Qualys Inc (QLYS) Q4 2020 Earnings Call Transcript

Image source: The Motley Fool.

Qualys Inc (QLYS 0.44%)
Q4 2020 Earnings Call
Feb 10, 2021, 5:00 p.m. ET

Contents:

• Prepared Remarks
• Questions and Answers
• Call Participants

Prepared Remarks:

Operator

Ladies and gentlemen, thank you standing by, and welcome to the Qualys Fourth Quarter 2020 Investor Conference call. [Operator Instructions] [Operator Instructions]

I will now turn the conference over to Mr. Vin Rao, Vice President of Corporate Development and Investor Relations. Sir, you may begin.

Vinayak Rao -- Vice President, Corporate Development and Investor Relations

Good afternoon, and welcome to Qualys' Fourth Quarter 2020 Earnings Call. Joining me today to discuss the results are Sumedh Thakar, our interim CEO; and Joo Mi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance.

Actual results may differ materially from these statements. Factor that could cause results to differ materially are set forth in today's press release and in our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today. And we undertake no obligation to update these statements as a result of new information or future events.

During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. As a reminder, the press release, prepared remarks and investor presentation are available on the Investor Relations section of our website.

With that, I'd like to turn the call over to Sumedh.

Sumedh S. Thakar -- Interim Chief Executive Officer and Chief Product Officer

Thank you, Vin. Thank you, and welcome, everyone, to our Q4 earnings call. Before we discuss our financial results, I wanted to say a few words about the separate announcement we issued this afternoon. As you have likely seen by now, we disclosed that Philippe Courtot is taking a leave of absence due to health issues unrelated to COVID-19. Please join me in wishing Philippe a speedy recovery.

In connection to this development, our Board of Directors has appointed me as the Interim Chief Executive Officer. As those of you who have been following Qualys know, I have been with Qualys for nearly 20 years. I was appointed Chief Product Officer in June 2014 to lead the transformation of our platform and appointed President in October 2019.

I have been working closely with Philippe for many years and we share the same vision of transforming the way how our customers secure and protect their organization's IT infrastructure and applications with best-in-class, cloud-based IT security and compliance solutions. I have deep appreciation for the tremendous platform we have built, and I'm honored to serve as Qualys' interim CEO. I look forward to working closely with the Board and the rest of the Qualys team to continue building up on our strong business momentum and driving the company toward -- forward while Philippe is out.

Now for my first talk in this role, I will walk you through our earnings results for the fourth quarter and full year 2020. We are pleased to report another quarter of solid revenue growth and profitability. We also saw strong growth of our paid cloud agent subscription, which grew more than 80% over year to 56 million.

Very uniquely, our multifunction agent lightweight cloud agent provides visibility across the entire hybrid environment and is the underlying technology for a number of our IT security and compliance solutions that are natively integrated on our platform. As a result, Qualys customers can deploy VMDR vulnerability management, detection and response, multivector EDR, endpoint detection and Response, policy compliance, file integrity monitoring, patch management, global IT asset inventory and our upcoming XDR offering through a single agent, which differentiates us in our industry.

In addition, we continue to expand our platform's capabilities to take response actions, enabling our customers to respond quickly to security issues in their environment. While the importance of vulnerability management for our customers remains high for them to be able to mitigate the risk, they also are looking for ways to quickly respond to these risks and threats.

As these organizations continue to increase their focus on discovering all their hybrid IT assets, mitigating the risk and detecting and responding to ongoing attacks, Qualys' platform, through single pane of glass, uniquely provides our customers ability to do a complete asset inventory and CMDB centralization, mitigate the risk of breaches with capabilities like VMDR and patch management, as well as, at the same time, detect and respond to attacks using our EDR and upcoming XDR solution.

With the release of our container on-time protection solution and the new SaaS we are offering, as well as our upcoming cloud response solution, we are now expanding similar capabilities in other infrastructure environments as well, giving customers additional opportunities to consolidate their security tools onto the Qualys cloud platform. In terms of our newer paid solutions, we continue to see strong growth for our patch management solution.

In Q4, a leading pharmaceutical firm selected our patch management application over several competing solutions, given its ability to easily and effectively patch remote endpoints without using the limited bandwidth available on their VPN gateways. They chose Qualys because of our ability to discover asset inventory, vulnerability management and patch management through a single agent.

This quarter, we also saw strong traction for our paid global IT asset discovery and inventory application with a large media conglomerate, adopting the application to gain visibility of all their known and unknown assets across multiple environments, identify the end-of-life of their installed software and synchronize with their ServiceNow CMDB.

Finally, we again saw robust growth for our container security application with adoption from a large global IT services company that has already deployed our vulnerability management, patch management, global asset inventory, file integrating monitoring and EDR solutions, further consolidating their security stack with Qualys. In terms of product innovation, we have continued to make strong progress on our product road map.

Some key recent accomplishments include delivering a 360-day integrated vulnerability management, detection and response service to our customers to quickly assess devices impacted by SolarWinds Orion vulnerabilities, Sunburst Trojan detection and stolen FireEye Red Team tools and use the patch management capability to immediately fix their exposure with a single click using the same agent.

We also enhanced Qualys' container security response solution with the addition of deep visibility, runtime defense capabilities and automated enforcement with delivery of Qualys runtime security. We recently introduced a brand-new extension to our platform called SaaS protection and response, SaaSDR which provides a single console for IT and security teams to gain continuous visibility, security and compliance of critical SaaS applications like O365, G Suite, Salesforce as well as Zoom.

