QLYS — the cybersecurity cash machine at its cheapest P/E since listing

Today's pick: Qualys, Inc. (NASDAQ: QLYS) — cloud-native vulnerability management and cyber risk SaaS. Current stock price: $100.85 (May 21, 2026 close) 1. The stock is down 35% from its 52-week high of $155.47. All three hard screening criteria are met.

What Qualys does

Qualys (founded in 1999, headquartered in Foster City, California) was one of the first pure-cloud security companies. Its flagship product, VMDR (Vulnerability Management, Detection and Response — the industry term for software that continuously scans an organization's IT infrastructure, finds security weaknesses, and orchestrates fixes), runs on a single lightweight agent deployed across on-premises servers, endpoints, cloud instances, and containers simultaneously. That single-agent architecture is unusual; most competitors require separate tools for each environment 2.

The platform has expanded well beyond scanning. Qualys now covers cloud security (TotalCloud, its CNAPP — Cloud-Native Application Protection Platform — for multi-cloud workload security), API and web application security (TotalAppSec), AI security (TotalAI, for scanning internal large language models and AI deployments), and continuous compliance (Policy Audit for NIST, PCI DSS, HIPAA, and ISO 27001 frameworks). The unifying layer is Enterprise TruRisk Management (ETM), which aggregates signals from all modules through a proprietary scoring engine — TruRisk — fed by 25+ external threat intelligence feeds.

Qualys serves 10,000+ subscription customers across 130+ countries, including 72% of the Forbes Global 50 and 55% of the Forbes Global 500 3. The company holds FedRAMP High Authorization — one of the few cybersecurity platforms that meet the federal government's most stringent cloud security standard.

ROE track record: all three years above 15%

차트를 불러오는 중…

ROE (return on equity — net income divided by shareholders' equity, measuring how efficiently a company generates profit from its equity base) has cleared the 15% channel threshold in every year, by a wide margin 4 5:

FY2023: 41.2% (net income $151.6M ÷ equity $368.2M)
FY2024: 36.4% (net income $173.7M ÷ equity $477.1M)
FY2025: 35.3% (net income $198.3M ÷ equity $561.2M)
TTM: 37.72% (per StockAnalysis / Yahoo Finance)

The moderate decline from 41% to 35% across the three years reflects equity growing slightly faster than net income — the company retains cash and has minimal share issuance — not a deterioration in the underlying business. ROIC (return on invested capital) is 115.7% TTM, which illustrates the asset-light nature of the model: Qualys requires very little incremental capital to grow 2.

Free cash flow: consistent and high-margin

차트를 불러오는 중…

FCF has been positive in every period, with margins that rank highest among all peers in the cybersecurity space 4:

FY2023: $235.8M (42.5% FCF margin)
FY2024: $231.8M (38.2% margin — the dip)
FY2025: $304.4M (45.5% margin — strong recovery)
TTM: $290.5M (42.4% margin); FCF per share $8.03

At a stock price of $100.85, the TTM FCF yield is 7.96% — meaning Qualys generates roughly $0.08 in free cash for every dollar of market capitalization 1.

One honest flag: Q1 2026 FCF came in at $93.6M, down 12.9% year-over-year from $107.6M in Q1 2025 6. The main driver was lower operating cash flow ($95.3M vs $109.6M), not a capital expenditure spike. Operating cash flow fell from $109.6M to $95.3M while revenue still grew 10%, a divergence that bears watching over the next quarter.

Revenue and earnings growth

Revenue has grown every year, though the pace has settled 4:

Period	Revenue	YoY growth	Net income	Net margin
FY2022	$489.7M	—	$108.0M	22.1%
FY2023	$554.5M	+13.2%	$151.6M	27.3%
FY2024	$607.6M	+9.6%	$173.7M	28.6%
FY2025	$669.1M	+10.1%	$198.3M	29.6%
TTM	$684.9M	+10.2%	$201.4M	29.4%

Gross margin has expanded from 79% (FY2022) to 83.1% (TTM), and operating margin from 26.7% to 33.7% 4. Net income compounds faster than revenue because the platform scales without proportionally adding headcount; Qualys employs 2,683 people to generate $685M in revenue.

