On Tuesday, 12 August 2025, Qualys Inc (NASDAQ:QLYS) presented at Canaccord Genuity’s 45th Annual Growth Conference, showcasing its robust Q2 performance and strategic initiatives. The company emphasized its focus on expanding its risk management platform and its foray into the federal market, while acknowledging challenges in maintaining growth momentum.
Key Takeaways
- Qualys reported a 10% overall growth with a 45% EBITDA margin in Q2.
- The company is focusing on expanding its Risk Operation Center and Agentic AI capabilities.
- Significant investments are being made in engineering talent in Pune, India, and federal market expansion.
- FedRAMP High authorization positions Qualys uniquely in the federal space.
- Growth is expected to slow in the second half of the year but re-acceleration is anticipated in 2026.
Financial Results
Qualys delivered a solid financial performance in Q2, marked by a 10% overall growth and a 45% EBITDA margin. The net retention rate increased from 103% to 104%, driven largely by existing customers. The company noted an increase in R&D expenses by 8% in Q1 and 15% in Q2 of 2025, with similar growth in sales and marketing. Although the growth rate is expected to slow to 5-7% in the second half of the year, Qualys aims for a full-year growth of 6-8% and aspires to exceed 10% growth in 2026.
Operational Updates
Qualys is making strides in operational efficiency and market reach. The company deployed 110 million patches in 2024, highlighting its commitment to comprehensive vulnerability management. Investments in Pune are aimed at scaling engineering capabilities, while FedRAMP High authorization strengthens its position in the federal market. The introduction of the managed Risk Operations Center (mROC) with partners like BlueVoyant and GuidePoint is expected to enhance partner-driven growth.
Future Outlook
Looking ahead, Qualys is preparing for a re-acceleration in 2026, fueled by new products and enhanced R&D and marketing efforts. The company plans to balance growth with profitability, despite anticipated margin contraction in the near term. Opportunities in the federal sector and through partnerships are seen as key growth drivers, with a focus on expanding the mROC initiative.
Q&A Highlights
During the Q&A session, Qualys highlighted risk management as a core differentiator, focusing on delivering business outcomes through risk quantification and remediation. The company is leveraging AI to boost productivity across coding, customer support, and sales analysis. The Pune operations offer a cost-effective talent pool, and FedRAMP High authorization is expected to unlock new opportunities in the federal market.
In conclusion, Qualys remains confident in its strategic direction and growth potential. For a detailed understanding, readers are encouraged to refer to the full transcript.
Full transcript - Canaccord Genuity’s 45th Annual Growth Conference:
Kingsley Crane, Software Analyst, Canaccord: Everyone, thanks for joining. I’m Kingsley Crane. I’m a software analyst here at Canaccord. With me, we have the Qualys team. We have CEO, Sumedh Thakkar, and CFO, Jimmy Kim.
Thanks for being here.
Sumedh Thakkar, CEO, Qualys: Thank you.
Jimmy Kim, CFO, Qualys: Thank you.
Kingsley Crane, Software Analyst, Canaccord: So let’s kick it off. Let’s start with the recent quarter. You reported strong results last week. What were the key takeaways for you in terms of customer activity, product traction, macro signals?
Sumedh Thakkar, CEO, Qualys: Yeah. We’re pretty pleased with the quarter. I think 10% growth at 45% EBITDA margin was a good quarter for us. Overall, the macro has remained roughly the same as we have seen from Q1. So there is continuous scrutiny of deals and kind of people taking time to think through how they wanna, you know, do larger purchases.
But for us, being able to move up our net retention rate from 103 to 104 was positive. Overall, we feel like the conversations with our customers in terms of the risk operation center adoption of broader capabilities in vulnerability management beyond scanning have been pretty positive. And so good renewal and good traction in customers in the way we look at buying additional capabilities. That’s reflected in the NRR. Of course, we still have more work to do on new business, which we’re working with our partners on.
But overall, we’re pleased with the quarter.
Kingsley Crane, Software Analyst, Canaccord: Right. So you’ve been vocal about the evolution of vulnerability management or VM as you’re moving Qualys into a unified platform for risk management. Can you help investors understand why that shift resonates with security buyers and then how that extends your runway to increase existing customer spend?
Sumedh Thakkar, CEO, Qualys: Yeah. Great question. Look, I think as we have seen in the last many years, overall, everything is moving digital. And so just the breadth of infrastructure and applications people are deploying is significantly more than what has been in the past. And so, as vulnerability detection is creating significant amount of findings, and it is getting to the point where customers cannot really or has been getting to the point where customers cannot really fix everything that has been detected.