The solution enables our customers to monitor the posture of their users and applications that have access to critical data in the SaaS environment, helping bridge the gap between on-prem as well as SaaS assets, again, through a single platform. We're also excited that we are expanding Qualys VMDR, vulnerability management, detection and response to enterprise mobile devices with the addition, cloud agent support for Android and iOS devices.

As part of their digital transformation, organizations continue to leverage more and more handheld mobile devices to conduct business with access to critical data from these devices. This expansion allows our customers to track vulnerabilities and list configurations on these devices and take appropriate response actions. This builds on top of our product accomplishments from earlier of 2020. Key among them are shipping of Qualys multivector EDR, which leverages the Qualys cloud platform and Qualys Cloud Agent to detect ongoing threats on endpoints, conduct threat hunting and take appropriate response actions.

It further correlates threats with vulnerabilities, providing unique capabilities for proactive mitigation from additional breaches. We also released a comprehensive inventory sync with ServiceNow, Service Graph and configuration management database, CMDB as part of the new Service Graph Connector Program, a new designation within their Technology Partner Program.

With the strategic launch of VMDR early last year, which is a unique all-in-one cloud-based application that automates the entire vulnerability management life cycle across on-premise, endpoints and cloud environment, bringing vulnerability management, threat prioritization and patching into a single end-to-end workflow with single agent. Looking ahead, we are enthused with the additional solutions that we plan to introduce in 2021.

The XDR platform expansion, which seamlessly integrates and correlates data natively collected from all Qualys sensors with additional context from other third-party data sources. This powerful capability will let customers detect threats beyond endpoints. Qualys XDR will also orchestrate the various response actions and help our customers reduce cost and complexity of deploying and managing SIM and source solutions. There -- this capability is currently in private beta with a select design partner customers who have been working with us.

We also plan to expand support for patch management for Linux environments, so customers with cloud agents on these environments can also add Qualys patch management to these additional devices. We will continue adding additional capabilities to our multivector EDR, such as endpoint protection capability, ETP, as well as expanding EDR support into Linux environments. We are working on a major update to our passive scanning technology that will significantly expand our coverage of industrial control systems, operational technology environments as well as detection of IoT devices.

We showcased these solutions at our very well attended QSC user conference, which was a 12-day virtual event held in November 2020. Over 5,000 people across our customer base, partners, prospects, analysts and investors and the media attended the event, and we received very positive feedback. The development of these native solutions at such a rapid pace is possible because of the massive investment we've made in our cloud platform and our strong engineering talent base with over 900 employees now in Pune, India.

These new initiatives open significant incremental market opportunity for us. They also allow our customers to easily and cost effectively consolidate their stack of traditional enterprise security and compliance solutions, while providing them with a single pane of glass view of all assets across on-prem, endpoint, cloud, SaaS and mobile environment. In terms of go-to-market, we are expanding our relationships with existing partners.

Our comprehensive platform with detection and response is becoming increasingly strategic for MSSP partners as they can now provide multiple services and easy upsells to their customers instead of focusing large amount of resources on building such a scalable platform themselves having to integrate multiple other point solutions. Given the increased breadth of our product suite and the launch of VMDR and multivector EDR, we have now embarked on a few additional go-to-market initiatives that leverage the efficiency and effectiveness of our cloud platform.

This is a key element of our profitable growth, driving value for our customers and shareholders. Our go-to-market activities in 2020 through leveraging our cloud platform for new generation with free services. As an example, we launched our free remote endpoint protection solution to help enterprises secure remote workforces by providing instant security assessment visibility and remote patching when it was difficult for them to do this using enterprise solutions over BBM.

We expanded our reach into China by establishing a private cloud platform with a partnership with digital China, the largest value-added provider of integrated IT products, solutions and support for enterprises in China. We launched the Qualys UAE cloud platform in Dubai, which further expands Qualys' operations across these continents in that region.

We extended our partnerships with Deloitte Advisory where Deloitte Advisory partnered with Qualys to integrate VMDR and our multivector EDR offering into Deloitte Hong Kong's Cyber's managed vulnerability services. Armor, a global MSSP, embedded Qualys VMDR into Armor Anywhere, an industry-leading cloud security platform. Our partnership with Armor also includes Qualys CloudView solution for compliance and security portion management of public cloud environments.

We released cloud -- we announced cloud agents general availability on Google Cloud, providing customers with a one-click workload security visibility directly in Google Cloud. Additionally, we natively integrated our container security solution with Google Cloud Artifact Registry. We expanded vulnerability management integration with Microsoft to also include Microsoft Azure Arc to allow customers to perform vulnerability scanning on servers outside of Azure platform.

We partner with Infosys, a global leader in next-generation digital services and consulting to integrate Qualys VMDR and multi-vector EDR into its Cyber Next platform, a managed security service offering. While looking forward to 2021, we plan to meaningfully expand our sales and marketing efforts, given our increased number of solutions including our game-changing VMDR and multivector EDR as well as upcoming XDR offerings. Similar to our efforts on the cloud platform, we are building a marketing platform.

We have recently hired a CMO and are expanding our marketing awareness initiatives for the C levels as well as our lead generation capabilities, leveraging our platform and increasing virtual events. On the sales front, we are expanding our quota-carrying sales headcount or technical account managers, as we call them, and have recruited an EVP of field operations for Americas, a VP of New Business for the U.S. VP of Strategic Alliances for system integrators and VP and GM for our SME/SMB business. In addition, we are also planning to hire a CRO, a Chief Revenue Officer this year.

