Date: 2018-11-11

ForeScout Technologies, Inc. (NASDAQ:FSCT) Q3 2018 Earnings Conference Call November 8, 2018 4:30 PM ET

This call is being broadcast live over the Internet and can be accessed from the Investor Relations website of -- Investor Relations section of ForeScout's website at www.investors.forescout.com.

A few minutes ago, we issued a press release announcing our financial results for the third quarter 2018 as well as guidance for the fourth quarter and full year 2018. We also issued a separate press release announcing our acquisition of SecurityMatters, a leading operational technology provider. These releases can both be found on our Investor Relations website, along with financial -- supplemental financial information that accompany today's remarks.

Before we begin, let me remind you that we will make forward-looking statements during the course of this call, including statements relating to ForeScout's guidance and expectations for the fourth quarter and full year 2018; the market for our products, including business growth factors and customer demand for our products; our competitive position; changes in the threat landscape and the security industry; the ramping of our sales organization and our growth, path to profitability and the impact of the SecurityMatters acquisition on our market and revenue.

The forward-looking statements involve risks and uncertainties, some of which are beyond our control, which could cause actual results to differ materially from those anticipated by these statements. These forward-looking statements apply only as of today, and we undertake no obligation to update these statements in the future. For a detailed description of the risks and uncertainties, please refer to our SEC filings as well as our earnings release. Copies of these documents may be obtained via the SEC or by visiting the Investor Relations section of our website.

Additionally, non -- certain non-GAAP financial measures will be discussed during this call. We have provided reconciliations of these non-GAAP financial measures against the most directly comparable GAAP financial measures in the Investor Relations section of our website as well as in our earnings release.

And now let me hand things over to Mike to discuss our business and provide a review of our third quarter 2018 performance.

Thanks, Michelle, and thanks to everyone for joining us on the call today.

We had a strong third quarter with results that once again exceeded our guidance across all metrics. We continued to execute well amongst the strong backdrop for device visibility and control, capturing market share and also demonstrating leverage in our business model.

Today, we extended our global leadership position in device visibility and considerably expanded our total addressable market with the acquisition of SecurityMatters, which we announced a few minutes ago. SecurityMatters is a leader in visibility in the operational technology or OT space. This is a very natural fit for us as it takes us deeper into a market we already have a strong foothold in, with a company in which we already have been successfully partnering.

By combining our technology strengths, ForeScout now becomes the only vendor able to provide a true end-to-end agentless device visibility and control platform across the extended enterprise. From the campus where we dominate, to the emerging data center and cloud and now even deeper into the OT. We've been thoroughly impressed with the SecurityMatters team, sophistication of their technology and traction with leading customers, which we believe will accelerate our success in the important and fast-growing OT space. I'll touch more upon this transaction later in my remarks, but first, let me share some highlights from our third quarter and then Criss will expand upon later.

Revenue in the quarter grew 23% year-over-year to a record $85.6 million driven by success across the business. Q3 also marked the achievement of non-GAAP profitability for ForeScout. We generated non-GAAP operating income of $4.9 million and non-GAAP EPS per share of $0.10. This demonstrates the leverage in our operating model as we scale and our teams become more productive. Organizations of all sizes, all industries are increasingly recognizing that protecting their network starts with knowing what's on their network.

The massive explosion of IP-connected devices coming online has created the visibility gap that extends from the campus to the data center, cloud and OT networks. This, along with government mandates, like CDM and Comply-to-Connect as well as privacy regulations like GDPR are driving increased awareness around the need for device visibility and helping to drive expanding in this important area of security. While we're still in the early innings of this opportunity, we are highly confident that ForeScout is uniquely positioned to win with our agentless technology that powers our CounterACT solution complemented by our suite of orchestration extended modules.

During the third quarter, we extended deeper into new verticals and did a great job both landing new customers and expanding within existing ones. We added more than 3 million devices under management, bringing our total of device licenses sold to just about 60 million. Also, we are pleased to again add more than 100 new logos as we've seen success with sales and marketing programs aimed at driving new customer acquisition. And we continue to succeed in expanding within our install base of nearly 3,100 customers with the lifetime value of our top 20 customers continuing to increase.

Some of our key expansion deals during the third quarter included: a large health care customer that expanded its ForeScout device visibility platform further across its vast campus environment of hospitals and corporate offices, bringing the total number of devices under management with us to almost 2.7 million. Our unique technology can scale and deploy to this magnitude, which is becoming a common requirement of Global 2000 organizations as the number of devices in their environment continues to grow exponentially. Clearly demonstrating just how large our expansion opportunity is, this customer has now spent more than 100 times their initial investment with us in roughly three years and hasn't even expanded outside of the campus yet.

