Qualys is a cybersecurity company that helps businesses find and fix security risks across their IT systems. Its cloud-based platform offers a wide range of tools for managing vulnerabilities, staying compliant, and detecting threats. With strong profit margins and steady recurring revenue, Qualys is now expanding into risk management and AI security. The question is: Can this trusted security provider keep growing and earn a place in your portfolio?

This is not a financial advice. I am not a financial advisor and I only do these post in order to do my own analysis and elaborate about my decisions, especially for my copiers and followers. If you consider investing in any of the ideas I present, you should do your own research or contact a professional financial advisor, as all investing comes with a risk of losing money. You are also more than welcome to copy me. 

For full disclosure, I should mention that I do not own any shares in Keurig Dr Pepper at the time of writing this analysis. If you would like to copy or view my portfolio, you can find instructions on how to do so here. If you want to purchase shares or fractional shares of Keurig Dr Pepper, you can do so through eToro. eToro is a highly user-friendly platform that allows you to get started on investing with as little as $50.

The Business

Qualys is a cybersecurity company that provides cloud-based tools for identifying and fixing security vulnerabilities across a company’s digital systems. It was founded in 1999 and was one of the first to offer security tools entirely through the cloud. Today, it serves more than 10.000 customers across over 130 countries, including many of the world’s largest companies. The company offers a wide range of tools through one platform. These tools let companies see all their digital systems, whether they are in offices, cloud services, or mobile devices, and check them for weaknesses. When security issues are detected, Qualys supports their resolution through automated features that streamline the process. Everything runs online, so companies do not need to install or manage extra hardware. Because all the tools work together and are easy to expand, it is simpler and more cost-effective than using many separate cybersecurity products. What sets Qualys apart from competitors is that it was built from the start as a cloud-based system. This gives it an edge over older companies that had to move from older, more complex setups. Qualys uses its own lightweight software that runs quietly in the background on a company’s systems, constantly checking for problems. Few competitors offer this kind of constant, automatic protection in such an integrated way. Another advantage is Qualys’s deep experience. It has been collecting data on cyber threats for more than two decades, which helps it spot and prioritize the most dangerous risks faster and more accurately than others. It also helps businesses not only detect problems but fix them, often with automation, so that security teams can respond faster and with fewer tools. Because Qualys is so deeply embedded in a customer’s daily operations, switching to another provider is costly and complicated. That keeps customers loyal. And unlike many fast-growing cybersecurity startups, Qualys is highly profitable, which means it can keep investing in its products without depending on outside funding. Qualys’s competitive moat comes from its cloud-first architecture, its broad and integrated platform, and the depth of its threat intelligence built over more than two decades. These advantages allow it to deliver scalable and reliable security solutions that are deeply embedded in its customers’ operations. The complexity of switching to another provider and the long-standing relationships it has with large enterprises further reinforce its position and make it difficult for competitors to displace.

Management

Sumedh Thakar serves as the CEO of Qualys, a role he assumed in 2021 after nearly two decades with the company. He joined Qualys in 2003 as a software engineer and steadily rose through the ranks, holding key leadership roles across product development, platform strategy, and business operations. His deep technical expertise, combined with a strong understanding of the company’s long-term vision, made him a natural choice to lead Qualys into its next phase of growth. Prior to becoming CEO, Sumedh Thakar served as Chief Product Officer and later as President of Qualys. In these roles, he was instrumental in transforming the Qualys Cloud Platform from a single-product offering into a comprehensive suite of integrated security and compliance applications. Under his leadership, the platform expanded to cover the full range of digital environments, including on-premises infrastructure, endpoints, cloud, containers, and mobile devices. As President, he also played a key role in driving company-wide initiatives around go-to-market strategy, customer success, and international expansion. Before joining Qualys, Sumedh Thakar worked at Intacct, an early pioneer in cloud-based financial software, where he gained early exposure to the SaaS business model. He also spent time at Northwest Airlines, where he developed complex algorithms for revenue management and pricing optimization, an experience that sharpened his analytical skills and problem-solving approach. Sumedh Thakar holds a bachelor’s degree in computer engineering with distinction from Savitribai Phule Pune University. His leadership at Qualys is characterized by a hands-on, product-led approach and a commitment to innovation. He is known for being both pragmatic and forward-looking, with a focus on execution and cross-functional alignment. Earnings call transcripts and public commentary suggest a management team under Sumedh Thakar that is willing to make bold forecasts and take accountability for long-term outcomes. Given his long tenure at Qualys, his deep involvement in the platform’s evolution, and his ability to scale both technology and operations, I believe Sumedh Thakar is well-positioned to lead the company as it navigates a rapidly changing cybersecurity landscape.

