurity and specifically the model’s performance for vulnerability discovery and patching. So I was just wondering if you could talk about what you believe these developments mean for qualys and maybe the cybersecurity industry more broadly as model providers look to potentially go deeper into cybersecurity. Thanks.

Sumedh Thakar — President, CEO & Director

Yeah, great question. I think today’s announcement was great in terms of that understanding the fact that that autonomous AI during the coding process or when you look at the code of a software and pointing agent AI to that is definitely something that the attackers are looking to leverage and they’re leveraging as well to be able to discover vulnerabilities in the code base. Now, having the ability to discover a vulnerability in an open source code is. One thing, which is what Entropic is helping. But once you find that this particular code has a particular vulnerability that could be exploited, you need to go find all of the machines running that software all over the customer’s environment, internally, externally, and then the ability to test that. After all the controls that the customer. Has put in place in their environment on that machine, is that actually exploitable? Each individual customer’s environment in each individual customer’s machine. And that’s the part where I think this Entropic development actually really helps. Again, stress the reason why after A. Particular vulnerability is discovered and exploit is discovered. Why it is important to use an ATM agentic AI type solution to very quickly validate that in your environment and then actually fix it and apply a fix autonomously. Because when you’re using AI to find these particular vulnerabilities and attackers are going to are using the same model, they are going to try to do their best to very quickly exploit those. So what we feel is we are empowering our customers with ETM and with somebody like Agent VAL to actually stay. Ahead of the gap between discovery of. A vulnerability to the exploitation that we can actually leverage EKM with Agent AI VAL to then actually find this issue in their specific environment, on their specific. Machine and then protect them very quickly. By actually being able to patch that. And so that’s really the main differentiator. So I think in a way it’s. Great to show the power of what. AI is able to provide for the attackers to find issues in open source and then it signifies even more the value of the ATM platform to actually find that during runtime and not just. In the code base as Entropic is doing today.

Michael Steven Richards

Thank you.

Operator

Thank you. And the next question will come from Patrick Colville, Scotiabank. Your line is open.

Joe Vandrick

Thanks. This is Joe Vandrich on for Patrick Colville. Can you help us understand. I know you kind of touched on this, but can you help us just better understand the strategy you’re taking to get customers to adopt not just vulnerability management, but also prioritization and patch management. And then I’m wondering, is there a way to think about what percentage of the customer base is just using that basic functionality of vulnerability management?

Sumedh Thakar — President, CEO & Director

Yeah, great question. I think if you kind of look. At what we have been doing with. Patch management, by the way, and if you look at, we’re very happy to see the adoption of patch management, cybersecurity, asset management as the capabilities that sort of take that vanilla vmdr and add more execution around, execution for success around those list of CVEs, we’re pretty happy and excited to see that. And so today with the ability to provide customers with things like average exposure window, the ability to provide customers the way that that particular vulnerability actually impacts their particular environment. As an example, your typical threat exposure management solutions will give you a score, a risk score and they will say that this particular issue has a risk or this particular asset has a risk score of 900 on 1000 and another one has a 750 on 1000, which one will you fix first? If you just go by the risk score as an example, you’re going to see that maybe that risk score of 900 on 1000 is on a machine that makes you 2 million a year, but the 750 is on one that makes you 500 million a year.

Immediately your prioritization switches and is exactly the opposite of what you are exposure management solution gave you. Because now you added a dollar value. And once you have that and you know that you’re potentially going to have a loss of $500 million because of the exploit of this vulnerability. The next thing that customers want to be able to do is how quickly can I protect myself from making sure that I don’t lose that $500 million. And that’s where a integrated patching and integrated mitigation solution like Wallace is super impactful for them. Because now they don’t waste time.

Because, because once attackers are starting to exploit vulnerabilities, it is just a, you know, you’re sitting duck with an open window and the quicker you can close that window, the better it is going to be. And our customers are really seeing that. That’s why their adoption of patch management has been increasing. 140 million patches in the last one year is quite a milestone for us. And the ability to sort of give them that visibility, to say that you know you can with this platform, you’re not just exposing your exposure, you’re actually fixing it, is a great story.

