About Qualys

Qualys, Inc. (Qualys) operates as a provider of a cloud-based platform delivering information technology (IT), security and compliance solutions. The company's integrated suite of IT, security and compliance solutions delivered on Qualys' Enterprise TruRisk Platform enables its customers to identify and manage their internal and external IT and operational technology (OT) assets across on-premises, endpoints, cloud, containers, and mobile environments; collect and analyze large amounts of IT security data; discover and prioritize vulnerabilities; quantify cyber risk exposure; recommend and implement remediation actions; and verify the implementation of such actions. This helps organizations protect their systems and applications from ever-evolving cyber-attacks and helps achieve compliance with internal policies and external regulations. The company's cloud platform addresses the growing IT, security and compliance complexities and risks that are amplified by the dissolving boundaries between IT infrastructures and web environments, the rapid adoption of cloud computing, containers and serverless IT models, and the proliferation of geographically dispersed IT assets. Organizations use the company's integrated suite of solutions to cost-effectively obtain a unified view of their internal and external IT and OT asset inventory, as well as security and compliance posture across globally-distributed IT infrastructures as its solution offers a single platform for information technology, information security, application security, endpoint, developer security and cloud teams. IT infrastructures are more complex and globally-distributed today than ever before, as organizations of all sizes increasingly rely upon a myriad of interconnected information systems and related assets, such as servers, databases, web applications, routers, switches, desktops, laptops, other physical and virtual infrastructure, and numerous external networks and cloud services. 
In this environment, new and evolving digital technologies intended to improve organizations' operations can also increase vulnerability to cyber-attacks, which can expose sensitive data, damage IT and physical infrastructures, and result in serious financial or reputational consequences. In addition, the rapidly increasing amount of data and devices in IT environments makes it more difficult to identify and remediate vulnerabilities in a timely manner. The predominant approach to IT security has been to implement multiple disparate security products that can be costly and difficult to deploy, integrate and manage and may not adequately protect organizations. The company designed its cloud platform to transform the way organizations secure and protect their IT infrastructures and applications. The company's cloud platform offers an integrated suite of solutions that automates the lifecycle of asset discovery and management, security and compliance assessments, and remediation for an organization's IT infrastructure and assets, whether such infrastructure and assets reside inside the organization, on their network perimeter, on endpoints or in the cloud. Since inception, the company's solutions have been designed to be delivered through the cloud and to be easily and rapidly deployed on a global scale, enabling faster implementation and lower total cost of ownership than traditional on-premise enterprise software products. The company's customers, ranging from some of the largest global organizations to small businesses, are served from its globally-distributed cloud platform, enabling it to rapidly deliver new solutions, enhancements and security updates. The company provides its solutions through a software-as-a-service model, primarily with renewable annual subscriptions. These subscriptions require customers to pay a fee in order to access each of the company's cloud solutions. 
The company generally invoices its customers for the entire subscription amount at the start of the subscription term, and the invoiced amounts are treated as deferred revenues and are recognized ratably over the term of each subscription. The company continues to experience revenue growth from its existing customers as they renew and purchase additional subscriptions, as well as from the addition of new customers to its cloud platform. The company's cloud platform is used by over 10,000 customers worldwide, including a majority of the Forbes Global 100.

