Good day, and thank you for standing by. Welcome to the Qualys Third Quarter 2025 Investor Call. [Operator Instructions] Please be advised that today's conference is being recorded. I would now like to hand the conference over to your first speaker today, Blair King. Please go ahead.

Thank you, Briana, and good afternoon, and welcome to Qualys' Third Quarter 2025 Earnings Call. Joining me today to discuss our results are Sumedh Thakar, our President and CEO; and Joo Mi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements and factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events. During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. And as a reminder, the press release, prepared remarks and investor presentation are all available on the Investor Relations section of our website. So with that, I'd like to now turn the call over to Sumedh.

Thanks, Blair, and welcome to our third quarter earnings call. With threat actors continuing to reduce time to exploit at a fast pace, I believe the future of cybersecurity is moving from attack surface management to risk surface management using Agentic AI-powered proactive risk management with business quantification and automated remediation. Against this backdrop, we continue to execute well in Q3 demonstrated by another quarter of solid revenue growth and profitability. Over the last couple of years, I've had the privilege of meeting with hundreds of CISOs, CIOs and security leaders worldwide. From these conversations, one theme has stood out, the need to operationalize cyber risk management in business terms to align budget spend with business risk. CISOs are looking for a practical approach to consolidate tools where possible and empower their teams to use best-of-breed where it makes sense. They want to seamlessly unify their security tool set into a centralized risk fabric that provides an alternative to single vendor platformization by operationalizing the management of multiple risk vectors to effectively measure, communicate and ultimately remediate the organization's risk posture. The Risk Operations Center, ROC, powered by Qualys ETM delivers on this ask. At our recently concluded ROCon, Risk Operations Conference in Houston, where we elevated the business risk conversation to feature a specialized CFO and Board track, our customers validated this approach. With the broadening of the agenda for ROCon the attendance was up 20% over last year's QSC event. While traditional security operations centers focused on detecting breaches after they happen, Qualys is pioneering the first Agentic AI Risk Operations Center, ROC, a new category in cybersecurity designed to centralize an organization's response to threats before they impact the business. Powered by our ETM solution, the ROC processes several petabytes of high-fidelity data every day, normalizes and…

Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that except for revenue, all financial figures are non-GAAP and growth rates are based on comparisons to the prior year period, unless stated otherwise. Turning to third quarter results. Revenues grew 10% to $169.9 million. The channel continued to increase its contribution, making up 50% of total revenues compared to 47% a year ago. Revenues from channel partners grew 17%, outpacing direct, which grew 5%. As a result of our strategic emphasis on leveraging our partner ecosystem to drive growth, we expect this trend to continue. By geo, 15% growth outside the U.S. was ahead of our domestic business, which grew 7%. U.S. and international revenue mix was 56% and 44%, respectively. In Q3, gross retention continued to improve. However, upsells remain challenging with our net dollar expansion rate of 104%, unchanged from last quarter. In terms of product contribution to bookings, Patch Management and Cybersecurity Asset Management combined made up 17% of total bookings and 28% of new bookings on an LTM basis. Our cloud security solutions, TotalCloud CNAPP made up 5% of LTM bookings. Reflecting our scalable and sustainable business model, adjusted EBITDA for the third quarter of 2025 was $82.6 million, representing a 49% margin compared to a 45% margin a year ago. Operating expenses in Q3 increased by 5% to $64.9 million, driven by investments in sales and marketing, which grew 9%. As we remain focused on driving growth, we are mindful of where to further increase investments while optimizing returns and others, which resulted in EBITDA margin exceeding our expectations in Q3. This demonstrates our ability to maintain high operating leverage, remain capital efficient while continuing to innovate and invest to support our long-term growth initiatives. With this strong performance, EPS for the…

[Operator Instructions] Our first question comes from Roger Boyd of UBS.

Awesome. Congrats on a nice quarter. Sumedh, can you just double-click on some of the pricing you mentioned around ETM earlier. I just wanted to be clear on that 100% upsell metric. Is that inclusive of what you have with cybersecurity asset management and patch? And just now with the kind of packaging sort of figured out on that product, just your confidence in kind of the ability to start driving better upsell moving forward.