Q1 2026 (the most recent quarter) continued this pattern. Revenue was $175.6M (+10% year-over-year), beating the $173.7M consensus estimate. Non-GAAP diluted EPS was $1.95, beating the $1.70–$1.80 range by roughly 8–15% 7. CEO Sumedh Thakar said on the call: "We are pioneering a new category in pre-breach risk management by bringing autonomous exploit validation, risk quantification, and remediation together within a single AI-driven risk fabric." 7

FY2026 guidance was raised to $721M–$727M revenue (8–9% growth) and non-GAAP EPS of $7.44–$7.65 — above the prior range of $717–$725M and $7.17–$7.45 6.

One data point to watch closely: calculated current billings grew only 8% in Q1 2026, slower than the 10% revenue growth 7. Billings growth averaging 9.1% over the last four quarters — below revenue growth — is a soft forward indicator that demand is not accelerating.

Valuation: the cheapest multiple in the stock's listed history

QLYS valuation snapshot (May 21, 2026)

Current price $100.85 · Market cap $3.44B · Enterprise value $2.86B

Trailing P/E

0.00−57.2%vs 5Y avg 42.19×

Forward P/E

0.00

EV/EBITDA

0.00−54.2%vs 5Y avg ~25.5×

P/FCF

0.00

P/B

0.00−58.4%vs 10Y median 15.0×

통계 카드를 불러오는 중…

The current trailing P/E of 18.05× sits 57% below its 5-year average of 42.19× — the widest discount in the stock's history 8. Year-end P/E has fallen every year since 2021: 77× → 44× → 53× → 31× → 26× → 18× (current). EV/EBITDA at 11.69× is 54% below the 5-year simple mean of ~25.5× 2.

Against peers, Qualys is the only profitable company in the group with a sub-20× trailing P/E:

	QLYS	CRWD	PANW	FTNT	ZS	TENB	RPD
Trailing P/E	18.05	n/a (loss)	140.4×	50.2×	n/a (loss)	n/a (loss)	20.6×
Forward P/E	13.10	133.6×	69.7×	41.5×	40.5×	12.71×	4.5×
P/FCF	12.19	125.9×	57.5×	38.9×	29.0×	10.7×	3.0×
EV/EBITDA	11.69	n/a	130.8×	39.0×	n/a	70.0×	13.5×
Rev growth YoY	10.1%	21.7%	14.9%	14.2%	23.3%	11.0%	1.9%
Gross margin	83.2%	74.8%	73.5%	80.3%	76.6%	78.2%	69.7%
FCF margin	~42%	27.2%	36.0%	34.3%	31.6%	25.4%	18.1%

Data from StockAnalysis as of May 22, 2026. 2 9 10 11 12 13 14

CrowdStrike Holdings (cloud-native endpoint security and threat intelligence, Qualys's largest platform-level competitive threat in vulnerability management), Palo Alto Networks (diversified network security platform; Prisma Cloud overlaps with VMDR), and Zscaler (cloud zero-trust network access — less direct overlap) all trade at 40–134× forward earnings while running at lower margins and carrying losses on a GAAP basis. QLYS's forward P/E of 13.10× is cheaper than every profitable cybersecurity peer in this group except Rapid7.

Rapid7 (InsightVM full-stack vulnerability management — the most direct QLYS competitor by product category) deserves a separate note: its stock is down roughly 70% over the past year, it carries negative net cash, and its FY2026 guidance implies a revenue decline. Rapid7's cheap multiples reflect a business in distress, not a bargain comparable to QLYS. Tenable Holdings (Nessus scanner and Tenable One exposure management — Qualys's other most direct competitor) trades at a forward P/E of 12.71× with materially lower FCF margins (25% vs 42%).

Balance sheet: $677M net cash, no financial debt

As of March 31, 2026, Qualys holds $729.4M in total cash and investments ($279.5M cash + $191.9M short-term investments + $258M long-term marketable securities) 6:

Total debt: $52.2M — 100% operating lease obligations; no bonds, no bank loans, no convertible notes
Net cash (cash + ST investments − debt): $419.1M ($11.59/share)
Net cash including LT investments: $677.1M ($19.23/share)
Debt/Equity: 0.09
Interest income (TTM): $25.2M — Qualys earns interest rather than paying it

Deferred revenue (subscriptions billed but not yet recognized) was $393.8M at quarter-end, equal to roughly 57% of TTM revenue — a forward revenue visibility indicator that is strong for a company of this size 5.

The company expanded its buyback program by $200M on February 5, 2026 (total cumulative authorization: $1.6B) 15. In Q1 2026, Qualys repurchased $53.5M of stock, up from $39.7M in Q1 2025. Shares outstanding declined 2.54% year-over-year to 35.2M.