We will also continue to invest in R&D and operations as well as other support functions as we continue to scale the organization in anticipation of future growth. We believe these investments will set us up well for long-term and profitable growth. We believe the world after COVID-19 is going to be different. Companies are going to be more focused on reducing costs while increasing business flexibility, which is going to significantly accelerate the transition to cloud-based solutions.

Increasing adoption of our cloud agent and our passive scanning technology, combined with the breadth of our solutions that span across the entire hybrid environment enables us to offer customers greater visibility, accuracy and scalability. This positions Qualys well to enable customers to consolidate their security, IT and compliance stacks with us, providing risk mitigation and threat detection and response on the same platform, while also drastically reducing their overall spend. In conclusion,

Qualys continues to clearly move well beyond vulnerability management and increase its competitive advantage. We are optimistic that the adoption of our newer solutions, including patch management, multivector EDR, container security and upcoming XDR, which solve meaningful problems for our customers. Will provide us the opportunity to increase bookings growth over the long term. In summary, we believe that we are now well positioned to expand our revenues with existing customers as well as continuing to expand our customer base for the years to come.

With that, I will turn the call over to Joo Mi to discuss our fourth quarter financial results and the full year fiscal 2021 guidance.

Joo Mi Kim -- Chief Financial Officer

Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP and growth rates are based on comparisons to the prior year period, unless stated otherwise. We're delighted with our increasing Cloud Agent subscriptions, which lays the foundation for future revenue growth and industry-leading profitability, Our Q4 financial and operational highlights included. Revenues for the fourth quarter of 2020 grew 12% to $94.8 million.

Looking forward, we expect Q1 2021 calculated current billings growth to be negatively impacted by the timing and amount of prepaid multiyear subscriptions as well as shorter duration invoicing. Our average deal size decreased 3%. Excluding strategic alliance deals, which normalizes for the impact of channel customers coming off of an OEM relationship, deal size increased 2%. Paid co-agent subscriptions increased to 56 million over the last 12 months, up from 50 million for the 12 months ended in Q3 2020.

And 29% of VM customers opt for renewal in the quarter renewed into a VMDR subscription. Excluding Strategic Alliance deal, VMDR's adoption was 35% total through Q3. Our scalable platform model continues to drive superior margins and generate significant cash flow. Adjusted EBITDA for the fourth quarter of 2020 was $43.4 million, representing a 46% margin versus 44%. Q4 EPS grew 13% and our free cash flow for the fourth quarter of 2020 increased 27% to $31.9 million, representing a 34% margin.

In Q4, we continue to invest the cash we generated from operations back into Qualys, including $6.9 million in capital expenditures for operations including principal payments under capital lease obligations; and $34.8 million to repurchase 352,000 of our outstanding shares. Looking back on the year, we are proud to have continued our product leadership while meaningfully growing earnings and cash flow for our shareholders.

In 2020, we released several new products, features and enhancements. Cloud Agent adoption grew over 80% from 31 million Cloud Agent subscriptions to 56 million. We grew EBITDA by 23% and achieved record EBITDA margin of 47%. We utilized $126.7 million of our cash to repurchase approximately 1.3 million of our outstanding shares. And finally, we grew EPS by 25%. We remain confident in our business model driven by our foundation of nearly 100% recurring revenue and an expanding suite of applications.

Looking to 2021, we are excited about the revenue growth opportunity from our newer solution, including VMDR, patch management and multivector EDR. We expect full year revenue in 2021 to be in the range of $399 million to $402 million, which represents a growth rate of 10% to 11%. In terms of 2021 profitability, we expect to maintain industry-leading margins, leveraging our highly profitable operational model while preserving the ability to further invest to drive future revenue growth.

We expect full year non-GAAP EPS in 2021 to be in the range of $2.60 to $2.65. For Q1, we expect revenue to be in the range of $94.8 million to $95.4 million, which represents a growth rate of 10% to 11%. And we expect non-GAAP EPS in Q1 to be in the range of $0.68 to $0.70. We expect first quarter of 2021 capital expenditures from operations to be in the range of $6 million to $7 million and full year 2021 to be in the range of $30 million to $35 million.

As Sumedh mentioned, we are very excited by the robust adoption of VMDR and the launch of our multivector EDR solution and remain optimistic about the company's future. We feel very confident during this period of uncertainty due to the value provided by our cloud platform as well as our underlying highly scalable and profitable operational model.

With that, Sumedh and I are happy to answer any of your questions.

Questions and Answers:

Operator

Thank you. [Operator Instructions] Our first question comes from Daniel Ives with Wedbush. Your line is open.

Daniel Ives -- Wedbush -- Analyst

Seems well with Philippe and some regards. I just -- look, just back to the business. We just talk about -- in terms of this environment that we're seeing across the board in terms of increased cybersecurity spend, larger deals, both enterprise and federal, just talk about where you guys are positioned there. I mean, is that something that you're seeing in terms of giving you increased confidence for the year?

Sumedh S. Thakar -- Interim Chief Executive Officer and Chief Product Officer

Yes. I think what we're seeing right now is that a lot of our customers, especially if you see some of the recent attacks, they are really looking at solutions that are going to help them detect the issues quicker, faster and take response actions so that they can mitigate this because otherwise, with the plethora of point solutions that are out there, it takes a long time for them to be able to find the breaches that are going on or the misconfigurations that lead to these breaches.

