What changed in QUALYS, INC.'s 2024 10-K compared to 2023?

Across the narrative sections we track, QUALYS, INC. (QLYS) added 241 paragraphs, removed 235, and edited 214 between the 2023 and 2024 10-K filings. The biggest movers are Item 1A. Risk Factors (+122/−115), Item 1. Business (+50/−53), Item 7. Management's Discussion & Analysis (+41/−43).

Did QUALYS, INC. add new Risk Factors in the 2024 10-K?

Yes — Item 1A Risk Factors shows 122 new/edited paragraphs and 115 removed paragraphs versus the 2023 10-K.

What changed in QUALYS, INC.'s MD&A (Item 7) in 2024?

Item 7 Management's Discussion & Analysis shows 41 new/edited paragraphs and 43 removed paragraphs year-over-year. Read the side-by-side diff to see exactly which revenue, margin, and outlook commentary was rewritten.

Did QUALYS, INC. update its Cybersecurity disclosure (Item 1C) in 2024?

Item 1C Cybersecurity has 11 paragraph-level changes between the 2023 and 2024 filings.

Did QUALYS, INC.'s Legal Proceedings (Item 3) change in 2024?

Item 3 shows 2 added/edited paragraphs and 2 removed paragraphs — usually indicating new litigation disclosed or settled cases removed.

Where does this QLYS 10-K diff come from?

The source filings are QUALYS, INC.'s official 2023 and 2024 Form 10-K annual reports from SEC EDGAR. 10q10k.net parses each filing, aligns paragraphs by section (Item 1, 1A, 1C, 2, 3, 7, 7A), and highlights every added, removed and edited sentence side-by-side.

What changed in QUALYS, INC.'s 10-K — 2023 vs 2024

Paragraph-level year-over-year comparison of QUALYS, INC.'s 2023 and 2024 10-K annual filings, covering the Business, Risk Factors, Legal Proceedings, Cybersecurity, MD&A and Market Risk sections. Every new, removed and edited paragraph is highlighted side-by-side so you can see exactly what management changed in the 2024 report.

+241 added−235 removedSource: 10-K (2025-02-21) vs 10-K (2024-02-22)

Top changes in QUALYS, INC.'s 2024 10-K

241 paragraphs added · 235 removed · 214 edited across 8 sections

Item 1A. Risk Factors+122 / −115 · 108 edited
Item 1. Business+50 / −53 · 45 edited
Item 7. Management's Discussion & Analysis+41 / −43 · 37 edited
Item 1C. Cybersecurity+11 / −9 · 9 edited
Item 5. Market for Registrant's Common Equity+8 / −7 · 7 edited

Item 1. Business

Business — how the company describes what it does

45 edited+5 added−8 removed98 unchanged

2023 filing

2024 filing

Biggest changeIt leverages our cloud platform's response capabilities - patching, fixing misconfigurations, killing processes and network connections, and quarantining hosts - to comprehensively remediate cyber security threats identified by Qualys’ XDR. Compliance Policy Compliance (PC): PC performs automated security configuration assessments on IT systems throughout a network, helping to reduce risk and continuously ensure compliance with internal policies and external regulations.

Biggest changeCompliance Policy Compliance (PC): PC performs automated security configuration assessments on IT systems throughout a network, helping to reduce risk and continuously ensure compliance with internal policies and external regulations. PC leverages out-of-the-box library content to fast-track compliance assessments using industry-recommended best practices. PC also provides a centralized, interactive console for specifying baseline standards for different hosts.

By Integrating WAS with manual testing tools and bug bounty solutions, customers can build a comprehensive web application vulnerability testing program. Risk Mitigation Patch Management (PM): PM provides automated patch deployment capabilities for Windows, Linux, Mac and third party software by correlating vulnerabilities and the right set of remediation including patches and configuration fixes.

By Integrating WAS with manual testing tools and bug bounty solutions, customers can build a comprehensive web application vulnerability testing program. Risk Remediation Patch Management (PM): PM provides automated patch deployment capabilities for Windows, Linux, Mac and third party software by correlating vulnerabilities and the right set of remediation including patches and configuration fixes.

CSAM includes External Attack Surface Management (EASM), which allows discovery of internet facing unknown assets. Vulnerability Management Vulnerability Management, Detection and Response (VMDR): VMDR enables organizations to automatically discover every asset in their environment, including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets.