Yes, that's a great question. So from the way the pricing we're looking at it is the ETM pricing is going to include Cybersecurity Asset Management because as we talk to our customers, for building any Risk Operations Center, the foundation is asset inventory and without that, you cannot succeed. And so that was a big feedback that came about. So that's included. What we have added also is the Agentic AI capabilities for them to be able to augment their security team with AI agents so that they can really manage outcomes for cybersecurity within their spend and optimize because everybody has been asked about how they're optimizing their spend even in cyber. And the ability to have very focused threat intel that will allow them to validate exploits, so that's included. The upsell that we look forward to is then once they have used ETM to be able to get the inventory to be able to confirm that the exploit can work in their environment. Then they purchase TruRisk Eliminate, which includes patch as an example and mitigation so that they can get that particular thing actually remediated. Because at the end of the day, we can create all kinds of visibility, but given that attackers are exploiting vulnerabilities, if you saw the recent Mandiant report in minus 1 day on an average, which is even before patches are coming out, the key is going to be about being able to remediate things and mitigate things even if you don't have a patch available. So the pricing, to answer your question is 100% -- up to 100% is what we see with the addition of VMDR ability to bring in CSAM, Agentic AI, as well as ability to confirm exploitation. And then from there, the upsell will be they will -- they can upsell to eliminate so that they -- it allows them to do more in terms of actually getting an outcome.

Our next question is from Patrick Colville of Scotiabank.

I guess I want to ask 2 parts. One is on the Fed. I know the Fed is like a more nascent notion for Qualys, but what are you guys seeing in the Fed's, especially kind of in the first couple of weeks of 4Q given the shutdown. And then -- and the other question I'd like to ask is about the competitive environment. And the reason I ask this one is the one we get most from investors. And it's like is the competitive environment changing for Qualys, given noise from vendors like CrowdStrike and others who are claiming to be entering the space and winning share. So are you coming up against different companies now versus a year ago? And results speak for themselves, win rates seem high, but can you talk to that as well?

Yes, that's a 2-part question. So let me stay focused to answer both of them. So first one is on the federal side, as you already know, we are at our very, very early innings, and we made the investment and the commitment to get FedRAMP high, which has really created very, very powerful conversations. I mean I have the pleasure of actually being out in D.C. and having some very critical meetings there to start to have the conversation around Risk Operations Center, how it can help the government and essentially bring efficiency. And so you kind of have the dose, which is, of course, that is driving people to think more of efficiency in terms of how they can consolidate different things, and that's where the Risk Operations Center as a way to eliminate, fixing things that don't really matter to the risk has really resonated well with our federal customers. Today, it's not just the spend of the tool. It is the amount of spend you put in remediating things that the tool is telling you, which is a waste of time and money if those things are not even exploitable. So for us, what we are seeing is -- it's a very exciting early conversations. We see lots of opportunities over the next few years. Of course, when you have the current scrutiny that is going on, sometimes people are taking a bit of a wait-and-watch opportunity. In other cases, we're actually seeing opportunities coming to us because of the focus on being able to be efficient in terms of the Risk Operations Center. So it's a mixed bag. But overall, from what we see right now is we don't have as much exposure revenue to that part. We do see that this is an area…

Our next question is from Mike Cikos of Needham.

I just wanted to double check and congrats on the quarter here. Was there any onetime benefits to revenue or CCP that we need to take into account on our side? And then secondly, as a follow-up, Joo Mi, great to see the results. Net dollar retention obviously remains here at [ 104 ] what needs to happen for that net dollar retention to actually start picking up from where we are today?