Platform

The company's cloud platform consists of a suite of IT security, compliance, web application security, asset management and cloud security solutions, which it refers to as the Qualys Cloud Apps, that leverage its shared and extensible core services and its highly scalable multi-tenant cloud infrastructure. The company also provides open application program interfaces, or APIs, and other developer tools that allow third parties to embed its technology into their solutions and build applications on its platform. The company's cloud platform utilizes physical and virtual sensors, and cloud agents that provide its customers with continuous visibility enabling customers to respond to threats immediately. Customers can extend visibility to all known IT infrastructure using its Out-of-Band Configuration Assessment sensor for systems that are air-gapped or otherwise difficult to assess. The company's cloud platform automatically gathers and analyzes security and compliance data in a scalable, state-of-the-art backend. The technology underlying its cloud infrastructure enables it to ingest, process, analyze and store a high volume of sensor data coming from its agents, scanners and passive analyzers, and correlate information at very high speeds in a distributed manner for millions of devices.
The company's cloud platform is delivered to its customers via its 14 global shared cloud platforms, or via its private platform offering, Qualys Private Cloud Platform (PCP), for customers or partners that want the platform to reside within the customer's shared cloud platform. The PCP is a standalone version of the company's multi-layer, multi-tenant services architecture and is a fully integrated turnkey solution, making it more scalable, and faster to deploy within a customer's shared cloud platform. Solutions delivered through the company's PCP are typically on the same subscription basis as solutions delivered through its shared platform. The company's PCP utilizes hardware and software owned by it and is physically located on the customer's premises. The customer is not permitted to take possession of the software or access the software code. The company also offers its PCP as a subscription-based platform service to the customer using a virtual version of its software. This virtualized PCP allows the company to extend its security and compliance solutions without the complexity and cost associated with deploying traditional enterprise software.

Qualys Core Services

The company's core services enable its customers to detect vulnerabilities, measure and remediate cyber risk through integrated workflows, management and real-time analysis and reporting inside their organizations, on the perimeter, on endpoints or in the cloud. The company's core services constitute dynamic and customizable dashboards and centrally managed, self-updating integrated Cloud Apps, through a natively integrated unified platform. The company's interactive, dynamic dashboards and cloud platform allow its customers to aggregate and correlate all of their IT, security and compliance data in one place, drill down into details, and generate reports customized for different audiences.
The company's cloud platform's powerful Elasticsearch clusters enable customers to instantly find detailed data on any asset. The company's core services include:

Asset Tagging and Management: Enables customers to easily identify, categorize and manage large numbers of assets in highly dynamic IT and OT environments and automates the process of inventory management and hierarchical organization of all internal and external assets. Built on top of this core service is the Qualys GAV framework, which is a global asset inventory service enabling the company's customers to search for information on any asset, scaling to millions of assets for customers of all sizes, helping IT and security personnel to search assets and maintain an up-to-date inventory on a continuous basis.

Reporting and Dashboards: A highly configurable reporting engine that provides customers with reports and dashboards based on their roles and access privileges.

Questionnaires and Collaboration: A configurable workflow engine that enables customers to easily build questionnaires and capture existing business processes and workflows to evaluate controls and gather evidence to validate and document compliance.

Remediation and Workflow: An integrated workflow engine that allows customers to automatically generate helpdesk tickets for remediation to manage compliance exceptions based on customer-defined policies, enabling subsequent review, commentary, tracking and escalation. This engine automatically distributes remediation tasks to IT administrators upon scan completion, tracks remediation progress and closes open tickets once patches are applied and remediation is verified in subsequent scans.

Big Data Correlation and Analytics Engine: Provides Elasticsearch capabilities for indexing, searching and correlating large amounts of security and compliance data with other security incidents and third-party security intelligence data.
Embedded workflows enable customers to quickly assess risk and access information for remediation, incident analysis and forensic investigations.

Alerts and Notifications: Creates email notifications to alert customers of new vulnerabilities, malware infections, scan completion, open trouble tickets and system updates.

Qualys Cloud Apps

Qualys' Enterprise TruRisk Platform and its Cloud Apps help organizations escape this tool-fragmentation dilemma by drastically simplifying their security stacks and regaining unimpeded visibility across their on-premises, endpoints, cloud, container, and mobile environments. The Cloud Apps are self-updating, centrally managed and tightly integrated, and cover a broad range of functionality in areas such as asset management, vulnerability management, risk mitigation, threat detection and response, compliance and cloud security solutions. The company's customers can subscribe to one or more of its 20+ Cloud Apps based on their initial needs and expand their subscriptions over time to new areas within their organization or to additional Qualys solutions to develop a more complete understanding of their respective environment's IT, security and compliance posture and remediate cybersecurity risk. Many of the company's customers use multiple Cloud Apps, some of which are noted below:

Asset Management

Cybersecurity Asset Management (CSAM): CSAM is an all-in-one solution that leverages the power of the company's cloud platform with its multiple native sensors and CMDB synchronization to continuously inventory known and unknown assets, discover installed applications, and overlay business and risk context to establish asset criticality. It identifies unauthorized or end-of-life and end-of-service software and the absence of required security tools, and assesses the health of the attack surface.
Further, CSAM enables response options with threat alerts and software removal and delivers regulatory reporting in support of the Federal Risk and Authorization Management Program (FedRAMP), PCI-DSS and other mandates. CSAM includes External Attack Surface Management (EASM), which allows discovery of internet-facing unknown assets.