And our partners are also excited about the ability to not just provide services around more visibility, the ability to actually be the partner for the customer that gets them an outcome of actually the risk reduced is a differentiator. And that’s kind of where we are looking forward to continuing our innovation around the exploit validation and the mitigation and patch management solution, as well as awareness building around the risk operations center is an area for focus for us. And then along the way, risks come from cloud. They come from your standard virtual machines, they come from cloud.

That’s where we have go to cloud. They come from identities. We have ISPM for that. They come from misconfigurations and we have Policy Audit for that. They come from AI now for which we have total AI as an example. So. So we continue to expand ways to bring more assets into etm. At the same time, we continue to innovate on ways to absolutely get to the final outcome of actually reducing risk with automation and agentic AI as fast as you can. And that honestly is really in my mind a big differentiator.

Joe Vandrick

That makes sense. And if I could sneak in one more, I think you mentioned that you’re still in beta testing for Q Flex and that you’re going to leverage it for select partners. Is that just timing or are you not planning to go customer wide with that pricing model?

Joo Mi Kim — CFO & Principal Accounting Officer

Yeah, we went beta with Q Flex. Last year and so we understand that how we could be very additive to solid cohort of customers. So we’re rolling it out on a case by case basis because we want to create a win win scenario for us. If we’re a customer, we feel like they would really benefit and increase their spend with us by giving them this flexibility. We’re more than happy to work with them, whether it’s through a partner or directly with us. Broadly speaking, we don’t want to be in a situation where unintentionally it results in a downsell for us and then also they don’t have the ability to try out other products because they’re maximizing their budget and thinking through it from that perspective.

So. So right now it’s in beta, but in the longer term we do plan on going to GA with that and potentially with a slightly tweaked structure.

Joe Vandrick

Thank you.

Operator

Thank you. And our next question will come from Yun Sun Kim with Loop Capital. Your line’s open.

Yun Suk Kim

All right, thank you. Sumed, I think you already touched upon some of my questions already, but how engaged are partners involved in core VM renewals or a lot of them? The newer partners that you attracted last year, are they more about selling new products?

Sumedh Thakar — President, CEO & Director

Yeah, the MROC partners that we work. With are pretty excited. We’re starting to see these partners launch their own services for risk Operations center, which obviously takes some time because they have to come up with the brochures for the services, staff them with the right experts for risk quantification, et cetera. But what they are excited about is that instead of just looking at, you know, can I get another $0.05, $0.10 of margin on a dollar, the ability to say that with rock they can actually offer higher value services. The service you can offer to a CISO is hey, here’s we’re going to give you a business oriented cyber risk visibility deck that you can take to your board every quarter that’s going to make you look very smart in front of the board is a significant value and they can charge multiple dollars as an example.

For those services around etm, which they cannot necessarily do around other areas. And with the agent AI capabilities built in, the partners are excited that that actually can also reduce the spend that they have to do to staff their services teams with people if agentic AI capabilities in the platform can get them a batch Tuesday report within 24 hours versus taking two weeks for a consultant to manually go and create Excel sheets to do things like that. So very exciting Early Conversations we’re already starting to see some interesting wins though. It’s early days with new business and existing business with those partners that understand the risk story and positioning the broader risk management rather than just okay, here’s another list of vulnerabilities that I can provide you.

Those conversations are very positive and so as I said I that we’re really focused right now on our GTM efforts around training these partners, around partnering with them and introducing them to customers as they introduce us to prospects, et cetera. And as that progresses, I’m excited about the potential that partners can bring customers to us. Even if that customer might have another VM scanning solution, they can keep that solution and they can actually bring that customer to us and the partner can make multiple dollars on every dollar of ATM that they sell for us.

Yun Suk Kim

Okay, great. That’s very helpful. Jumi, if you can remind us how renewals are lined up for the year. Is it skewed towards second half of the year consistent with the prior years or with the newer products coming in? Do you see some early renewals or renewals mix kind of changing up this year?

Joo Mi Kim — CFO & Principal Accounting Officer

Right now our expectation is that the seasonality remains the same. So same thing as what you saw in 2025. It will be skewed towards the second half of 2026.

Yun Suk Kim

Okay, great. Thank you so much. That’s it.

Operator

Thank you. And the next question will come from Junaid Siddiqui with Truwist. Your line is open.

