Qualys : Q4 FY 2025 Prepared Remarks

Qualys Q4 FY2025 Earnings Prepared Remarks

Foster City, Calif., - February 5, 2026 - Qualys, Inc.(NASDAQ: QLYS), a leading provider of disruptive cloud-based IT, security, and compliance solutions, today announced financial results for the fourth quarter ended December 31, 2025.

Blair King, Investor Relations

Good afternoon, and welcome to Qualys' fourth quarter 2025 earnings call.

Joining me today to discuss our results are Sumedh Thakar, our president and CEO, and Joo Mi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events.

During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. As a reminder, the press release, prepared remarks, and investor presentation are available on the Investor Relations section of our website. With that, I'd like to turn the call over to Sumedh.

Sumedh Thakar, president and CEO

Thanks, Blair, and welcome to our fourth-quarter earnings call.

As threat actors continue to compress time-to-exploit, we believe the next phase of pre-breach risk management will be defined by an agentic AI-driven risk fabric with out-of-the-box business quantification and automated remediation. Against that backdrop, we continued to execute well in Q4, demonstrated by another quarter of strong revenue growth and profitability.

In my conversations with hundreds of CIOs, CISOs, and security leaders from many of the world's largest and most innovative organizations, one message has remained consistently clear.

Reducing cyber risk isn't about detecting more exposures. It's about operationalizing a cyber risk management program that aligns spend with risk tolerance. In doing so, CISOs are increasingly prioritizing the unification of fragmented security stacks into a centralized risk fabric. One that serves as a credible alternative to single-vendor platforms by bringing diverse risk vectors into a prioritized, measurable view of risk that their teams can confidently communicate and remediate at machine speed. That message was further amplified at our recently concluded ROCon conference in Mumbai, with attendance up over 30% from last year's event as we again broadened the agenda to include a business track. And, with the advent of AI, which is democratizing cybercrime and enabling adversaries to operate with unprecedented speed and sophistication, this need is

only intensifying. As a result, we believe the future of pre-breach risk management belongs to vendor-agnostic, agentic AI-powered solutions that continuously predict, assess, confirm, quantify, prioritize, and remediate risks across on-prem and multi-cloud environments. Over the past year, we continued to execute relentlessly toward this vision, delivering meaningful platform innovation to help customers reduce risk faster, operate more efficiently, and stay ahead of an increasingly dynamic threat landscape.

Platform Innovation:

Accordingly, in 2025, we broadly opened the Qualys Enterprise TruRisk Platform to third-party data and launched a powerful new orchestration layer that unifies Qualys and non-Qualys findings, applies our industry-leading threat intelligence, and delivers a business-contextual, quantified view of risk with built-in prioritization and automated remediation. Building on this foundation, we introduced an Agentic AI risk fabric that accesses and normalizes diverse internal and external data sources, applications, and machines. We extended these capabilities with a first-of-its-kind Agentic AI risk management marketplace, enabling security and IT teams to quickly augment their existing workforce with highly specialized autonomous experts that significantly reduce time-to-remediation, increase accuracy, and reduce costs. To further close security gaps, we again organically enhanced ETM with a natively integrated Identity Security Posture Management (ISPM) solution at a time when identities have become part of the new perimeter. And, further flexing the power of our platform, we are now confirming exploits before customers are compromised. While traditional Continuous Threat Exposure Management (CTEM) solutions rely only on theoretical risk scores and ignore mitigating security controls, ETM takes a fundamentally different approach. It uniquely detects vulnerabilities, validates exploitability, applies remediation, and revalidates exploit using agent Val's agentic AI workflows .

The net result is that Qualys is redefining how organizations manage pre-breach cyber risk. While competitors continue to focus on detecting vulnerabilities or mapping exposures, Qualys has moved decisively beyond that model. We are pioneering the first agentic AI-native Risk Operations Center (ROC), a new category in cybersecurity designed to centralize an organization's response to threats spanning exploit confirmation to autonomous remediation. Powered by our ETM solution, the ROC represents a fundamental divergence from traditional CTEM tools. Competitors can point to exposures; they don't quantify cyber risk in dollar terms that matter most to the business, and they don't adequately fix them. ETM fills that gap. This is what sets Qualys apart.