Yes. With respect to CCP, nothing specific to call out, it was a solid quarter. As usual, you do get some benefit or negative impacts from out-of-cycle renewals, but nothing material that we think that's specific to this quarter. So it was really a solid growth quarter from an execution standpoint. Net dollar expansion rate, we'd love to get that up from [ 104 ] and upward, and this is part of the reason why Sumedh had commented on the fact that we've been really focused on making sure that we're delivering the message in terms of how ETM could be beneficial to our existing customers as well as new prospects. And so as we look to the cohort of customers that are up for renewal in each respective quarter, we're making sure that they understand the value that they could potentially see from whether they're looking to upsell from CSAM to ETM or cross-selling with adding ETM to their existing VMDR solution, and we think that, that could be a meaningful impact during the dollar expansion rate.

Our next question is from Kingsley Crane of Canaccord Genuity.

Congrats on a really great quarter. If we think about Agentic AI within the risk operations center, TotalAI within VM and then the CNAPP suite, they all require significant development resources to how are you prioritizing R&D spend across those initiatives? And just what metrics do you use to evaluate resource allocation?

Yes, that's a great question. And I think it's really the focus for us on investment in R&D and sales and marketing right? And at the beginning of the year we started with the plan to hire a CRO from a sales perspective and put focus on hiring more engineers, et cetera, to be able to deliver on all the capabilities that we're talking about. And I think as we have -- I'm pretty happy with our focused execution with the level of investments that we have made and the way Shawn, who is our VP of Global Sales, has executed with the team to give us a solid quarter. And so the focus for us now is to really, from a sales and marketing perspective to focus on working with Shawn and team. So that we can get efficiencies from what we are seeing cross-functional between our sales team, our product management team, et cetera. And then on the R&D side, we have had really good success with leveraging AI internally within our own development efforts. And as an example, we pretty much stopped hiring anybody in QA anymore. We are seeing 20% to 25% efficiency gain with our best engineers. And ironically, it's actually the best engineers who are getting the most benefit of using AI. And so in a way, with all the things that we are doing with adding AI into the Risk Operations Center, AI is benefiting us in adding those without a significant increase in our R&D expense. And so I think at this point, the way we are looking at it is we're going to continue to leverage AI. And of course, we're going to invest back in our business. But no need really at this point for us to look at having CRO and the team is executing well focused with what our goals are. And then on the R&D side, again, we, of course, are -- if you see the innovations that are coming out, is a pretty rapid pace, we will, of course, continue to invest in R&D, but it's all going to be looked at from the lens of what kind of investment we will make in terms of people versus AI tools and how those tools are going to give us the required efficiency or I would say, unexpected efficiency in some cases. And so we're excited about what we're going to be able to do from both adding the Risk Operations Center, Agentic AI capabilities while internally also using Agentic AI across the board, not just in R&D, but also in sales and other areas as well.

And just to add to that, we are extremely focused on making sure that we have the right team structured in the focus areas from a product development standpoint. We have different teams working on, whether it be a total AI or ETM. And because of that, we are continuing to increase the hiring, the R&D, the engineers. It's just that the geographic mix of incremental hires has shifted more to be in India, which has helped from an R&D expense standpoint, but we are making sure that we're working across it different orgs or different functional areas within the engineering team to make sure that we're prioritizing in the right manner.

Our next question is from Shrenik Kothari of Baird.

Echoing my congrats to the team. Sumedh, the TruConfirm announcement definitely sounds like a step function moving from, as we said, the risk scoring to automated exploit validation and at scale. Just curious like -- do you envision this also becoming sort of a pillar like ETM as monetizing it standalone? Or do you think of it as becoming an on-ramp to move customers into broader ETM. And then just with the with the POCs converting and all the large enterprise consolidations you talked about, like how should we think about the ETM trajectory ahead? And then I have a quick follow-up for Joo Mi.

