Executive Summary / Key Takeaways

• Qualys delivered a strong Q1 2025 performance, exceeding revenue and EPS expectations and raising full-year guidance, demonstrating resilience despite ongoing macroeconomic scrutiny on IT spending.
• The company is strategically pivoting towards Enterprise TruRisk Management (ETM) and the Risk Operations Center (ROC) concept, aiming to become a vendor-neutral platform that consolidates security findings from diverse sources (Qualys and third-party) to quantify, prioritize, and remediate cyber risk with business context.
• Qualys' differentiated technology, including its cloud-native platform, TruRisk Eliminate capabilities (Patch Management, Mitigate, Isolate, Uninstall), TotalCloud CNAPP, and emerging TotalAI solution, provides a competitive edge by offering integrated workflows, automation, and the ability to address modern threats like AI/LLM vulnerabilities.
• A key go-to-market focus is accelerating growth through channel partners, particularly Managed Risk Operations Centers (mROC), which allows partners to build services around the Qualys platform and expands market reach, especially in the enterprise and federal sectors.
• While facing competitive pressures and macroeconomic headwinds impacting upsell execution, Qualys' strong profitability, cash flow generation, and strategic investments position it to capitalize on the market need for security stack consolidation and quantifiable risk reduction.

Qualys: Building the Risk Operations Center for a Complex World

Qualys, Inc. is a leading provider of cloud-based information technology (IT), security, and compliance solutions. Founded in 1999 with the vision of transforming IT security, the company pioneered cloud-delivered vulnerability management (VM) with its first solution launch in 2000. This early focus on a Software-as-a-Service (SaaS) model and continuous security intelligence laid the groundwork for its evolution into a comprehensive platform player. Today, the Qualys Enterprise TruRisk Platform offers an integrated suite of solutions designed to enable organizations to identify security risks, protect IT systems and applications, and achieve compliance across increasingly complex and globally distributed IT infrastructures, including on-premises, cloud, containers, and remote endpoints.

The cybersecurity landscape is characterized by rapid technological advancements, an escalating threat environment, and evolving regulatory mandates. Organizations grapple with a proliferation of security tools, leading to siloed data, overwhelming alert fatigue, and difficulty articulating the true risk posture to business stakeholders. Against this backdrop, CISOs are under pressure to demonstrate the return on investment (ROI) of their security spend and align cybersecurity initiatives with quantifiable business risk reduction. This environment necessitates a shift from reactive Security Operations Centers (SOCs) focused on post-breach detection to proactive Risk Operations Centers (ROCs) focused on pre-breach risk management. Qualys' strategic response is centered on building this modern ROC, leveraging its cloud-native platform and integrated solutions to consolidate security findings, quantify cyber risk, and enable efficient remediation.

Qualys operates as a single reporting segment, but its business is driven by the adoption of its integrated suite of solutions. While core Vulnerability Management (VM) remains foundational, the company has successfully expanded into adjacent areas. Patch Management and Cybersecurity Asset Management (CSAM) have become significant contributors, making up 15% of total bookings and 24% of new bookings on a Last Twelve Months (LTM) basis as of Q1 2025. This highlights the customer demand for integrated solutions that combine identification with remediation and asset visibility. Cloud Security, particularly the TotalCloud CNAPP offering, is also gaining traction, representing 5% of LTM bookings in Q1 2025 and securing significant seven-figure wins with large enterprises.

The company's competitive positioning is shaped by its differentiated technology and strategic approach. Qualys competes with a range of vendors, from large players with broad portfolios like Palo Alto Networks (PANW) and CrowdStrike (CRWD) to vulnerability management specialists like Tenable (TENB) and Rapid7 (RPD), as well as integrated offerings from cloud providers like Microsoft (MSFT) and open-source alternatives. While some competitors may lead in specific areas like AI processing speed or endpoint detection, Qualys differentiates itself through its natively integrated cloud platform and its strategic focus on consolidating findings from multiple sources (including competitors' tools like Tenable, CrowdStrike, and Wiz) into a unified risk view. This vendor-neutral orchestration layer, embodied by the new Enterprise TruRisk Management (ETM) solution, is a key competitive moat, addressing the customer need to unify disparate tools without requiring wholesale replacement. Qualys' profitability metrics, such as its TTM Net Profit Margin of 29.18% and EBITDA Margin of 34.02%, compare favorably to many competitors, indicating a more efficient operational model. This financial strength provides resources for continued investment in innovation and go-to-market expansion.