And today, we feel that with the platform, which focuses on both aspects of security, which is the risk mitigation as well as the threat detection and response capabilities, we feel like our platform is well-positioned for that. And in our conversations with our customers, and when -- as I mentioned a couple of examples where customers are adding capabilities of patch management to those agents that already have VMDR as an example or looking to add EDRs so that they can consolidate that agent and get to the point of getting the information across these different solutions quickly, they see the value in what we are doing.

And obviously, as they look to ingest the Qualys platform and integrate that into their current environment, this is something that we work with them. Some of it is part of the free services that we offer, so they can see the value of the platform and what it brings to them. So we feel that the customers will be looking at a solution like Qualys essentially to consolidate their solutions, not just from a perspective of spend but also just being able to get to the issues for security quicker and faster rather than spending large amount of dollars on putting together these point solutions through SIM, etc, and then having a lot of analysts having to read through those to find the issues that they have.

Daniel Ives -- Wedbush -- Analyst

Great, thank you.

Operator

Thank you. Our next question comes from Yun Kim of Loop Capital Market. Your line is open. Thank you. Again, sorry to hear about Philippe and hoping for a quick recovery. Joo Mi, quick question on the guide. It looks like based on your Q1 guidance and guidance for the year, you are expecting a somewhat consistent year-over-year growth throughout the year for 10% to 11%? But shouldn't we expect to see VMDR adoption seeing a tailwind on the revenue growth, at least or in the second half of the year? Just trying to better understand if there are other dynamics to revenue growth that we're not thinking about?

Joo Mi Kim -- Chief Financial Officer

Yes. So it's true that with the newer solutions, we're very optimistic about the VMDR, patch management, even multi-vector EDR, which is newer. Well, as for adoption of newer products and when it's going to translate into revenue, it's a bit uncertain, and historically, what we've guided to when setting the annual revenue guidance, really, we look at our current bookings and pipeline to inform our guidance.

And because of that, this is the visibility that we have right now. In Q1, the guidance that we have is basically what we expect to achieve based on the opportunity that we see ahead. And then for the latter half of the second half of the year, it's a little bit too early to tell, but we thought that it was prudent to guide to the 10% to 11% growth for the full year.

Sumedh S. Thakar -- Interim Chief Executive Officer and Chief Product Officer

And if I can add to that, VMDR is definitely something that we see customers really asking for it, and we see that it takes them sometimes based on their environment to deploy VMDR. But once they have that -- and which drives the adoption of the agents.

We are seeing, as I give that example -- in also earlier in the year, we saw some customers are able to move very quickly to add additional services within a couple of weeks. In other cases, customers do take time to integrate that into their security portfolio before they can then move on to additional capabilities that VMDR forms the base for.

Yun Kim -- Loop Capital Market -- Analyst

Okay. Great. And Sumedh, first, congrats on the CEO appointment. Clearly, the VMDR adoption is going well. You have the big XDR launch coming up. At least from the product perspective, you guys have definitely become a full platform provider now. So the next step is your go-to market. And obviously, the sales force ramp.

In your prepared remarks, there's a lot of hiring plans, but can you give us some insight into how aggressive you are planning to add the sales capacity this year? And also, any update regardless of your go-to-market plans in the hyperscale cloud environment, which has you in -- PCP? And is that -- are those channel -- the hyperscale cloud environment, that channel largely driven by new customer adds?

Sumedh S. Thakar -- Interim Chief Executive Officer and Chief Product Officer

Yes. So I think first to address on the sales motion. I think as you saw, we've already started on the hiring, as I mentioned, we hired EVP for field operations in the U.S. and VP for New Business in the U.S., VP and GM for SME/SMB business and then as I mentioned, we will also be hiring a Chief Revenue Officer this year. And there's many other things that we're doing.

So it's not just hiring of the salespeople. Of course, we plan to increase the count of our quota-carrying sales folks. But in addition, we've also really bolstered our marketing platform, having a CMO. We also hired a few Heads of Product -- VP of Product for Cloud and VMDR and a few of these other areas, really to help package better the platform, work with our sales team for better sales enablement.

And so a combination of all of those things is what we are optimistic about, will drive the expansion in the revenue. And I think that's really the strategy there in terms of just how we are going to proceed there in the future. As far as the GCP and the Azure environment goes, I think that's -- a lot of it is about built-in capability. And this is where our platform really quickly allows these customers who are moving into the cloud environment to be able to leverage not just vulnerability management, but patching, in some cases, the cloud environment, hosting critical data, like FedRAMP, they need file integrating monitoring, they need EDR.

So we are well=positioned to provide those once they get the agent. So what we have focused with Google and Azure, and everyone is the back-end integration of getting our agent integrated and you saw talk about those announcements that happened in 2020, that is to get that back-end integrated into their platform. So then the customers who could be in -- and we see a mix, sometimes. It's like new customers who are looking to quickly build a solution, they leverage the building capability. In other cases, existing customers do take a hybrid approach where they leverage Qualys platform for certain capabilities.

They have the built-in integration in Azure so that they can provide their end users quick visibility into what they need to fix, whereas the security team is then able to look at the visibility of the overall security portfolio within the Qualys console. So we feel that as more organizations are moving into more real cloud-native rearchitecture of their solution, I think we provide a pretty robust integration and also the opportunity to add more capabilities quickly because then that agent is seamlessly dropped onto those virtual devices running in those environments.

Yun Kim -- Loop Capital Market -- Analyst

Great, thank you so much for that detailed answer, and congrats on the appointment again, Sumedh.

Sumedh S. Thakar -- Interim Chief Executive Officer and Chief Product Officer

Thank you.

Operator

Thank you. Our next question comes from Matt Hedberg of RBC Capital Markets. Your line is open.