That's a great question. And look, I mean I think I would say that at the end of the day for risk management, you only manage your risk if you have eliminated the right risk, right? Just building dashboards and as I said, dashboard tourism is not helping with just visibility. And so at the end of the day, for that to happen, you need to have 3 things. You need to be able to collect data from multiple sources so you can get a broader picture of the view and your you're applying threat intelligence and you're seeing some of the traditional CTEM, which has been around for many years. Some of the CTEM solutions are just giving you, we consolidate the data and here it is. And so they are giving you a theoretical view of what might be exploitable in the environment. But with TruConfirm included as part of ETM, we are going a step further relative to the CTEM visibility-only platforms, giving them the ability to actually confirm and that's included as part of ETM. It is not an additional upsell, but that helps us differentiate from the CTEM only solutions, gives them the ability to confirm in that environment that the exploit actually works. And then the upsell from there is really and that's kind of how we look at the beachhead for converting our customers from the MDR to ETM is that, that conversion then will allow us to upsell them to the actual eliminate capability. Because again, like I said, if attackers are looking -- are starting to exploit vulnerabilities even before patches are being made available, it is really about speed. And so you need to be able to quickly detect the vulnerability, you need to be able to then confirm that it is exploitable in your environment rapidly. And then the next logical step has to be a automated AI-driven fix. So that you can get it fixed before the attackers get there. And if we -- and that's really where the Risk Operations Center is not just a CTEM solution, it really is more than a CTEM solution, which is just giving you dashboards.

Got it. Super helpful. And Joo Mi, very quickly, Sumedh mentioned about the AI driver for automated remediation and orchestration scale into model mROC partner delivery again also reducing the heavy lifting internally. So just curious, as partners increasingly monetize these services, how should we think about incremental leverage and how we're thinking about that.

Yes. I think that mROC will really help us to grow the top line because how we see the new product and value proposition in terms of the customers being able to really see how ETM could help them from a risk management standpoint, they will need assistance from the partner to really make sure that they are implementing the tool they're utilizing in the appropriate way and they're maximizing the ROI from their respective like customization that's required from the organizational standpoint. So with working hand-in-hand with the partner to help us accelerate the top line growth for us, we think that we will get some leverage from a margin perspective, but really the unit economics, we don't really see a material shift there. I think we're already seeing some kind of benefit as we continue to shift more of our business to the partner side and then layering on top that mROC, professional services or additional implementation help that customers might see will help to accelerate that revenue growth and the ETM penetration.

And Shrenik, just to kind of add to what Joo Mi said, I called that out as an example in our earnings calls where an mROC partner, brought this new logo opportunity to Qualys in the Middle East, one of the largest airlines because they were excited about, not because of just a margin here or there, they were excited about the ability to provide high-value risk management services to their customer. If they brought that customer to Qualys versus just selling them some other VM scanner that would just give them more findings and they would have to do a lot of work to provide value on top of that. So that strategy around mROC partners are bringing not just ETM, but they're also bringing us other customers, other deals with the understanding that these engagements with Qualys will lead to services revenue for these companies.

Our next question is from Junaid Siddiqui of Truist Securities.

Great. As you pivot more into a platform play, are you seeing any changes in sales cycles from customers?

I mean, I think nothing notable to call out for. I think on the -- there's good and bad, right, at times for us to be able to show the value of the platform by ingesting data from tools that they already have. Can be a win instead of saying, you need to do a deployment of our agents and scanners everywhere to see the value that Qualys brings and then the pricing kind of allows them to think about maybe eliminating their existing solution over a period of time. And so I think today, I think so far, we are in the early days, but we're seeing, especially with the ROCon Conference that we had and the partner advisory -- I mean -- sorry, the product advisory board where we had a lot of the top banks out there. I think the feedback is a lot of excitement around the Risk Operations Center as a focus area rather than just kind of trying to do a like-to-like scanner to scanner replacement and the time and effort it takes. This is something that they feel like it's something that they can justify in terms of moving quickly now, of course, it is something that is new. Everybody is looking at it this year. So it is allowing them to figure out how they're going to budget. Some people have the budget now, some people are looking at it to budget for next year's purchases. And so -- but overall, the conversation has been pretty positive. And I think the goal for us is to not only existing customers not only bring the Qualys findings into ETM, but that value they get out of that is going to encourage them to bring a lot of other findings and other assets that are not currently in Qualys. And so we are seeing that with some of the early adopter customers. They started with bringing Qualys VMDR findings into ETM, but then quickly pivoted after seeing the value to bringing sometimes twice as many assets into Qualys as they had before from other tools, increasing the license count for ETM. So that's kind of how we're looking at it as we progress is that it's going to help us be much quicker in POCs and we don't have to walk away if a customer already has a competing VM scanner. We can actually just ingest the data, show them the value -- show them the business value and then grow from there rather than doing prolonged POCs that involve deployment of agents and scanners, which ultimately they see the value in that, but it is sometimes -- just takes a longer cycle. So I think net-net, I think will -- it's early days. We'll see how it develops. But so far in the initial engagements we have had, it's been pretty exciting and fairly quick moving.

