Qualys, Inc. (NASDAQ: QLYS)

$88.24 -2.08 (-2.30%)
As of Apr 07, 2026 04:00 PM
Sector: Technology Industry: Software - Infrastructure CIK: 0001107843
Market Cap 3.15 Bn
P/E 16.07
P/S 4.71
Div. Yield 0.00
ROIC (Qtr) 0.33
Revenue Growth (1y) (Qtr) 10.11

About

Investment thesis

Bull case

  • Qualys’ channel growth is a clear catalyst that underpins future top‑line acceleration. Channel revenue climbed to 51% of total, up 17% YoY, while direct growth lagged at 4%. The company’s strategic emphasis on partner certification—mROC partners now offering new ROC services—creates a scalable, low‑margin sales channel that can drive multi‑year recurring revenue with minimal incremental cost. As channel partners expand into federal and multinational accounts, each new partnership is a lever that pulls existing customers into deeper, higher‑value product suites such as ETM and TotalCloud. This indirect sales acceleration, coupled with a 44% international mix, positions Qualys to benefit from regional cybersecurity spend rebounds, especially in high‑growth EU and Asia‑Pacific markets where regulatory requirements are tightening.
  • The agentic AI‑native Risk Operations Center (ROC) represents a disruptive product differentiation that could unlock substantial upsell and expansion opportunities. ROC centralizes threat confirmation, risk quantification, and autonomous remediation, effectively converting traditional vulnerability exposure lists into actionable, dollar‑based risk metrics that senior executives can use to justify budgets. Qualys is already seeing early wins with a mid‑6‑figure federal expansion, and the FedRAMP High authorization opens doors to new public‑sector opportunities that are typically intractable for competitors. The ability to validate exploits in real time and automatically patch or mitigate them shortens the average exposure window, a metric that resonates strongly with procurement and risk officers. This unique value proposition aligns perfectly with the market shift toward proactive, pre‑breach risk management, positioning Qualys ahead of the curve in a field where many vendors still rely on static vulnerability scoring.
  • The recent launch of the QFlex beta pricing model is a hidden catalyst that can accelerate adoption across the pipeline. By allowing customers to align platform spend with evolving threat landscapes and budgeting cycles, QFlex removes a common friction point that often stalls multi‑solution implementations. Management’s positive early feedback suggests that clients are willing to test higher tiers of ETM, which translates directly into higher gross dollar retention and potentially higher net expansion as customers accrue additional risk quantification modules. If QFlex gains traction beyond the beta cohort, it could become a revenue engine that offsets the need for heavy sales and marketing spend, thereby preserving margin while expanding the addressable market.
  • Qualys’ focus on integrated patch management and identity security posture management addresses critical pain points that are largely unmet by rival exposure‑management vendors. The company’s ability to deploy 140 million patches in the past year underscores the depth of its automation stack, delivering a service that moves beyond detection to remediation. In an era where average time to remediate is shrinking to near‑real‑time for high‑priority assets, customers increasingly demand solutions that can keep pace with rapid patch releases and zero‑day exploit confirmation. By bundling patch management with ETM, Qualys positions itself as the only provider that can both surface and fix vulnerabilities at scale, thereby creating a virtuous cycle of adoption, retention, and upsell.
  • The strategic expansion into TotalCloud (CNAPP) further diversifies Qualys’ product portfolio and tapers dependence on traditional vulnerability scanning. As organizations migrate to multi‑cloud environments, the need for cloud‑native application protection grows exponentially. TotalCloud’s policy audit and misconfiguration controls are complementary to the agentic AI capabilities, allowing customers to embed continuous compliance into the same platform that drives patching and risk quantification. Early 7‑figure upsell wins in both global and federal segments demonstrate that TotalCloud is already generating high‑margin revenue, and its integration with existing ETM workflows can accelerate the adoption curve for new customers seeking a single, consolidated security stack.
  • Qualys’ strong financial discipline—$304 million free cash flow and 45% free‑cash‑flow margin—provides a robust runway to invest in product development, partner ecosystems, and strategic acquisitions. The company’s disciplined capital allocation, evidenced by a $44.7 million share‑repurchase and a raised $200 million authorized repurchase pool, signals confidence in intrinsic value and creates positive shareholder economics. The consistent 47% EBITDA margin, even after a 14% increase in sales and marketing spend, demonstrates operational efficiency that can absorb the planned mid‑teens rise in operating expenses without eroding profitability. This financial cushion allows Qualys to pursue incremental margin expansion through the introduction of higher‑margin add‑on modules such as the agentic AI marketplace and potential future licensing of ROC capabilities.
  • Qualys’ governance of the partner ecosystem—over a dozen certified mROC partners—offers a scalable, defensible moat. Partners are incentivized to deliver end‑to‑end risk operations services that leverage Qualys’ platform, creating a network effect that both upsells existing customers and attracts new ones. The partners’ ability to reduce staffing costs through agentic AI means they can price services aggressively while maintaining healthy margins, thereby pulling more revenue into Qualys through service registrations and referral deals. As the partner ecosystem matures, the company’s pipeline depth should increase, creating a self‑reinforcing cycle of discovery, solution packaging, and revenue capture that is difficult for competitors to replicate.
  • Finally, Qualys is capitalizing on a fundamental structural shift in cybersecurity spend: the move from siloed, post‑breach solutions to unified, pre‑breach risk fabrics. CIOs and CISOs are explicitly stating that they need a single platform that unifies asset discovery, vulnerability detection, risk quantification, and automated remediation. Qualys’ integrated stack satisfies this need and is already being adopted by large enterprises and federal agencies. This industry‑wide trend creates a large and growing addressable market in which Qualys can capture higher share, especially as the competitive landscape consolidates around comprehensive risk management offerings.