CSAM includes External Attack Surface Management (EASM), which allows discovery of internet facing unknown assets. Vulnerability and Configuration Management Vulnerability Management, Detection and Response (VMDR): VMDR enables organizations to automatically discover every asset in their environment, including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets.

To support the health and wellness of our workforce, Qualys offers premium health coverage with minimal out-of-pocket contributions for our employees. Corporate Governance. Qualys maintains a Compensation and Talent Committee of the Board of Directors to oversee the company’s compensation policies, plans and benefits programs, and overall compensation philosophy.

To support the health and wellness of our workforce, Qualys offers premium health coverage with minimal out-of-pocket contributions for our employees. Corporate Governance. Qualys maintains a Compensation and Talent Committee of the Board of Directors to oversee our compensation policies, plans and benefits programs, and overall compensation philosophy.

Our Customers We market and sell our solutions to enterprises, government entities and small and medium-sized businesses across a broad range of industries, including education, financial services, government, healthcare, insurance, manufacturing, media, retail, technology and utilities. As of December 31, 2023, we had over 10,000 customers worldwide, including a majority of the Forbes Global 100.

Our Customers We market and sell our solutions to enterprises, government entities and small and medium-sized businesses across a broad range of industries, including education, financial services, government, healthcare, insurance, manufacturing, media, retail, technology and utilities. As of December 31, 2024, we had over 10,000 customers worldwide, including a majority of the Forbes Global 100.

Item 1. Business Overview We are a pioneer and leading provider of a cloud-based platform delivering information technology (IT), security and compliance solutions.

Item 1. Business Overview We are a leading provider of a cloud-based platform delivering information technology (IT), security and compliance solutions.

We are pursuing new customers by targeting key accounts, releasing free IT, security and compliance services and expanding both our sales and marketing organization and network of channel partners. We will continue to seek to make significant investments to encourage organizations to replace their existing security products with our cloud solutions.

We are pursuing new customers by targeting key accounts, releasing free IT, security and compliance services and enhancing both our sales and marketing organization and network of channel partners. We will continue to seek to make significant investments to encourage organizations to replace their existing security products with our cloud solutions.

The PCP is a standalone version of our multi-layer, multi-tenant services architecture and is a fully integrated turnkey solution, making it more scalable, cost effective and faster to deploy within a customer's shared cloud platform. Solutions delivered through our PCP are typically on the same subscription basis as solutions delivered through our shared platform.

The PCP is a standalone version of our multi-layer, multi-tenant services architecture and is a fully integrated turnkey solution, making it more scalable, cost effective and faster to deploy within a customer's shared cloud platform. 7 Table of Contents Solutions delivered through our PCP are typically on the same subscription basis as solutions delivered through our shared platform.

In this regard, we continue to expand our sales execution and marketing functions to increase adoption of our newly developed solutions among our existing customers. • Drive new customer growth and broaden our global reach.

In this regard, we continue to enhance our sales execution and marketing functions to increase adoption of our newly developed solutions among our existing customers. • Drive new customer growth and broaden our global reach.

With our diverse employee population, we uphold the rights to work in an environment that promotes equal opportunity and prohibits discriminatory practices against race, color, national origin, ancestry, medical condition, religious creed (including religious dress and grooming practices), marital status, registered domestic partner status, sex, sexual orientation, gender identity and expression, genetic characteristics and information, age, veteran status, 14 Table of Contents or any other protected characteristic.

None of our U.S. employees are covered by collective bargaining agreements. Employees in certain European countries and Brazil have collective bargaining arrangements at the national level. We believe our employee relations are good, and we have not experienced any work stoppages. 13 Table of Contents Compensation and Benefits Our Competitive Compensation and Benefits Policy.

None of our U.S. employees are covered by collective bargaining agreements. Employees in certain European countries and Brazil have collective bargaining arrangements at the national level. We believe our employee relations are good, and we have not experienced any work stoppages. Compensation and Benefits Our Competitive Compensation and Benefits Policy.

We intend to continue to make significant investments in research and development to extend our cloud platform’s functionality by developing new security solutions and capabilities and further enhancing our existing suite of solutions. • Expand the use of our suite of solutions by our large and diverse customer base.

We intend to continue to make significant investments in research and development to extend our cloud platform’s functionality by developing new security solutions and capabilities and further enhancing our existing suite of solutions. 10 Table of Contents • Expand the use of our suite of solutions by our large and diverse customer base.