Junaid Siddiqui

Great. Thank you for taking my question. Sumed you’ve talked about the Risk Operations Center’s focus on proactive risk management versus the stock’s focus on detection after the breach being a major differentiator. Just wanted to ask, are you starting to see budgets flow more towards proactive security versus reactive detection and response?

Sumedh Thakar — President, CEO & Director

Yeah, thanks Junaid for the question. We definitely see the conversations with our partners who said look, I’ve invested a lot over the last few years in edr, xdr, post breach solutions around SOC and the Innovate. And of course there is some focus now on AgentIC AI SoC solutions that they’re looking at to improve that even further. But what they feel is that on the pre breach side they have invested but they have invested in a bunch of, I call them XPM tools which is dspm. I have split spm I have cspm, but all of them are just giving you multiple dashboards.

And there is definitely a bit of a fatigue with these customers and saying these dashboards are not helping me prevent a breach. While I have put in place a protection on the post breach side to try to find attackers. If I can do a better job and operationalize my workflow so that I can take all these findings from multiple tools. You know you have these code scanners which are kind of like false positive service sometimes because they give you you so many findings. The conversations definitely are moving in that there is positive conversation on leveraging budget that they have or asking for more budget over the next couple of years to move in that direction.

And the early adoption of ETM that we are seeing is necessary. Essentially we’re going and getting budget that they are not always moving away from something that already budgeted for. So some customers had started to put budget aside for exposure management so to say, or rbvm. But when we show them rock, which is much bigger than exposure management and much more than rbvm, they are actually able to work with us to shift on that budget. So I definitely feel like there is a more of a focus last year and into this year on hey, we need to do a better job at proactive risk management.

We have done a lot of work around the reactive side. Let’s focus to get better on the practice side.

Junaid Siddiqui

Great, thank you.

Operator

Thank you. And the next question will come from Jason Jiang with Wolf Research.

Joshua Tilton

Hey guys, it’s Joshua Hilton from Wolf Research. Can you guys hear me?

Sumedh Thakar — President, CEO & Director

Yes, Josh.

Joshua Tilton

Awesome Sumed. I want to follow up on your answer when you were asked about kind of Anthropic’s blog post today on cybersecurity and I just want to re ask the question but I want to ask it in a much more simpler way is the way to think about it that a lot of the functionality that Anthropic was talking to was more around application security testing and kind of some of the vulnerability discovery that happens before you would use a traditional VM tool. And again I just play a security expert on tv so if I’m thinking about it the wrong way, please let me know.

But. But is that kind of the right way to think about it?

Sumedh Thakar — President, CEO & Director

Right now a lot of that focus. Is on looking at open source code and looking going through the code base to look at commit logs, et cetera around that code to find the vulnerabilities in that particular code base. Now that code base is then compiled into some piece of application software which then is running all over the place across millions of machines, in different customer environments, behind different firewalls, et cetera. So, so generally that’s sort of where we see Wallace focus is more around once those vulnerabilities are discovered or attackers starting to use those, how do we then quickly assess those in a runtime rather than application code discovery time, which is where a lot of these AI agents are focusing on.

Joshua Tilton

Makes total sense. And then maybe just a quick follow up for Jumi. I think in the past there’s been several leadership changes throughout the years where there was always a plan to kind of invest to reignite growth. And I’m just curious, when we think about the EPS guidance for the full year, how do you think about the level of investment for 26 that’s baked into that EPS guidance versus prior years when maybe you’ve had one of these kind of new CRO in place or other leadership roles being filled?

Joo Mi Kim — CFO & Principal Accounting Officer

Yeah, we’re really pleased to start off the year strong with all key positions filled with a strong executive team who’s tenured. So keeping that in mind, last year we had guided to low 40s EBITDA margin coming off of 2024’s 47%. So the implied gap or implied margin contraction was significantly higher than what you’re seeing today. We closed out the year 2025 with 47% EBITDA margin. We’re guiding to mid-40s for EBIT slight contraction, but it’s not as significant as what we had guided to at the beginning of 2025.

Joshua Tilton

That’s a lot of sense. Thank you so much guys.

Operator

Thank you. This does conclude today’s question and answer session and this also concludes today’s conference call. Thank you so much for participating. And you may now disconnect.