We don't stop at detection and non-quantifiable prioritization. We natively integrate CTEM, exploit confirmation, contextualized Cyber Risk Quantification (CRQ), and remediation operations into a single AI-powered workflow, leveraging both Qualys and non-Qualys data sources. In doing so, our architecture orchestrates and implements a perception-reasoning-action loop, enabling autonomous agents to collect real-time telemetry, reason through risk signals, plan response workflows, and execute actions. This enables organizations to holistically predict emerging risks across infrastructure, cloud, application security, IoT, and identities, safely confirm probable exploits, prioritize threats based on business impact, remediate through patching or other compensating controls, and verify the effectiveness of the remediation tactic. This end-to-end vendor-neutral approach is catalyzing a paradigm shift in pre-breach cyber risk management, where customers aren't just seeing their risk holistically across their security stack; they're validating it, quantifying it, and reducing it, continuously and autonomously at scale. By aligning security and IT decisions directly with business priorities, we are providing organizations with measurable, proactive risk reduction that boards and customers value. Armed with this fresh new set of capabilities, and early momentum already validating this model, we are now laser-focused on accelerating ETM adoption throughout our Vulnerability Management, Detection, and

Response (VMDR®) customer base and positioning Qualys for larger upsell opportunities over time.

Q4 Business Update:

Moving to our business update. With customers spending $500,000 or more with us growing 4% from a year ago to 215, let me now share a couple of recent wins, which illustrate why organizations ready to centralize their response to cyber risk are turning to Qualys to help unify their security stacks, quantify and remediate risk in their environments, and fortify their security operations.

First, an existing Global 50 customer was struggling under the weight of multiple unintegrated security tools, millions of vulnerabilities, and limited visibility into its overall risk profile. Traditional prioritization methods were unable to adequately filter critical findings, leaving security and IT teams without the necessary business context to act decisively. Consequently, this customer selected Qualys and launched a strategic initiative to unify its security stack by transforming siloed risk signals spanning on-prem and multi-cloud environments into a cohesive, agentic AI-native risk management solution. This included expanding their ETM deployment to further operationalize their ROC with ingested third-party data from several sources, resulting in a mid-six-figure annual bookings upsell. By consolidating these data sources into the Qualys platform, we are now delivering this customer a unified orchestration layer with full visibility of their attack surface, centralized risk assessment, quantification, prioritization, and remediation workflows while unleashing the operational efficiencies of security stack consolidation. This expansion of their ROC underscores the power of our platform and reinforces Qualys' ability to unify siloed risk signals, operate as an autonomous defense layer, strengthen customer outcomes aligned to the business's risk tolerance, and advance our leadership in the industry.

Leveraging our mROC partner ecosystem, we are also pulling new business into Qualys. During the planning stages of launching a new ETM POC with a global 200 company in Latin America, we secured a seven-figure annual bookings upsell, which included our TotalCloud CNAPP and Policy Audit solutions. This win demonstrates the leverage of our partner-led motion, and our ability to convert early engagement into meaningful, multi-solution growth.

Turning to our Federal business, we achieved a mid-six-figure expansion with one of the federal government's most visible shared cybersecurity services utilized by several large government agencies nationwide. Faced with an overwhelming volume of security issues and limited resources to continuously assess risk across fragmented tools and manual workflows, this customer chose Qualys for its cloud-native FedRAMP High Authorized platform to enable a centralized government program that quantitatively prioritizes risk with automated assessment, standard outputs, and low operational overhead. Given the success of this deployment, we are now working toward a multi-agency ETM roll-out, representing a significant upsell opportunity as this shared services team prepares to operationalize its ROC. These results, alongside another six-figure upsell with a separate large federal agency, reinforce our proven ability to align technical capabilities with operational outcomes that address modern security challenges and underscore the long-term growth opportunity in our Federal business.

Beyond these wins, we're also gaining more leverage from our partner ecosystem. As we continue to endorse a partner-first sales motion, partner-led deal registration increased again in Q4, reflecting deeper alignment and execution across the channel. In addition, with well over a dozen certified mROC partners actively launching new services, momentum continues to build toward a

global ROC alliance, fueling our capacity, harnessing transformative solution sales, and bringing new business to Qualys.

Further contributing to our growth profile, in Q4, we continued beta testing QFlex to help customers accelerate and maximize adoption of the Qualys Enterprise TruRisk Platform. Given the strong customer response and early success of this model, we plan to continue to focus on proactively identifying opportunities to leverage QFLex to enable select customers and partners to accelerate their adoption of Qualys solutions in 2026.

In summary, we are fundamentally changing how organizations manage pre-breach cyber risk by natively unifying CTEM with exploit confirmation, risk quantification, and automated remediation powered by an agentic AI risk fabric. Our rapid pace of innovation and strategic investments are driving strong competitive differentiation, deeper ROC adoption, broader engagements across large federal agencies, growing partner-led execution, and initial QFlex success. Looking ahead to 2026, we'll continue our disruptive innovation, further advance our go-to-market investments, and execute our ROC vision with a balanced approach to long-term growth and profitability.