The Numbers

The first number we will look into is the return on invested capital, also known as ROIC. We want to see a 10-year history, with all numbers exceeding 10% in each year. Qualys has consistently achieved a ROIC above 10% over the past nine years, with the figure increasing year over year in most of them. This strong and rising ROIC is a result of how efficiently the company turns investment into profit. As a cloud-based business, Qualys does not rely on physical hardware, which keeps delivery costs low and makes it easy to scale across global markets. Its subscription-based model generates steady, recurring income without requiring large ongoing investments. The platform is highly integrated, with a single lightweight agent powering multiple tools. This setup allows Qualys to operate efficiently and support its customers with fewer resources. Over time, the company has also built a deep library of threat intelligence, which enhances its detection capabilities and supports premium pricing without heavy spending on sales or research. Combined with disciplined capital allocation and strong free cash flow, these factors enable Qualys to reinvest profitably and maintain high returns on capital year after year. Given the scalability of its model, the stickiness of its platform, and its ongoing focus on profitable growth, there is good reason to believe that Qualys will continue to generate high ROIC in the years ahead.

The next numbers are the book value + dividend. In my old format this was known as the equity growth rate. It was the most important of the four growth rates I used to use in my analyses, which is why I will continue to use it moving forward. As you are used to see the numbers in percentage, I have decided to share both the numbers and the percentage growth year over year. To put it simply, equity is the part of the company that belongs to its shareholders – like the portion of a house you truly own after paying off part of the mortgage. Growing equity over time means the company is becoming more valuable for its owners. So, when we track book value plus dividends, we’re essentially looking at how much value is being built for shareholders year after year. Qualys’s equity has grown steadily in most years and reached a record high in 2024. This consistent growth is largely driven by the company’s strong profitability. Instead of paying dividends, Qualys reinvests its earnings back into the business, which steadily increases equity over time. Although it does buy back shares, the amount of profit retained far outweighs the cost of these repurchases, resulting in a net gain. The company also keeps its debt levels low and manages capital with discipline, allowing it to expand without relying on outside financing. Altogether, this reflects a stable and efficient business model that continues to build long-term value for its shareholders.

Finally, we will analyze the free cash flow. Free cash flow, in short, refers to the cash that a company generates after covering its operating expenses and capital expenditures. I use levered free cash flow margin because I believe that margins provide a better understanding of the numbers. Free cash flow yield refers to the amount of free cash flow per share that a company is expected to generate in relation to its market value per share.  It is not surprising that Qualys has managed to deliver positive free cash flow every year over the past decade. The company has steadily grown its free cash flow over many years, with only a slight dip in 2024. Even with that minor decline, it continues to maintain a strong free cash flow margin, well above industry norms. This consistent performance is the result of a highly efficient business model. Qualys operates a cloud-based, subscription-driven platform that generates reliable recurring revenue without requiring large investments in physical infrastructure. Once the platform is built, onboarding new customers involves minimal additional cost, allowing a significant portion of revenue to convert into cash. The company also runs lean operations, using a single lightweight software agent to support a broad range of services. With low capital spending and disciplined use of cash, Qualys consistently turns a large share of its profits into free cash flow. That cash is primarily used to repurchase shares, meaning investors benefit from a shrinking share count as free cash flow grows. The free cash flow yield is currently higher than usual, which is not necessarily a sign that the stock is cheap, but an indication that shares are trading at a more attractive valuation than they have in many years. However, we will revisit valuation later in the analysis.

Debt

Another important aspect to consider is a company’s debt. It is crucial to determine whether the business holds a manageable amount of debt, ideally one that could be paid off within three years, by looking at the long term debt to earnings ratio. In the case of Qualys, the analysis is straightforward: the company has no long term debt. In fact, Qualys has remained debt free since its IPO, which is a strong positive signal. As a result, debt is not a concern when evaluating Qualys as an investment.

Exclusive Discounts on Seeking Alpha – Elevate Your Investing Today!

For those serious about investing, here's your chance to upgrade your strategy with exclusive offers you won't find anywhere else. These special discounts are available only through the links below—don’t miss out!

1. Seeking Alpha Premium: Access comprehensive financial data, earnings transcripts, in-depth analysis, market news, and more. Perfect for investors who want an edge in making informed decisions.

   Special Price: $269/year (originally $299) + 7-day free trial.

   Sign up for Premium here.

