Qualys is a cloud security company that helps businesses find and fix software vulnerabilities across their entire digital networks. It generated $611 million in revenue in 2024, growing 11% compared to the previous year. While the business has matured from its hypergrowth phase, it remains an exceptionally efficient machine, producing $230 million in free cash flow and maintaining gross margins above 83%.
The investment thesis on Qualys is that it is successfully moving beyond simple scanning to become a unified risk platform that automates the entire process of finding and patching security holes. Its real asset is the Qualys Cloud Agent, a piece of software installed on millions of devices that provides a continuous, live feed of security data that is difficult for competitors to displace once embedded.
We view Qualys as a high-quality, cash-generative business that is currently overlooked because its growth has slowed to the high single digits. It is one of the few cybersecurity companies that is both highly profitable and continues to gain ground in the critical vulnerability management market.
Qualys stock has stayed mostly flat over the last five years but recently jumped as investors regained interest. The price fell earlier this year, yet it started to climb again because the company is moving beyond simple software checks to offer tools that automatically fix security holes for big businesses and government agencies.
What does it do?
Qualys is a mature cloud software business that earns money by selling annual subscriptions to its security and compliance platform. The company provides a suite of applications that allow IT teams to see every device on their network, identify software bugs or misconfigurations, and prioritize which ones to fix based on actual risk. Customers pay a recurring fee based on the number of apps they use and the number of devices (assets) being monitored. Once the Qualys "Cloud Agent" is installed on a company's servers and laptops, it becomes a permanent part of their security infrastructure, making the service very difficult to turn off.
Where does revenue come from?
Almost all of Qualys's revenue comes from cloud-based subscriptions, which provide highly predictable cash flow. The company organizes its offerings into several main lines: Vulnerability Management, Detection and Response (VMDR), Cloud Security, and Compliance. In the first quarter of 2026, the company generated $175.6 million in total revenue, which was entirely driven by its subscription model.
Revenue by Geography
Who are its customers?
Qualys serves more than 10,000 subscription customers worldwide, including a majority of the Forbes Global 100 and Fortune 100 companies. The business is heavily weighted toward large enterprises that have complex global networks to secure. Because it serves the largest companies in the world, the revenue is diversified across many different industries, from banking to healthcare. In 2026, management noted that early engagement is growing for its "QFlex" and "Risk Operations Center" solutions, which target these same large enterprise clients.
What gives it staying power?
Qualys has strong staying power because its software agents are deeply embedded into millions of customer devices, creating high switching costs. Removing Qualys would require a massive manual effort to uninstall agents and re-train staff on a new system. This results in high retention rates and steady, recurring revenue.
Where is it headed?
Qualys is heading toward "Autonomous Exploit Validation," using AI to not only find bugs but automatically verify if they can actually be used by hackers. The goal is to move from a "scanning" company to a "Risk Operations" company that solves the problem of security staff being overwhelmed by too many alerts. If this works, Qualys becomes the central "system of record" for all cyber risk in a company.
Revenue and earnings are showing steady, disciplined growth despite a broader slowdown in corporate IT spending. Revenue reached $175.6 million in the most recent quarter, a 10% increase that reflects the company's ability to cross-sell more apps to its existing 10,000+ customers.
Qualys is a premier cash generator, with a free cash flow margin that consistently tracks its high operating profits. The company produced $300 million in free cash flow in 2025, and its gross margins of 83.2% are among the highest in the entire software industry, proving it can grow without needing massive new capital.
The balance sheet is exceptionally clean, with virtually no debt and a significant cash pile used for consistent share buybacks. With a debt-to-equity ratio of just 0.09x, the company has total financial flexibility to weather economic downturns or fund small, strategic acquisitions to boost its AI capabilities.
Qualys is one of the most financially disciplined companies in cybersecurity, prioritizing high margins and cash flow over growth at any cost.
The company's profitability is exceptional, with a non-GAAP operating margin of 46% in the most recent quarter. This high level of efficiency allows Qualys to fund its own research and development and return cash to shareholders through buybacks without taking on debt.
Revenue growth has slowed to the high single digits, which could suggest the core vulnerability management market is reaching saturation. Investors should watch the adoption of new products like TotalCloud and the Risk Operations Center to see if they can re-accelerate growth back into the double digits.