They need to find the right things that have an impact to the business and prioritize those. And we saw that remediation really was the only thing that made you safer at the end of the day. Right? You could detect and detect and build dashboards, but can you help fix the right things? And so five years ago, we were one of the first ones in our segment to really come up with the idea of unified patch management with the same solution.
And at the time, you know, there was a little bit of like, well, is this going to work? But given that just in 2024, Qualys agents deployed 110,000,000 patches was a great validation that security buyers are looking for remediation capabilities. And so for us, we saw that the movement towards remediation was important last few years. And now we’re seeing that, overall, there are way too many findings, and people really want to be able to prioritize with the budget spend that they have and where they can actually have a measurable impact to their business. And so while there are a lot of technical findings, people struggle with, well, what do 10,000, you know, high CV findings mean to my business of $500,000,000 a year?
How likely is that that I will lose 10,000,000 a day if an attack happens? Right? And so we’re seeing that move towards broader, vulnerability management adoption, from asset management, vulnerability management, configuration management, into more of a broader risk management that is tied to monetary loss, that people see. Right? And that’s kind of where the evolution is happening, and we were happy to have been really ahead of that compared to our competition and coming up with patch management and asset management capabilities.
Kingsley Crane, Software Analyst, Canaccord: Right. So you talked about the number of alerts that organizations are dealing with, but there’s also just the number of tools that they’re trying to integrate in the security stack, and their lists are becoming bloated. We typically hear that buyers are overwhelmed with the number of security companies that they have in their stack. So in the context of that, how do you differentiate your consolidation play from, I guess, maybe closer peers like Tenable or Rapid7 and then bigger picture like CrowdStrike or even Wiz?
Sumedh Thakkar, CEO, Qualys: Yeah. Great. See, look, the evolution of IT infrastructure is going really fast, right, when you move look from on prem to cloud for to virtualization, virtualization to cloud container and then now AI. And so customers will always have new risks that come up, and you always have companies that, you know, startups that will respond pretty quickly, maybe come up with a key solution. And that has created that little bit of a bloat in software, security software where people have gone out and bought a bunch of different tools to address individual capabilities.
And there is always opportunity for meaningful consolidation in adjacent areas the way we’re doing in vulnerability management overall, consolidating patching, consolidating asset management, etcetera. But then you also have this overall approach that customers want to take where they want to have certain best of breed solutions that they really want to empower their teams, as an example, like a code scanning tool. They want to be able to leverage the code scanning tool that they like. They might want to use a specific container security tool because it works best in operationalizing in their environment. And so I feel like what we’re seeing is there is a move to consolidate in adjacencies and adjacent areas within where they want to reduce their toolset, but then they also want the flexibility to have a singular view of their overall security posture as it ties to the business while maintaining some of the best of breed solutions from different vendors.
And so instead of sort of like, hey, you have to replace all your tools with a single vendor solution, which when we talk to CSOs, they don’t find that very realistic that they’re gonna really have only one vendor across everything. And that’s the dynamics that we’re seeing in terms of, you know, with our risk operation center approach is really consolidating in areas like cloud security, vulnerability management, patch management, and then while giving the customer the flexibility to be able to pull data from other tools that they might have very specialized capabilities like IT, IoT, or OT environments, etcetera, to get that singular view.
Kingsley Crane, Software Analyst, Canaccord: So we’ve talked a bit about this, but there’s always this pendulum between best of breed and platform in security. Identity is becoming more of a battleground right now with Palo Alto acquiring CyberArk. One of the things Nikesh Arora said, whether he means it or not, is that when he sees a market start to inflect, that’s when they identify that they wanna go after that market and have that become a more meaningful part of their platform. So in terms of your business, how do you think about breadth first step Yeah. When building out the platform and, you know, when to double down on the existing strengths versus when to expand?
Sumedh Thakkar, CEO, Qualys: That is a very good question because similar to what I mentioned previously, our conversation with CSOs are well, first of all, when you talk about holistic risk management, you have infrastructure security, cloud security, application security. And identity is definitely one area of risk management. Right? Like, you could have all of your systems fully patched. But if identity is compromised, it still creates the same amount of risk to losing that $100,000,000 as it would if you had a vulnerability.
Right? So there is an overall feeling that you wanna have a consolidated review of the risk. And, the approach that, what Qualys is taking based on our conversation with CSOs is that they don’t necessarily find that realistic to replace everything that they have with a single vendor. They do feel like there’s areas of consolidation that we were doing with that. But then when we talk about the risk operation center, like a formalized risk management process, and our enterprise risk management platform gives them the right flexibility in the mix where they can consolidate in certain areas while keeping the best of breed.
