QLYS (Qualys, Inc.): Themes, ETFs, and Basket Ideas
Last updated June 2026
Short answer
What does Qualys, Inc. do?
Qualys (QLYS) is a cloud-based cybersecurity company best known for vulnerability management. Its platform continuously scans an organization's IT assets (servers, endpoints, cloud workloads, web apps, and containers) to find security weaknesses, misconfigurations, and missing patches, then helps prioritize and remediate them. The flagship products are VMDR (Vulnerability Management, Detection and Response) and a growing suite covering cloud security posture, compliance, web application scanning, and patch management.
Qualys sells primarily through a subscription SaaS model, so revenue is recurring and high-margin, and the company is notably profitable for a security vendor, generating strong free cash flow. Customers are typically mid-size and large enterprises plus government agencies that need continuous visibility into their attack surface. Founded in 1999 and headquartered in Foster City, California, Qualys is a long-established, financially disciplined player in a sector where many peers prioritize growth over profitability.
Where is Qualys, Inc. heading?
1. Vulnerability management core.
Qualys is a recognized leader in continuous vulnerability management, a foundational security category that grows as attack surfaces expand across cloud, containers, and remote endpoints. The sticky, subscription-based core generates durable recurring revenue and strong renewal rates among large enterprises and governments.
2. Platform expansion.
Qualys is broadening beyond scanning into cloud security posture management, patch management, web application security, and risk-based prioritization via TruRisk. Cross-selling these modules into the existing base lifts revenue per customer without heavy new-logo costs, the classic SaaS land-and-expand motion.
3. Profitability and free cash flow.
Unusually for cybersecurity, Qualys runs at high operating margins and converts a large share of revenue to free cash flow. That financial discipline, plus consistent buybacks, differentiates it from cash-burning growth peers and supports the stock during risk-off periods.
4. Risk-based prioritization.
The TruRisk approach scores and ranks vulnerabilities by actual business risk rather than raw counts, addressing alert overload. As enterprises shift from finding everything to fixing what matters, this positioning aligns Qualys with how security teams now operate.
Risks worth tracking: Qualys competes against larger, better-funded platforms (Tenable, Rapid7, CrowdStrike, Microsoft) that are bundling vulnerability and exposure management into broader security suites, pressuring standalone vendors. Growth has decelerated to more modest rates as the core market matures, and the company is a relatively small cap in a sector that rewards faster expanders. Larger platform players can undercut on price or include comparable scanning for free inside bundles. Customer concentration in vulnerability management leaves Qualys exposed if newer categories like cloud and exposure management consolidate around competitors. Its conservative growth profile can underperform in momentum-driven markets.
Earnings and valuation (approximate, early 2026)
A simple financial snapshot. These are approximations and refresh quarterly; for current figures see Qualys, Inc.'s investor relations page or your broker.
- Revenue (TTM): ~$650 million
- Revenue growth: High-single to low-double-digit
- Operating margin: ~30% (GAAP); higher non-GAAP
- Free cash flow margin: Strong (often ~40% of revenue)
- Net income (TTM): Solidly profitable (~$150 million range)
- P/E (TTM): ~30x
- Dividend yield: None (buybacks instead)
- Recurring revenue: Predominantly subscription / SaaS
Qualys trades as a profitable, cash-generative SaaS security name rather than a hypergrowth disruptor. Its multiple reflects steady recurring revenue and high margins, balanced against slower growth than platform peers. Valuation tends to compress when growth decelerates and expand when cross-sell and exposure-management momentum reaccelerate.
QLYS's competitors
Vulnerability and exposure management
Tenable and Rapid7 are the closest direct competitors in scanning and vulnerability management. Microsoft Defender Vulnerability Management bundles comparable capability into broader security licensing, pressuring standalone pricing.
Cloud security posture
Wiz, Palo Alto Networks (Prisma Cloud), CrowdStrike, and Microsoft compete in cloud security posture and workload protection, the category Qualys is expanding into beyond traditional scanning.
Broad security platforms
CrowdStrike, Palo Alto Networks, and Microsoft increasingly fold vulnerability and exposure management into consolidated platforms, the main strategic threat to point-product vendors like Qualys.
Using QLYS in a Walnut basket
The most useful question to ask about a single stock is rarely “will it go up?”. It's “does this fit a thesis I actually believe in, and how do I size it alongside other stocks that fit the same thesis?” That's what Walnut is built for.