Corrective action plans are developed for employees who may be struggling to meet his or her job responsibilities. Employee performance is considered during compensation reviews. In addition to formal reviews, our Human Resources team regularly meets with managers to check in with teams and conducts exit interviews globally.

TotalCloud provides organizations with an all-encompassing solution, delivering fast, agentless, real-time security and compliance across a variety of use cases, including Cloud Workload Protection (CWP), Cloud Detection and Response (CDR), Cloud Security Posture Management (CSPM), Infrastructure as Code (IaC), and Container Security (CS) to offer organizations a single unified solution for comprehensively securing their cloud and multi-cloud environments.

TotalCloud provides organizations with an all-encompassing solution, delivering fast, agentless, real-time security and compliance across a variety of use cases, including Cloud Workload Protection (CWP), Cloud Detection and Response (CDR), Cloud Security Posture Management (CSPM), Infrastructure as Code (IaC), SaaS Security Posture Management (SSPM), and Kubernetes and Container Security (KCS) to offer organizations a single unified solution for comprehensively securing their cloud and multi-cloud environments.

As part of its ongoing review of the performance criteria and compensation of designated key executives, the Compensation and Talent Committee also meets annually with the CEO, the Company’s principal human resources executive, and any other corporate officers as it deems appropriate. Supporting our Team and Community Talent Development and Safety.

As part of its ongoing review of the performance criteria and compensation of designated key executives, the Compensation and Talent Committee also meets annually with the CEO, our principal human resources executive, and any other corporate officers as it deems appropriate. 13 Table of Contents Supporting our Team and Community Talent Development and Safety.

At the end of the subscription term, the channel partner engages with the customer to execute a renewal order, with our sales team providing assistance as required. In 2023, 2022 and 2021, 43%, 42% and 41%, respectively, of our revenues were generated by channel partners.

At the end of the subscription term, the channel partner engages with the customer to execute a renewal order, with our sales team providing assistance as required. In 2024, 2023 and 2022, 46%, 43% and 42%, respectively, of our revenues were generated by channel partners.

It identifies unauthorized or end-of-life and end-of-service software and the absence of required security tools, and assesses the health of the attack surface. Further, CSAM enables response options with threat alerts and software removal and delivers regulatory reporting in support of the Federal Risk and Authorization Management Program ("FedRAMP"), PCI-DSS and other mandates.

This engine automatically distributes remediation tasks to IT administrators upon scan completion, tracks remediation progress and closes open tickets once patches are applied and remediation is verified in subsequent scans. • Big Data Correlation and Analytics Engine.

This engine automatically distributes remediation tasks to IT administrators upon scan completion, tracks remediation progress and closes open tickets once patches or other mitigating actions are applied and remediation is verified in subsequent scans. • Big Data Correlation and Analytics Engine.

In each of 2023, 2022 and 2021, no one customer accounted for more than 10% of our revenues. In 2023, 2022 and 2021, 60%, 60% and 61%, respectively, of our revenues were derived from customers in the United States based on our customers' billing addresses.

In each of 2024, 2023 and 2022, no one customer accounted for more than 10% of our revenues. In 2024, 2023 and 2022, 58%, 60% and 60%, respectively, of our revenues were derived from customers in the United States based on our customers' billing addresses.

Shared Cloud Platform Agreements Our shared cloud platform operations are provided by large third-party vendors and are located in the United States, Canada, Switzerland, the Netherlands, United Arab Emirates, Australia, United Kingdom, Italy, the Kingdom of Saudi Arabia and India.

As of December 31, 2023, we have thirty-six issued patents, which expire from 2029 to 2042, several pending U.S. patent applications and an exclusive license to four U.S. patents.

As of December 31, 2024, we have 42 issued patents, which expire from 2029 to 2042, several pending U.S. patent applications and an exclusive license to four U.S. patents.

As we continue to extend our cloud platform’s functionality by further developing IT, security and compliance solutions, such as Cybersecurity Asset Management and Patch Management, we expect to face additional competition in these new markets.

We also seek to replace IT, security and compliance solutions that organizations have developed internally. As we continue to extend our cloud platform’s functionality by further developing IT, security and compliance solutions, such as Cybersecurity Asset Management and Patch Management, we expect to face additional competition in these new markets.