And so the way we are addressing that is at Black Hat, we also announced an identity security posture management capability. But that capability does not necessarily require the customer to go and replace all their identity security solutions that they already have. However, it actually does plug into the common tools like Okta, etcetera, to pull in identity related risk information and then combine that with cloud security information, with infrastructure security information to give them a singular scoring. So this gives them the flexibility to maintain the best solutions that they would like for identity while giving them the flexibility to be able to see, from a broader platform perspective, if there is a $100,000,000 at risk, what is the probability of that happening, and how much of that risk is really coming from identity versus cloud misconfiguration versus on prem security. And so our approach to platform is giving customers the flexibility to consolidate in certain areas and allow them to plug in the tools that they have rather than going out and saying you replace everything with my solution and life will be beautiful.
Kingsley Crane, Software Analyst, Canaccord: Yeah. Yeah. That flexibility and our ability is really, really important for customers. I’d be remiss if I did not talk about AI. Lasted five questions.
Yeah. So you recently unveiled some agentic AI capabilities Yeah. To augment the risk operation center. Can you just tell us more about how this could reduce operational overhead and then also potentially reduce mean time to resolution?
Sumedh Thakkar, CEO, Qualys: Yeah. Look. I’m a technologist. I’ve been an engineer for many years. And so, I stay away from the hype sometimes when you have the hype that happened in AI.
And I think generative AI was good as a starting point, but I don’t think anybody had the patience to sit there and keep asking questions all day long to get responses. You needed a way to operationalize that. And that’s really where agentic AI in the last year or so has been very interesting because it really makes generative AI usable and operational in the background. And so look, risk operations is you are taking 10,000,000 findings and figuring out which 20 of those actually are meaningful to your business to prevent a ransomware attack as an example. So that needs a certain amount of work that somebody needs to do.
They have to look at the scan data. They have to look at was it properly scanned. You know, when was it scanned? It’s in the last thirty days. How many of these vulnerabilities are actually on assets that are critical?
So with agentic AI and with the MCP protocol, we really felt like this was a great opportunity to help customers reduce the amount of manual efforts that they were putting in to find out those 20 things that really are meaningful to their business. And so we created this concept of cyber risk agent and a cyber risk agent marketplace. And so the idea is that when you go in to the Qualys Enterprise Risk Management platform, you are basically presented with specialized agents that are available that you can drag and drop. And you can say, I want a Patch Tuesday agent. I want a ransomware expert agent.
I want a malware expert agent. And they are very good at doing the task. And underneath that, they will leverage APIs, applications, other generative AI, LLMs, etcetera, to give you an end to end outcome. And so this has been very powerful for our customers in the preview that we just launched where they’re able to say, I can take an agent that is an expert provided by Qualys in the marketplace. I can build my own agent.
And then in the future, we see the potential of bringing on agents from partners that actually will achieve an outcome. As an example, if you have Zscaler, an outcome of your prioritization needs to be apply a policy zero trust policy with Zscaler because of the issue with that particular solution, you can really do that. And so I do feel like, agentic AI is going to be something that every risk operation center is going to need just to really simplify the task and reduce the amount of manual effort that goes in. It’s a different approach because now you’re seeing the CSOs can see they are augmenting their security risk management team with digital workers or however you want to call them that you can actually just say if you look at some of the screenshots, you can actually go and say, I would like to get agent Sarah as part of my team for the next one week so she can really focus on triaging my patches, their vulnerabilities. And that approach has been very positively received by our customers.
Kingsley Crane, Software Analyst, Canaccord: So this is sort of related to AI and by your work you’re speaking about, and you may have opinions on this as well. But, you know, AI talent is expensive, but then also AI is allowing developers to be a lot more productive in terms of code creation. Or on the agentic side potentially as this digital workforce. So I guess within your own business, how do you think about the puts and takes of that cost ballooning on the R&D side or driving efficiency throughout the whole business?
Sumedh Thakkar, CEO, Qualys: The way I see that is the efficiency that it brings with the business. You know, we’re like, we use it for coding at times. We’re using it for customer support, etcetera. It’s just allowing us to scale to do more with the team that we have. And so if I can get that same developer to be producing more code with the use of AI or my customer support agents are able to answer the questions pretty quickly or when we are doing internally, when we look at sales calls and sort of getting a feel of right, like, are the sales guys just happy ears about the deal and dreaming about the deal happening?