Vulnerability Management

Vulnerability Management, Detection and Response (VMDR): VMDR enables organizations to automatically discover every asset in their environment, including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets. VMDR continuously assesses these assets for the latest vulnerabilities and applies the latest threat intel analysis to prioritize actively exploitable vulnerabilities. VMDR automatically detects the latest superseding patch for the vulnerable asset and easily deploys it for remediation. Finally, VMDR quantifies risk across vulnerabilities, assets and groups of assets helping organizations proactively reduce cyber risk exposure and track cyber risk reduction over time. By delivering all this in a single app workflow, VMDR automates the entire process and significantly accelerates an organization's ability to respond to threats, thus preventing possible exploitation across on-premises, endpoints, cloud, containers, and mobile environments.

Web Application Scanning (WAS): WAS continuously discovers and catalogs web applications - including new and unknown ones - and detects vulnerabilities and misconfigurations in web apps and APIs. Scaling to thousands of scans, it conducts incisive, thorough and precise testing of browser-based web apps, mobile app backends, and Internet of things (IoT) services. WAS' powerful API enables integration with other systems and allows teams to detect issues within DevOps environments early in the application development process.
Bundled malware detection capability with WAS uses reputational, behavioral, antivirus, and heuristic analyses to identify and alert on malware infecting a user's websites. By integrating WAS with manual testing tools and bug bounty solutions, customers can build a comprehensive web application vulnerability testing program.

Risk Mitigation

Patch Management (PM): PM provides automated patch deployment capabilities for Windows, Linux, Mac and third-party software by correlating vulnerabilities and the right set of remediation including patches and configuration fixes. It continuously gathers and uploads telemetry about installed software, open vulnerabilities and missing patches to its cloud platform. The resulting shared visibility of assets and their posture enables IT and security teams to collaborate using common vulnerability-centric terminology and provides a consistent data set to analyze, prioritize, deploy and verify patches more efficiently.

Custom Assessment and Remediation (CAR): CAR enables security architects to create custom scripts in popular scripting languages, user-defined controls and automation, all seamlessly integrated within existing programs to quickly assess, respond to and remediate threats across global hybrid environments.

Threat Detection and Response

Multi-Vector Endpoint Detection and Response (EDR): Traditional endpoint detection and response solutions focus only on endpoint activity to detect attacks. As a result, they lack the full context to analyze attacks accurately. This leads to an incomplete picture and a high rate of false positives and negatives, requiring organizations to use multiple point solutions and large incident response teams. The company's highly scalable platform fills the gaps by bringing a new multi-vector approach and the unifying power to EDR, providing vital context and comprehensive visibility to the entire attack chain, from prevention to detection to response.
EDR unifies different context vectors like asset discovery, rich normalized software inventory, end-of-life visibility, vulnerabilities and exploits, misconfigurations, in-depth endpoint telemetry, and network reachability with a powerful backend to correlate it all for accurate assessment, detection and response.

Context Extended Detection and Response (XDR): XDR provides context and clarity to enterprise security operations through risk-focused, single pane of glass visibility and control to improve enterprise-wide threat detection and incident response. It leverages the company's cloud platform's response capabilities - patching, fixing misconfigurations, killing processes and network connections, and quarantining hosts - to comprehensively remediate cyber security threats identified by Qualys' XDR.

