Overview: Qualys provides cloud-based IT, security, and compliance solutions that help organizations protect their systems and applications from cyber attacks and achieve compliance with regulations. The company's solutions enable customers to identify and manage their IT assets, collect and analyze IT security data, discover vulnerabilities, and recommend and implement remediation actions.
Generally IT security is implemented by multiple security products, which is known as a defense-in-depth strategy that involves multiple layers to protect against threats. Qualys has a broad product offering and depending on customer size, some could get by with Qualys alone. For the Qualys Cloud Platform, there’s no hardware to buy or manage and it offers real-time visibility in one place, seamless scaling, up-to-date resources, and secure data storage.
Qualys is a small fish in the big pond of the cybersecurity industry, which has seen a lot of growth capital deployed in recent years. Qualys’ main product and strength is vulnerability monitoring. The cybersecurity field includes lots of angles to protect, respond to and remediate weaknesses, and some companies take a much more specialized approach. While many large cybersecurity companies can offer a wide range of products, most companies have clear strengths. For instance, while Qualys’ focus is on monitoring and compliance, others focus on network security, endpoint protection (think different touch points connecting to a network) and threat intelligence.
Products: Qualys was founded in 1999 and launched its first application, Vulnerability Management (VM), in 2000. “Many organizations have an array of heterogeneous point tools that do not interoperate well and are difficult and costly to maintain and integrate, making it difficult for Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) to obtain a single, unified view of their organization’s security and compliance posture.”
Since inception, the company has steadily added applications. The main product for Qualys is Vulnerability Management, Detection and Response (VMDR), which had 48% penetration of its own customer base. Qualys also offers free services, which include the Global AssetView (GAV), Cloud Inventory (CI) and Certificate Inventory (CRI). Customers can subscribe to one or more of the apps.
The following graphic from the Q4’22 investor presentation neatly organizes the product offering list.
Customer: Qualys sells its suite of products to companies of all different sizes, including enterprise and government entities. There are over 10,000 paying customers, a level it broke in 2021. Before that, Qualys used to provide a customer count that included those using the freemium version, of which there were 19,000 in 2020. Every 10-K dating back to 2013 (the first 10-K) pointed out that the majority of the Forbes 100 were customers.
Qualys sells both directly to customers and also through channel partners, such as consultancy companies. In this method, a potential customer who isn’t as sophisticated may work with a consultant, value added reseller or managed security service provider (“MSSP”) as an intermediary. Channel partners make a fee and Qualys then makes a direct relationship. The percent of sales from channel partners has stayed at about 42% annually.
Business model: Qualys has a land-and-expand business model. Customers initially pay for one or two of the product solutions, and Qualys drives growth by upselling existing customers, expanding the scope of solutions and increasing subscriptions to additional applications. This works well given there are 10,000 paying customers and likely another 10,000 companies actively using the free version, making for a good opportunity to grow.
In addition, Qualys does some bolt-on acquisitions to expand functionality of the platform. Qualys acquired Blue Hexagon in 2022 to enable AI/machine learning to “uncover behavior patterns including active vulnerability exploitation”. The prior year Qualys acquired Kandor Soft Labs to enhance workflow.
Competition: The IT security field is highly fragmented and Qualys competes against small and large companies in the industry. Those listed in the competition section of the 10-K filing include Symantec Enterprise Security, which is owned by Broadcom (AVGO), CrowdStrike (CRWD), Palo Alto Networks (PANW), Rapid7 (RPD), Tenable (TENB) and privately-held Axonius, Checkmarx, Flexera, Invicti, Ivanti, Tanium, Helpsystems (by Fortra), Trustwave and Veracode.
While describing competition in its risk factors, Qualys notes that some competitors have greater brand recognition, larger pools of resources for marketing, distribution, product development and customer support, and a greater ability to make acquisitions. In addition, some competitors have broader product offerings and can bundle services, allowing customers to pick a bundled suite, potentially at a lower price. Bundling applications and offerings generally is important in the space and Qualys is trying to become a one-stop shop for security services.
