Qualys — Business Overview
What does Qualys do?
Qualys provides a cloud-based platform that helps organizations find, track, and fix cybersecurity vulnerabilities across their IT infrastructure. Founded in 1999 and headquartered in Foster City, California, Qualys serves over 10,000 customers worldwide — including a majority of the Forbes Global 100 — across industries such as financial services, healthcare, government, manufacturing, and retail. Its platform covers assets ranging from traditional on-premises servers to cloud environments, endpoints, mobile devices, and operational technology (OT, meaning industrial control systems and connected physical devices).
The platform bundles more than 20 individual applications ("Cloud Apps") covering five main functional areas:
| Area | What it does | Example Products |
|---|---|---|
| Asset Management | Discovers and inventories all IT assets, known and unknown | Cybersecurity Asset Management (CSAM), Enterprise TruRisk Management (ETM) |
| Vulnerability & Configuration Management | Detects weaknesses and misconfigurations across systems | Vulnerability Management, Detection & Response (VMDR), Total Application Security (TAS) |
| Risk Remediation | Automates patching and fixes | Patch Management (PM), Custom Assessment and Remediation (CAR) |
| Threat Detection & Response | Monitors endpoints for active attacks | Multi-Vector Endpoint Detection & Response (EDR) |
| Cloud Security | Secures multi-cloud environments | TotalCloud (TC), a Cloud-Native Application Protection Platform (CNAPP) |
| Compliance | Checks systems against regulatory standards like PCI-DSS, HIPAA, SOX | Policy Audit (PA), File Integrity Monitoring (FIM) |
How does Qualys make money?
Qualys sells its platform through renewable annual subscriptions under a Software-as-a-Service (SaaS) model. Customers pay upfront for access to one or more Cloud Apps, and Qualys recognizes that revenue evenly across the subscription period (called "ratable" recognition). Because customers are invoiced at the start of their term, Qualys collects cash early and carries the balance as deferred revenue on its balance sheet until it is earned. Total revenue grew from $554.5 million in 2023 to $607.6 million in 2024 to $669.1 million in 2025, representing roughly 10% year-over-year growth.
Revenue comes from two main channels — direct sales and channel partners — with partners playing a growing role. In 2025, 49% of revenue was generated through channel partners (up from 43% in 2023), including managed security service providers, value-added resellers, and consulting firms. The remaining 51% came from the company's own field and inside sales teams. No single customer accounted for more than 10% of revenue in any of the past three years, which indicates a healthy spread across the customer base. Growth comes from both new customer additions and existing customers expanding their subscriptions to additional Cloud Apps.
What market does Qualys operate in?
Qualys participates in the broad and rapidly expanding cybersecurity market, specifically within IT security, vulnerability management, and compliance. The company points to several structural drivers: the dissolution of traditional network boundaries as workforces go remote and hybrid, the rapid migration to cloud computing, the explosion in the number of connected devices and assets, and the increasing sophistication of cyberattacks. These forces make it harder for organizations to maintain visibility over their own systems — and more costly when something goes wrong.
The dominant legacy approach — buying many separate, specialized security tools — creates fragmentation that Qualys argues it can replace with a single integrated platform. This "platform consolidation" trend is a significant tailwind for companies like Qualys that offer breadth across asset management, vulnerability detection, patching, compliance, and cloud security in one place. Regulatory pressure (PCI-DSS, HIPAA, FedRAMP, SOX, NIST) also creates sustained compliance-driven demand that is relatively non-discretionary for enterprises.
Who are Qualys's main competitors?
The cybersecurity market is highly fragmented, and Qualys competes across several overlapping categories against both large and small rivals. Named competitors include publicly traded companies CrowdStrike, Palo Alto Networks, Rapid7, and Tenable Holdings, as well as private players Invicti, Tanium, and Wiz (which has a pending acquisition by Google). Qualys also competes against home-grown, internally developed tools that large organizations have built themselves.
Qualys's core competitive claim is that its single-platform, cloud-native approach offers lower total cost of ownership and simpler deployment than assembling multiple point solutions. Specific advantages cited include: no hardware to purchase or manage, real-time visibility from a single browser interface without a VPN, easy scanning of globally distributed networks, seamless scaling as customers add users or assets, and one of the largest vulnerability signature knowledge bases in the industry. The company also highlights that all its Cloud Apps share a common data layer, scanners, and user interface — meaning security and IT teams work from the same information rather than reconciling outputs from disconnected tools. That said, Qualys acknowledges that many of its primary competitors have greater name recognition, longer customer relationships, larger marketing budgets, and significantly more resources.
Where does Qualys operate?
Qualys is headquartered in the United States, but the majority of its employees and a significant portion of its revenue come from outside the U.S. In 2025, 56% of revenue came from U.S.-based customers (down from 60% in 2023), meaning 44% was international. The sales organization is divided into three geographic regions: the Americas; Europe, Middle East and Africa (EMEA); and Asia-Pacific.
The company's workforce is heavily concentrated in India, which hosts 70% of its 2,625 full-time employees. A total of 78% of employees work outside the United States, with research and development conducted in the U.S., France, and India. This global R&D and support footprint gives Qualys access to engineering talent at scale but also introduces some concentration risk around a single country.
The cloud platform itself is delivered from 15 globally distributed data centers, with infrastructure located in the United States, Canada, Switzerland, the Netherlands, United Arab Emirates, Australia, the United Kingdom, Italy, Saudi Arabia, and India. Qualys also offers a Private Cloud Platform (PCP) option for customers who need the software to reside within their own environment — an arrangement common in heavily regulated or government sectors. The company does not manufacture physical products; it sells and delivers everything as a cloud service.