With that, I'll turn the call over to Joo Mi to further discuss our fourth quarter results and outlook for the first quarter and full year 2026.

Joo Mi Kim, Chief Financial Officer

Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that, except for revenues, all financial figures are non-GAAP, and growth rates are based on comparisons to the prior year period, unless stated otherwise.

We're pleased to report a healthy finish to the year, highlighting our continued execution, financial discipline, and scalable business model. For the full year, we grew revenues by 10% to $669.1 million and achieved adjusted EBITDA margin of 47%, even with continued 14% growth in investments in Sales and Marketing. Net Income and EPS grew 13% and 15% to $257.8 million and $7.07 per diluted share, respectively. And, Free Cash Flow reached $304.4 million, or 45% of revenues, all of which exceeded our expectations for the year.

Turning to fourth quarter results, revenues grew 10% to $175.3 million. The channel continued to increase its contribution, making up 51% of total revenues compared to 48% a year ago.

Revenues from channel partners grew 17%, outpacing direct, which grew 4%. As a result of our strategic emphasis on leveraging our partner ecosystem to drive growth, we expect this trend to continue. By geo, 15% growth outside the US was ahead of our domestic business, which grew 6%. US and international revenue mix was 56% and 44%, respectively.

With customers confirming their prioritization of security within IT budgets, we anticipate the selling environment in 2026 to remain similar to last year, with low-to-mid single digit growth in security spend persisting for the foreseeable future. Reflecting this sentiment, our gross dollar retention rate remained comfortably above 90%, but saw a modest sequential decline in Q4, with our net dollar expansion rate at 103%, down from 104% last quarter.

In terms of product mix, our differentiated new products continued to drive growth, with all three of the following increasing contribution to bookings in 2025. First, Cybersecurity Asset Management combined with ETM made up 10% of total bookings and 13% of new bookings in 2025, up from

last year's 8% and 9%, respectively. Next, Patch Management made up 8% of total bookings and

16% of new bookings in 2025, up from last year's 7% and 16%, respectively. Lastly, TotalCloud made up 5% of total bookings in 2025, up from 4% a year ago. We believe that these differentiated products combined will continue to increase contribution to bookings in 2026 given our opportunity to increase market share and maximize share of wallet.

Turning to profitability, adjusted EBITDA for the fourth quarter of 2025 was $82.6 million, representing a 47% margin, same as last year's. Operating expenses in Q4 increased by 11% to

$68.9 million, driven by investments in Sales & Marketing, which grew 18%.

With this strong performance, EPS for the fourth quarter of 2025 was $1.87 per diluted share, and our free cash flow was $74.9 million, representing a 43% margin, compared to 26% in the prior year. In Q4, we continued to invest the cash we generated from operations back into Qualys, including $724 thousand on capital expenditures and $44.7 million to repurchase 328 thousand of our outstanding shares. Since commencing our share repurchase program in February of 2018, we've repurchased 10.7 million shares and returned over $1.2 billion in cash to shareholders. As of the end of the quarter, we had $160.5 million remaining in our share repurchase program. We are pleased to announce that our Board has authorized another increase of $200 million to the share repurchase program, bringing the total available amount for share repurchases to $360.5 million.

With that, let us turn to guidance, starting with revenues: For the full year 2026, we expect revenues to be in the range of $717.0 to $725.0 million, which represents a growth rate of 7% to 8%. For the first quarter of 2026, we expect revenues to be in the range of $172.5 to $174.5 million, representing a growth rate of 8% to 9%. This guidance assumes no material change in our net dollar expansion rate with moderate growth contribution from new business in 2026.

Shifting to profitability guidance, for the full year 2026, we expect EBITDA margin to be in the mid 40s, implying mid-teens increase in operating expenses, and free cash flow margin in the low 40s. We expect full year EPS to be in the range of $7.17 to $7.45. For the first quarter of 2026, we expect EPS to be in the range of $1.76 to $1.83. Our planned capital expenditures in 2026 are expected to be in the range of $8.0 to $12.0 million; and, for the first quarter of 2026, in the range of $1.2 to $2.6 million.

In 2026, with respect to operating expenses, we plan to align our product and marketing investments to focus on specific initiatives aimed at driving more pipeline, accelerating our partner program, and expanding our federal vertical. As a percentage of revenues, we expect to prioritize an increase in investments in Sales & Marketing with more modest increases in engineering and G&A.

With that, Sumedh and I would be happy to answer any of your questions.