Executive Summary / Key Takeaways

• Pioneering Risk Operations: Qualys (NASDAQ:QLYS) is redefining cybersecurity with its Agentic AI-powered Risk Operations Center (ROC) and Enterprise TruRisk Management (ETM) solution, shifting focus from reactive threat detection to proactive, quantifiable risk reduction. This strategy aims to unify disparate security tools and provide business-contextual risk insights.
• Robust Financial Performance: The company reported strong Q3 2025 revenue growth of 10% year-over-year to $169.9 million, coupled with an impressive adjusted EBITDA margin of 49%. Full-year 2025 revenue guidance was raised to $665.8 million to $667.8 million, reflecting continued demand for its subscription services.
• Technological Leadership and Innovation: Qualys's organic platform is a key differentiator, with recent innovations like TruConfirm for exploit validation, TruRisk Eliminate for automated remediation, and TotalAI for AI Security Posture Management. These advancements aim to deliver measurable outcomes and address emerging threats.
• Strategic Partner-First Approach: A deliberate shift towards a partner-first sales motion is accelerating growth, particularly in international markets, with partners actively launching Managed Risk Operations Center (mROC) services. This strategy is expected to drive top-line growth and ETM penetration.
• Attractive Valuation and Growth Catalysts: Despite macroeconomic headwinds, Qualys's strong fundamentals, including consistent revenue and earnings growth, a debt-free balance sheet, and superior returns, suggest an attractive investment profile. The company's focus on ETM, federal expansion, and flexible pricing models (Q-Flex) are poised to be significant growth catalysts.

The Dawn of Proactive Cyber Defense: Qualys's Strategic Evolution

Qualys, Inc., a pioneer in cloud-based security since its inception in 1999, is spearheading a fundamental shift in cybersecurity: from merely managing attack surfaces to actively managing risk surfaces. This evolution is powered by its innovative Agentic AI and the Enterprise TruRisk Management (ETM) solution, which forms the core of its Risk Operations Center (ROC). The company's mission is to deliver innovative security solutions that enable organizations to identify, protect, and comply with evolving cyber threats, providing a unified view of their security posture across diverse IT infrastructures.

The cybersecurity market is experiencing robust growth, with global spending projected to reach $212 billion in 2025, marking a 15.1% increase from 2024. The cloud security market alone is estimated at $40.81 billion in 2025, with a projected CAGR of 12.87% through 2034. This expansion is driven by the increasing frequency and sophistication of cyberattacks, rapid digital transformation, and the proliferation of cloud computing and IoT devices. Qualys's strategy directly addresses this dynamic landscape by offering a platform that moves beyond traditional vulnerability detection to quantifiable, proactive risk reduction.

Technological Edge: Agentic AI and the TruRisk Platform

Qualys's technological differentiation is rooted in its organically developed, cloud-native platform, which processes petabytes of high-fidelity data daily. This platform integrates and normalizes security signals from both Qualys and third-party tools, including competitors like CrowdStrike (CRWD), Tenable (TENB), and Wiz, to provide a holistic view of an organization's cyber risk. This vendor-agnostic orchestration layer is a critical differentiator, allowing customers to unify their security toolsets without requiring a complete rip-and-replace of existing solutions.

A cornerstone of Qualys's innovation is its Agentic AI platform, which features a marketplace of Cyber Risk AI Agents. These autonomous agents are designed to automate complex business processes, adapt to customer environments, and achieve end-to-end outcomes for cybersecurity teams, significantly reducing time to remediation and increasing accuracy. The company has already seen 20% to 25% efficiency gains internally by leveraging AI in its development efforts, even reducing the need for QA hires. This internal efficiency underscores the power of AI that Qualys is now extending to its customers.