Upon an unknown device detection, users can install a light-weight Qualys self-updating agent (3MB) to turn the device into a managed device or launch a vulnerability scan. • Qualys Certificate Inventory inventories and assesses all Internet-facing certificates to generate SSL/TLS configuration grades, identifies the certificate issuer and tracks certificate expirations to help stop expired and expiring certificates from interrupting critical business functions. 10 Table of Contents Our Growth Strategy We intend to strengthen our leadership position as a trusted provider of cloud-based IT, security and compliance solutions.

Our revenues increased to $554.5 million in 2023 from $489.7 million in 2022 and $411.2 million in 2021.

Our revenues increased to $607.6 million in 2024 from $554.5 million in 2023 and $489.7 million in 2022.

Our shared cloud platform agreements have varying terms through 2027. 12 Table of Contents Competition The expanding capabilities of our IT, security and compliance solutions have enabled us to address a growing array of opportunities in the cloud IT, security and compliance market.

Competition The expanding capabilities of our IT, security and compliance solutions have enabled us to address a growing array of opportunities in the cloud IT, security and compliance market.

As of December 31, 2023, we had 2,188 full-time employees, including 1,016 in research and development, 438 in sales and marketing, 504 in operations and customer support, and 230 in general and administrative. As of December 31, 2023, approximately 75% of our employees were located outside of the United States, with 66% of our employees located in Pune, India.

As of December 31, 2024, we had 2,400 full-time employees, including 1,144 in research and development, 474 in sales and marketing, 554 in operations and customer support, and 228 in general and administrative. As of December 31, 2024, approximately 77% of our employees were located outside of the United States, with 68% of our employees located in India.

The technology underlying our cloud infrastructure enables us to ingest, process, analyze and store a high volume of sensor data coming from our agents, scanners and passive analyzers, and correlate information at very high speeds in a distributed manner for millions of devices. 7 Table of Contents Our cloud platform is delivered to our customers via our 14 global shared cloud platforms, or via our private platform offering, Qualys Private Cloud Platform (PCP), for customers or partners that want the platform to reside within the customer's shared cloud platform.

We intend to expand our relationships with key security consulting organizations, leading cloud service providers, managed security service providers and value-added resellers to accelerate the adoption of our cloud platform. We seek to strengthen existing relationships as well as establish new relationships to increase the distribution and market awareness of our cloud platform and target new geographic regions.

We intend to enhance our relationships with key security consulting organizations, leading cloud service providers, managed security service providers, leading cloud providers and value-added resellers to accelerate the adoption of our cloud platform.

In addition to having more than 50% of the executive team from underrepresented communities, we are also continuing to improve diversity among our growing workforce, with steady increases in recent years in the percentage of women employed among our global workforce and with over half of our US-based employees from underrepresented communities.

Our objective is to continue to improve our hiring, development, advancement, and retention of diverse talent and to foster an inclusive environment. In addition to having more than 50% of the executive team from underrepresented communities, we are also continuing to improve diversity among our growing workforce, with over half of our US-based employees from underrepresented communities.

We also further assign each of our sales teams into groups that focus on adding new customers or managing relationships with existing customers. 11 Table of Contents Our channel partners maintain relationships with their customers throughout the territories in which they operate and provide their customers with services and third-party solutions to help meet those customers’ evolving security and compliance requirements.

Our channel partners maintain relationships with their customers throughout the territories in which they operate and provide their customers with services and third-party solutions to help meet those customers’ evolving security and compliance requirements.

Our customers can subscribe to one or more of our 20+ Cloud Apps based on their initial needs and expand their subscriptions over time to new areas within their organization or to additional Qualys solutions to develop a more complete understanding of their respective environment's IT, security and compliance posture and remediate cybersecurity risk.

We believe that our applications are easy to use and provide our customers with a high level of control because our applications are part of one platform, share a common user interface, utilize the same scanners and agents, access the same collected data, and leverage the same user permissions. 8 Table of Contents Our customers can subscribe to one or more of our 20+ Cloud Apps based on their initial needs and expand their subscriptions over time to new areas within their organization or to additional Qualys solutions to develop a more complete understanding of their respective environment's IT, security and compliance posture and remediate cybersecurity risk.

The key elements of our growth strategy are: • Continue to innovate and enhance our cloud platform and suite of solutions.

Our Growth Strategy We intend to strengthen our leadership position as a trusted provider of cloud-based IT, security and compliance solutions. The key elements of our growth strategy are: • Continue to innovate and enhance our cloud platform and suite of solutions.