Another large expansion deal was driven by the Phase 3 of the CDM initiative. One of our longtime civilian U.S. government customers purchased our extended module for ServiceNow to improve automation and integration across 1.6 million devices. We believe this customer will add more extended modules in the future as they realize the deep value of these integrations. This customer has now spent more than 50 times their initial purchase, which also demonstrates our large expansion opportunities.

Within the U.S. government, ForeScout is a foundational partner of the CDM program to improve the cyber hygiene of civilian government networks. As this program moves into Phase 3, which moves from seeing what's on your network to actually taking action through automation, ForeScout's extended module serves as a critical source of information for Phase 3 tools that are being implemented.

On the new logo front, we landed some exciting new customers during the third quarter. One of these was a large global technology company headquartered in the U.S. that was upgrading their security architecture and required visibility of all assets in their vast network. During the proof-of-concept, ForeScout revealed significantly more devices than they thought they had including numerous rogue IoT devices. We displaced two legacy networking competitors who couldn't scale, couldn't provide real-time visibility or offer the necessary integrations with other IT vendors. This customer purchased ForeScout CounterACT as the visibility platform for more than 100,000 devices in its campus, wired and wireless networks, and our extended modules for Splunk, ServiceNow, Qualys and Symantec to facilitate critical information sharing for improved security intelligence and remediation.

Criss will talk more about the stellar performance we saw from our media sales team, but among the deals they closed during the quarter was one of the largest retailers in the world. This customer purchased ForeScout CounterACT and extended modules for visibility and orchestration across more than 350,000 devices, including traditional campus IT as well as IoT assets such as closed-circuit televisions, weighing scales and inventory controllers. Our ability to work seamlessly in a highly distributed, heterogeneous environment and integrate with leading third-party tools were the key differentiators that led to our selection.

And in the Americas, we also landed one of the world's largest public transportation organizations to protect their complex operational technology network. This highly strategic deal demonstrates our ability to land OT deals first and then expand into IT environments. Our differentiated ability to provide a true visibility platform in single pane of glass across IT and unique OT assets, our agentless technology, our bidirectional interactions with our other IT products and heterogeneity to work with multivendor switch environments were all reasons that they selected ForeScout.

Before turning the call over to Criss, I want to spend a few minutes discussing our acquisition of SecurityMatters and why this is significant for ForeScout. The convergence of IT and OT is shepherding an unforeseen level of interconnectivity amongst devices and systems. OT networks are no longer physically segregated from the IT network, which has put the enterprise at risk. A number of well-publicized cyberattacks such as WannaCry and NotPetya show just how vulnerable OT networks can be for organizations. The damage from these attacks resulted in significant financial and business disruption. And earlier this year, the Triton malware attacked industrial sites and their safety and controls in the Middle East, nearly causing a disaster.

According to ForeScout research, 79% of organizations with SCADA and ICS networks have suffered a breach in the last 24 months. This stark reality has made virtually every company on the planet with OT networks rethink their security strategy. Previously, OT operators were responsible for security, but now CSOs are quickly assuming coverage, with Gartner estimating that by 2021, 70% of all OT security will be managed directly by the CIO and CSO, up from 35% today. When I meet with customers, I repeatedly hear how CIOs and CSOs want a single integrated platform that lets them discover, classify, assess and control every device across their extended network.

We believe ForeScout is best positioned to fill this need for several reasons. First, most OT systems were built on closed operating systems many years ago and were never designed for security agents to be installed on them. They also cannot withstand the performance burden caused by running traditional active inspection or network scans. ForeScout's unique device visibility capabilities run passively and without an agent, which makes us an ideal solution for these OT environments.

Second, ForeScout's strength has historically been in device visibility and control for the IT portions of their networks. Only recently have we started to see traction in OT. With the addition of SecurityMatters, we now collectively have an offering that can see as deeply onto OT networks and the devices that run on them as ForeScout has historically been able to see on IT devices.

And third, when IT and OT are combined into a single implementation, the numbers of devices get really large and require a solution that can scale massively. We're the only vendor that can run in real time in environments with 2 million or more network devices. With this acquisition of SecurityMatters, we estimate that our current total addressable market will increase by roughly 50% to 2.1 billion devices, up from the previous 1.4 billion devices.