Qualys' technological differentiation is central to its investment thesis. The Qualys Cloud Platform itself is a core asset, providing a scalable, multi-tenant architecture that enables continuous security intelligence collection and analysis across diverse environments. This platform offers tangible benefits, including the ability to process vast amounts of security data (over 18 trillion data points mentioned by management) and deliver integrated workflows.

Building on this foundation, Qualys has introduced several key innovations:

• Enterprise TruRisk Management (ETM) / Risk Operations Center (ROC): Positioned as the world's first cloud-based ROC, ETM is designed to ingest security findings from both Qualys modules and third-party tools (like Tenable, CrowdStrike, Wiz). It leverages AI for orchestration, normalizes risk signals, enriches data with threat intelligence and business context, and quantifies cyber risk in financial terms. The "so what" for investors is significant: ETM addresses a major pain point for CISOs (tool sprawl, inability to articulate risk ROI), creates a greenfield market opportunity, and enables Qualys to monetize data aggregation even from competitors' tools. Early interest is strong, with over 25 active POCs underway since its recent GA.
• TruRisk Eliminate: This suite of capabilities extends remediation beyond traditional patching. It includes Patch Management (over 100 million patches deployed in 2024), TruRisk Mitigate (applying specific changes to prevent exploitation even without a patch), TruRisk Isolate (taking high-risk machines off the network), and TruRisk Uninstall (removing end-of-life software/tech debt). These offer flexible, risk-based response options. The "so what" is a strong competitive differentiator, addressing the operational and political challenges of patching and providing solutions for zero-day threats, potentially opening new revenue streams.
• TotalCloud CNAPP: This solution provides comprehensive cloud-native security. Recent enhancements include container runtime protection, attack path analysis, and automated remediation. It offers a unified view across multi-cloud environments. The "so what" is Qualys' ability to compete effectively in the growing cloud security market, consolidating tools and providing a natively integrated alternative to cloud-only vendors, as evidenced by recent seven-figure wins. Qualys also achieved FedRAMP Moderate certification for CNAPP and EDR, with FedRAMP High anticipated later in 2024 or 2025, opening significant opportunities in the federal sector.
• TotalAI: An emerging capability focused on securing AI/LLM technologies. It discovers AI usage, scans for vulnerabilities, detects jailbreaks, and prevents data leakage. The "so what" is Qualys' proactive approach to a new threat vector, leveraging its existing footprint to provide a unique "point-and-shoot" scanning capability for AI models, addressing a top-of-mind concern for CISOs.
• Policy Audit and Audit Fix: These enhance the policy compliance offering by streamlining audit readiness reporting and automating evidence collection and fixes across numerous technologies and frameworks. The "so what" is addressing a growing area of cyber spend focused on compliance automation and cost reduction.

Qualys' strategic initiatives are designed to capitalize on these technological advancements and market trends. A key focus is the partner-first sales motion, which has resulted in channel partners contributing 49% of total revenue in Q1 2025. The launch of the Managed Risk Operations Center (mROC) Partner Alliance in February 2025 is central to this, enabling partners to deliver advisory, integration, monitoring, and remediation services built around the Qualys ETM platform. This approach aims to accelerate revenue paths for partners and drive new logo acquisition and upsells for Qualys. Expanding the federal vertical is another priority, leveraging FedRAMP certifications and a dedicated go-to-market team to address the government's need to replace legacy on-prem solutions with cloud-native alternatives. Investments in sales and marketing (up 11% in Q1 2025) and engineering (up 6% in Q1 2025) are aligned to support these initiatives, balancing growth investments with profitability.

Financially, Qualys demonstrated a strong start to 2025. Revenues for the three months ended March 31, 2025, were $159.9 million, a 10% increase from $145.8 million in the same period last year. This growth was primarily driven by increased demand for subscription services, with 96% of the increase coming from existing customers and 4% from new customers. International markets contributed significantly, accounting for 66% of the revenue increase, outpacing the United States at 34%. Direct sales contributed 51% of total revenue, while partners accounted for 49%, reflecting the increasing importance of the channel.

Gross profit stood at $131.0 million, resulting in an impressive gross margin of 82%, up from 81% in Q1 2024.