Qualys outsources product manufacturing and recycling to suppliers and vendors that follow the highest environmental standards in the industry, such as ISO 14001.

We are committed to advancing supply chain responsibility and strive to enhance transparency and promote greater accountability in our own operations and with our suppliers. Qualys outsources product manufacturing and recycling to suppliers and vendors that follow the highest environmental standards in the industry, such as ISO 14001.

PC leverages out-of-the-box library content to fast-track compliance assessments using industry-recommended best practices. PC also provides a centralized, interactive console for specifying baseline standards for different hosts. By automating requirement evaluation against multiple standards for operating systems, network devices, databases and server applications, PC enables the quick identification of security issues and works to prevent configuration drift.

By automating requirement evaluation against multiple standards for operating systems, network devices, databases and server applications, PC enables the quick identification of security issues and works to prevent configuration drift.

Both our field and inside sales teams are divided into three geographic regions, the Americas; Europe, Middle East and Africa; and Asia-Pacific.

Both our field and inside sales teams are divided into three geographic regions, the Americas; Europe, Middle East and Africa; and Asia-Pacific. We also further assign each of our sales teams into groups that focus on adding new customers or managing relationships with existing customers.

During 2022, our workforce gradually transitioned into a hybrid work schedule, which resulted in a significant portion of our workforce working either in-person on a part-time basis, or remotely on a permanent basis. During 2023, we continued to offer this hybrid work schedule to our workforce. Our top priority remains providing support for our employees, partners, and customers.

Qualys aims to maintain a healthy work-life balance and provide resources to support our employees’ mental and physical well-being. During 2022, our workforce gradually transitioned into a hybrid work schedule, which resulted in a significant portion of our workforce working either in-person on a part-time basis, or remotely on a permanent basis.

We compete with a large and broad array of established and emerging vulnerability management vendors, compliance vendors and data security vendors in a highly fragmented and competitive environment.

We compete with a large and broad array of established and emerging vulnerability management vendors, compliance vendors and data security vendors in a highly fragmented and competitive environment. 12 Table of Contents We compete with large and small public companies, such as CrowdStrike, Palo Alto Networks, Rapid7, and Tenable Holdings, as well as privately held security providers including Invicti, Tanium, and Wiz.

When a channel partner secures a sale, we sell the associated subscription to the channel partner who in turn resells the subscription to the customer, with the channel partner earning a fee based on the total value of the order.

When a channel partner secures a sale, we sell the associated 11 Table of Contents subscription to the channel partner who in turn resells the subscription to the customer, with the channel partner retaining the margin between the price they purchase from us and the price they sell to the end user.

Our company holiday calendar includes events and festivals from many regions and religions, and we include diverse cultural initiatives throughout the year to ensure employees feel represented. Promoting a Healthy Work-life Balance. Qualys aims to maintain a healthy work-life balance and provide resources to support our employees’ mental and physical well-being.

Qualys searches the globe for top talent in an effort to recruit and hire diverse individuals with a variety of skills, experiences, and backgrounds. Our company holiday calendar includes events and festivals from many regions and religions, and we include diverse cultural initiatives throughout the year. Promoting a Healthy Work-life Balance.

In particular, our cloud-based solutions minimize the number of physical servers our customers have to deploy within their own environments, reducing energy consumption on their end. Qualys Cloud Apps, delivering rich content and dashboards visible on any device, also reduce paper and printing costs for our customers. Our Eco-Friendly Operations.

Qualys products, delivered via our multi-tenant cloud platform, enable improved environmental sustainability for our customers. In particular, our cloud-based solutions minimize the number of physical servers our customers 14 Table of Contents have to deploy within their own environments, reducing energy consumption on their end.

The Cloud Apps are self-updating, centrally managed and tightly integrated, and cover a broad range of functionality in areas such as asset management, vulnerability management, risk mitigation, threat detection and response, compliance and cloud security solutions. 8 Table of Contents We believe that our applications are easy to use and provide our customers with a high level of control because our applications are part of one platform, share a common user interface, utilize the same scanners and agents, access the same collected data, and leverage the same user permissions.

The Cloud Apps are self-updating, centrally managed and tightly integrated, and cover a broad range of functionality in areas such as asset management, vulnerability and configuration management, risk remediation, threat detection and response, compliance and cloud security solutions.