From a technology perspective, SecurityMatters discovers, classifies, assesses and controls devices deep into the OT network stack. As I just mentioned, this is a similar value proposition that ForeScout brings to the IT stack and what has distinguished us as the market leader in device visibility for the Global 2000. ForeScout's platform provides granular visibility into layers 3, 4 and 5 of the Purdue model, ranging from network gear, PCs, servers and IoT devices. SecurityMatters complements our solution and covers level 0, 1 and 2, which includes many of the non IP-based devices in OT environment such as specialized controllers, actuators and sensors.

We believe the combination of our unmatched technology and scale capabilities will widen the competitive moat in our core market against both legacy competitors and emerging visibility vendors. Only ForeScout can provide a single integrated platform for deep, agentless end-to-end visibility and control across the campus, data center, cloud, and now even deeper into the OT market. As a result, we believe we have a great opportunity to both land new customers as well as accelerate expansion sales within our OT network -- with the OT network of our installed base nearly 3,100 customers.

With that, let me turn the call over to our Chief Financial Officer, Criss Harms, to discuss the detailed financial results for our third quarter 2018 as well as set our guidance for the fourth quarter and full year 2018. Criss?

Thanks, Mike. Thank you for joining us in our call today. Following Mike's remarks, let me dive deeper into ForeScout's third quarter of 2018 financial results and provide some highlights on the SecurityMatters transaction and on our outlook for the fourth quarter and full year 2018. I'll begin by reminding you that except for the revenue results, which are GAAP, all financials we will speak about are non-GAAP, unless stated otherwise.

As Michelle mentioned at the start of this call, non-GAAP to GAAP reconciliations of these financials can be found in our earnings press release and supplemental financial information, both located on our Investor Relations website.

As Mike shared, we had a strong third quarter and are pleased with the results we achieved. Total revenue for Q3 2018 was $85.6 million, an increase of 23% on a year-over-year basis. Product revenue for Q3 2018 was a record $51.1 million, an increase of 18% on a year-over-year basis. Maintenance and professional services revenue was $34.5 million, an increase of 32% year-over-year. I'm particularly pleased with our product revenue growth, which increased 49% over Q2 driven by 157% sequential growth in CounterACT sales.

Looking at Q3 revenue mix by region. The geographic mix of revenue was Americas at approximately 74% total revenue compared to 83% in Q3 2017; EMEA was 16%; and APJ was 10% compared to 11% and 6% in Q3 2017, respectively. I remind you not to read too much into the geographic mix shifts and year-over-year comparisons in any one quarter due to the impact of very large deals, as was the case here, whereby Q3 2017 included a very large deal within the U.S. government that we did not see at the same magnitude in Q3 2018 in the Americas.

Despite the difficult year-over-year comparison, we performed well in the Americas across both commercial and government business. We are pleased with the positive returns we are seeing on our prior sales and marketing investments geared towards international expansion and vertical diversification. Our sales teams are ramping well and landing some significant new customers. And that is driving both international revenue growth and increased traction into the U.S. commercial markets. Our gross margin for Q3 2018 was 78%, an increase of approximately 100 basis points year-over-year and a decline of approximately 100 basis points sequentially.

Product margin was 83%, consistent with Q3 2017, and a decrease of approximately 300 basis points sequentially. I'm pleased with both our gross margin and product margin trajectory despite the decline sequentially, which was driven by the atypical concentration of extended modules in the product revenue mix in Q2 2018. Product margins continue to be above 80% as we benefit from the tailwinds of the increasing role of extended modules in our product revenue mix and the continuing shift of customers deploying CounterACT in virtual environments that don't require any hardware being provided by ForeScout.

Our maintenance and professional services margin for Q3 2018 was 72%, an increase of approximately 500 basis points year-over-year and essentially flat sequentially. The year-over-year services margin improvement is a result of the growing efficiencies in our customer support organization and the scaling of our prior investments. The services margin was consistent sequentially, representing relatively consistent mix, quarter-to-quarter, between our high-margin support and maintenance revenue and low-margin professional services revenue.

Total operating expenses for Q3 2018 were $62.3 million, an increase of 23% year-over-year. Looking at the components of OpEx. Sales and marketing expense for Q3 2018 was $39.9 million or 47% of revenue, an increase of 23% year-over-year, reflecting continuing investments in our direct and channel selling resources as well as sales engineering and sales enablement teams. Our research and development expense was $12.4 million or 15% of revenue, an increase of 20% year-over-year, reflecting continuing investments in our development teams. General and administrative expense was $9.9 million or 12% of revenue, an increase of 28% year-over-year, reflecting the additional investments in infrastructure related to being a public company.