Competitive moat

Qualys's defenses are quantifiable rather than just asserted. Three concrete anchors:

Market recognition. Gartner named Qualys a Leader in its 2025 Magic Quadrant for Exposure Assessment Platforms (published November 10, 2025) — the category that formalizes the shift from reactive vulnerability scanning to continuous risk assessment 16. VMDR has won the SC Awards Europe Best Vulnerability Management Solution three consecutive years (2023, 2024, 2025). In the Gartner Peer Insights survey, VMDR holds 4.4 out of 5 stars across 525 enterprise reviews.

Detection scale. VMDR detects 103,000+ CVEs (Common Vulnerabilities and Exposures — the global index of known security flaws). Qualys claims 96% of critical and zero-day vulnerabilities are detected ahead of competitors, averaging a 16-hour lead 3. The platform deployed 110M+ patches directly in 2024. Detection speed matters because a 16-hour window on a zero-day is the difference between exposure and breach.

Margin edge. Qualys's 83.2% gross margin and ~42% FCF margin are the highest in the peer set above — higher than CrowdStrike (74.8% gross), Palo Alto Networks (73.5%), Tenable (78.2%), or any other listed cybersecurity peer 2. That margin gap reflects the efficiency of the single-agent architecture — one platform delivery mechanism covering multiple use cases, no hardware, no on-prem professional services burden. Andy Hubbard, Cyber Defense Lead at Aberdeen, described the practical output: "We now have close to perfect visibility on our assets and the vulnerabilities on them. You're able to present a picture to leadership — and technically deliver that remediation as well." 3

The net dollar retention rate is approximately 103% 17, meaning existing customers are expanding their Qualys spend modestly year-over-year. This is not a hypergrowth number — CrowdStrike has historically run 120%+ — but it signals the platform is not losing wallet share within its installed base.

Risk factors

1. Anthropic Mythos — AI disruption risk (material)

On April 7, 2026, Anthropic launched Claude Mythos Preview, a large language model that demonstrated autonomous exploitation of zero-day vulnerabilities across all major operating systems and browsers 18. Mythos found a 27-year-old vulnerability in OpenBSD, a 17-year-old remote code execution flaw in FreeBSD's NFS implementation, and a 16-year-old bug in FFmpeg's H.264 codec. On Firefox's JavaScript engine, Mythos achieved a 72.4% exploit success rate — versus 0% for Sonnet 4.6 and roughly 1% for Opus 4.6.

Mythos Preview vs prior models: Firefox JS exploit success rates — Exploit success rates by model on Firefox JS engine vulnerabilities — Mythos Preview (72.4%) vs. Sonnet 4.6 (0%) and Opus 4.6 (~1%). 18

The bear thesis is direct: if an AI model can autonomously find and rank critical vulnerabilities faster and cheaper than a SaaS subscription, Qualys's core scan-and-prioritize value proposition gets commoditized. Seeking Alpha lowered its QLYS rating from Strong Buy to Buy in April 2026 specifically citing Mythos as a structural threat 19.

Anthropic itself acknowledged the risk, writing that "the transitional period may be tumultuous" even if AI ultimately benefits defenders more than attackers over the long run 18. Qualys's response — framing itself as an "AI-native Risk Operations Center" and rolling out "Agent Val" for autonomous exploit validation — is the correct strategic pivot, but it remains unproven whether it will retain pricing power against AI-native alternatives.

2. Systematic insider selling with zero buys (meaningful)

Between November 2025 and May 2026, the three most senior Qualys executives sold approximately $12.4M in shares through Rule 10b5-1 pre-arranged trading plans, with no insider purchases recorded in the same window 20:

CEO Sumedh Thakar: ~$5.68M sold in every month from September 2025 through January 2026 (prices ranging from $126 to $155)
CFO Joo Mi Kim: ~$5.80M sold November 2025 through February 2026
General Counsel Bruce Posey: ~$1.11M sold December 2025 through May 2026 (including $325,710 at $100.25 on May 19 — within days of the current price)

Rule 10b5-1 plans are pre-set and do not require the executive to be acting on current information. The pattern is nonetheless notable: selling was consistent across all three officers simultaneously, prices ranged from $100–$155, and insider ownership is only 0.67%–1.00% of shares outstanding, which is extremely low for a $3.4B company 21.