The Enterprise TruRisk Management (ETM) solution is central to the ROC concept. It combines Cyber Risk Quantification (CRQ), Continuous Threat Exposure Management (CTEM), and native remediation operations to fix the risks that matter most, quickly and at scale. A key enhancement to ETM is TruConfirm, which uses automated validation to run safe exploits over the network, confirming exploitability before customers are compromised. This removes guesswork and allows customers to prioritize only exploitable blind spots for remediation with TruRisk Eliminate. TruRisk Eliminate, which includes Patch Management, also offers the ability to automate compensating controls when patches are unavailable or too risky, addressing the "unpatchable gap". This is crucial in an environment where adversaries exploit vulnerabilities rapidly, sometimes even before patches are released.

Qualys's TotalCloud CNAPP (Cloud-Native Application Protection Platform) is another significant technological differentiator. It provides comprehensive attack path analysis, enhanced risk quantification, and automated no-code, low-code cloud workflow remediation across multi-cloud and container environments. This solution integrates cloud risk into a holistic business risk view, offering business quantification that many competitors lack. Furthermore, the introduction of Identity Security Posture Management (ISPM) natively into ETM unifies the identity risk surface by continuously analyzing identity systems for misconfigurations and excessive privileges.

These technological advancements are not merely features; they are strategic enablers. They contribute to Qualys's competitive moat by offering a more integrated, automated, and business-aligned approach to cybersecurity. The ability to quantify risk in financial terms and provide native remediation capabilities directly translates into tangible benefits for customers, such as reduced operational complexity, lower costs, and improved security outcomes. This comprehensive, platform-centric approach positions Qualys to capture a larger share of the expanding cybersecurity market, particularly as organizations seek to consolidate tools and optimize their security spend.

Financial Performance and Strategic Momentum

Qualys has demonstrated consistent financial performance, reflecting the effectiveness of its cloud-native platform and strategic initiatives. For the three months ended September 30, 2025, total revenues grew 10% year-over-year to $169.9 million. This growth was primarily driven by increased demand for subscription services, with 95% of the increase coming from existing customers and 5% from new customers. International markets showed strong momentum, with foreign revenue growing 15% year-over-year, outpacing domestic growth of 7%.

The company's profitability remains robust, with an adjusted EBITDA of $82.6 million in Q3 2025, representing a 49% margin, an increase from 45% a year ago. This strong margin performance highlights Qualys's scalable business model and efficient operations. Net income for the quarter was $50.3 million, resulting in diluted EPS of $1.39. For the nine months ended September 30, 2025, net income was $145.2 million, and diluted EPS was $3.97.

Qualys maintains a healthy liquidity position, with $663.6 million in cash, cash equivalents, and marketable securities as of September 30, 2025.

The company's free cash flow for Q3 2025 was $89.5 million, representing a 53% margin. This strong cash generation supports ongoing investments in product innovation and strategic initiatives, as well as shareholder returns through its share repurchase program, which had approximately $205.2 million remaining as of September 30, 2025.

The strategic emphasis on a partner-first sales motion is yielding tangible results. In Q3 2025, partner-led revenues grew 17% year-over-year, making up 50% of total revenues, up from 47% a year ago. This trend is expected to continue, leveraging the partner ecosystem to drive growth and ETM penetration. The introduction of the Q-Flex pricing model, allowing customers to purchase Qualys Units (QLUs) for flexible module utilization, is also gaining traction, with one Global 10 customer making a multiyear commitment that increased annual bookings by over 50%.

Competitive Landscape and Strategic Positioning

The cybersecurity market is highly competitive and fragmented, with Qualys competing against a range of established and emerging vendors. Key competitors include large public companies like CrowdStrike, Palo Alto Networks (PANW), Rapid7 (RPD), and Tenable Holdings, as well as specialized private providers.

Qualys differentiates itself through its integrated, cloud-native platform and its focus on proactive risk management with business quantification. While competitors like Tenable offer strong exposure management solutions with Q3 2025 revenue growth of 11%, Qualys's ETM solution goes further by natively integrating remediation and exploit validation (TruConfirm). Tenable reported a Q3 2025 non-GAAP operating margin of 23.3%, while Qualys's adjusted EBITDA margin was 49% in Q3 2025, suggesting superior operational efficiency.