   
   

2. Alpha Picks: Get stock recommendations from a portfolio that gained +177% compared to the S&P 500's +56% from July 2022 through the end of 2024.

   Special Price: $449/year (originally $499).

   Sign up for Alpha Picks here.

   
   

3. Alpha Picks + Premium Bundle: The ultimate investment package with a $159 discount!

   Special Price: $639/year (originally $798).

   Get the Bundle here.

   
   

I use Seeking Alpha daily for its reliable insights and actionable strategies. These deals are available exclusively through my links, so take advantage of them now to level up your investment journey!

Act quickly - these prices won't last forever!

Risks

Competition is a risk for Qualys. The company operates in a highly fragmented and competitive environment, where it faces pressure from both established players and fast-growing newcomers. Direct competitors like Tenable and Rapid7 offer similar cloud-based vulnerability management solutions and actively target Qualys’s customer base. In some cases, these competitors are growing revenue faster and positioning themselves as more agile alternatives. At the same time, large cybersecurity and IT vendors such as Microsoft and Palo Alto Networks are bundling vulnerability scanning, compliance, and endpoint protection into broader security platforms. These bundled offerings can reduce the need for standalone solutions like those provided by Qualys, shrinking its addressable market. This competitive landscape puts downward pressure on pricing. To win or retain customers, Qualys may have to offer discounts or more flexible terms, which could reduce gross margins and impact profitability. Larger competitors with broader product portfolios also have the advantage of bundling services, allowing them to offer lower prices without compromising overall revenue. To stay competitive, Qualys must continuously innovate and expand its product capabilities. However, there is no guarantee that new solutions will be launched quickly enough or deliver the enhanced functionality customers expect. If Qualys’s product development falls behind or fails to meet market demand, it risks losing ground to more agile competitors.

Security incidents are a risk for Qualys. As a provider of IT security solutions, Qualys is a high-profile target for cyberattacks. If hackers are able to breach its systems or disrupt its services, the consequences could be particularly damaging, not just operationally, but reputationally. Customers trust Qualys to help protect their own data and infrastructure, so any sign that Qualys’s own platform is vulnerable could undermine confidence and lead to lost business. The company is exposed to a wide range of threats, from traditional cybercriminals to highly sophisticated attacks by nation-state actors. These attacks could be aimed at stealing sensitive data, disrupting the availability of Qualys’s cloud platform, or accessing customers’ systems through Qualys as an entry point. Even if no data is stolen, a service outage or performance issue caused by a security incident could damage Qualys’s reputation and make it harder to retain or win customers. Adding to the risk is the fact that Qualys, like many companies, has increased its reliance on remote work. This has expanded its attack surface and made it more challenging to secure every endpoint and connection. The company also uses third-party service providers and infrastructure partners, which introduces additional risks that may be outside its direct control. A breach or outage at one of these partners could still affect Qualys’s services. If a significant security breach were to occur, it could result in customer losses, lawsuits, regulatory investigations, and increased costs related to incident response and system upgrades. Even with insurance coverage in place, Qualys may not be fully protected from the financial and reputational fallout.

The inability to renew existing subscriptions is a key risk for Qualys, given that its business model relies on recurring revenue from annual software subscriptions. Most customers sign one-year contracts with no obligation to renew. If customers decide not to renew, downgrade their usage, or negotiate more favorable terms, it can lead to slower revenue growth or even a decline in overall income. These decisions may be influenced by factors such as satisfaction with the platform, shifting budget priorities, or changing internal IT strategies. This risk becomes more pronounced when considering the maturity of the vulnerability management market. After more than two decades in business, Qualys has already captured a significant portion of the enterprise customer base, especially in North America and Europe. In these regions, most large organizations already use some form of vulnerability management solution, either from Qualys or a competitor. As a result, acquiring new customers has become more difficult, and future growth depends increasingly on expanding relationships with existing clients by selling additional modules or services. However, upselling into an already saturated base is not guaranteed. Many customers face budget constraints or may be cautious about expanding their vendor footprint. If Qualys cannot drive additional adoption of newer solutions, such as cloud security or endpoint detection, its revenue growth could slow to low single digits. In this context, renewals are not just about maintaining revenue, but also about preserving the foundation for any future expansion.