Or is the AI confirming that? I think all of it is just making us more productive, and I see that less about reducing sort of the workforce, more about getting more productivity and being able to do more with that workforce that we have. So we definitely see there is the certain amount of hype in things with AI, but there’s also use cases with AI that we are leveraging throughout the organization that I think are just helping us be able to do more. And if you look at how rapidly we were able to come out with the agentic AI solution, when it hit the market, I think that’s a testament to the use of our talent with our engineers and AI capabilities that they were able to leverage pretty quickly.
Jimmy Kim, CFO, Qualys: Yeah. And if you think about our investment kind of thesis around R&D and sales and marketing in the last two years in 2023 and 2024, part of the reason why R&D expense has grown by less than 5% for both years is because of our heavy, like, engineering force in Pune. We’ve been able to leverage our entire team in Pune to make sure that we’re making progress on the product road map in addition to the GTM strategy and executing on that. But with that said, in 2025, it’s truly been an investment year for us with our new products like agentic AI development as well as our partner first go to market strategy. Our R&D grew by 8% in Q1.
That ramped to 15% in Q2. We haven’t really seen that. In addition to R&D growing by 15% year over year in Q2, our sales and marketing also grew by 15%. So we are really excited about the opportunities ahead and making sure that we invest ahead of that.
Kingsley Crane, Software Analyst, Canaccord: You brought up Pune, I’m gonna skip ahead to that question. But we need you’re incredibly profitable business, rule of 50 plus, 40% plus EBITDA margins. 74% of your employees are outside of the US, but you’ve done such a great job finding talent, nourishing talent in those regions, particularly in Pune, which is significant asset to your business. So just any more you can tell us about how you’re able to do that year after year.
Sumedh Thakkar, CEO, Qualys: Yeah. It’s been a great investment for us, and it really has allowed us to have scale, to be able to hire talent at scale to match our vision of all the different things that we wanted to do. And, you know, Pune, just being one of those university towns where there’s a lot of colleges, universities where we see a lot of people graduating even from coming from outside of Pune coming there, graduating. And it’s grown up as a Silicon Valley hub in India as well. And we’re now seeing a lot of I mean, we started there, like, twelve years ago, and now we’re seeing a lot of other companies following that because of the security.
I mean, when we went there, it was really pretty much Symantec and was the only one out there. But now you pretty much have everybody from, you know, CrowdStrike to Symantec, and everybody is there. And so it has become so which is good because it allows us to have good talent, availability, and a talent pool. And developers who are really up to speed around the latest technology that we have been leveraging. And so that has given us the ability really to do more and scale more and be able to augment our US team with R&D that we can do in different broader areas at the same time.
So we’re pretty happy with how that has, worked out for us.
Kingsley Crane, Software Analyst, Canaccord: Right. So federal has been a big focus for you recently. You just held your second annual public sector risk conference. Can you just tell us more about some of the developments in that area and then Yeah. You know, the Washington DC office Yeah.
That can accelerate some of that.
Sumedh Thakkar, CEO, Qualys: Yeah. Great. So look. For the last few years, I mean, our federal revenue has been less than 5%. Right?
And so for us, we really see this as a big opportunity for us in the future to grow where in the past, the federal government was more about on prem solutions and data not going out. However, the last few years, they are modernizing their infrastructure, we’re seeing the use of FedRAMP. And so we became FedRAMP Moderate, like, four, five years ago, which has been great for us. But we’ve also really invested, and, you know, anybody who’s gone through that will know it really takes dedication and investment to get FedRAMP High. And so we were very excited last week to announce that our platform, you know, we’re able to get FedRAMP High, which means we’re the only FedRAMP High platform that can do asset patch and vulnerability management as well as cloud all in a single platform.
And we with the investment that we are putting, building out a team, we did our conference and timely right now with the focus on government efficiency. We are working with customers in the federal space similar to what we’re seeing in the commercial side. They also wanna be able to leverage the concept of a risk operation center that is going to take all their findings, triage them down to the 2% that really matter to their mission. And we also in our conversations, we also see that this is an opportunity for leaders in these organizations, agencies to be able to communicate that a way to bring efficient like, you cannot bring more efficiency with the same on prem tools that you have been using. And if you look at where we have found success in some of the recent ones last few quarters that we’ve talked about is always replacing an on prem scanner and an on prem patching solution with a single Qualys solution.
Right? And so, at the conference that we had, we talked about the risk operation center for government use and the ability to leverage and move to a FedRAMP High solution with modern capabilities away from on prem scanners into cloud based scanners that are FedRAMP High gives more flexibility, more efficiency, and more security for these government agencies. And so we look at this as a growth opportunity for us over the next few years, and we’re going to continue to invest in that and build out the team. And now with FedRAMP High, we’re excited about the opportunities that it can open up for us over the next few quarters.
