September 25, 2022 - 4:20pm EST by
Price: 141.42
Shares Out. (in M): 38
Market Cap (in $M): 5,425
Net Debt (in $M): 0
TEV (in $M): 0

            2022   2023
EPS         0      0
P/E         0      0
P/FCF       0      0
EBIT        0      0
TEV/EBIT    0      0



 *Please pardon poor formatting, pasting from a doc*


The Vulnerability management segment within the cyber security software industry is a good neighbourhood.


Security is an interesting space: threats clearly increase in number and cost, leading to market size increases (average cost of a breach ~$10m), but investing directly in a particular cyber security product is risky, as threats evolve too fast for any solution to maintain superiority, and product cycles are as a result much shorter than at typical SaaS companies.


I think a good tactic to play this market dynamic is to go one derivative off cyber security infrastructure: vulnerability management (VM), which is the first line of defence against cyber security threats.


What is VM?

At its core, VM monitors the network and asset base (endpoints such as laptops, mobile devices and iPads) to detect vulnerabilities and security breaches by:

(1) scanning and monitoring assets to detect issues and protect them

(2) assessing severity

(3) telling users what to do, or fixing the issues (sometimes automated)




VM is an emerging but the fastest-growing segment in the fragmented cybersecurity market, mainly because a prevention-is-better-than-cure policy has clear cost benefits.



VM benefits from underlying market growth. Companies are increasing their usage of VM solutions across more endpoints on their network (VM solutions are rarely adopted across the entirety of an organization’s endpoints upfront), leading to greater penetration. End markets in Mobile and IoT grow at 20-30% CAGR. Further, companies are sometimes unaware of 30-40% of the endpoints in their network.


It is recession proof: security screening is the most defensive area of CIO spend, as seen during COVID.


It has a proven return on S&M spend: Q, Tenable and Rapid7 have typically converted >70% of S&M spend into annual subscription revenue from 2016-2021, with a much higher lifetime value than the S&M expense.


It has an attractive market structure; it is consolidated among 3 players: Q, Tenable and Rapid7, despite emerging space / fast growth.



Barrier to entry


Instead of spending too much on R&D for new products, VM commoditizes its complement, the actual – good strategy in tech, and invests a lot more in S&M.


  • Higher switching costs, given asset management and awareness of endpoints, vs. identity management for iPhone or firewall/anti-virus
  • Network effects – data fed into VM produces useful data
  • Difficult to reproduce a product



What are some other quality traits?

  • Small cost of overall cost structure
  • Mission critical
  • Sticky recurring revenue –
  • Sold with cloud providers, mid 90s% retention rate
  • Net dollar revenue >100% with expansion
  • Rule of 40 – 60% (revenue growth % + EBITDA margin)
  • Financials:
      ◦ High margins – 47% EBITDA
      ◦ Low labor intensity
      ◦ Low capex
      ◦ High incremental margins as revenue scales / operating leverage




Why is it an attractive M&A target?


One, the company can be vertically integrated: it can be acquired by a security major as a lead-in to its suite of products, with Qualys offered as a bundle and loss leader.


There are many exit buyers, including Cisco, Crowdstrike (its multiple makes it accretive) and ServiceNow (ITSM expanding into VM and Observability and Mining).


The second, not mutually exclusive, strategic step is to reposition the company for Observability & Monitoring upside, i.e. software that is used to evaluate software: “being able to ask arbitrary questions about your environment without having to know ahead of time what you wanted to ask.” At near its peak, Crowdstrike was trading at 54x sales.


Qualys 1

  • + Qualys traits / is a leader
      ◦ Product scores well on KPC: ease of integration with systems, ease of use/user interface, and willingness to pay a premium price
          ▪ Strategy that drives stickiness and upside potential
          ▪ 100% cloud-based, 100% SaaS offering since inception
              • Important in COVID
              • Allows faster deployment, providing real-time analytics and monitoring; reduced total cost both
                  ◦ to Q (no deployment cost, driving higher margin),
                  ◦ to customers (no ongoing maintenance).
          ▪ Single App: not just VM but also asset management capability, all centered around their VMDR (Detection and Response) –
          ▪ Code base on one single user interface: good UX, strong product functionality/engineering
          ▪ This delivery mechanism and UI are important to customers/security professionals given
              • (i) increased movement of customer workloads to the cloud;
              • (ii) ease of use and time saved/avoiding having to integrate different solutions – number 1 KPC
                  ◦ particularly given the shortage of qualified in-house talent within corporate security departments (even more acute for cloud-based security, specifically).
  • Q’s broader product suite vs. its competitors, and its organic product development (vs. Tenable, which acquired many of its capabilities), provide a competitive advantage in this regard.