This reflects operational efficiencies, although management noted some slight pressure in prior quarters due to data center investments. Operating expenses totaled $79.2 million, increasing 7% year-over-year, primarily driven by investments in sales and marketing and R&D headcount and programs. Income from operations was $51.8 million (32% margin), and net income reached $47.5 million (30% margin), up from $39.7 million (27% margin) in Q1 2024. Diluted EPS was $1.29, a significant increase from $1.05 in the prior year period. Adjusted EBITDA was $74.8 million, maintaining a strong 47% margin. The Net Dollar Expansion Rate was 103% as of March 31, 2025, unchanged from the prior quarter, indicating stable upsell performance despite the challenging macro environment.

Qualys maintains a robust liquidity position. As of March 31, 2025, cash, cash equivalents, and marketable securities totaled $639.9 million.

The company generated $109.6 million in net cash from operating activities in Q1 2025, a substantial increase from $85.5 million in Q1 2024, driven by higher net income and favorable working capital changes. Free cash flow was $107.6 million, representing a strong 67% margin.

Qualys continues to return value to shareholders through its share repurchase program, with $303.8 million remaining under the authorization as of March 31, 2025. Material cash requirements include operating lease obligations, totaling $57.1 million as of March 31, 2025, with $14.0 million due within the next 12 months, including payments for the recently early-renewed Foster City headquarters lease extending through 2034.

Looking ahead, Qualys provided optimistic guidance despite acknowledging ongoing macroeconomic uncertainty. For the full year 2025, the company raised the lower end of its revenue guidance, now expecting revenues between $648 million and $657 million, representing 7% to 8% growth. Second quarter 2025 revenue is projected to be between $159.7 million and $162.7 million (7% to 9% growth). Full-year 2025 Adjusted EBITDA margin is expected in the low-to-mid 40s, implying a 15% to 17% increase in operating expenses as the company invests in strategic initiatives. Full-year EPS guidance was also raised to a range of $6.00 to $6.30. This outlook assumes continued budget scrutiny and a challenging environment for new business growth, with the Net Dollar Expansion Rate expected to remain around 103%. Management emphasized that the guidance reflects a prudent view while positioning the company for long-term growth through focused investments in pipeline generation, accelerating the partner program, and expanding the federal vertical.

Investing in Qualys involves considering several risks. Macroeconomic conditions, including inflation, rising interest rates, and potential recessionary pressures, could lead to reduced IT spending and extended sales cycles, impacting revenue growth. The highly competitive cybersecurity market, with larger players and specialized vendors, could exert pricing pressure and challenge market share gains. Qualys' ability to successfully innovate and gain market acceptance for new solutions like ETM and TotalAI is crucial, and failure to do so could hinder growth. Risks associated with international operations, including foreign currency fluctuations and compliance with diverse regulations, could affect financial results. While Qualys' cloud platform is a strength, any security incident or service disruption could harm its reputation and business. Reliance on third-party software and open-source components also presents potential risks. The company's financial results rely on estimates and judgments, and changes could impact reported performance.

Conclusion

Qualys is positioning itself at the forefront of cybersecurity risk management with its integrated Enterprise TruRisk Platform and the innovative Risk Operations Center (ROC) approach. By focusing on consolidating security findings from diverse sources, quantifying risk with business context, and enabling efficient remediation, Qualys directly addresses the critical challenges faced by CISOs in today's complex threat and budget-constrained environment. The company's strong Q1 2025 performance, characterized by solid revenue growth, impressive profitability, and robust cash flow generation, underscores the value proposition of its platform and provides a solid financial foundation for continued investment.

While macroeconomic headwinds and competitive intensity, particularly in emerging areas like AI security, present challenges, Qualys' strategic pivot towards ETM/ROC, acceleration of its partner-led go-to-market strategy (including mROC), and ongoing technological innovation in areas like TruRisk Eliminate and TotalCloud CNAPP offer compelling avenues for future growth. The raised full-year guidance, despite cautious assumptions regarding the near-term macro environment, reflects management's confidence in the company's ability to execute on its strategic vision. For investors, Qualys represents an opportunity to invest in a profitable, cash-generative cybersecurity company that is strategically aligned with the evolving needs of the market, leveraging its differentiated platform and expanding ecosystem to drive long-term value creation.