Qualys — Key Risks

AI Overview

Nearly Half of Revenue Flows Through Channel Partners Who Have No Obligation to Prioritize the Company

About 49% of revenues in 2025 came through third-party channel partners (resellers and distributors), up from 43% in 2023. These partners are not exclusive — they can sell competitor products at any time, and losing even one major partner with little notice could meaningfully hurt sales with no quick replacement available.

Customers Can Walk Away Every Year, Making Renewal Rate Critical

The company sells annual subscriptions, meaning every customer relationship must essentially be re-won each year. If customers are dissatisfied, face budget cuts, or find a cheaper alternative, they simply don't renew. A drop in renewal rates would not show up immediately in revenue (because revenue is recognized over the subscription term), but would quietly erode future quarters.

Solutions Must Actually Catch Threats — Failure or False Alarms Damage Credibility

The core product promises to find security vulnerabilities. If it misses real threats or flags false ones, customers lose trust in the tool. The company openly acknowledges its solutions "rely on information from third-party data providers" for threat intelligence — if that external data is wrong, the product looks unreliable. In a field where accuracy is the entire value proposition, this is a direct business risk.

Competing Against Much Larger, Better-Resourced Rivals

Named competitors include CrowdStrike, Palo Alto Networks, Tenable, and Rapid7, as well as privately held players like Wiz (being acquired by Google). These companies have bigger sales teams, stronger brand recognition, and the ability to bundle competing features into broader product suites at discounted prices — a combination that can undercut this company without those rivals even breaking a sweat.

70% of Employees Are in India, Creating Concentrated Operational Dependency

As of December 31, 2025, roughly 70% of the company's total workforce is located in India. Any disruption — regulatory changes, labor law shifts, geopolitical tension, or currency moves affecting the Indian Rupee (which represents a meaningful share of the 31% of expenses denominated in foreign currencies) — could significantly impact operating costs and business continuity.

FedRAMP Certification Is a Gatekeeper to Government Revenue

The company has invested to earn FedRAMP authorization (a U.S. government security certification required to sell cloud services to federal agencies). If this certification is lost or not renewed, the company could be locked out of the government market entirely, and existing government contracts could be put at risk, potentially triggering liability.

The company handles sensitive security and IT data across many countries, putting it squarely in the crosshairs of GDPR (fines up to 4% of global revenue or €20 million), CCPA/CPRA, NIS2, the EU Data Act (applicable September 2025), and a patchwork of state and international laws. The rules keep changing, enforcement is escalating, and non-compliance in even one jurisdiction could result in significant fines and reputational damage.