      ◦ Datapoints
          ▪ Expanding TAM: average number of products per customer has risen from 1.8 in Q3 2016 to 2.6 in Q3 2019, as customers continue to adopt products outside of the core VM solution
          ▪ Spending more: enterprise customers with 4+ solutions spend >5x more with Q (273k) vs. an average of 49k for customers with 1 solution
              • 13% have 5+ solutions, 26% 4+, 46% 3+; retention rates are 97% for 3+ and 99% for 4+
          ▪ Company-wide retention of 99% in 2018, including upsell
  • Sticky
      ◦ Only vendor in all of Google/Amazon/Msft Azure; cloud vendors partner with 3P to embed security features in platforms
      ◦ Cloud vendors unlikely to enter
  • Dollar retention rate is the rate of prior year Enterprise ARR (excluding upsell and downsell) averaged over the last 4 quarters
      ◦ Product development velocity, not merely extensions of the same product, to capture a larger TAM or expand it


Strong financial record and Growth Prospects


Qualys has a strong track record of revenue and earnings growth with no negative growth, strong margins (>40%) vs. peers’ negative EBITDA, and pricing power, with quarterly ASPs expanding.


In terms of growth, the market size of VM is $2bn, but adjacent markets are sized at $20-30b, which includes Endpoint security, Cloud security, IT Asset Management, Compliance, Web Application Security and VM. They are growing rapidly in the government segment – FBI using AWS since 2018, Pentagon into Azure in 2019.

Low hanging fruit – operational optimization opportunity

Ops intervention - Q has more S&M efficiency than Tenable and Rapid7, but is among the lowest in S&M spend and revenue growth in its peer group.


New CEO Sumedh has 18 years of experience and a SWE background, and is seen as an organic, operational CEO vs. the previous CEO and founder, Philippe Courtot; unfortunate as his departure may be, it is good for the company.


For example, Courtot’s view was that the technical account engineers should sell; there was no commission structure that scaled with sales, and salespeople were paid less than at Tenable/Rapid7.


They have no CMO, invest very little in product marketing, brand advertising and trade shows, and only just hired a Chief Revenue Officer; Philippe Courtot used to handle marketing.


There is also a huge channel optimization strategy. Q largely relies on small channel partners; while channel is increasing as a % of sales (now 40%, previously 10%), it is still under 50%, whereas Tenable is at 90%. Why are channel partners important? They have aligned incentives, help customers develop bundled, comprehensive offerings, and have a far wider reach than a direct sales force.


Lastly, there is a large pricing optimization and middle market opportunity.


Q currently does not change product pricing (with rare exceptions), even when a given product is delivered to a mid-market client, which generally requires less after-sales support and, thus, is expected to carry a higher incremental margin vs. enterprise customers.

The low level of sales enablement has further increased salesforce churn and resulted in lower average tenure.

Given Q’s product scalability, a multi-tiered pricing package catering to different market segments/product requirements (e.g., a lower-priced offering aimed at the mid-market, with less after-sales support) would help it grow outside its core enterprise segment.



What do you need to believe?

  • Sales grow at ~15% - market looks to grow at ~17%
  • EBITDA margin – 48%
  • FCF ~40-50% margin, YTD 47% vs 44% same period last year
  • Fundamentals-wise,
      ◦ You need to believe that VM is a high-growth, attractive segment of cyber security with long-term tailwinds
      ◦ Q is a high-quality, market-leading asset
  • For a takeover, you need to believe that
      ◦ There is significant scope for operating intervention not realizable in public markets
      ◦ Q has more S&M efficiency than competitors Tenable and Rapid7, but is among the lowest in S&M spend and revenue growth in its peer group.

Competitive landscape


The overall picture is that Qualys is better than its nearest competitors, Tenable and Rapid7, on a few dimensions:

  • Profitability - Tenable is not profitable; Rapid7 is profitable but has less pricing power
      ◦ Reason: Tenable and Rapid7 invested a lot more in S&M, producing higher revenue growth at the expense of profitability
      ◦ Q has benefited significantly from operating expense leverage and now generates 43% EBITDA margins; Tenable’s OpEx has grown more closely in line with revenue, and it remains unprofitable (36% OpEx CAGR vs 39% revenue CAGR)
  • % Subscription revenue
      ◦ Q is the only 100% SaaS, cloud-based VM platform in an integrated security stack
      ◦ Tenable has about 85% subscription revenue; Rapid7 has 65%
  • Market share
      ◦ Most of Rapid7 displacement is via Tenable in the mid-market segment
  • Target Market
      ◦ EM focused, emerging SMB offering
  • M&A - Tenable has grown largely through M&A vs less so for Rapid7 and Q
  • Product -
      ◦ Q is fundamentally a higher-quality product given its cloud-based model and broader capabilities
      ◦ Target customer - a tech-savvy customer who likes a customized, highly functional product
  • Strategy - Qualys is looking to its Cloud Agent; RPD is going down the Analytics route: Incident Detection & Response (what do we do once the bad guys get in?).




I do not hold a position with the issuer such as employment, directorship, or consultancy.
I and/or others I advise do not hold a material investment in the issuer's securities.


Profitable earnings growth

Multiple re-rating as market recognizes quality

Continued market share gains

Potential take-private by PE