Compliance

Policy Compliance (PC): PC performs automated security configuration assessments on IT systems throughout a network, helping to reduce risk and continuously ensure compliance with internal policies and external regulations. PC leverages out-of-the-box library content to fast-track compliance assessments using industry-recommended best practices. PC also provides a centralized, interactive console for specifying baseline standards for different hosts. By automating requirement evaluation against multiple standards for operating systems, network devices, databases and server applications, PC enables the quick identification of security issues and works to prevent configuration drift. PC works to prioritize and track remediation and exceptions, while demonstrating a repeatable auditable process for compliance management.

File Integrity Monitoring (FIM): FIM logs and centrally tracks file change events on common enterprise operating systems in organizations of all sizes.
FIM provides customers with a simple way to achieve centralized cloud-based visibility of activity resulting from normal patching and administrative tasks, change control exceptions or violations, or malicious activity - then reports on that system activity as part of compliance mandates. FIM collects the critical details needed to quickly identify changes and root out activity that violates policy or is potentially malicious. FIM helps customers to comply with change control policy enforcement and change monitoring requirements.

Cloud Security

Qualys TotalCloud is a Cloud-Native Application Protection Platform (CNAPP), which provides an integrated suite of security capabilities designed for multi-cloud environments. It provides complete visibility and cyber-risk exposure assessment across cloud assets, enabling continuous discovery and monitoring of the cloud landscape to identify risks and maintain compliance. With its FlexScan technology, TotalCloud offers comprehensive assessment features that include no-touch, agentless, API, and snapshot-based scanning, along with agent and network-based scanning for thorough vulnerability detection. The TruRisk component allows for a unified risk view, correlating vulnerabilities, security controls, and compliance across resources to prioritize and reduce cyber risks effectively. For real-time defense, TotalCloud's InstaProtect continuously monitors all cloud assets to detect and protect against evolving and unknown threats. Remediation is streamlined through the company's QFlow technology, which provides no-code, drag-and-drop workflows for efficient vulnerability management.
TotalCloud provides organizations with an all-encompassing solution, delivering fast, agentless, real-time security and compliance across a variety of use cases, including Cloud Workload Protection (CWP), Cloud Detection and Response (CDR), Cloud Security Posture Management (CSPM), Infrastructure as Code (IaC), and Container Security (CS) to offer organizations a single unified solution for comprehensively securing their cloud and multi-cloud environments.

Free Services

The company also offers organizations of all sizes free security and compliance services based on its cloud platform:

Qualys Global AssetView app automatically creates a continuous, real-time inventory of known and unknown assets throughout a user's global IT footprint across on-premises, endpoints, cloud, containers, and mobile environments. The app also automatically normalizes and categorizes assets to ensure clean, reliable, and consistent data. In-depth asset details provide fine-grained visibility on the system, services, installed software, network, and users. It also detects any device that connects to a user's networks, via passive scanning technology. Upon an unknown device detection, users can install a light-weight Qualys self-updating agent (3MB) to turn the device into a managed device or launch a vulnerability scan.

Qualys Certificate Inventory inventories and assesses all Internet-facing certificates to generate SSL/TLS configuration grades, identifies the certificate issuer and tracks certificate expirations to help stop expired and expiring certificates from interrupting critical business functions.

Growth Strategy

The company intends to strengthen its leadership position as a trusted provider of cloud-based IT, security and compliance solutions.
The key elements of the company's growth strategy are to continue to innovate and enhance its cloud platform and suite of solutions; expand the use of its suite of solutions by its large and diverse customer base; drive new customer growth and broaden its global reach; and selectively pursue technology acquisitions to bolster its capabilities and leadership position.

Customers

The company markets and sells its solutions to enterprises, government entities and small and medium-sized businesses across a broad range of industries, including education, financial services, government, healthcare, insurance, manufacturing, media, retail, technology and utilities. As of December 31, 2023, the company had over 10,000 customers worldwide, including a majority of the Forbes Global 100. The company sells its solutions to enterprises and government entities primarily through its field sales force and to small and medium-sized businesses through its inside sales force. The company generates a significant portion of sales through its channel partners, including managed security service providers, value-added resellers and consulting firms in the United States and internationally.