CrowdStrike, a leader in endpoint protection, reported fiscal year 2025 revenue growth of 29%, with a non-GAAP subscription gross margin of 80%. While CrowdStrike excels in AI-driven threat detection, Qualys's strength lies in its comprehensive compliance and asset management solutions, offering a more robust framework for continuous monitoring, particularly for organizations with complex regulatory needs.

Palo Alto Networks, with fiscal year 2025 revenue growth of 14.87%, offers a broad suite of network security and cloud protection. Its full-year 2025 non-GAAP operating margin guidance is 28% to 28.5%. Qualys's cloud-native approach and unified platform for IT security data analysis provide a qualitative edge in specialized compliance areas, potentially offering lower operational overhead compared to Palo Alto's broader network security focus.

Fortinet (FTNT), specializing in network security and unified threat management, reported Q3 2025 revenue growth of 14%. Its full-year 2025 non-GAAP operating margin guidance is 34.5% to 35.0%. Qualys's purely cloud-based platform offers greater scalability and flexibility compared to Fortinet's hardware-dependent solutions, making Qualys's offerings easier to manage for distributed enterprises.

The vulnerability management market is expected to grow at an 8% CAGR from 2025 to 2030, reaching $24.08 billion. Qualys's leadership in Patch Management, recognized by GigaOm, and its advanced TruRisk Eliminate capabilities position it strongly in this evolving market. The company's strategy of ingesting data from competitors' tools into ETM allows it to provide a unified risk view, even if customers retain other point solutions, thereby expanding its addressable market and reducing friction in sales cycles.

Outlook and Risks

Qualys has raised its full-year 2025 revenue guidance to a range of $665.8 million to $667.8 million, representing a 10% growth rate. Full-year EPS guidance was also increased to $6.93 to $7.00. This outlook assumes continued budget scrutiny and a challenging environment for new business growth in Q4 2025, with no significant improvement in macroeconomic conditions. The company anticipates a full-year 2025 adjusted EBITDA margin in the mid- to high 40s and a net free cash flow margin in the low 40s.

Strategic investments will continue to focus on sales and marketing, and engineering, to drive pipeline, accelerate the partner program, and expand the federal vertical. Qualys expects a slight contraction in gross margin in 2025 due to data center investments aimed at long-term operational efficiencies.

Key risks include the ongoing macroeconomic uncertainty, which could lead to reduced IT spending and extended sales cycles. The rapidly evolving AI landscape presents both opportunities and risks, with potential for new cybersecurity threats and regulatory obligations. While AI is seen as a significant growth driver, the budgeting for AI security solutions is still in an exploratory phase for many customers, with a full ramp-up expected over several years. The recent departure of the Chief Revenue Officer may also lead to near-term adjustments in strategic plans. However, the company's achievement of FedRAMP High authorization positions it for significant long-term growth in the federal sector, as government agencies seek to modernize their security infrastructure.

Conclusion

Qualys is strategically positioned at the forefront of a cybersecurity paradigm shift, moving towards proactive, quantifiable risk management. Its organically developed, AI-powered Enterprise TruRisk Platform, with solutions like ETM, TruConfirm, and TruRisk Eliminate, offers a compelling value proposition by unifying security insights, providing business context to cyber risk, and enabling automated remediation. This technological differentiation, coupled with a robust financial performance and a focused partner-first go-to-market strategy, underpins a strong investment thesis.

Despite persistent macroeconomic challenges and competitive pressures, Qualys's ability to innovate, drive operational efficiencies, and expand into high-growth areas like federal and AI security demonstrates its resilience and long-term growth potential. The company's commitment to delivering measurable security outcomes, rather than just alerts, resonates deeply with CISOs and boards, positioning Qualys as a trusted leader in the evolving landscape of pre-breach cyber risk management. The continued penetration of ETM and the strategic leverage gained from its mROC partners will be critical indicators of its sustained success and market share expansion in the years ahead.