Our next question is from Joshua Tilton of Wolfe Research.

Congrats on a great quarter. I've been bouncing around a few calls, so I'm actually going to ask a pretty high-level question. And my question is, we have the privilege of covering 3 publicly traded vulnerability management vendors, and you guys are all kind of growing at different rates. And I guess my question to you is, are the deltas in your growth rate a function of things changing within the VM market and therefore, some of you are growing faster, taking share, growing slower within VM, or the delta in the growth rates because some of you have taken these broader platform plays and you have these non-VM products better separating the growth between these 3 players? And if it's the latter, I guess, can you just help us understand which of the product -- the non-VM products for you are really driving the separation and growth that we're seeing at Qualys versus some of the other players?

I would just say that some of us have just have an awesome organic platform. That's why we are growing at a different pace. But having said that, look, I think, we've talked about this for a few years, VM has been changing and people are less focused on just scanning and more focused on prioritization remediation, and that's why we pivoted towards, if you recall, Patch Management a few years ago and we got GigaOM giving us that #1 spot in their analysis for Qualys, which was a great achievement for us just within 4 years, getting to #1 of our established players. We're also pivoting more with ETM towards the ability to not just -- not only collect data from multiple tools as well as our own tools, but also ability to prioritize with threat intel. We have award-winning threat intelligence, and we talked about that. And then the ability for us to actually confirm the vulnerabilities exploitable by exploiting it and then getting it fixed. And so what we are seeing, and we have been reporting on how Eliminate and Patch Management has been growing as a percentage of our LTM bookings. And then we've also talked about now that our focus on ETM and how starting at the earnings call for Q1, we're going to focus more on the penetration for ETM in our customer base, which is elevating from VMDR to ability to give them a broader Risk Operations Center and then the upsell from that is going to be the Eliminate capabilities to get things fixed. And so I -- with the engagement that we have with our customers, there is a big focus from customers on business alignment of cybersecurity spend, the ability to look at risk from a business perspective. And what we are doing now in the organically developed platform that we have that integrates so many different things together, I think, is helping customers get a very quick and simplified view of their actual risk and the ability to actually remediate before attackers get there versus competitors have multiple acquisitions with multiple separate tools that don't really work with each other. And they're not able to get that kind of -- in my belief, they're not able to get the kind of response that we are able to give very quickly whenever there is something going on, and that's the feedback that we have been getting from customers.

Sumedh, you had me at organic platform. But maybe just a follow-up for Joo Mi. If I missed it, I apologize, but any way to think about how we should expect billings growth to finish or current billings growth to finish this year?

Yes. I think that Q4 because it was a very strong quarter, a tough compare for last year. We do expect current billings to be a few percentage points below the revenue growth rate ending the year. So maybe if you think about it from the like 2025 full year current billings growth at around 8%.

Our next question is from Jonathan Ho of William Blair.

This is Garrett Burkam on for Jonathan. I was just wondering if you could walk us through how you're thinking about contribution from your new and continued product innovations like including AI and new modules around VMDR and mROC versus just continuing to upsell and cross-sell your existing installed base? And then also, can you just talk about how customer conversations are going with your mROC solution at this point? Just what traction you're getting there?

Sorry, I didn't get the first part of the question again. So you're asking for contribution from...

Yes, like new modules and new customers versus upselling your existing base in your existing modules?

