The Thesis
Qualys is a cloud software company that helps large organizations find and fix security holes in their computer networks before hackers can exploit them. The company generated $0.67 billion in revenue last year, representing 10% growth while serving over 10,000 subscription customers. Transitioning from simple scanning to an integrated "risk operations" platform is the structural shift that makes the next phase of growth possible.
The bet here comes down to four specific things.
In our view, there is meaningful upside still ahead, driven by how the market is underestimating the cash-generating power of this platform. The case strengthens only if the company can accelerate revenue growth back into the double digits by late 2026. For long-term investors, Qualys is one of the cleaner ways to own a profitable, high-margin piece of the cybersecurity market.
Numbers at a Glance
What does it do?
Qualys is a maturing business that earns money by selling yearly subscriptions to its cloud-based security and compliance platform. Customers install a single software "agent" on their computers and servers which then reports back to the Qualys Cloud Platform. This platform automatically scans for vulnerabilities, checks if the software is up to date, and highlights which risks are most likely to be attacked. Because it is delivered over the internet, Qualys does not have to manage physical hardware for every client, allowing them to keep a large portion of every dollar as profit.
Where does revenue come from?
Almost all revenue comes from recurring subscriptions to the Qualys Cloud Platform and its various specialized security applications. These applications cover everything from patching software to monitoring cloud servers and checking for digital certificate errors. The business model is highly predictable because once a company integrates Qualys into its security workflow, it rarely switches to a competitor.
Revenue by Geography
Who are its customers?
Qualys serves over 10,000 subscription customers worldwide, including a majority of the Forbes Global 100 and Fortune 100 companies. The customer base is heavily weighted toward large enterprises that have thousands of devices to track across global networks. While the company does not disclose a specific user count, it serves massive organizations like Amazon Web Services, Microsoft Azure, and Google Cloud through strategic partnerships. These large clients pay significant annual fees to maintain a unified view of their security risks across hybrid cloud environments.
What gives it staying power?
High switching costs provide the strongest protection because Qualys is deeply embedded into the daily workflows of IT security teams. Once a company has deployed thousands of Qualys agents across its global infrastructure, replacing them with a rival's software is a massive and risky technical undertaking.
Where is it headed?
The company is betting heavily on agentic AI to automate how security teams prioritize and fix vulnerabilities. By using AI to validate which security holes are actually exploitable, Qualys aims to reduce the "noise" for security teams and make their platform indispensable. This shift toward an autonomous Risk Operations Center is intended to keep the platform relevant as cyber attacks become more sophisticated and frequent.
Revenue growth has stabilized in the 10% range, signaling a shift from a hyper-growth story to a steady, high-margin compounder. While the growth rate is lower than in previous years, the Q1 2026 result of $175.6 million shows the business is still expanding its footprint within a massive enterprise market.
Free cash flow is exceptionally high quality, with 2025 FCF of $0.30 billion nearly doubling net income due to the capital-light nature of the cloud platform. Because Qualys collects subscription fees upfront but recognizes them over time, the cash actually hits the bank well before it appears on the profit statement.
The balance sheet is fortress-like, carrying a tiny debt-to-equity ratio of 0.09x and significant cash reserves for future growth or buybacks. This financial flexibility allows the company to invest in AI innovation or acquire smaller technology partners without needing to borrow expensive capital.
Qualys is a financial powerhouse that generates massive cash flows and elite margins while maintaining a debt-free balance sheet.
Profitability remains exceptional with gross margins staying at a world-class 83% even as the company invests in new AI features. This efficiency proves that Qualys can add new capabilities to its platform without significantly increasing the cost to serve each customer.
The single most important risk is the gradual deceleration of revenue growth toward the high single digits. If growth stays below 10% for multiple quarters, the market may revalue the stock as a low-growth utility rather than a technology leader, even if profits remain high.
The cybersecurity market is roughly $180 billion today, growing at 12% annually, and is on track to exceed $320 billion by 2028. This is an elite industry where structural demand is driven by increasing regulation and the rising frequency of ransomware attacks, which prevents a race to the bottom on price. Qualys is a long-standing leader in the vulnerability management niche, providing the "system of record" that enterprises use to prove they are compliant and secure.
The vulnerability management market is shifting from a standalone tool to a feature within larger security platforms. While the barriers to entry for a basic scanner are low, the barriers to building a globally trusted platform with 83% gross margins are immense.
Tenable(TENB) is the most direct threat, often going head-to-head on the accuracy and depth of their security research. CrowdStrike is the most dangerous threat because they can bundle similar features into their existing security agents, potentially removing the need for a separate Qualys subscription. Microsoft(MSFT) also uses its massive enterprise footprint to offer "good enough" security tools that can pressure the pricing of specialized players.
Qualys is holding its ground by expanding its platform into remediation and AI-driven risk validation. This prevents them from being seen as a simple scanning tool that can be easily swapped out.
The primary source of protection is high switching costs created by the deep integration of Qualys agents into enterprise IT systems. Once a company has deployed tens of thousands of these agents and built their compliance reporting around Qualys data, the technical risk of switching to a rival is a massive deterrent. The company's 28.8% ROIC proves that this advantage is real and durable.
The financial numbers are incredibly consistent with a wide moat business. An 83% gross margin combined with a 29% net margin indicates that Qualys has significant pricing power and does not need to spend every dollar it makes just to stay competitive.
The moat is holding steady as Qualys transitions from a simple scanner to an AI-driven risk platform. This shift is critical to maintaining high switching costs as competitors try to bundle similar features.
Consistently raised 2026 revenue guidance to $721M-$727M while maintaining 83% margins.
Generated $0.30B FCF in 2025 while keeping debt to a negligible 0.09x equity.
Thakar has been with Qualys since 2003, providing deep institutional knowledge and continuity.
Capital Allocation Track Record
Qualys is led by a veteran team that prioritizes profitable growth over the "growth at any cost" model common in software. Sumedh Thakar has successfully guided the company through multiple competitive cycles, consistently delivering industry-leading margins and raising financial targets. The management team is highly disciplined, choosing to return cash to shareholders through buybacks while maintaining a fortress balance sheet.
© 2026 ClearThesis.ai · Report generated on May 27, 2026
This is an AI-generated analysis for informational purposes only and does not constitute financial advice. Data and analysis may not reflect recent developments if viewed significantly after the generation date. Always conduct your own due diligence before making any investment decisions.