The vulnerability management market is worth approximately $10 billion today and is growing at roughly 12% annually as businesses move more of their operations to the cloud. Pricing power is structural because once a security scanner is embedded into a company's workflow, it is rarely removed due to the risk of creating "blind spots" in protection. Qualys is a mature leader in this space, and while its growth has slowed, it remains a critical anchor in the security budgets of the world's largest companies.
The cybersecurity market is rationally structured but increasingly dominated by large platform players who want to bundle multiple services together. The primary competitive force is "platformization," where customers prefer buying one large suite of tools rather than dozens of small, specialized ones. This favors established players like Qualys but puts pressure on pricing for standalone products.
Tenable is the most dangerous direct threat because it has a similar focus on vulnerability management and a loyal base of security practitioners. CrowdStrike and Palo Alto Networks are also major threats because they use their dominance in other security areas to "bundle" in vulnerability tools, potentially squeezing Qualys's market share. CrowdStrike's expansion into risk management represents the most significant long-term threat to Qualys's core business.
Qualys is holding its ground by expanding its platform into remediation and cloud security, though it is no longer the fastest-growing player. The company's 83% gross margins prove it still possesses significant pricing power despite intense competition.
The primary source of protection for Qualys is high switching costs generated by its proprietary Cloud Agent. Once the Qualys agent is installed on hundreds of thousands of a company's servers, the operational cost and risk of switching to a rival are prohibitive. This "lock-in" is evidenced by the company's elite 28.8% return on invested capital (ROIC).
The combination of 83% gross margins and 29% net margins proves that Qualys has a durable advantage that allows it to maintain high profitability even as competitors enter the space. These numbers are consistent with a real, wide moat built on technical integration rather than just a favorable business cycle.
The moat is currently stable, but its long-term strength depends on Qualys's ability to maintain its "agent" advantage as more workloads move to serverless cloud environments.
Consistently delivered 40%+ non-GAAP operating margins while raising 2026 revenue guidance to $727M.
Generated $300M in FCF in 2025 and uses it for consistent share buybacks.
CEO Sumedh Thakar has been with the company for over 20 years, showing deep institutional commitment.
Capital Allocation Track Record
Qualys management is exceptionally disciplined, prioritizing long-term profitability and cash flow over the "growth at any cost" mentality common in cybersecurity. CEO Sumedh Thakar has a deep technical background and has successfully steered the company through the transition from on-premise scanning to a full cloud-native platform. The team has a proven record of hitting their guidance and maintaining elite 83% gross margins, which demonstrates superior operational control and a refusal to engage in destructive price wars.
The leadership-continuity risk is low because Thakar is a long-tenured insider who was promoted from within, ensuring the company’s culture of financial discipline remains intact. While the thesis relies on their ability to innovate in AI, there is a credible bench of executives like CISO Jonathan Trull who understand the enterprise security landscape. There are no significant dual-class control or board independence concerns that would worry a long-term owner.
Qualys is moving from a high-growth "scanner" company to a high-margin "remediation" platform. The inflection point is the adoption of its AI-driven Risk Operations Center (ROC), which aims to re-accelerate growth while maintaining elite profitability. Our projections assume Qualys maintains high-single-digit to low-double-digit revenue growth as it matures. The focus is on cash flow generation, where Qualys remains a leader, with margins expected to stay in the top tier of all software companies.
AI-driven remediation automates the patching of critical security vulnerabilities. If Qualys can successfully automate the fixing of bugs, it doubles its addressable market from "scanning" to "fixing."
Consolidating the security stack into a single unified platform. Enterprises want fewer vendors; Qualys wins if it can replace 3-4 smaller tools with its unified TruRisk platform.
Expansion into Cloud Native Application Protection (CNAPP). As companies move more to the cloud, Qualys's TotalCloud solution provides a major new revenue stream outside of traditional servers.
Competition from larger "platform" giants like CrowdStrike and Palo Alto. If giants bundle vulnerability tools for free, Qualys's pricing power and growth could be severely compressed.
Rapid shift to serverless computing makes "agent-based" security less relevant. If the industry moves away from the servers where Qualys agents live, its primary moat could slowly erode.
