Services · the new software · Research Note №1 · Memo 152 of 185
Vulnerability Management / Cloud Security
QLYS
Qualys
Vulnerability + attack-surface management franchise. TotalCloud + CNAPP + AI-driven prioritisation agents are the services-as-software angle.
Positive · Rank 152 · IGV constituent
Last price: $83.17
Market cap: $3.0B
As of: 19 April 2026
Live quote sourced from Yahoo Finance. Prices cited in narrative below reflect the original memo date and may be stale.
Scores · adapted framework
Enabler: 8 / 10
Autopilot adoption: 7 / 10
Disruption risk: 5 / 10
Efficiency upside: 8 / 10
The Sequoia matrix
Intelligence / Judgment: Intelligence-heavy. Vulnerability prioritisation (TruRisk), exploit probability scoring, attack-path analysis, asset discovery are all pure intelligence tasks.
Copilot posture: Moderate. TruRisk AI copilots help security ops teams triage + prioritise. Executive dashboards + risk reporting.
Autopilot posture: Emerging. Autonomous vulnerability triage + patch orchestration in pilot at select customers. Policy-gated automation.
Data moat: Strong. Decades of vulnerability scanning data + exploit probability models + customer asset inventory is a deep moat vs. cloud-native entrants.
Execution layer: Strong. Qualys Cloud Agent + scanner runs across enterprise environments. TotalCloud handles CSPM + CWPP for cloud workloads. Execution surface is the security posture itself.
The memo
State of play · QLYS
QLYS traded near $83.2 in April 2026. FY26 revenue ~$680M, growing low-double-digits. Operating margin high-30s. FCF conversion strong. TotalCloud + VMDR + Container Security differentiated. CEO Sumedh Thakar operationally disciplined. Activist attention previously resolved.
Thesis angle
Qualys's franchise is vulnerability + exposure management — classic intelligence-heavy security work. AI agents substitute security analyst hours across triage + prioritisation + patch orchestration. TruRisk is the copilot; autonomous triage is the autopilot. Services-as-software read: vulnerability management is a natural agent workload; Qualys has the scan data + asset inventory + customer base.
The framing
Bulls see Qualys as a quality security franchise with AI agent optionality + strong margins + healthy cash flow. Bears cite Tenable (TENB) + Rapid7 + Wiz competition + cloud-native alternative growth. Services-as-software read is thesis-positive.
Two forces, opposite directions
Tailwind · Exposure management + autonomous triage + AI agents.
Security ops teams are understaffed; vulnerability + patch workloads are repetitive + intelligence-heavy. AI agents in TruRisk + patch orchestration substitute analyst hours directly. Cloud security posture management is a growth adjacency. Outcome pricing on risk reduction emerging.
TruRisk AI agent adoption growing
TotalCloud CSPM + CWPP expansion
Margin + FCF strong
Outcome pricing on risk reduction
Buyback + disciplined capital
Headwind · Tenable + Rapid7 + Wiz competition.
Tenable is a direct competitor in exposure management. Rapid7 + CrowdStrike + Wiz compete across broader security. Cloud-native security startups (Orca, Lacework) compete in CSPM. Qualys must sustain TotalCloud growth + AI differentiation.
Tenable direct competitor
Rapid7 + CrowdStrike + Wiz broader competition
Cloud-native CSPM startups (Orca, Lacework)
Growth ~low-double-digits
Net new logo growth modest
TotalCloud + outcome pricing the levers.
Qualys product surfaces
Surface | Mix | AI posture | Thesis read
VMDR (core vuln mgmt) | ~60% | TruRisk + AI triage | Thesis-core
TotalCloud (CSPM/CWPP) | ~20% | Cloud security agents | Thesis-core
Patch + Compliance | ~15% | Autonomous patching | Thesis-core
Other | ~5% | Mixed | Thesis-adjacent
All core Qualys products are thesis-aligned — agents across vulnerability, cloud, patch workflows.