Yes. Look, I think every customer is a different part of the journey. So we don't really break it out by individual modules. I think we have been giving color on the contribution of TotalCloud, which is our cloud native CNAPP solution. We're happy to see the progress it is making in early days, but it was 5% of the bookings for the quarter. And then you also have -- we called out Patch Management and Cybersecurity Asset Management, which has been the focus for us the last couple of years, and we're happy with the penetration there. But we're also now pivoting more towards the Risk Operations Center, ETM solution that we talked about and our goal is going to be just like we did from VM to VMDR a few years ago, really up level our customers from VMDR to ETM solutions. So which we have a very nice existing installed base of vulnerability management customers that we can work on upselling them and cross-selling them to ETM, which by the way, will include Cybersecurity Asset Management already. And then next step above that, we'll be upselling them to Eliminate solution to actually get things fixed. And so conversations have been super positive around Risk Operations Center, as I said in the earnings script, one of the big differentiators for us has been the CRQ and the business focus on risk management rather than just giving technical scores, and that was underscored at our ROCon Conference in Houston where we added a business track, separate business track for cybersecurity, which had sessions with CFOs and Board members and insurance companies. And actually, because of that, we had a 20% increase in attendance because people were really focused on making sense out of from a business perspective. So the…

Our next question is from Joseph Gallo of Jefferies.

This is [ Anec Bevin ] on for Joe Gallo. Really strong quarter. Can you just share some color on where exposure management is in terms of budget prioritization in 2026? And can we expect billings to track in line with your noted 8% for 2025?

I think I'll answer the first part is we're seeing definitely customers are looking to invest in proactive risk management solutions. And as I said, that the Risk Operations Center where exposure management is part of that in business quantification. With the feedback and response that we're getting from customers. This is definitely an area that they are focusing on in all the conversations that we had with this year. I think a lot of customers see the Risk Operations Center and the Security Operations Center, ROC and SOC kind of working closely with each other because there is a lot of fatigue currently on the SOC side because of too many alerts. And the feeling is that if they can focus on better prevention in the first place that can reduce the number of alerts and reduce the fatigue that they see in the SOC and people are looking to balance in the early conversations, while I don't have an exact percentage right now. we will see how it evolves in next year. People do talk about balancing their cybersecurity budgets between proactive risk management versus just reactive after the fact that somebody is in your network, and there's -- a lot of that has happened in the past. And it's ultimately you cannot do away with one or the other. You need both, so that you can proactively reduce risk while having the monitoring needed, if there is a compromise to block that. But there is definitely a focus on customers to prioritize the split between those because again, if they don't prioritize what they are fixing accurately, then they're asking and wasting their IT teams resources and fixing things that don't actually matter while at the end, getting more alerts in their SOC. So from that perspective, we are seeing conversations around the Risk Operations Center and exposure management is one part of that. We are definitely trending where customers are liking this ability to think about how much they spend into proactive risk management in terms of business risk and how much risk they would have, which is what I talked about in my keynote as well as ROCon is moving from a attack surface management to risk surface management. You can spend a lot in covering your attack surface, but the risk of loss was only $50,000 and you spent $500,000 to your attack surface. That's not a great business equation. So that's what we are hearing and we're seeing from our customers in terms of billings, Joo Mi?

No, I think that 8% that we believe that we'll be able to achieve in 2025 for the full year is on track.

Our next question is from Rudy Kessinger of D.A. Davidson.

Just a clarification on that last question, Joo Mi. You said that 8% billings for this year is "on track." Is that to imply that you think you can do 8%-ish again next year? Or can you just clarify that, please?

Yes. So right now, I mean, billing has the tendency to be very lumpy. So for this year, we think that we're going to end the full year at 8%, which implies a lower current billings growth rate for Q4 given the tough compare to 1 year ago. In terms of next year, it's a little bit too early to tell in terms of 2026, what we think that we'll be able to achieve. A lot of it will depend on what we'll be able to close the year at when it comes to the net dollar expansion rate. And we are monitoring very closely in terms of the newer product adoption to give us a better sense and clarity into what we think that we should be anticipating for 2026 growth rate.