Reasons to invest

Enterprise TruRisk Management (ETM) is a reason to invest in Qualys because it marks a shift in how the company delivers value to customers. Instead of just offering individual security tools, Qualys is now positioning itself as a platform for managing business risk in a more complete and strategic way. ETM brings together data from both Qualys products and third-party tools to give companies a single, clear view of their risk. This helps security leaders not only detect problems but also explain the potential financial impact to business executives. For example, instead of saying they fixed a number of technical issues, they can now say that a specific investment helped reduce the risk of losing millions of dollars. This type of insight makes it easier to justify cybersecurity spending and shows how it connects directly to protecting the business. One of the reasons ETM is gaining attention is that it works with tools companies already use. That means customers do not have to rip out existing systems to adopt it. This makes the sales process smoother and allows Qualys to sell ETM as an added layer, rather than a replacement. In many cases, customers who adopt ETM also choose to buy more Qualys modules because they fit naturally into the platform. ETM also creates new opportunities for Qualys’s network of partners, which includes cybersecurity consulting firms, managed service providers, and resellers. These partners have traditionally focused on selling security tools or providing standard monitoring services. With ETM, they can now offer a new category of higher-value, risk-focused services, such as risk quantification, continuous monitoring, tool integration, and risk reporting tailored to business needs. This shift allows partners to grow their own service revenue while positioning Qualys as a key part of their offering. For Qualys, it expands its reach into new customers through partner-led sales and services, without needing to sell or support everything directly. Because these types of managed risk services are still emerging and not widely offered by competitors, ETM helps Qualys stand out in the market and strengthens its role in the broader cybersecurity ecosystem.

TotalAI is a reason to invest in Qualys because it gives the company an early lead in a new and growing area: securing artificial intelligence systems. As more businesses start using AI and large language models in real world applications, many are asking the same question - how do we make sure these systems are secure before we put them into production? Most companies do not even know how many AI models they are running, let alone whether those models are safe. This is where TotalAI comes in. Qualys uses the tools it already has in place at customer sites to automatically discover and scan AI workloads. Customers do not need to install anything new. The system can check whether the AI model is vulnerable, leaking data, or breaking compliance rules. This makes Qualys’s approach both simple and effective, and early feedback from customers has been very positive. Security leaders are especially interested in having a reliable way to assess and approve AI models before they are deployed. They want to ensure that any model going into production meets security and compliance standards, does not expose sensitive data, and behaves as expected. TotalAI provides that level of control and visibility by scanning models for vulnerabilities and other risks early in the process. This gives companies more confidence that their AI tools are secure and ready for real world use. Although the market for AI security is still very new, it represents a big opportunity. Few companies have strong tools in this area, and Qualys is stepping in early. Because TotalAI works with tools customers already use, it is easier to adopt and fits into existing security budgets. Over time, TotalAI could help Qualys sell more to existing customers and attract new ones. As more companies roll out AI and new rules are introduced to regulate it, the need for this kind of protection will only grow.

FedRAMP is a reason to invest in Qualys because it opens the door to a large and underpenetrated opportunity in the U.S. federal market. Qualys is currently working toward FedRAMP High certification, the highest level of cloud security authorization granted by the federal government. This certification is essential for vendors that want to provide cybersecurity services to federal agencies handling sensitive or mission critical data. The certification would position Qualys as one of the few providers offering a comprehensive platform that includes vulnerability management, patching, endpoint detection, and risk management, all approved at the FedRAMP High level. This sets it apart from legacy on premise tools that are still widely used in government IT systems but are often expensive, difficult to maintain, and less adaptable to evolving threats. Management has highlighted that although the current contribution from federal customers is small, it sees major potential in this segment. The federal government is actively looking to modernize its cybersecurity infrastructure, and the Qualys cloud based and cost efficient platform is a strong fit for this shift. Importantly, once a company achieves FedRAMP High status, it gains a valuable competitive advantage. Few rivals are authorized to operate at this level, and the barrier to entry is high. This could help Qualys secure long term contracts, increase its share of federal spending, and build a more diversified revenue base in the years ahead. Qualys has already attracted interest from several federal agencies even before receiving full certification. Once certified, its ability to combine scanning and patching in a single approved solution could make it a more appealing and cost effective alternative to the fragmented tools many agencies use today.

Support the Blog

I want to keep the blog free and accessible for everyone. If you enjoy the content and would like to support it, you can buy me a cup of coffee through PayPal. Every little bit helps and is truly appreciated!

Valuation

Now it is time to calculate the share price. I perform three different calculations that I learned at a Phil Town seminar. If you want to make the calculations yourself for this or other stocks, you can do so through the tools page on my website, where you have access to all three calculators for free.