Bear case

  • Despite channel growth, Qualys’ heavy reliance on partner sales exposes the company to significant execution risk. Channel revenue grew to 51% of total, yet the same growth rate is primarily driven by a 17% YoY increase in channel sales, while direct revenue lagged at 4%. The company’s strategy of shifting more weight to partners requires partners to fully absorb the complexity of ROC, ETM, and TotalCloud, which are not trivial to package and support. If partners fail to scale, or if partner pricing pressures intensify, Qualys could see a deterioration in gross margin and a slowdown in revenue growth. Furthermore, partners often operate with thinner margins, so any downturn in partner performance directly compresses Qualys’ profitability.
  • The adoption trajectory for the new agentic AI‑native ROC remains uncertain and may not materialize at the pace implied by management. CEO Thakar repeatedly highlights ROC as a “new category” and a central pillar of future growth, yet the conference call admits that “the full trajectory of adoption remains very early.” With only a handful of partners and a nascent customer base, the product is still in the validation phase, and early wins (mid‑6‑figure federal upsell) may not be representative of broader market acceptance. If ROC fails to achieve the promised autonomous remediation performance, the company could lose credibility, erode customer trust, and see a decline in net dollar expansion, which has already dipped from 104% to 103% sequentially.
  • QFlex, the beta pricing model, presents both a potential upside and a critical risk. Management describes QFlex as “very positive” and intends to roll it out on a case‑by‑case basis to avoid down‑selling. However, the beta nature of the program means the pricing structure is not yet proven in a broader market. Customers may be reluctant to commit to a flexible model that could complicate budgeting or result in unpredictable spending. Additionally, the beta status limits the scalability of this revenue driver; if QFlex fails to gain traction, Qualys will have to rely on existing product mix, which is already experiencing modest growth and may not sustain higher gross dollar retention or expansion rates.
  • The company’s operating expense trajectory poses a hidden risk to margin sustainability. Q4 operating expenses rose 11% to $68.9 million, with sales and marketing up 18%, driven by a strategic emphasis on channel and federal expansion. Management’s guidance for 2026 foresees a “mid‑teens” rise in operating expenses while maintaining a mid‑40s EBITDA margin. If the cost escalation outpaces incremental revenue—particularly if ETM adoption stalls or federal wins plateau—margin compression will ensue. Historically, the company has managed a 47% EBITDA margin, but the shift toward higher expense growth raises the likelihood of margin erosion in a market where cybersecurity spend is only expected to grow 6‑8% in the coming year.
  • Qualys’ focus on AI‑driven vulnerability confirmation and patch automation could backfire if the technology fails to keep pace with attackers’ sophistication. Management emphasizes that agentic AI can confirm exploits and automatically patch them, but the real‑world efficacy of such autonomous agents is still unproven at scale. Missteps—such as false positives leading to unnecessary patches, or failures to detect novel zero‑days—could damage customer trust, increase operational risk, and create costly remediation back‑logs. Moreover, regulators may scrutinize autonomous remediation systems, potentially imposing compliance burdens that could impede product rollout or increase costs.
