Qualys : Q1 FY 2024 Investor Presentation

Investor Presentation

SecurityandCompliancefortheDigitalTransformation

Sumedh Thakar, President and CEO

Joo Mi Kim, CFO

May 7, 2024

Safe harbor

This presentation includes forward-looking statements within the meaning of the federal securities laws. Forward-looking statements generally relate to future events or our future financial or operating performance. Forward-looking statements in this presentation include, but are not limited to, the following list:

• our business and financial performance and expectations for future periods, including the rate of growth of our business and market share gains;
• our expectations regarding our Qualys Enterprise TruRisk Platform and the benefits and capabilities of our platform;
• our expectations regarding the growth, benefits and market acceptance of the Qualys Enterprise TruRisk Platform;
• our total addressable market;
• our expectations regarding the timing of future products and features;
• the benefits of our new and upcoming products, features, integrations, collaborations and joint solutions;
• our strategy and our business model and our ability to execute such strategy;
• our guidance for revenues, EBITDA margin, capital expenditure, GAAP EPS and non-GAAP EPS for the second quarter and full year 2024; and
• our expectations for the number of weighted average diluted shares outstanding and the GAAP and non-GAAP effective income tax rate for the second quarter and full year 2024.

Our expectations and beliefs regarding these matters may not materialize, and actual results in future periods are subject to risks and uncertainties that could cause actual results to differ materially from those projected. These risks include:

• our ability to continue to develop platform capabilities and solutions;
• the ability of our platform and solutions to perform as intended;
• customer acceptance and purchase of our existing solutions and new solutions;
• real or perceived defects, errors or vulnerabilities in our products or services;
• our ability to retain existing customers and generate new customers;
• the budgeting cycles and seasonal buying patterns of our customers, and the length of our sales cycle;
• the general market, political, economic and business conditions in the United States as well as globally;
• our ability to manage costs as we increase our customer base and the number of our platform solutions;
• the cloud solutions market for IT security and compliance not increasing at the rate we expect;
• competition from other products and services;
• fluctuations in currency exchange rates;
• unexpected fluctuations in our effective income tax rate on a GAAP and non-GAAP basis;
• our ability to effectively manage our rapid growth and our ability to anticipate future market needs and opportunities; and
• any unanticipated accounting charges.

These additional risks include those set forth in our filings with the Securities and Exchange Commission, including our latest Form 10-Q and 10-K. The forward-looking statements in this presentation are based on information available to us as of today, and we disclaim any obligation to update any forward-looking statements, except as required by law. We also remind you that this presentation will include a discussion of GAAP and non-GAAP financial measures. The non-GAAP financial measures are not intended to be considered in isolation or as a substitute for results prepared in accordance with GAAP. The GAAP financial measures, and a reconciliation of the non-GAAP financial measures discussed in this presentation to the most directly comparable GAAP financial measures are included in the appendix of this presentation.

2

Investment highlights

Industry-leading cloud security and compliance platform for comprehensive risk management

Multiple levers of recurring revenue growth

Scalable business model and industry- leading profitability

Uniquely positioned to capitalize on stack consolidation and cloud transformation

3

Challenges of measuring and reducing risk

With every tool measuring risk differently, what are the top 10 Risks?

	Disparate Security Tools
SaaS	Code

IT / IOT

Vuln Management

Applications

Public Cloud

Data

Disparate Measurement Tools

Qualitative

Severe / Critical	Category 1,2,3 etc..
Urgent / Low	Medium / High
Pass / Fail

Quantitative

10, 50, 100

1-5

CVSS

1-10

4

Extending the security eco system

Multiple siloed tools send endless alerts

Network

Exposures

Cloud

Misconfiguration

Excessive IAM

Permissions

Application

Vulnerabilities

Suspicious

Behavior

API

out-

of-the-box connectors

CSV

file uploads

REST

APIs

Qualys Enterprise

TruRisk Platform

Aggregates and Normalizes

Siloed Data Points

Discovers, Quantifies, and

Prioritizes Risk

Integrated, Actionable, and

Automated Risk Reduction

and Remediation

Collects, unifies and correlates risk factors with threat and business context to holistically measure risk

Communicates risk and insights in terms of business impact

Seamlessly recommends and comprehensively reduces cyber and business risk

5

The Enterprise TruRisk Platform

End-to-End Cyber Risk Management

Qualys TruRisk™

A natively integrated single agent, single source of truth

Discover all assets,

including external assets with business context

Asset

Management

Detect and prioritize vulnerabilities, misconfigurations

according to TruRisk

Vulnerability &

Configuration

Management

Remediate cyber risk

with automated patching and intelligent workflows

Risk

Remediation

Monitor, detect, respond and prevent

threats with risk and business context

Threat

Detection

Response

Enforce and report on compliance, audit-

ready

Compliance

AI/ML

PLATFORM SERVICES

1st Party	API	LIGHTWEIGHT			SENSORS		3rd Party
OSS				Data
	AGENT
	APPLICATIONS	OPERATING SYSTEMS	CLOUD / CONTAINERS / VMs​	IT / WORKSTATIONS / SERVERS​		IOT	EXTERNAL DEVICES

6

	Asset Management	Vulnerability	Remediation	Threat Detection	TotalCloud

The Enterprise TruRisk Platform

Cybersecurity Asset Management

Discover All Assets

Get inside-out and outside-in visibility of all assets with an attackers view of the network

Get Complete Asset Context & Visibility

Add business context, tags, enhance visibility by seamlessly integrating with CMDB's, Third Party & ITSM solutions, bring business context into asset criticality for managing risk

Identify Security Gaps

Detect EOL/EOS software, unmanaged assets, unauthorized software, missing business critical software, evaluate cyber risk per subsidiary, inventory open-source software, packages & libraries

7

Asset Management	Vulnerability	Remediation	Threat Detection	TotalCloud

The Enterprise TruRisk Platform

VMDR

Measure Cyber Risk

Quantify risk across vulnerabilities, assets, and groups of assets helping organizations proactively reduce risk exposure and track risk reduction over time with Qualys TruRisk

Communicate Cyber Risk

Communicate risk across different teams, business units and geographic locations by leveraging dashboards, reports and ITSM tools

Reduce Risk Faster

Unify security and IT threat response paths for faster remediation with seamless integration between ITSM tools and path management solutions. Automate and orchestrate operational tasks with Qualys Qflow

8

Asset Management	Vulnerability	Remediation	Threat Detection	TotalCloud

The Enterprise TruRisk Platform

Advanced Remediation

Eliminate Cyber Risk

Deploy the right remediation or mitigations based on Qualys research, Qualys TruRisk, and 25+ threat feeds

Save time and reduce MTTR

Leverage smart automation, ensure software is always up-to-date, mitigate new weaponized vulns automatically before patches are deployed, leverage virtual patching capabilities

Consolidate IT-Security Stack

Work with your SCCM, rollback mitigation when patch deployed, link

ITOps and SecOps workflows with one tool

9

Asset Management	Vulnerability	Remediation	Threat Detection

The Enterprise TruRisk Platform

Threat Detection and Response

Protect Against Zero-day threats

Leverage behavior & AI/ML-based antivirus to thwart exploits, ransomware, phishing attacks, and zero-days

Unify VM, Patching, and Endpoint Security

Correlate endpoint threats to identify vulnerabilities actively exploited in your environment with integrated patch management

Automate & Orchestrate

Comprehensive endpoint (EDR) and Cloud Detection and Response with enterprise integrations (i.e., SIEM, ITSM, CMDB)

TotalCloud

10