Corporate IT budget tightening slows the adoption of new platforms. A recession could lead customers to stick with "good enough" existing tools rather than upgrading to the full Qualys suite.
Below is our estimate of current and future fair value, with detailed reasoning and assumptions. Fair value is a judgment, not a fact, and other analysts will likely land on different numbers. Use it as one data point in your research, and apply your own discretion in any investing decision.
We use a Forward P/E approach based on next year's earnings power. This framework fits Qualys because the company is highly profitable and generates consistent cash flow, making earnings a more reliable signal of value than the revenue multiples typically used for unprofitable cybersecurity startups.
Applying a 18x multiple to our FY2026 Non-GAAP EPS estimate of $7.55 results in a fair value of $136 per share. A 18x multiple sits comfortably between peers Tenable (which trades at a higher multiple due to faster growth but lower margins) and mature infrastructure software players like Akamai or Norton; the premium over low-growth legacy software is justified by Qualys's Wide Moat and 35%+ operating margins. Our EPS basis is the midpoint of management's raised guidance ($7.44–$7.65) provided in May 2026.
A 5-year Discounted Cash Flow (DCF) cross-check yields a fair value of $131, within 4% of our Forward P/E result. We used a 9.5% discount rate (reflecting the low 0.65 beta but adding a premium for sector volatility) and a conservative 3% terminal growth rate. Since the market is currently pricing in only 2% growth at $112.33, the DCF confirms that even a modest "base case" of 8% annual growth makes the stock look undervalued.
We're assuming Qualys successfully transitions from a passive scanning tool to an active "autonomous remediation" platform via its AI Agentic fabric. The launch of "Agent Val" in March 2026 suggests the technology is already in the hands of customers, aiming to reduce remediation "noise" by 90%, which justifies maintaining high pricing tiers despite slower overall market growth.
We're assuming profit margins remain elite, with Non-GAAP operating margins sustained near 35%. Qualys has historically operated with a lean, SaaS-native infrastructure that allows for 83% gross margins; as long as the company avoids a "price war" in the mid-market, its high profitability provides a massive floor for the valuation.
We're assuming a recovery in investor sentiment toward a 18x Non-GAAP forward multiple. While the stock has traded at higher multiples historically, a 18x multiple is a fair "quality" rating for a business with a wide moat, zero debt, and consistent double-digit earnings growth, even if top-line revenue growth remains in the 8% to 10% range.
The biggest risk is competitive displacement from platform consolidators who bundle vulnerability management for free or at a deep discount. This "good enough" competition could permanently cap Qualys's growth in the high single digits, compressing the forward multiple from 18x to 12x and knocking roughly $45 off the per-share fair value. Watch for any sequential decline in "Calculated Current Billings" as a signal that the sales cycle is lengthening against these larger rivals.
Bear case ($106): Platform consolidation by "all-in-one" vendors like CrowdStrike or Palo Alto Networks causes annual revenue growth to slip below 7%; or Non-GAAP operating margins compress toward 30% as the company is forced to ramp sales spending to defend its vulnerability management niche.
Bull case ($166): Adoption of "Agent Val" and the AI Risk Operations Center re-accelerates revenue growth above 15% by FY2027; or Free cash flow per share exceeds $11.00 as autonomous remediation features increase customer stickiness and pricing power.
Clearthesis wrote this report from 37 sources, including SEC filings, industry research, and recent news.
How did you like this thesis?
Your feedback helps us make reports better for you
© 2026 Clearthesis.ai · Report generated on June 23, 2026
This is an AI-generated analysis for informational purposes only and does not constitute financial advice. Data and analysis may not reflect recent developments if viewed significantly after the generation date. Always conduct your own due diligence before making any investment decisions.
The market is leaning neutral because Qualys is transitioning from a specialized vulnerability scanner into a broader risk platform. The company relies on its proprietary Cloud Agent to automate security patching. Investors see this shift as a way to maintain high profit margins while proving it can grow beyond its traditional scanning roots.
Skeptics think that Qualys is failing to keep pace with modern cloud security competitors. They worry the slow 11 percent revenue growth shows that the product is becoming a commodity as new, nimble companies offer more integrated cloud-native tools that replace the need for older scanning agents.