Matt Hedberg -- RBC Capital Markets -- Analyst

Great. Thanks for taking my question, And our thoughts go out to Philippe as well. You guys -- when Sun Burst and SolarWinds hit, you guys had a lot of really helpful press releases out sort of talking about the benefits of the Qualys platform. Obviously, it didn't impact your Q4 revenue. But I'm curious if you could talk about -- has it aided pipeline generation? And I assume you're probably not including it in your guidance, but maybe just talk about if that's helping kind of the go-to-market pipeline initiative?

Sumedh S. Thakar -- Interim Chief Executive Officer and Chief Product Officer

Well, it's a two -- sort of a two-pronged approach, right? One is, obviously, we put out these services just like we did with the free endpoint security solution, we put these services out, first and foremost, to help our existing customers get a handle of their environment, may be able to use modules that they don't have from Qualys right now, haven't purchased, but then be able to use that to mitigate the risk.

So when we did that 60-day free service around Solargate, we -- what's really unique is that not just where we're providing the detection of these vulnerabilities that were part of the FireEye stolen tools, which we, as we published, was like in millions that are out there. We also provided the ability for these customers to leverage the Qualys patch management capability for free to immediately patch those vulnerabilities, right?

So that's the big difference, that it's not just where you're saying, "Hey, you run a scan and you see the findings." Where we focus on is if you already have Qualys agent and you're not using patch management here, we turn it on and within a few hours, you're able to patch these hosts for these vulnerabilities, and you can see the ease of use of that platform.

And while obviously, that generates additional lead and things like that, the goal there really for us is to establish that let's call it, like a proof-of-concept or credibility with our customers, help them see the ease at which that they can leverage the additional capabilities from Qualys once they already have VMDR or they can quickly move to the MDR, and they can grow from there. And once that is established, that -- at the end of the day, that doesn't necessarily mean that the customer is immediately going to purchase that solution.

But what it does is that it creates the foundation for them to understand that they have a solution already in place that they can move quickly whenever there maybe existing solution is coming up for renewal or replacement. And so we look at it more as just creating that opportunity to showcase to them the capabilities of the platform. And as you know, we don't really push our customers to being a subscription service to buy, buy, buy immediately.

We really work with them on their schedule and their comfort but the key there for the free services, which is a key part of our go-to-market, is just being able to have that ability to showcase to them, "Hey, if you already have an agent within a couple of hours, you can see the ADR events for that on these critical systems."

Matt Hedberg -- RBC Capital Markets -- Analyst

That's helpful. And then I just wanted to ask or kind of dig into kind of core VM growth. Obviously, you're seeing a lot of growth. You talked about Cloud Agent subscription growth of 80%. And there's a lot of new products that are launching but I guess my question is, with a 10% to 12% -- or a 10% to 11% guide this year.

I mean, I kind of think of that as kind of like the VM growth rate. Is there something that's suppressing VM a bit? I mean, is it a COVID headwind? Just trying to get a better understanding of how you're thinking about sort of the core growth. Obviously, you've got growth outside of that that's aiding. But just kind of core VM would be helpful.

Sumedh S. Thakar -- Interim Chief Executive Officer and Chief Product Officer

Well, I mean, core VM, really, we changed the game for VM last year, right, with VMDR. And so where VM was really in the past just about can you tell me a list of CVs. It has all been transformed by Qualys VMDR into a single capability, which includes the prioritization and the ability to fix those issues as well. And so our -- and that's why you see the excitement in our customers to move to a vulnerability management solution that does all of those together in a single agent, as an example, right?

And -- but obviously, when they look at that and they want to move to that, it does -- they may have an existing batch management solution, a batch management team that is different from the security team. So there's a process that they go through to work through with these customers and -- sorry, with their teams internally to figure out the right way where maybe they may, in some cases, they may start smaller for patch management in certain areas, in cases we see patch management is driving the VMDR sale as well.

In some cases, the customer takes time to integrate VMDR into their solution. And in last year, we also saw, in some cases, we had a customer that was able to move to Qualys Patching because they already had VMDR for 250,000 assets within two weeks. So it's just different for different customers based on where they are in their journey, their environment. So in some cases, we saw that with COVID, the remote endpoint need for patching drove quicker adoption of patch management. In other cases, teams are taking longer to go through their process of implementing these solutions.

Matt Hedberg -- RBC Capital Markets -- Analyst

Thank you very much.

Operator

Thank you. Our next question comes from Shebly Seyrafi of FBN Securities. Your line is open.

Shebly Seyrafi -- FBN Securities -- Analyst

Yes, so thank you very much. Can you talk about the potential for the company to reaccelerate growth to the mid-teens? I know you're waiting for the new products to ramp. But when they are ramping, whether it's maybe later this year or early next year, do you think the potential is there to grow in the mid-teens?

Sumedh S. Thakar -- Interim Chief Executive Officer and Chief Product Officer

You see, look, we've really been focusing on, as you saw on the platform, right, not just the core VM and VMDR, but also you saw some of the new services that we announced like SaaS and getting into additional environments. So what our focus has been is to get that platform to the level where, as customers are looking to consolidate maybe in a few months, later this year, early next year, whenever that is, that we have all of the capabilities lined up for them to be able to move into the Qualys platform. And so we are hopeful with all of these changes and that additional go-to-market initiative that we have put in place, we are hopeful for an acceleration of growth in the next few years.