Qualys has eight mutual peers in its proxy (each company lists each other as a peer): Rapid7 (RPD), Tenable (TENB), CrowdStrike (CRWD), Varonis Systems (VRNS), Five9 (FIVN), New Relic (NEWR), SPS Commerce (SPSC) and HubSpot (HUBS). The first three peers are routinely listed in the competition section of the 10-K.
Focusing on the competition, Qualys breaks them out by security type in its investor presentation, seen below. Some of these, such as CrowdStrike, are currently specialized and have a strength in IT security, with an emphasis on endpoint security. Others have broader offerings, similar to Qualys.
As you can see, there’s a fair amount of overlap among some of these companies, particularly Rapid7, which also covers IT security, Web App Security and Container Security. Tenable also covers three product lines. While there is some overlap in product offerings between these companies, each has its own unique strengths and focuses. Qualys and Rapid7 both have a strong focus on vulnerability management and compliance, while CrowdStrike and Palo Alto Networks focus on endpoint protection and threat intelligence.
If you take a look at the graphic below, it adds another important nugget about the cybersecurity market – a lot of the companies are at different business stages and sizes. Palo Alto Networks is the largest by sales and market-cap. CrowdStrike and SentinelOne are younger in the company cycle with each still in the hyper and strong growth phase. CrowdStrike had 54% YoY growth last year off a revenue base of $2.24B. SentinelOne, which debuted in a June 2021 IPO, had 114% YoY growth in 2022.
The dark horse of the cybersecurity space is Microsoft (MSFT), which has quietly built an enormous business. Microsoft doesn’t break out the segment in its quarterly filings; however, management occasionally gives the revenue figure in conferences. CEO Satya Nadella gave an update on the security business in the January earnings:
“Over the past 12 months, our security business surpassed $20 billion in revenue as we help customers protect their digital estate across clouds and endpoint platforms. We're the only company with integrated end-to-end tools spanning identity, security, compliance, device management and privacy informed and trained on over 65 trillion signals each day. We are taking share across all major categories we serve. Customers are consolidating on our security stack in order to reduce risk, complexity and cost.”
The $20B compares to $15B in the prior year, and $10B the year before that. For context, that’s more revenue than all of the peers Qualys listed and it grew at 33% YoY in 2022.
One data point I do like to see in Qualys versus most peers is the profitability. A lot of the SaaS group sport high free cash flow and high gross margins. When you step down a level on the income statement to operating margins, Qualys fares significantly better than peers, largely due to SG&A and stock-based compensation. The following graphic shows SG&A and EBIT margins for all companies in the software sub-sector, with Qualys highlighted.
Capital Allocation: Qualys has leveraged its solid margin profile into good capital allocation. Over the last 10 years back to 2013, Qualys earned cumulative net income of $504M and free cash flow of $946M. It has spent 19.5% of the operating cash flow on capex, according to the history of cash statements. With the free cash flow left, only 2.8% was spent on acquisitions. The bulk of free cash flow has gone to stock repurchases at 91.2%. Qualys has never given a dividend, opting for buybacks instead. Those headline numbers compare to Palo Alto Networks, which spent 12.6% of cash flow from operations on capex, 36% of free cash flow on acquisitions and 58.8% of free cash on buybacks.
In both cases, the count of shares outstanding has risen, though not as much for Qualys. Palo Alto Networks has seen its shares outstanding increase by 40.1% since 2013 while Qualys’ shares outstanding have only increased 17.6%. The effect here is generally the same: dilution through stock-based compensation offset by some buybacks. Palo Alto Networks did do a noteworthy acquisition in 2020 that was partially paid for in stock.
Given Qualys’ relatively good margins, the company has the ability to repurchase a meaningful amount of shares. I like seeing the company lean into repurchases while still spending 20% of its operating cash flow on capex. Qualys introduced buybacks in 2018 and the outstanding count of shares has declined since 2019.