Our environmental, health and safety systems, processes and tools in place across our footprint enable Qualys to meet or exceed governmental and industry requirements. We strive to consistently improve how we operate our platforms in energy-efficient networks and data centers as well as pursue sustainability initiatives that reduce energy, waste and materials consumption.

We strive to consistently improve how we operate our platforms in energy-efficient networks and data centers as well as pursue sustainability initiatives that reduce energy, waste and materials consumption. We have 14 multi-tenant platforms across the world, six of which are in collocated facilities. The others are hosted in public cloud environments.

We require our employees and managers to participate in myriad training programs directed at maintaining a harassment-free, diverse, and secure workplace.

Our employees participated in environmental initiatives such as World Environment Day that encourage awareness and action for the protection of the environment, in addition to taking part in local clean-up activities across the world. Training and Development Employee Training. We require our employees and managers to participate in myriad training programs directed at maintaining a harassment-free, diverse, and secure workplace.

In addition, most of our third-party providers continue to advance their own sustainability programs to reduce their environmental impact. Environmental Standards Within Supply Chain . We are committed to advancing supply chain responsibility and strive to enhance transparency and promote greater accountability in our own operations and with our suppliers.

Though data centers are inherently energy-intensive, utilizing collocated facilities allows us to leverage economies of scale for power and cooling. In addition, most of our third-party providers continue to advance their own sustainability programs to reduce their environmental impact. Environmental Standards Within Supply Chain .

We value the communities that support our operations and have several company and employee-led initiatives to support the communities in which we operate. In 2023, our efforts were centered on advancing education, gender equality, and environmental initiatives. Training and Development Employee Training.

During 2024, we continued to offer this hybrid work schedule to our workforce. Our top priority remains providing support for our employees, partners, and customers. Community Engagement . We value the communities that support our operations and have several company and employee-led initiatives to support the communities in which we operate.

Removed

Context Extended Detection and Response (XDR): XDR provides context and clarity to enterprise security operations through risk-focused, single pane of glass visibility and control to improve enterprise-wide threat detection and incident response.

Added

Our cloud platform is delivered to our customers via our 14 global shared cloud platforms, or via our private platform offering, Qualys Private Cloud Platform (PCP), for customers or partners that want the platform to reside within the customer's shared cloud platform.

Removed

In 2021, we acquired certain intangible assets of Kandor Soft Labs Private Ltd. (TotalCloud), strengthening our cloud security solution by allowing customers to build user-defined workflows for custom policies and execute them on-demand for simplified security and compliance.

Added

Patch Management is a component of Qualys' TruRisk Eliminate suite of remediation solutions. TruRusk Eliminate encompasses a broad range of remediation capabilities for organizations when patches are not yet available or feasible to deploy.

Removed

We compete with large and small public companies, such as Broadcom (Symantec Enterprise Security), CrowdStrike, Palo Alto Networks, Rapid7, and Tenable Holdings, as well as privately held security providers including Axonius, Checkmarx, Flexera, Invicti, Ivanti, Tanium, HelpSystems (Tripwire), Trustwave Holdings, Veracode and Wiz. We also seek to replace IT, security and compliance solutions that organizations have developed internally.

Added

We seek to strengthen existing relationships as well as establish new relationships to increase the distribution and market awareness of our cloud platform and target new geographic regions.

Removed

Our objective is to continue to improve our hiring, development, advancement, and retention of diverse talent and to foster an inclusive environment.

Added

In 2024, our efforts were centered on advancing education, technology, local communities, and environmental initiatives. For example, we provided scholarships for women in Science, Technology, Engineering, and Mathematics (STEM), partnered with nonprofit organizations to provide back-to-school backpacks to underserved youth in our community, and donated to food drives and holiday fundraisers to support local families in need, among other initiatives.

Removed

Qualys is focused on building a pipeline of diverse candidates across all our job functions. We define diversity as underrepresented job seekers, like women, minorities, people with disabilities, older workers, and LGBTQIA+ community members. Qualys searches the globe for top talent in an effort to recruit and hire diverse individuals with a variety of skills, experiences, and backgrounds.

Added

Qualys Cloud Apps, delivering rich content and dashboards visible on any device, also reduce paper and printing costs for our customers. Our Eco-Friendly Operations. Our environmental, health and safety systems, processes and tools in place across our footprint enable Qualys to meet or exceed governmental and industry requirements.