Shebly Seyrafi -- FBN Securities -- Analyst

Okay. And also, your percentage of VM customers up for renewal who are renewed with VMDR. I think it didn't really grow that much. It was like 35% adjusted, the same as last quarter. Why do you think it didn't grow? And where do you see that percentage going to by, say, the end of the year?

Sumedh S. Thakar -- Interim Chief Executive Officer and Chief Product Officer

So I think we think that 35% is a good percentage of an adoption for our customers especially when you have customers that are larger. So it really depends in that particular quarter, what is the mix of customers that is up for renewal. So if those customers who have, for whatever reason, are going to take time to -- because as you see with VMDR, it's not just the vulnerability management fee.

It comes with additional capabilities like asset inventory and patch deduction and prioritization. So the customers need to also be able to ingest and that capability into the current security program. And so that may need some resource on their side to line up maybe developers to get API calls, etc. So it just depends on that quarter, what mix of customers comes up and what they are ready to do.

As you know, we don't really push, push, push on them to do it because it is a subscription-based business. But what we do expect, obviously, is that we've already had these people converted. So as the next quarters come around, the convergence will build on top of the existing conversions that we've already done, right? So obviously, we see that to the next few quarters, we will see more and more of our customer base getting converted to VMDR.

Shebly Seyrafi -- FBN Securities -- Analyst

Thank you.

Operator

Thank you. Our next question comes from Erik Suppiger of JMP Securities. Your line is open.

Erik Suppiger -- JMP Securities -- Analyst

Question And again, I send our best wishes for a speedy recovery for Philippe. The hiring, it sounds like you're going to step up hiring in sales, but my impression was that you've been hiring as quickly as you could in sales in the past. What are you going to do to accelerate your hiring efforts there?

Sumedh S. Thakar -- Interim Chief Executive Officer and Chief Product Officer

Yes. So I think we've -- as you saw already in the last couple of quarters with the list of the key hires that we have done. We have already started on that journey to accelerate the hiring on the sales and marketing, right? So we have some key folks hired, not just on the sales side, but also, as I mentioned, on the VPF product side who are going to help the sales enablement as well as bringing in the CMO and bringing in additional headcount on the quota-carrying salespeople.

But part of that, as I mentioned, right, we are also going to be hiring a Chief Revenue Officer who will come in and have a focused approach toward accelerating our revenue and what are the various things that we can do in addition to these hires that we have done to better approach to customers, positioning our platform, positioning our portfolio and having them look at Qualys as an option to their existing security solutions. So that's really the direction that we are going, and we've already started on that journey today.

Erik Suppiger -- JMP Securities -- Analyst

And then how are you looking at operating margin, if you -- in terms of longer-term targets? Are you going to be -- right now, you're in the upper 30s. Where do you think that your longer-term target will fall if you're going to be stepping up some of your investments?

Joo Mi Kim -- Chief Financial Officer

Yes. So I mean, this year, we set a record EBITDA margin of 47%. The way we think about it is we really have the industry-leading margins. And where we're focused right now is better balancing growth with profitability. We don't see a scenario where we wouldn't have the industry-leading margins regardless. So what we've said before was even with an increase in investment, as Sumedh has talked about in sales and marketing, R&D as well as customer support and operations and G&A we think that our EBITDA margin at the end of the day will be above 40% range.

And that with an acceleration in revenue, which will come. In turn following the investment, I think that we will still be -- have a really great profile. And a very optimistic because, especially with the traction that we've been able to make with hiring the sales leadership as well as marketing leadership, we do think that the acceleration will be happening on the hiring front as well because we have the leaders in place.

Erik Suppiger -- JMP Securities -- Analyst

Okay. And you said it will be around 40% or above 40%, did you say?

Sumedh S. Thakar -- Interim Chief Executive Officer and Chief Product Officer

Yes, it will be above 40%.

Erik Suppiger -- JMP Securities -- Analyst

Okay, very good, thank you.

Operator

Thank you. Our next question comes from Sterling Auty of JPMorgan. Your line is open.

Matt -- JPMorgan -- Analyst

This is Matt [Phonetic] on for Sterling. You mentioned a few metrics, excluding a channel partner that turned off your OEM solution. I was wondering if you could elaborate a bit more on that and if there was any impact to the quarter in terms of revenue? And how is that affecting your guidance for the next six weeks?

Joo Mi Kim -- Chief Financial Officer

Yes. It's not a trend. It's actually just normalizing for channel customers who are coming to direct off of an OEM relationship. So for example, under our strategic alliance,deal, we had one partner where it was an OEM relationship. That partner had multiple different customers at the endpoint and they decide to come direct.

And so obviously, that did impact number of like renewal deals up for renewal in Q4. And so normalizing for that noise, it ended up being about 35% of VM customers who were up for renewal, end of quarter renewed into VMDR. And if you take a look at on the dollar impact as well, it's trending nicely. So it wasn't a negative impact at all.

Matt -- JPMorgan -- Analyst

Great. That's very helpful for clearing that up. Just a follow-up question. There's a big jump in long-term deferred this quarter. But just trying to see if you could provide any additional color on that impact? And should we kind of expect a higher level of long-term deferred as an overall part of the mix?

Joo Mi Kim -- Chief Financial Officer

Yes. So it's -- that's really driven by customers. So what we've seen is with VMDR, we've seen that average contract length has been trending up, and that's actually demonstrated by the RPO -- disclosed in our 10-Q and the 10-K. It's been going up, and I think that's a testament to how our customers really see the value in our product.