Operating income for Q3 2018 was $4.9 million or 6% of revenue compared to operating income of $3.2 million or 5% of revenue in Q3 2017. This positive operating margin evidences the leverage we can achieve in our business. However, at this moment, we are maintaining our long-term model of sustained annual operating margin attainment in 2020, as we continue to invest across our business to help drive future growth. Net income was $5.1 million or 6% of revenue compared to net income of $2.6 million or 4% of revenue in Q3 2017. Net income per share for Q3 2018 was $0.10 compared to net income per share of $0.08 in Q3 2017.

We ended the third quarter with total deferred revenue of approximately $162 million, an increase of $15 million sequentially. The combination of revenues plus sequential change in deferred revenue provided Q3 billings of $101 million. Unlike Q1 and Q2 2018, whereby changes in deferred revenue and billings were significantly impacted by nonstandard contractual terms, Q3 represents a return to a normalized state, whereby product billings and product revenue track closely, as evidenced this quarter, whereby product billings increased 19% year-over-year and product revenue increased 18% year-over-year.

From a cash perspective, we finished the third quarter with cash, cash equivalents and investments of $210 million. Free cash flow used in the quarter was $13.6 million compared to $1.7 million generated in Q3 2017. Free cash flow margin was negative 16% compared to positive 2% in Q3 2017. I'm very pleased with our free cash flow performance for Q3, which puts us at approximately $1 million free cash flow positive year-to-date.

Let me provide some transaction highlights on the SecurityMatters acquisition. We paid approximately $113 million in cash and have closed the transaction. This will impact our cash balance at the end of the fourth quarter. Given the timing of the close of this acquisition, we remain confident in our cash position at current levels, which reflects our year-to-date free cash flow positive performance. And when coupled with our history of running the Company close to free cash flow neutral, we believe we're adequately positioned to run our business without the need for additional capital.

SecurityMatters revenue contribution during this stub period between closing and December 31, 2018, will not be material to ForeScout's financial results. We do, however, expect the contribution to accelerate in 2019. And we'll be incorporating those expectations into our 2019 guidance, which we will provide in February. Lastly, from a profitability standpoint, this acquisition does not have an impact on our long-term profitability goals, which we are tracking in the right direction on key levers to get us there.

Now I'll finish up with our guidance for the fourth quarter of 2018 as well as updated guidance for the full year. For the fourth quarter of 2018, we expect total revenue to be in the range of $75.8 million to $78.8 million, representing year-over-year growth of 23% at the midpoint. This reflects our confidence in the business and the minimal revenue contribution from SecurityMatters during this period.

Turning to the bottom line. We expect operating loss in the fourth quarter 2018 to be in the range of $10.5 million to $9.5 million. And loss per share in the range of $0.26 to $0.24 based on approximately 42.8 million weighted shares outstanding. We expect the impact of the SecurityMatters acquisition to be slightly dilutive in the fourth quarter. For the full year 2018, we're updating our guidance and now expect total revenue to be in the range of $288.7 million to $291.7 million, representing growth of 29% at the midpoint. The increase reflects our outperformance in Q3 and confidence in our pipeline for Q4.

We expect our operating loss in the range of $26.7 million to $25.7 million. And the loss per share to be in the range of $0.69 to $0.67 based on approximately 40.9 million weighted shares outstanding. We continue to factor expectations on large deals into our guidance, which can vary -- which can create variability and are factored into our guidance.

Now let me turn the call back over to Mike for some closing comments. Mike?

Thanks, Criss. It's now been just over 1 year since our IPO. And I'm very pleased with the consistent results that we've delivered in our first year as a publicly traded company. Over half of our employees have now been with ForeScout for more than 2 years and they are passionate and focused on our large and growing market opportunity for device visibility and control. The significant investments in sales and marketing, engineering, support and G&A that we have made over the past 3 years are paying off and positioning ForeScout to scale.

We have a best-in-class platform used by some of the most important organizations around the world and are continuing to land new logos and help drive our significant expansion opportunity. I'm excited for what's to come in the quarters ahead for ForeScout as we build on our technology platform in exciting new ways and continue to capitalize on our significant market opportunity. Thank you again to everyone for joining us today and for the continued support from our investors, our employees, customers and partners.

[Operator Instructions] Our first question comes from the line of Sterling Auty with JP Morgan.

Sterling Auty

Let's start with the acquisition of SecurityMatters. Mike, can you give us a sense -- given that it's agentless, I imagine it's watching different protocols and understands devices from lots of different manufacturers. Can you maybe give us a sense of either how many protocols or how many manufacturer types of sensors and devices it can monitor out of the box versus maybe -- is there any kind of configuration work that's necessary that will take professional services to get up and running in an OT environment?