Sales and Marketing

Sales

The company markets and sells its IT, security and compliance solutions to customers directly through its sales teams, as well as indirectly through its network of channel partners. The company's global sales force is organized into a field sales team, which focuses on enterprises, generally including organizations with employees, and an inside sales team, which focuses on small to medium-sized businesses, which generally include organizations. Both the company's field and inside sales teams are divided into three geographic regions, the Americas; Europe, Middle East and Africa; and the Asia-Pacific. The company also further assigns each of its sales teams into groups that focus on adding new customers or managing relationships with existing customers.
The company's channel partners maintain relationships with their customers throughout the territories in which they operate and provide their customers with services and third-party solutions to help meet those customers' evolving security and compliance requirements. As such, these partners offer its IT, security and compliance solutions in conjunction with one or more of their own products or services and act as a conduit through which the company can connect with these prospective customers to offer its solutions. The company's channel partners include security consulting organizations, leading cloud providers, managed service providers and resellers. For sales involving a channel partner, the channel partner engages with the prospective customer directly and involves the company's sales team as needed to assist in developing and closing an order. When a channel partner secures a sale, the company sells the associated subscription to the channel partner who in turn resells the subscription to the customer, with the channel partner earning a fee based on the total value of the order. Once the order is completed, the company provides these customers with direct access to its solutions and other associated back-office applications, enabling it to establish a direct relationship as part of ensuring customer satisfaction with its solutions. In 2023, 43% of the company's revenues were generated by channel partners.

Marketing

The company's marketing programs include a variety of online marketing, advertising, conferences, events, public relations activities and web-based seminar campaigns targeted at key decision makers within its prospective customers. The company has a number of marketing initiatives to build awareness and encourage customer adoption of its solutions.
The company offers free trials and services to allow prospective customers to experience the quality of its solutions, to learn in detail about the features and functionality of its cloud platform, and to quantify the potential benefits of its solutions.

Customer Support

Qualys Support delivers 24x7x365 day customer technical support from global centers located in Foster City, California; Raleigh, North Carolina; and Pune, India. The company recruits senior level technical personnel and trained subject matter experts who work closely with engineering and operations personnel to resolve issues quickly. The company's IT, security and compliance solutions can be deployed easily and are designed to be implemented and operated without the need for significant professional services. The company also offers various training programs as part of its subscriptions to all of its customers. In addition, the company leverages the insights drawn from its customers to further improve the functionality of its IT, security and compliance solutions.

Shared Cloud Platform Agreements

The company's shared cloud platform operations are provided by large third-party vendors and are located in the United States, Canada, Switzerland, the Netherlands, United Arab Emirates, Australia, United Kingdom, Italy, the Kingdom of Saudi Arabia and India. The company's shared cloud platform agreements have varying terms through 2027.

Competition

The company competes with large and small public companies, such as Broadcom (Symantec Enterprise Security), CrowdStrike, Palo Alto Networks, Rapid7, and Tenable Holdings, as well as privately held security providers including Axonius, Checkmarx, Flexera, Invicti, Ivanti, Tanium, HelpSystems (Tripwire), Trustwave Holdings, Veracode and Wiz.
Intellectual Property

The company relies on a combination of trade secrets, copyrights, patents and trademarks, as well as contractual protections, to establish and protect its intellectual property rights and protect its proprietary technology. As of December 31, 2023, the company had thirty-six issued patents, which expire from 2029 to 2042, several pending U.S. patent applications and an exclusive license to four U.S. patents. The company has a number of registered and unregistered trademarks. The company requires its employees, consultants and other third parties to enter into confidentiality and proprietary rights agreements and controls access to software, documentation and other proprietary information.

History

Qualys, Inc. was founded in 1999. The company was incorporated in the state of Delaware in 1999.

Country
Industry:
Prepackaged software
Founded:
1999
IPO Date:
09/28/2012
ISIN Number:
I_US74758T3032
Address:
919 East Hillsdale Boulevard, 4th Floor, Foster City, California, 94404, United States
Phone Number:
650 801 6100

Key Executives

CEO:
Thakar, Sumedh
CFO:
Kim, Joo Mi
COO:
Data Unavailable