Kingsley Crane, Software Analyst, Canaccord: So partners are critical to the motion, but you also recently launched your managed risk operations center, mROC. Nice list of initial partners, BlueVoyant, GuidePoint, NetHive. Can you tell us about how you think that list may grow and then how you’re helping to foster the development of that platform?
Sumedh Thakkar, CEO, Qualys: Yeah. Look. We believe that for us to bring scale for growth to our business partners are gonna be key. And, you know, look. Four years ago, we were 60/40, 60 direct, 40 partner, and we have done pretty well, I think, to move that mix to 51/49.
And so more partners are and the partner business is good. It’s efficient. It brings good upsells for us. Why? And we have done this well while maintaining our margin as well.
Right? And so we see that as we continue to work with partners, that’s gonna be the opportunity for Qualys to bring scale to our business, especially as we get into cloud security, etcetera. However, with partners, it’s also important that instead of sort of negotiating on, I can give you three more points than the other solution for the resell, we pivot the conversation towards how can these partners get more services business when they’re leveraging Qualys compared to just a few points on a dollar when they’re selling other solutions. And that’s where we came up with the concept of a managed risk operations center as customers are looking at formalizing the risk management process. Because for many years, SOC has been what you use for detecting threat after somebody’s in your environment.
Proactive risk management, there is a movement more towards better board reporting, better aligning risk management to the business. However, these customers don’t have the expertise to be able to do it themselves. And so mROC allows specific partners that we work with closely to quantification, provide services like risk remediation risk monitoring, risk remediation. And so we believe that creating a capability where even if the customer even if the partner has sold a competing solution in the past, they don’t need to go and have a replacement conversation. They can actually leverage the Qualys Risk Operation Center and provide mROC services to bring data from other solutions into Qualys and provide services around that.
So that is exciting for them. Right? So instead of saying few more cents on a dollar for a resell, if they can make $5 for services for every dollar of Qualys they sell. And so that’s where the excitement about the mROC has been is that it, first of all, it allows the partners to go into a very crowded MDR market to come up with a new offering, which is around managing risk and risk management. And then they can essentially make more services dollars than just simple resale type opportunities.
So that’s been exciting, and we see that this can get partners excited to bring more business to Qualys and drive scale for us over the next couple of years.
Kingsley Crane, Software Analyst, Canaccord: Jimmy, you’ve had a really strong first half of the year and a stronger Q2 than we’ve seen in recent years. So how should we think about the cadence of growth in the back half of the year? And then anything you can tell us about aspirations to potentially grow 10% plus next year?
Jimmy Kim, CFO, Qualys: Yeah. We had a really strong first half of the year, and so we were pleased with the growth primarily driven by our existing customers. I think that we were disappointed a year ago when our net dollar expansion rate continued to decline to 102%. Like Sumedh mentioned, it ticked up to 103. It’s been there for a couple quarters now.
We’re really pleased to see that tick up to 104% this quarter. And so what we’re seeing for the second half of this year, if you’re looking at it from a current billings perspective, it is a tougher compare. We did perform well from a current billing standpoint in the second half of last year. So because of that, the implied growth rate for the second half of this year is going to be more around 5 to 7%. So the full year is gonna end at around 6 to 8%.
With that said, we are hoping that it will start reaccelerating with the ramp of the ETM and our newer products with the agentic AI feature next year. So because of that, we are continuing to invest in the R&D and sales and marketing front because we see the potential acceleration opportunity into 2026. It’s a little too early for us, but our aspiration is to better balance growth and profitability. So the margin contraction will likely continue in the near future, but we do see an opportunity to kind of look forward to the margin expansion once this rebalancing of partner versus direct revenue kind of more or less moderates.
Kingsley Crane, Software Analyst, Canaccord: It’s been really impressive performance. I know we kinda started a little bit late, so is there anything else that you’d like to leave the audience with?
Sumedh Thakkar, CEO, Qualys: I think we’re pretty excited about the opportunities ahead of us, especially when you look at our leverage of the partners, our federal business, and just really new offering with the risk operations center. We know we had Black Hat. We had set up a mock risk operations center. It was great to see a lot of people lined up to sort of experience that. So it’s about creating a new category that’s resonating well.
And so we’re pretty excited about risk management as an area in cybersecurity that actually is providing business outcomes would be the differentiator for us. So we are going to continue to grow profitably, and that’s something that we are very excited about and looking forward to the
This article was generated with the support of AI and reviewed by an editor. For more information see our T&C.