They're not afraid to sign up for more than a year. And so that really drove the increase long-term deferred. But it's not something that we push on customers, like Sumedh said, it's really up to the customer. And so if they're willing to sign up for more than a year, it's great because they lock it in, it's like lock the price in, it's better for them, and that's reflected in our financials.

Matt -- JPMorgan -- Analyst

Great, thanks guys.

Operator

Thank you. Our next question comes from the Nehal Chokshi of Northland Capital. Your line is open.

Nehal Chokshi -- Northland Capital -- Analyst

Yes, thank you. So I just want to double-click on the 1Q '21 guidance in the context of your short-term billings growth of 12% and 10% for the full year or maybe it was the other way around. Anyhow, it seems like good billings on a short-term billings basis. And excluding the strategic relationship that you talked about, which is not affecting anything at all. In reality, it just seems like -- I want to understand why are you guiding to a deceleration in revenue growth given the robust short-term billings that you saw in the most recent quarter?

Joo Mi Kim -- Chief Financial Officer

Yes. If the current billings tend to fluctuate -- if you take a look at -- because we're a subscription base so our revenue gets amortized over 12 months. So our current selling impact from earlier in 2020 is actually taking place and having an impact in Q1 revenue as well. So for example, our current billings grew by 7% in Q2, kicked up to 8% in Q3. And then Q4 was strong, entered to 12%, but there are puts and takes, right? They're a natural fluctuation.

And if you just take a look at the revenue amortization schedule, it ends up being that based on total revenue, which approximately 85% is already booked based on the prior ASV, right? And so this is the visibility that we have right now, ending the quarter or estimating the quarter will end at about 10%. And then the other factor that I want to highlight is, typically, Q1 is lighter just because in the number of days that gets impacted. So this quarter, especially on -- in terms of the year-over-year, we are losing a day. And then the quarter-over-quarter, we are losing two days. And so that actually impacts the revenue guidance as well.

Nehal Chokshi -- Northland Capital -- Analyst

I see. That's helpful. And then slide 15, is the recurring slide that you guys have, but the data from there does look good. It does attest to increasing spend due to the platform approach. Is it possible that you're seeing elevated customer churn in the SME segment that, that particular slide does not necessary capture?

Joo Mi Kim -- Chief Financial Officer

In terms of our retention, and that's -- honestly, we've done this -- we've seen very strong retention on strong growth. I think that what's really been impacted from COVID is new and potentially upsell. But in terms of our retention rate, nothing significant has changed and we haven't seen a downward trend in both enterprise or SME/SMB.

Nehal Chokshi -- Northland Capital -- Analyst

Okay, thank you.

Operator

Thank you. Our next question comes from the line of Hamza Fodderwala of Morgan Stanley. Your line is open.

Hamza Fodderwala -- Morgan Stanley -- Analyst

Thank you for taking my question. And I'd also like to extend my best wishes to Philippe on a speedy recovery. Sumedh, my first question for you, kind of a follow-up to the SolarWinds question. I want to drill into it asset discovery specifically, right? Because that's one area I think we heard a lot about coming out of the supply chain attacks, really trying to figure out kind of what assets are exposed.

Can you talk a little bit about the prioritization of that service specifically? I know you're not going to see anything in your pipeline right away. The attack was -- just happened in December. But I'm wondering if -- in terms of your customer conversations and when you speak to customers from SolarWinds, is that something that comes up a lot.

Sumedh S. Thakar -- Interim Chief Executive Officer and Chief Product Officer

Yes, absolutely. This is something that we're hearing a lot from our customers because if you look at a little bit of the mechanics of the attack, I mean, that was the supply chain where the software came in, Trojan horse software, but then there was also lateral movement within the environment, there was lateral movement into the SaaS environment. So there was elements of O365 accounts.

That went back and forth between the email and the O365 environment as well as the EV that was in-house. And so the first thing that everybody really stumbled on is to say, what do I have in my environment, right? Where do I have this trojanized software, even before I get into knowing whether I have vulnerabilities or issues or not. And that's where that asset inventory and the ability for us to give them one of the most accurate views of their inventory within that entire environment. That includes assets that are managed and unmanaged.

So with the combination of our agents and passive scanner, really that conversation is coming up more and more. And also leading into conversation about what am I running? Where's -- is there end-of-life software that I'm running? What do I need to do about that? What -- where I find end-of-life software are trojanized version, what assets is that particular asset speaking to in the environment? So that's where that combination.

And this was the point I was trying to make earlier is that your first approach is going to be, what I need to find, and I need to find if there is an impact, right? That's where your threat detection and response, which is your EDR, XDR solutions are going to come into play. Then, I need to make sure that I'm taking all of the remediation actions to be able to make sure that I'm mitigating my risk by identifying other devices in the environment that may not be properly configured, that can be leveraged for lateral movement, etc.

And if you tie in our SaaS release that we just did, which gives you the configuration of your O365, Zoom, Salesforce, etc. So now you add this other element that also makes sure that as customers move into hybrid environment, they're able to see a much more holistic picture the platform, the -- definitely, the starting point for all of that is that global asset inventory and the fact that it is bundled as part of the platform and that they don't have to go and get another solution to deploy for finding their inventory is definitely helpful, and that's what we hear from our customers.

Hamza Fodderwala -- Morgan Stanley -- Analyst

Got it. And then just maybe a follow-up on go to market. You announced a number of skilled leadership appointments right, you're looking for a CRO currently. I'm wondering who was the de facto Head of Sales before? I mean, was it Philippe? And also, do you think that this is a function of maybe -- of adding capacity? Or do you think that there has to be sort of more changes in the sales organization structure?

