Q
Qualys, Inc.
QLYS · Technology
Q4 FY2025
Earning ended Dec 31, 2025Report generated Mar 10, 2026
Mandatory Compliance Utility Hiding Inside a Misread Incumbent
The market is treating Qualys as a shrinking standalone security tool losing share to integrated platforms — it is missing that the compliance and audit-trail lock-in creates a fundamentally different retention dynamic than discretionary security tooling, and the business is being priced today as if the competitive erosion has already happened rather than as a risk that is still playing out.
Flowly Score
Apr 16 Close
+197%$84.09
Fair Value
$250.00
69
Strongat $84.09
Business Strength7/10
One of the most profitable software businesses in cybersecurity, with switching costs deepened by compliance audit trails that enterprises genuinely cannot afford to rebuild — but the cloud-native architecture moat has eroded as competitors caught up, and the TruRisk platform pivot is still mid-proof with no confirmed growth inflection.
Financial Resilience8/10
The cash conversion profile is nearly flawless — every dollar of accounting profit is backed by more than a dollar of operating cash, capex has collapsed toward zero, and the balance sheet carries only modest debt relative to annual free cash flow generation; this business can fund itself through almost any macro environment without dilution or distress.
Growth & Trajectory5/10
The deceleration from double-digit growth to a 7-8% guided ceiling is real and management's own guidance assumes no improvement in net dollar expansion — new product bookings from Patch Management and CSAM are genuinely encouraging, but they are not yet large enough to bend the overall revenue curve back upward.
Valuation8/10at $96.36
A 6%-plus free cash flow yield on a business with 30%-plus ROIC, near-zero reinvestment requirements, and mandatory compliance renewal dynamics is pricing in a deterioration scenario that the underlying retention data does not yet confirm — the multiple compression from historical peaks to current levels has likely overshot the actual degradation in business quality.
Risk5/10
The threat is concrete and named: CrowdStrike with agents already on tens of millions of endpoints and Microsoft with Defender bundled into E5 licensing that enterprises are already paying for — both can offer 'good enough' vulnerability management at a price point Qualys structurally cannot match, and any acceleration in vendor consolidation decisions puts Qualys near the top of the rationalization list.
The investment case rests on a specific and underappreciated asymmetry: you are buying one of the most capital-efficient software businesses in existence at a multiple that implies either stagnant growth or meaningful competitive erosion, while the actual retention evidence — a net dollar expansion rate that is flat but not collapsing, 25 years of compliance workflow entrenchment, FedRAMP certification locking out most competitors from the federal channel — suggests the deterioration thesis is being priced in faster than it is occurring. When a business generating free cash flow at this yield requires almost no capital to sustain that earnings power, the margin of safety is unusually wide even under pessimistic assumptions. Where this business is heading depends almost entirely on whether the AI-native security pivot is product reality or marketing narrative. The early signals from Patch Management and CSAM bookings are genuinely encouraging — these are modules that deepen integration rather than add standalone subscriptions — but the 103% net dollar expansion rate is the single most honest number in the entire earnings report, and it is telling you that the installed base is not yet meaningfully accelerating its spend. If the Risk Operations Center vision converts into measurable upsell velocity over the next two annual renewal cycles, growth re-rates upward and the multiple expansion compounds that. If it does not, the business settles into a zero-growth cash cow posture — valuable, but permanently de-rated. The single biggest specific risk is not abstract platform consolidation — it is CrowdStrike's agent footprint. They already own the endpoint relationship at thousands of the same enterprises that run Qualys, the agent is already deployed, and the incremental cost to add vulnerability management to that footprint is close to zero for the customer. A CISO rationalizing vendors in a tight budget environment faces an easy calculation: consolidate onto the platform they cannot remove anyway. That dynamic — not AI, not Microsoft, not some theoretical future competitor — is the concrete threat that could compress Qualys's renewal rates faster than the current data suggests.