Mike DeCesare

I think similar to ForeScout's product, it definitely requires professional services, but it's fairly light in terms of professional services versus the product side. That was one of the biggest attractions for us in SecurityMatters. I think the answer to your question directly is when you look at ForeScout's CounterACT product, the depth of visibility that we see on devices is important because as the number of devices explode exponentially, the more attributes that you can see off a device, gives us a much higher degree of fidelity in knowing the different flavors of devices that are around the world.

And when you look at what we play -- the kind of the way we play in the IT world, the depth of visibility of the open operating system like Windows can be over 1,000 different attributes agentlessly. We've been quite successful at getting customers with the CounterACT product to want to deploy that over in the OT space, but the depth of visibility that we have on those devices has been less than it would be in the IT space.

So think about SecurityMatters as being the opposite of that. The depth of visibility that they provide us across the OT infrastructure is very deep and will let us get very granular in our understanding of what devices are connected to those networks. Similar to the way that the ForeScout product works, in the OT world, you have vendors like Belden and switch infrastructure and other different technologies, and their coverage across that is very comprehensive. I'm not sure, Sterling, that I can answer every single protocol that they integrate with, but their coverage across that OT infrastructure is very comprehensive.

Sterling Auty

We'll give you a pass on that. And then just one follow-up question. Obviously, a very strong commercial -- you had a tough compare in government but I want to ask it this way. Since from some of our researches that maybe the timing of some of the deals across vendors actually may have kind of moved into October. I know there's usually that window where it can extend beyond September 30. Just wondering if you saw some of that? And perhaps, maybe we can end up in a situation where we have a stronger-than-usual December quarter from the government side for ForeScout?

Mike DeCesare

Yes. So first of all, we're very pleased with the results we saw this quarter. I would describe this quarter as very balanced. We saw contribution coming with the international growth for us was really strong, which is an area we've invested in the last couple of years. As you heard in my prepared remarks, we saw material transactions that came out of industries like high tech and retail that haven't traditionally been kind of the focus areas or the areas that we've seen the most strength. And on a little bit more subjective basis, we've seen contributions from sales teams that are very early in their tenure at ForeScout. So those things are all very encouraging for us. I would describe the U.S. government business this quarter as good but not great. We did see a good strong conversion in our, we call the CDM contract, which covers the civilian side of the U.S. government.

Very good strong execution across that area. We did have a number of deals in the Comply-to-Connect side, which would be on the DoD side that we just weren't able to get across the finish line in the third quarter. Whether or not those are going to close in the fourth quarter for us, that's what we're in the process of trying to figure out. When things don't close in the U.S. government fiscal year and they move to the next quarter, it's -- if they didn't have another year to be able to kind of look and evaluate that. So we're happy with the results that we've seen. We're coming off a tough comparable a year ago in the U.S. government and to see the growth that we saw, we're quite pleased with. But as, again, I would describe that as kind of good but not great from an execution perspective in the U.S. government.

Our next question comes from the line of Fatima Boolani with UBS.

Fatima Boolani

Mike, a question for you, just on SecurityMatters. What's the impetus behind doing the deal now? Was it something that you saw in your pipeline, i.e., just increasing sort of activity and conversations on the OT side that sort of catalyzed this move now? Would love to hear sort of the rationale and the impetus behind that.

Mike DeCesare

So again, when we look at our install base, the majority of our customers start by using us in the IT part of their networks. But because our product is both passive and agentless, it makes us quite a good fit for the OT part of their networks. And we do have customers, as we've mentioned to you in the prepared remarks today and the past quarters, we've had customers that have made some significant deployment of our CounterACT product into those spaces. But as the pipeline continues to build, we launched a partnership with SecurityMatters and a couple of other companies in the OT space because we felt like we need a deeper visibility onto that OT stack.

When you get below level 3 of the Purdue stack, you're dealing with devices that are not IT addressable in all cases. So that's why we decided to kind of approach things from a partnership perspective. But as we got into this, almost immediately, we realized that visibility is just so foundational to what ForeScout does, that we felt the need to acquire and deeply integrate these products together to give an organization a single pane of glass, so to speak, or platform that will give them that visibility across the extended enterprise. So that was the rationale for it.

Fatima Boolani

And maybe a question for you, Criss. Mike talked about, in his prepared remarks, a lot of expansion deals where you went from hundreds of thousands of devices protected to frankly millions of devices protected. And I think you said had like 60 million in totality under management. I'm wondering just off of that pool and sort of what you're seeing from a device capture perspective, what impact that is having or that you are seeing on your, call it, ASPs or per device pricing? I'd really appreciate that color trend.