Sumedh S. Thakar -- Interim Chief Executive Officer and Chief Product Officer

Yes. I mean, Philippe was a de facto Head for Sales. However, I was very involved working with Philippe on -- with the field as well. And I think it's a combination, as we mentioned, right? So there's our model. We are very strong believers in our model of the hunters and the farmers. We're not changing that to go and push more and more where customers don't need products.

However, bringing a CRO, bringing that leadership is going to help us find additional ways to focus on where we can approach customers, which customers can be tracked for targeting for ourselves, etc. So while there -- obviously there will be some changes in the way that the new CRO or the new leadership that is coming in is looking to find, as an example, ways to have more of a connect with C-level executives, right?

So that we can evangelize the power of the overall platform rather than just the vulnerability management approach that we have taken. So I think there will be, obviously, newer ideals that we will be looking at and looking to implement. But fundamentally, the what we have been working on, we do believe in that base and the power of that model.

Hamza Fodderwala -- Morgan Stanley -- Analyst

Thank you very much.

Operator

Thank you. [Operator Instructions] Our next question comes from Brian Essex of Goldman Sachs. Your line is open.

Brian Essex -- Goldman Sachs -- Analyst

Good afternoon and thank you for taking the question. And would like to extend my thoughts for a speedy recovery for Philippe as well. Hope all is well with him. Maybe Joo Mi, I know that in the past, you've talked about some hesitation about investing in sales and marketing and bringing on new reps in a period of economic volatility.

Maybe could you talk a little bit about what you're seeing and maybe Sumedh, chime in as well on -- in terms of what you're seeing? I guess that's different now, that gives you a little bit more confidence that you can onboard reps and headcount, the sales and marketing organization where they could ramp efficiently and they might be productive and they'll hit expectations?

Joo Mi Kim -- Chief Financial Officer

I think -- and Joo Mi will obviously answer that part. But what I see right now is that a big part of this is more and more of our newer services are -- have matured and are coming to fruition, and our customers are adopting them and seeing that interest and the speed of adoption in the cases where they have VMDR already.

So that obviously drives our thought process on -- we feel that the if you look at file integrity monitoring, container security, patch management, some of these things are really starting to show very good tracking with our customers and the upsell to them. So I think that is also part of when we look at bringing additional leadership headcount is -- how -- where are we and how ready our customers as well.

Brian Essex -- Goldman Sachs -- Analyst

Got it. And maybe for Joo Mi, so helpful. Joo Mi, if we think about the level of margin contraction we'll see this year as you invest in sales and marketing and R&D. What is -- how should we think about the level of balance to growth and margin expansion going forward? In other words, is there a framework that you're looking at in terms -- with respect to being able to deliver margin expansion after a year of -- or maybe, call it, recovery and we might see better growth in 2022?

Joo Mi Kim -- Chief Financial Officer

Yes. The way we think about it is it's not something that we -- is new to us, right? We've done it before because if you take a look at the company history, like, for example, in our Investor Day, we show the CAGR from 2017. Back in 2017, our current billings grew by 21%, right? And at that point in time, our EBITDA margin was 37%. If you take a look at the EBITDA margin now, we're at 47%.

And so you could argue that we could definitely do a better job in balancing growth with profitability, we should definitely invest more. And that margin expansion was really driven by the sales and marketing underspend relative to that point back in 2017. So in 2017, the sales and marketing as a percentage of revenue was 26%. That is now down to 17%.

And with that said, given our scalable business model and our infrastructure and how we grow, we don't think that we have to go up as high, and that's why we think that our EBITDA margin will be above 40%. But we understand that a month or two before, if we invest more in sales and marketing, that will return and translate into a billings growth and then eventually revenue.

Brian Essex -- Goldman Sachs -- Analyst

Got it, that's helpful. Thank you very much.

Operator

Thank you. I'm showing no further questions at this time. I'd like to turn the call back over to Sumedh Thakar for any closing remarks.

Sumedh S. Thakar -- Interim Chief Executive Officer and Chief Product Officer

Well, thank you, everyone, for attending our earnings call and for all the questions, and we hope that you are safe. We really feel very fortunate to be well-positioned with our cloud platform in an environment where there still are a lot of point solutions that are focusing only on one aspect of security, whether it's just EDR or just vulnerability management.

Today, we have really worked hard to build a platform that is providing multiple different capabilities now including SaaSDR and that -- with VMDR, with multivector EDR forthcoming XDR solution, we continue to invest in expanding the capabilities of our platform and aggressively developing new solutions. Additionally, we are also focused on growing our revenues and maintaining our industry-leading profitability while creating long-term value for our shareholders. I hope all of you remain safe and healthy. Thank you very much.

Operator

[Operator Closing Remarks]

Duration: 61 minutes

Call participants:

Vinayak Rao -- Vice President, Corporate Development and Investor Relations

Sumedh S. Thakar -- Interim Chief Executive Officer and Chief Product Officer

Joo Mi Kim -- Chief Financial Officer

Daniel Ives -- Wedbush -- Analyst

Yun Kim -- Loop Capital Market -- Analyst

Matt Hedberg -- RBC Capital Markets -- Analyst

Shebly Seyrafi -- FBN Securities -- Analyst

Erik Suppiger -- JMP Securities -- Analyst

Matt -- JPMorgan -- Analyst

Nehal Chokshi -- Northland Capital -- Analyst

Hamza Fodderwala -- Morgan Stanley -- Analyst

Brian Essex -- Goldman Sachs -- Analyst

More QLYS analysis

All earnings call transcripts