The first is called the Margin of Safety price, which is calculated based on earnings per share (EPS), estimated future EPS growth, and estimated future price-to-earnings ratio (P/E). The minimum acceptable rate of return is 15%. I chose to use an EPS of 4,65, which is from the year 2024. I have selected a projected future EPS growth rate of 13%. Finbox expects EPS to grow by 13% in the next five years . Additionally, I have selected a projected future P/E ratio of 26, which is double the growth rate. This decision is based on Qualys' historically higher price-to-earnings (P/E) ratio. Finally, our minimum acceptable rate of return has already been established at 15%. After performing the calculations, we determined the sticker price (also known as fair value or intrinsic value) to be $101,45. We want to have a margin of safety of 50%, so we will divide it by 2. This means that we want to buy Qualys at a price of $50,72 (or lower, obviously) if we use the Margin of Safety price.

The second calculation is known as the Ten Cap price. The rate of return that a company owner (or stockholder) receives on the purchase price of the company essentially represents its return on investment. The minimum annual return should be at least 10%, which I calculate as follows: The operating cash flow last year was 224, and capital expenditures were 12. I attempted to analyze their annual report to calculate the percentage of capital expenditures allocated to maintenance. I couldn't find it, but as a rule of thumb, you can expect that 70% of the capital expenditures will be allocated to maintenance purposes. This means that we will use 8 in our calculations. The tax provision was 36. We have 36,59 outstanding shares. Hence, the calculation will be as follows: (224 – 8 + 36) / 36,59 x 10 = $63,65 in Ten Cap price.

The final calculation is referred to as the Payback Time price. It is a calculation based on the free cash flow per share. With Qualys' free cash flow per share at $6,33 and a growth rate of 13%, if you want to recoup your investment in 8 years, the Payback Time price is $91,25.

Conclusion

I believe that Qualys is an intriguing company with strong management. It has built a moat through its cloud-first architecture, its broad and integrated platform, and the depth of its threat intelligence developed over more than two decades. The company has consistently achieved a high return on invested capital over the past nine years, with ROIC increasing year after year in most cases. It has also grown its free cash flow steadily, maintaining a high levered free cash flow margin. Competition is a risk for Qualys because it faces pressure from direct rivals like Tenable and Rapid7, as well as larger players such as Microsoft and Palo Alto Networks that bundle security offerings into broader platforms. This crowded landscape puts pressure on pricing and forces Qualys to keep innovating to retain customers and defend market share. Security incidents are another risk, as Qualys is both a target and a trusted defender. A major breach or service disruption, even without data loss, could damage its reputation and lead to customer churn or financial harm. The inability to renew existing subscriptions is also a concern, as the company’s recurring revenue model relies on annual renewals, which are not guaranteed. With new customer growth slowing in a mature market, maintaining and expanding relationships with current clients is essential, any decline in renewals could impact both present revenue and long-term growth. Enterprise TruRisk Management is a reason to invest in Qualys because it shifts the company from selling individual tools to offering a strategic platform for business risk management. By helping organizations quantify cyber risk in financial terms and integrate with existing tools, ETM strengthens customer engagement, supports upselling, and opens new service opportunities for partners. TotalAI is another reason to invest, as it gives Qualys a head start in the emerging field of AI security. Its ability to discover and assess AI workloads without requiring additional deployment makes it easy to adopt and well-suited for a growing and underprotected area of cybersecurity. FedRAMP is also a compelling reason to invest. As Qualys works toward FedRAMP High certification, it stands to unlock significant opportunities in the federal sector, where demand is shifting from outdated on-premise tools to cloud-based platforms. Once certified, Qualys will be among the few vendors able to offer a comprehensive, government-approved solution for vulnerability management, patching, and risk assessment. In my view, Qualys is a high-quality company and could represent a strong long-term investment at the Payback Time price of 91 dollars.

My personal goal with investing is financial freedom. It also means that to obtain that, I do different things to build my wealth. If you have some extra hours to spare each month, you can turn a few hours a week into a substantial amount of money in a few years. If you are interested to know how to do it, you can read this post.

I hope you enjoyed my analysis! While I can’t post about every company I analyze, you can stay updated on my trades by following me on Twitter. I share real-time updates whenever I buy or sell, so if you’re making your own investment decisions, be sure to follow along!

Some of the greatest investors in the world believe in karma, and to receive, you will have to give. If you appreciated my analysis and want to get some good karma and show your appreciation, I would kindly ask you to donate a bit to Rolda. It is an organization that helps the animals in Ukraine. Animals are the forgotten souls in a war, and they need all the help they can get. If you have a few bucks to spare, it doesn't matter how little, I will kindly ask you to donate a bit here. Thank you.