Criss Harms

Yes. Our ASPs on CounterACT, actually this has continued to hold consistent -- with levels we've seen for the last few years. What we're seeing then is the layering on top of that as we've been selling the extended modules so the value of the device increases because we're holding the CounterACT ASP per device at a consistent level. And then by selling those extended modules, we're extracting more value on a per device level. And as Mike touched upon, we're still at the kind of early steps and stages of extended modules. We think there's still a lot of monetization of devices that we've sold already, where we've captured the CounterACT value of that but still have more expansion value as they layer on more software on top of each of those devices. So yes, ASPs continue to hold, to answer your question.

Our next question comes from the line of Rob Owens with KeyBanc Capital.

Rob Owens

Yes. I guess to start it off, maybe can you talk a little bit about what lands look like now versus where it was before. It seems like you might be seeing larger transactions upfront, more extended modules being attached upfront. Just curious, number one, are you seeing those deal sizes increase for initial customers? And number two, as you're moving outside kind of your three traditional verticals, or the three traditional verticals of security in general, more technology and other things that you saw success in. What are sales cycles looking there? Are they beginning to pick up?

Mike DeCesare

Okay. So I'll take it in the order you asked. I think, first, as far as the land side, I mean, the short answer is our product works and it installs quickly and gets ROI in a very aggressive and immediate fashion. So we're comfortable with customers that want to buy on a gradual basis and roll our product out as it fits their business. But we are increasingly seeing, especially when there's a competition -- when there was a replacement of an existing technology and maybe the date from the risk and compliance teams hasn't moved out, we're seeing an increase, in certain cases, of customers that are willing to buy the entire product set upfront because they're still trying to make the same deadline they were kind of as they started that project off. But we're comfortable with both and we see both.

And we welcome the zero to platform in one transaction, and we love customers that want to buy on a more ongoing basis. So there's not really one size that fits all there. The second part of it, relative to the vertical mix, there's not -- interesting question. There's not -- I can't -- I, subjectively, don't think there is a longer sales cycle for us in one industry versus another. We -- this is a big decision. When customers are deciding on bringing their visibility platform in, it's very foundational to their cyber strategy.

The security side, the network side, there's often many organizations that need to get on board and weigh in, which can contribute to the length of the sales cycle. But when -- once we have that customer as a customer, the sales cycles of the add-on business are substantially shorter for us. So whether they're buying more devices from us, whether they're buying an orchestration use case, all of those things are definitely shorter than the original sale. And if those become a bigger part of our overall business, obviously, that's going to shorten kind of the length of sales cycle across the board for us.

Rob Owens

Great. And then quick one for Criss. The business model for SecurityMatters, is it also perpetual, or was it more in subscription-based?

Chris Harms

It is now 100% upfront revenue model. The ratable part of their business is their maintenance stream.

Our next question comes from the line of Melissa Franchi with Morgan Stanley. Your line is open.

Melissa Franchi

I wanted to dig in again into the Federal business. Mike, you mentioned a deal centered around the CDM initiative or program and how that's entering Phase 3, which is about taking action on devices in the network. If we're thinking about the opportunity around Phase 3, is that ultimately going to be larger for you than what you've seen in Phase 1 and Phase 2 over time?

Mike DeCesare

So the CDM, the way this works is there's a five year term. When these contracts are rolled out, there's a five year window for all the different agencies of the civilian government to become compliant or live. And we're several years into that. So we are still seeing customers that are buying our product to get to visibility mode on the CDM side. Remember, it's not one purchase, right. It's every division, every civilian division of the U.S. government kind of has their own process, their spaces where they go live in kind of batches. But now we're starting to see both the renewables from those original deals as well as the upside for customers that want to move into control.

So could it be bigger for us? It's big. We hardly feel like we're even at the -- we don't feel like we're in a place where we're coming towards the end of CDM. There are some big government contracts that are being awarded out there for Phase 3. So there is definitely quite a bit of money that is moving into this. And when those agencies want to turn on enforcement, there's more effort that needs to be put into that to make sure the rules and that they know what's blocked. And if something gets blocked that's not supposed to, that there's people in place to be able to remediate that. So I'm not sure if I have an educated enough position to tell if it's bigger than the original phase, but it's certainly big for us.

Melissa Franchi

And then one more follow-up for Criss on SecurityMatters. I understand you don't want to guide for 2019, especially since it hasn't closed. But is there any way that you can maybe give us some relative guidelines on how to think about the size of the business, either from a revenue perspective or perhaps, at least, from an OpEx perspective, including headcount add?