Management and Incentives: Qualys has been led by Sumedh Thakar as CEO since February 2021. Thakar is a longtime employee, initially joining the company in 2003 and rising up the engineering ranks. He was promoted to vice president, engineering in 2010, then chief product officer, president and then interim CEO until taking the reins on a permanent basis in April 2021. At 46, he has spent most of his career with Qualys. He’s come into the CEO role at a good age and should have a long runway ahead of him.
Qualys separated the CEO and chair of the board duties in 2021 when Thakar took over from prior CEO Philippe Courtot, an industry pioneer, who stepped away in 2021 for health reasons. Now the chair is Jeffrey Hank, who's been on the board since 2010 and was elevated to chairman in January 2023. Hank has a background in accounting and was previously chief accounting officer of Intuit (INTU).
Joo Mi Kim rejoined Qualys as CFO in June 2020 after working as vice president, FP&A, investor relations and operations from June 2016 to June 2018. She left to take on CFO roles at two other technology companies.
Unsurprisingly, only a small portion of executive pay is in the form of salary, and therefore more than 90% of the total compensation is based on performance. Thakar’s salary was 4.2% of his target total compensation in 2021, and other executives were set at 7.2% of their target total compensation. Executives then have a max cash bonus (referred to as non-equity incentive compensation) equal to 50% of their salary, or 100% in the case of CEO Thakar. Qualys has favored quarterly goals for determining payout of cash bonuses.
“Our Compensation and Talent Committee decided this was the most appropriate measure of time to determine achievement of short-term goals because it aligns with the time periods for which we give external guidance.”
According to the April 2022 Proxy, cash bonuses had goals for 2021 set to bookings growth, revenue growth and non-GAAP EPS. The metrics were the same as 2020, but the calculation of non-GAAP EPS changed in 2021 to better account for stock repurchases, which is nice to see (executives couldn’t hit EPS by juicing buybacks). Chief Revenue Officer Allan Peters, who resigned in February, had different goals that were tied to bookings, with a specific weight given to new bookings and upsell bookings.
The equity compensation changed in 2021 to begin including performance-based equity awards for non-CEO executives, unlike in prior years where executives other than the CEO received just RSUs. The inclusion of performance-based restricted stock units (“PRSUs”) is a nice addition to better motivate leadership. PRSUs will vest based on annual revenue growth and adjusted EBITDA margins. Even though it’s based on a three-year period, the goals for each year are set at the beginning of that year, so it still feels a bit short-term in nature. Thakar was paid an equal amount of RSUs and PRSUs, according to grant date fair value (“GDFV”), while the target value of the PRSUs for other executives was half the value of the RSUs.
Outlook: Qualys is a relatively mature cybersecurity company having debuted in a September 2012 IPO. Therefore, there’s plenty of historical financials to look at. Qualys has had a fairly steady growth picture. No year has had revenue growth lower than 12.9% YoY (2021) while no year was higher than 23.7% (2015). The growth picture did slow for most of 2016 - 2021, but reversed course and picked up in 2021 and accelerated further in 2022 with 19.1% YoY growth.
The 2023 consensus revenue estimate is $556.3M, representing growth of 13.6%. The 2024 consensus estimate is also expecting about 13.5% growth. Qualys itself issued sales guidance for 2023 of $555M (13.3% YoY) and GAAP EPS of $2.58 (both are mid-points). Note that the growth outlook is softer in 2023 as compared to 2022 largely due to macro headwinds that began to deteriorate growth and bookings in Q4’22.
Management discussed this on the February 9 earnings call when they delivered guidance. CEO Thakar said:
“We saw the macro and from our perspective, deteriorate in Q4, and that thing that was reflected in are softer than expected bookings, both on new and upsell. And I think we see opportunity for us to continue to work with our sales team, improve their execution and I think -- those are some of the things that -- changes that we have put in place that we are looking forward to. As we get into Q1 and FY '23, we've sort of not assumed any change in that macro or productivity or anything like that when we looked at the guidance.”