Got it. Okay. And then you guys had some pretty decent results in the last few quarters now. Growth has been stable at 10% the last 4 quarters, I believe, on revenue. You've got NRR stable at 104%. What -- I guess, what would you need to see to maybe give you guys confidence in maybe declaring that you can deliver a stable 10% plus growth over the next couple of years?

Well, we're certainly working towards that. I think the key growth vectors we see right now are converting our VM customer base to -- VMDR customer base to ETM is an area of focus, creating upsell with Eliminate on that. We continue to see very -- a lot of interest for our cloud security solution. And I think with a long-term federal opportunity that we are focusing on, we have really good conversations with Risk Operations Center on the federal side as well. I think those are the areas that we continue for sort of short-term, medium-term and long-term growth, which is again underpinned by our focus on mROC partnerships. But we're really laser-focused next year on our VMDR to ETM conversion and the upsells will Eliminate.

Our next question is from Yun Kim of Loop Capital Markets.

Congrats on a solid quarter. Sumedh, on the Enterprise TruRisk Management, ETM, is that primarily a big deal sales motion? Or is it just a combination of a bunch of products that could be purchased and deployed in multiple phases and collectively that could lead to 100% uplift over time. Just want to get a better understanding of that 100% plus uplift commentary.

Yes, I think we feel and with the early response from customers, we feel like we can hold up to, of course, 100% of the VMDR because we're adding them -- we are providing them AI capabilities, Agentic AI capabilities, marketplace built in, where they can essentially bring on an AI agent as part of their team for 4 weeks as they're focusing on an audit or for 3 weeks as they are triaging the ransomware related vulnerabilities. And so CSAM is also included in that. Ability to test exploits is also included in that. And so we feel like that's something that is going to be helpful for customers, primarily it is VMDR, CSAM plus all the new capabilities that I highlighted, or what is focused on that now. We also talked about Q-Flex and I think a lot of this is going to go hand-in-hand as we start seeing scale next year. A lot of these customers who are looking to buy ETM are also going to be interested in our Eliminate platform and also be interested in cloud. And so the Q-Flex is what sort of you talked about is from an ability to provide them a way to try and use different Qualys modules that make sense to them instead of having to go through multiple purchase cycles through the year and we are going to see a combination of the Q-Flex pricing with ETM cross-sells are the focus for us as we get into next year.

Okay. Great. Looking forward to ETM adoption next year, given that it sounds like it's going to have big impact. Just -- Sumedh, you haven't done any acquisition in a while or anything sizable. If you can just give us an update on your view on acquisition strategy. Obviously, you guys are performing very well. The business overall is stable. You got this ETM kicking in starting next year. Obviously, you're very proud of your organically growing platform, but you must see a strategic opportunity to expand your offering to get to that place faster than organically, are you tempted at all given how dynamic the market is evolving?

Look, we are always open to all kinds of different opportunities to look at organic small acquisition, some larger acquisition potential as well. That makes sense. We definitely come more from -- we want to give our customer an organic experience with the platform. Having said that, we have done tuck-in acquisition in the past where if there is a fit with our platform, we're not shy of looking at something larger. But currently, with the way we are executing, focusing -- and one of the things that happens with ETM now is that we are able to increase the asset count that the customer has with Qualys by actually bringing data from other tools and may not necessarily need them to essentially buy that particular capability from Qualys, as an example, right? Like now with ISPM identity solution, as an example, that we have as part of ETM, we can pull an identity from Okta and AD and others, and we don't necessarily have the customer to us -- to maybe acquire an AD security company. We can work with companies out there while that increases the asset count in Qualys. And so these dynamics keep changing, and we see efficiencies coming out of AI. We are seeing ability for us to look at various players in the market, how they are doing. And we continue to stay focused on our road map from an organic experience for our customers while also keeping an eye on the industry and looking at whether it's going to be a smaller or a larger acquisition, we're definitely continuing to be open to that.

Thank you. This now concludes the question-and-answer session. Thank you for your participation in today's conference. This does conclude the program. You may now disconnect. Goodbye.