Chris Harms

Yes. How about if I gave you, it's a substantial $10 million revenue company with about 80 employees.

Our next question comes from the line of Walter Pritchard with Citi. Your line is open.

Walter Pritchard

Hey, wondering on the virtual appliance side, it sounds like you're seeing a bit more traction there. Could you talk about, are you seeing an inflection at this point? And what might be dragging that?

Chris Harms

Yes. Walter, it's the same trend where customers are deploying us without requiring the hardware. It does fluctuate from quarter-to-quarter as we've talked about. Q1, it fluctuated back the other way. But that general trend continues, I see it in the Q3 mix, I see it in all the pipelines taking shape. We will continue to benefit from that tail end of a shift of our software being deployed in a virtual environment. It's definitely one of the tenets to our long-term gross margin profile we've communicated to you.

Walter Pritchard

And then for Mike, on SecurityMatters, I guess as we look at this landscape in OT, you mentioned you'd partnered with a few companies already. I mean, how complete of an offering does this give you? Do you still have -- is that partner, part of it, still a big area? And how should we think about the competitive landscape this might bring in terms of the prior partnership landscape you have?

Mike DeCesare

So I think -- I mean, again, as I mentioned in the prepared remarks, when you look at kind of the high profile breaches, like WannaCry and some of the more larger public company references to that being adversely impacting their quarters, there is a mad scramble around the planet right now for companies to figure out what their cyber security strategy is into the OT space. The reality is that SecurityMatters and the other companies that are in that space are all relatively small. And I see lots of organizations evaluating, but those same organizations, I think, are skeptical to make too big an investment into a company that is just not very well known and isn't very large and the rest. So we ranked SecurityMatters number one in our evaluation that we went through when we're looking at the partnership side of things.

And we are quite comfortable that their technology, and combined with ours today, makes us a very real and stable player in this fast-growing market of OT security. We've also taken an approach of being Switzerland, where we integrate -- that's what customers love about us, is we integrate all the firewall vendors and AV vendors and all the rest out there and we expect to continue to approach that. So we're going to have customers that use us in the IT space that might use a different player in the OT space and we absolutely want to continue to support those customers. But the reality is we expect to make these products so integrated and run at scale in a mixed environment of IT and OT that we're very confident that most of our customers will choose that combined stack from us long term.

Operator

Alex Henderson

A couple of very quick ones. Just going back to the Phase 3 gov CDM project. Is that going to have the same spending time line as normal government spending? Or is there some prefunding around that, that might change the quarterly pattern there? And then, I was hoping you might just give us a couple of data points. What do you think your income tax rate or tax level will be in '19? It's been running around $2.5 million. Does it kind of stay at that level? And what was the headcount?

Mike DeCesare

So why don't I start with that CDM Phase 3 and then Criss can take the second part of your question. So the time line on Phase 3 will be similar to Phase 1 and 2, where they will have 5 years to become compliant. Because most of the civilian agencies are already live on our product in Phase 1, we don't expect them to wait until the end of that window.

One of the beauties of ForeScout is that when we find something concerning on the network, we don't just kick off a list of notifications to someone who has to go to a manual investigation but we can automate that response. And obviously, as the cyber landscape gets more and more complicated, it's not practical for any organization to put a human being in the middle of every single remediation that is out there.

So we expect organizations to be clamoring for this and to want to get live on Phase 3 quicker, but technically, they have the same 5-year window that they had under the original one.

Alex Henderson

I'm sorry, but the question wasn't really about the multiyear but rather the quarterly pattern of spending. Are they going to have a September fiscal year budget flush, like typical government? Or is it prefunded, therefore, it's smoother over the course of the year?

Mike DeCesare

It's smoother. I mean, when -- since most of the business that we do in the civilian side of the U.S. government is into existing customers, they don't wait and take all their purchases in September. So we see large government deals in almost every quarter that we've got that are out there. And all I was saying to you was that since many of those agencies are now live, they've been waiting for Phase 3 to get launched. We do expect there to be some immediate traction in some of those organizations to want to get live on the automation piece of this.

Chris Harms

On the tech side, Alex, the rate you're seeing in terms of the statutory as a function of our total is a good proxy to be using now and definitely continuing to 2019. I think we had a spike in Q1 for kind of a catch up. But if you look at Q4 of last year, Q2, Q3, that rate is a good proxy for '19. Because at a U.S. basis, we'll continue to leverage our NOLs, and so our income tax will really just be that statutory component for the foreseeable couple of years.

Alex Henderson

Headcount?

Chris Harms

Headcount, we don't disclose.