The sales execution and productivity could be negatively impacted by the CRO turnover. CFO Kim added,
“We believe our outlook is appropriately derisked from that perspective because if you take -- the assumption that we made in addition to the -- assuming that the current macro continues, is no material gain from the newer product. I mean we do see a huge upside to our guidance if our newer product happened to take off in the second half of this year. However, because of the personnel changes, we believe that the sales rep productivity, even though it was lower in Q4, we're assuming that it continues as it is in 2023.”
As I look at revenue and try to deconsolidate, there’s not a lot that Qualys offers. The company does break out Direct sales and Partner sales, and also revenue by geographic split between United States and Foreign. Both have been steady in recent years.
I also like what I’ve read about Qualys from research and advisory firm Gartner, with high ratings in ability to execute and completeness of vision, and ability to scale. Qualys apparently has some subpar customer service, user interface and pricing that’s higher than competitors.
Personally, I don’t see the growth slowing much over the next five years. This post isn’t really about the trends of the cybersecurity industry itself. But to keep it high level, hackers are continuing to get more sophisticated and the prevention needs to get equally more sophisticated. There are also more laws being put into place regarding cybersecurity prevention and Qualys is a great service to meet regulatory needs. As more companies become subject to laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the General Data Protection Regulation (GDPR), more companies will seek out Qualys' services to help them achieve and maintain compliance. For those looking to performatively check a box for business, Qualys is a great option.
Valuation: My DCF model starts with revenue that’s in-line with the consensus view with growth of 13.5%. Again, there’s a macro growth headwind in 2023 that’s dropping the growth rate from 2022. I’m expecting revenue growth to pick up again in 2024 then gradually taper to 11% in five years. My GAAP EBITDA margin is going to be 35% in 2023 and only move slightly higher five years out. Margins were at 36-37% in 2020 and 2021 so it’s feasible that EBITDA margin can be upwards of 36% in the coming years.
It’s no secret stock-based compensation is a material expense at Qualys with the accounting value coming in at about 10%-11% of the revenue each year. Buybacks have also been significant, as mentioned in the capital allocation section. I’m trying to be more precise with the financial model by estimating the future real cost of dilution and offsetting buybacks. Qualys relies on RSUs and PSUs. When they give RSUs, the accounting cost is based on the stock price at the time of the grant, spread out over the vesting period. If the stock goes up, the real cost to the company also increases.
I’m applying a similar approach to stock buybacks by estimating Qualys will spend 80% of its free cash flow on buybacks (FCF value before buybacks are subtracted), which will in turn reduce the outstanding count. To make sure I'm not double counting, I am also reducing free cash flow by the buyback amount.
The significant assumptions for the DCF model include a discount rate of 10.5%. Qualys actually has a relatively low beta, so this might be on the high end considering the equity risk premium. There’s also no material debt to consider. During the last five years, Qualys has traded at an EV/EBITDA LTM multiple of 33X and currently trades at 24X LTM EBITDA. I’ve opted for an exit multiple of 21X. The conclusion of the DCF model values Qualys at ~$149.00, which indicates potential upside of 15% compared to the current price.
Summary: I enjoyed learning about Qualys and the cybersecurity industry. Every company felt a little different, and I like the margin profile at Qualys and capital allocation. The company appears to be well run with steady growth. While reading the 10-K, and its changes, I was pleasantly surprised by how little change there was. The stock has some appeal with modest upside remaining, even though my DCF is on the conservative side. I’m still not excited enough to make this a buy and I’d instead consider it a market-perform situation.
Disclosure: This is not advice to buy, sell or hold any stock referenced. Do your own due diligence. I have no position in any stock mentioned in this report. Like any financial analyst, that doesn’t mean I’m not biased.