3. Short interest: 13.38% of float (elevated)

Short interest stands at 4.71 million shares (13.38% of outstanding, 13.48% of float), with 5.07 days to cover based on average daily volume 2. That level is elevated but not extreme. The same 5-day cover number creates a squeeze risk on positive catalysts — and the $200M buyback provides ongoing support.

4. Revenue growth deceleration and billings softness

Revenue growth has decelerated from 19% (FY2022) to ~10% (FY2025/TTM), and FY2026 guidance projects 8–9% 6. Current billings growth of 8% in Q1 2026 averaged 9.1% over the last four quarters — softer than revenue, suggesting deferred revenue is drawing down rather than building. For a company trading at a discount to peers partly on lower growth, the market will respond harshly to any further deceleration.

5. Microsoft partnership termination and pending investigation

In February 2024, Microsoft announced it was ending Qualys as the default vulnerability scanning provider in Microsoft Defender, effective May 1, 2024 22. A Morgan Stanley analyst at the time noted this partnership termination created "top-line risks that may be material." A securities law investigation by law firm Levi & Korsinsky is ongoing (preliminary stage; no formal SEC enforcement action as of May 2026) 22.

6. Analyst consensus is Hold, with some Sells

Post-Q1 2026 earnings (May 6–7, 2026), multiple analysts cut price targets even after Qualys beat estimates 23. Wedbush (Dan Ives) cut from $155 to $125 (maintained Outperform); JPMorgan (Brian Essex) cut from $113 to $87 (maintained Sell — the only major firm with a target below the current price); Scotiabank cut from $135 to $100; Truist cut from $120 to $85 before earnings; William Blair downgraded from Buy to Hold. TipRanks consensus target is $104.54 across 15 analysts — roughly 4% above the current price. Analyst consensus contains a well-documented optimistic bias; that $104 target implying only 4% upside should be treated as a soft floor signal rather than a price objective 24.

Near-term catalysts

Q2 2026 earnings (expected ~August 4, 2026). The key numbers to watch: whether billings growth accelerates back above 10%, whether operating cash flow recovers from the Q1 2026 decline, and how management characterizes competitive displacement risk from AI 6.

QFlex adoption and ETM pipeline. Management flagged "early QFlex success" on the Q1 2026 call. QFlex is Qualys's new flexible licensing model designed to make platform upsell easier. ETM (Enterprise TruRisk Management) deeper adoption in large enterprise accounts is the primary land-and-expand lever. CEO Thakar stated: "Our pace of innovation and targeted investments are driving competitive differentiation, deeper Enterprise TruRisk Management adoption, broader engagements across large federal agencies, growing partner-led execution, and early QFlex success." 25

Ongoing share buybacks. At Q1 2026's $53.5M pace, the remaining $200M authorization covers roughly four more quarters 7. Share count is shrinking 2.5% per year, which mechanically improves per-share metrics even if total earnings are flat.

Short squeeze potential. With 5.07 days to cover at current volumes, any positive earnings surprise or buyback acceleration could produce a sharp reversal. The stock's 52-week low was $74.51; it has already recovered roughly 35% from that floor.

Does QLYS qualify? Screening criteria summary

Criterion	Threshold	QLYS result
Trailing 3-year ROE > 15% (each year)	FY2023, FY2024, FY2025 all > 15%	✅ 41.2% / 36.4% / 35.3%
Positive free cash flow	FCF > 0 every year	✅ $235.8M / $231.8M / $304.4M
Reasonable valuation vs. peers and history	P/E, EV/EBITDA below historical and peer median	✅ P/E 18× (57% below 5Y avg); EV/EBITDA 11.69× (54% below 5Y avg)

All three criteria are met with room to spare.

The case for Qualys is a quality-at-discount argument: 37%+ ROE, 42% FCF margins, $677M net cash, near-zero debt, and a recurring-revenue model with 57% of annual revenue already pre-collected in deferred accounts — trading at forward P/E 13.1× and FCF yield nearly 8%. The case against it is that the 10% revenue growth ceiling is structural (not cyclical), AI models are beginning to challenge the scanning moat directly, and the executives running the company are selling shares every month rather than buying. Neither camp has a conclusive answer yet, but the data are now detailed enough to form a view. The next concrete verification point is Q2 2026 earnings around August 4.

Not financial advice. Past screening criteria results do not guarantee future performance.

Cover image: Qualys headquarters, Foster City, California. Image from Seeking Alpha: Qualys Share Price Pulled Down By Potential Cybersecurity Disruptor