Open the AI assistant on Walnut and describe a thesis (for example: “the AI infrastructure buildout”, “dividend growth large-caps”, “global semiconductors”) where QLYS would naturally fit. The AI proposes 5 to 6 constituents with target weights, you review, and you can fund the basket through your broker once you're ready.
Build a basket around QLYS with Walnut
Use Qualys, Inc. as one constituent in a thematic basket Walnut's AI helps you assemble. Describe a thesis you believe in, the AI proposes the holdings and weights, and you approve before any broker order.
FAQ
What is QLYS's ticker symbol?
+
QLYS, listed on Nasdaq. Officially Qualys, Inc. Founded 1999, headquartered in Foster City, California. Trades during US market hours and is available at every major US brokerage. It is a mid-cap cybersecurity name.
What does Qualys do?
+
Qualys provides cloud-based cybersecurity, best known for vulnerability management. Its platform continuously scans IT assets across servers, endpoints, cloud, and containers to find security weaknesses and misconfigurations, then prioritizes remediation. It also offers compliance, cloud security posture, web app scanning, and patch management, sold as subscription SaaS.
Who are Qualys's main competitors?
+
By segment. Vulnerability management: Tenable, Rapid7, and Microsoft Defender Vulnerability Management. Cloud security posture: Wiz, Palo Alto Networks (Prisma Cloud), CrowdStrike, Microsoft. Broad platforms folding in exposure management: CrowdStrike, Palo Alto Networks, and Microsoft are the main strategic threats.
Is Qualys profitable?
+
Yes, notably so for a cybersecurity company. Qualys runs at high operating margins, is solidly net-income positive, and converts a large share of revenue to free cash flow. This financial discipline distinguishes it from many cash-burning, growth-first security peers and supports consistent share buybacks.
What is vulnerability management?
+
Vulnerability management is the continuous process of identifying, assessing, prioritizing, and remediating security weaknesses across an organization's IT assets. Tools scan for missing patches, misconfigurations, and known exploitable flaws, then help teams fix the most dangerous issues first. It is a foundational, ongoing function of enterprise cybersecurity.
Is Qualys a cybersecurity stock?
+
Yes. Qualys is a pure-play cybersecurity company focused on vulnerability and exposure management, cloud security, and compliance. Investors typically hold it as part of a cybersecurity theme, often as the profitable, cash-generative complement to faster-growing platform names.
How does Qualys make money?
+
Qualys makes money primarily through recurring software subscriptions to its cloud platform. Enterprises and governments pay annual or multi-year fees for vulnerability management, cloud security, compliance, and related modules. The SaaS model produces predictable, high-margin recurring revenue and strong free cash flow.
Which ETFs hold Qualys?
+
Cybersecurity-themed ETFs such as those tracking the security and software sectors hold Qualys, typically at modest weights given its mid-cap size. Broad technology and small-to-mid-cap index funds also include it. It is not a large weight in S&P 500 funds.
Is Qualys in the S&P 500?
+
No. Qualys is a mid-cap company and is not an S&P 500 constituent. It appears mainly in cybersecurity, software, and mid-cap thematic funds rather than the large-cap index.
Which thematic baskets typically include Qualys?
+
Cybersecurity themes on Walnut. Qualys is often included as the profitable, free-cash-flow-positive sleeve of a security basket, balancing higher-growth, less-profitable platform names like CrowdStrike and faster expanders in cloud security.
How does Qualys compare to Tenable and Rapid7?
+
All three are core vulnerability-management vendors. Qualys is distinguished by its strong profitability and free cash flow, while Tenable and Rapid7 emphasize their own platform breadth and exposure-management positioning. Competition increasingly comes from larger platforms bundling comparable scanning into broader security suites.
Is Qualys a good stock to buy?
+
Descriptive, not a recommendation. Qualys offers exposure to cybersecurity with unusually strong profitability and free cash flow, balanced against slower growth than platform peers and competition from larger vendors bundling vulnerability management. Whether it suits a portfolio depends on preference for steady, cash-generative SaaS versus faster growth. Walnut is informational, not investment advice.
Walnut is informational, not investment advice. Financial figures on this page are approximations; always verify current numbers with Qualys, Inc.'s investor relations page or your broker before making investment decisions.