  • The company’s federal business, while promising, is highly concentrated and subject to political and budgetary volatility. Qualys highlights mid‑6‑figure expansions and a multi‑agency ETM rollout as key opportunities. However, federal cybersecurity programs are often subject to shifting priorities, tender cancellations, and budget cuts. If Qualys loses its foothold in the federal market or if new competitors (e.g., ServiceNow’s Armis acquisition) gain a competitive advantage in the public sector, the company’s revenue mix could shift unfavorably. Additionally, the FedRAMP High authorization, while a differentiator, imposes strict compliance requirements that could increase operational overhead and limit the speed at which new federal customers are onboarded.
  • The competitive landscape for exposure‑management and risk‑fabric solutions is intensifying. Management repeatedly cites competitors’ focus on detection or exposure scoring as a weakness, yet several vendors (e.g., Tenable, Rapid7, CrowdStrike) are investing heavily in AI‑based risk quantification and automated remediation. If these competitors launch comparable agentic AI capabilities or bundle them with established customer bases, Qualys could lose its differentiation. Moreover, larger incumbents with broader ecosystems may offer integrated threat intelligence or SOC‑as‑a‑service offerings that undercut Qualys’ ROC value proposition, eroding its market share and driving down pricing.
  • The company’s channel partner ecosystem, while a source of growth, also introduces risk related to partner retention and pricing power. Partner-led deal registration increased in Q4, but the sustainability of this momentum is unclear. Partners may face margin compression if they cannot pass through the cost of integrating ROC and ETM into their own service portfolios. Additionally, if partners are unable to secure recurring revenue from customers, they may divert sales toward other vendors, weakening Qualys’ channel pipeline. A decline in partner engagement would directly translate into lower sales velocity and a potential slowdown in the company’s revenue growth trajectory.
  • Finally, Qualys’ valuation could be sensitive to macroeconomic shifts and cybersecurity spend patterns. Management acknowledges that “the selling environment in 2026 will remain similar to last year with a low to mid‑single‑digit growth in security spend.” In a scenario where security budgets contract or shift toward more cost‑effective, single‑tool solutions, Qualys may struggle to justify its multi‑product, high‑margin pricing model. The company’s guidance of 7‑8% revenue growth and mid‑40s EBITDA margin may appear optimistic if the broader industry slows, especially given the current competitive pressures and the risk of cost inflation in sales and engineering. This could lead to a valuation correction if investors perceive that the company’s growth assumptions are not grounded in a resilient, high‑margin business model.

Geographical Breakdown of Revenue (2025)

Statement of Income Location, Balance Breakdown of Revenue (2025)

Peer comparison

Companies in the Software - Infrastructure
S.No. Ticker Company Market Cap P/E P/S Total Debt (Qtr)
1 MSFT Microsoft Corp 2,762.99 Bn 23.17 9.05 40.26 Bn
2 ORCL Oracle Corp 410.98 Bn 25.12 6.41 124.72 Bn
3 PLTR Palantir Technologies Inc. 358.70 Bn 217.41 80.15 -
4 MDB MongoDB, Inc. 201.71 Bn -292.00 81.87 -
5 PANW Palo Alto Networks Inc 119.05 Bn 90.56 12.03 -
6 CRWD CrowdStrike Holdings, Inc. 106.96 Bn -649.48 22.23 0.75 Bn
7 VRSN Verisign Inc/Ca 97.79 Bn 31.14 59.03 1.79 Bn
8 SNPS Synopsys Inc 76.17 Bn 60.47 9.51 10.04 Bn