Alex Henderson

And one last question, if I could. Does SecurityMatters require connectors the same way as your current product? And if so, or if not, do you expect to start to extend your connector technology into that platform?

Mike DeCesare

So the way that ForeScout's CounterACT product works and the reason it can be agentless is because we connect into all the different switches around the planet, we connect into all the different firewalls, the wireless concentrators. We get our intelligence from the network. So when you're describing connectors, those would be the connections that we build. SecurityMatters has a substantially complete set of connections into a different set of network infrastructure, which is in the OT space.

Belden is the number one manufacturer that provides the infrastructure into that OT space as one example there. So it's a different set of vendors, but there's a substantially complete set of integrations on that side. Additionally, not that you asked, but because we've been in a partnership with them for almost a year, the integration between SecurityMatters and ForeScout is already built -- has already been built by the SecurityMatters team. So we think we can be quite quick on presenting this joint solution out to our joint customers.

Our next question comes from the line of Jonathan Ruykhaver with R. W. Baird.

Jonathan Ruykhaver

I think that you've commented in the past that around 80% of revenue is installed base expansion. Can you just comment on whether that was the case in 3Q? And then any color on the mix in expansion between CounterACT and extended module? It does sound like the CounterACT product reaccelerated quarter-over-quarter?

Chris Harms

Yes. So on the mix, Jonathan, that's the annual number. So let's just hold off on that, though I will say I expect it to be consistent for all of FY '18 in kind of that 20% of the revenue coming from new customers, 80% from the installed base. And then in terms of the mix, we did see a return kind of back to the levels we thought we were going to see for '18. In terms of the Q3 revenue mix between CounterACT and extended modules, which we've talked about, extended modules has been creeping up and got them kind of that low-teen level for Q3. As I've said to people, Q2 was really the anomalous atypical quarter for extended modules was more than 50% of that product mix and that -- I had visibility in the pipeline, was confident it was going to return back to kind of those normalized mix rates that we had been seeing on the trajectory and that we expected through the second half of '18. And that's exactly how it played out in Q3.

Jonathan Ruykhaver

And then the other question I had is just about the orchestration and automation market. It seems to be rising. Is it a focus within the industry? I know it's still very early. But kind of curious on how you view the combination of security information and event management with orchestration and automation. And I'm just wondering if some of the orchestration you delivered with extended modules be a partnership that gets absorbed into a broader orchestration platform? And would that potentially erode the value of certain partnerships over time?

Mike DeCesare

Yes. So given that we play in the cyberspace and it becomes more fragmented every year, not less fragmented, customers are constantly looking ways -- for ways to automate actions across that fragmented landscape. So the word orchestration can mean different things to different vendors, but in our space, what we're specifically doing is our base product effectively shows the customer what's on their network, right? We plug into the infrastructure and we show them, we discover them. We see everything that connects, we know what those devices are and we tell them whether those devices are compliant with their own policy.

So when you think about our play into orchestration, we're either typically going to be sharing that rich set of device visibility with a different product that can't get that on our own, or we're going to be taking action on behalf of the product that might kick off a list of notifications but actually can't go down to the switch port like we can and disconnect an actual port. So as exemplified, I mean, our 3 biggest life to date extended modules are ServiceNow, Splunk and Tenable, where we cooperate with them massively inside accounts. And couple of those being players in the orchestration space as well. But that's what we do. We automate actions across that extended landscape.

Jonathan Ruykhaver

Right, okay. So it's definitely -- you're complementary.

Mike DeCesare

Let me just add one more thing to this, too, is we're doing very well on extended modules. I mean, as we shared at the end of '17, 25% of our customers have already bought at least 1 extended module from us. This was another very strong extended modules quarter on the back of Q2. We see a lot of demand. There's lots of organizations out there that have these massive teams of people that are taking the output of 1 cyber product, turn it around and trying to do something on another console of a different cyber product. We automate a lot of that, and our customers are really recognizing this. So we feel quite good about that opportunity long term.

I'm showing no further questions at this time. I would now like to turn the call back over to Michelle Spolver for closing remarks.

Michelle Spolver

Thanks, Wanda, and thanks, everybody, for joining the call today. As always, if you have any further questions, please feel free to reach out to me. Happy to answer them. And we look forward to seeing many of you through our activities in the remainder of the quarter. We'll be at the UBS Conference next Monday. At the Nasdaq London Conference in early December, and then also we look forward to seeing you at various other investors and meetings throughout the quarter. Thanks for your time, and have a good evening.

Ladies and gentlemen, that concludes today's call. Thank you for your participation. You may now disconnect. Everyone, have a wonderful day.