Removed

We are fortunate that the nature of our business allows us to successfully operate in this dynamic hybrid environment. We believe that our hybrid policy will be a key enabler to support the broad needs of critical on-site to remote employees. Community Engagement .

Removed

Qualys India also conducts an assimilation program for new employees, through which feedback is collected as employees join the company. Sustainable Business Operations Our Sustainable Solutions. Qualys products, delivered via our multi-tenant cloud platform, enable improved environmental sustainability for our customers.

Removed

We have 14 multi-tenant platforms across the world, eight of which are in collocated facilities. The others are hosted in public cloud environments. Though data centers are inherently energy-intensive, utilizing collocated facilities allows us to leverage economies of scale for power and cooling.

Item 1A. Risk Factors

Risk Factors — what could go wrong, per management

108 edited+14 added−7 removed223 unchanged

2023 filing

2024 filing

Biggest changeOur operating results have historically varied from period to period, and we expect that they will continue to do so as a result of a number of factors, many of which are outside of our control, including: • the level of demand for our solutions, from both existing and new customers; • the extent to which customers subscribe for additional solutions; • changes in customer renewals of our solutions; • timing of deals signed within the applicable fiscal period; • seasonal buying patterns of our customers; • timely invoicing or changes in billing terms of customers; • the length of our sales cycle for our products and services; • price competition; • the timing and success of new product or service introductions by us or our competitors or any other changes in the competitive landscape of our industry, including consolidation among our competitors; • the introduction or adoption of new technologies that compete with our solutions; • decisions by potential customers to purchase IT, security and compliance products or services from other vendors; • general economic conditions, both domestically and in the foreign markets in which we sell our solutions; • changes in foreign currency exchange rates; • changes in the growth rate of the IT, security and compliance market; • actual or perceived security breaches and incidents, technical difficulties or interruptions with our service; • failure of our products and services to operate as designed; • publicity regarding security breaches and incidents generally and the level of perceived threats to IT security; • the announcement or adoption of new regulations and policy mandates or changes to existing regulations and policy mandates; • the amount and timing of operating costs and capital expenditures related to the operations and expansion of our business; • pace and cost of hiring employees; • expenses associated with our existing and new products and services; • the timing of sales commissions relative to the recognition of revenues; • insolvency or credit difficulties confronting our customers, affecting their ability to purchase or pay for our solutions; • our ability to integrate any products or services that we have acquired or may acquire in the future into our product suite or migrate existing customers of any companies that we have acquired or may acquire in the future to our products and services; • future accounting pronouncements or changes in our accounting policies; • our effective tax rate, changes in tax rules, tax effects of infrequent or unusual transactions, and tax audit settlements; • the amount and timing of income tax that we recognize resulting from stock-based compensation; • the timing of expenses related to the development or acquisition of technologies, services or businesses; and • potential goodwill and intangible asset impairment charges associated with acquired businesses. 16 Table of Contents Further, the interpretation and application of international laws and regulations in many cases is uncertain, and our legal and regulatory obligations in foreign jurisdictions are subject to frequent and unexpected changes, including the potential for various regulatory or other governmental bodies to enact new or additional laws or regulations or to issue rulings that invalidate prior laws or regulations.

Biggest changeOur operating results have historically varied from period to period, and we expect that they will continue to do so as a result of a number of factors, many of which are outside of our control, including: • the level of demand for our solutions, from both existing and new customers; • the extent to which customers subscribe for additional solutions; • changes in customer renewals of our solutions; • timing of deals signed within the applicable fiscal period; • seasonal buying patterns of our customers; • timely invoicing or changes in billing terms of customers; • the length of our sales cycle for our products and services; 15 Table of Contents • price competition; • the timing and success of new product or service introductions by us or our competitors or any other changes in the competitive landscape of our industry, including consolidation among our competitors; • the introduction or adoption of new technologies that compete with our solutions; • decisions by potential customers to purchase IT, security and compliance products or services from other vendors; • general economic conditions, both domestically and in the foreign markets in which we sell our solutions; • changes in foreign currency exchange rates; • changes in the growth rate of the IT, security and compliance market; • actual or perceived security breaches and incidents, technical difficulties or interruptions with our service; • failure of our products and services to operate as designed; • publicity regarding security breaches and incidents generally and the level of perceived threats to IT security; • the announcement or adoption of new regulations and policy mandates or changes to existing regulations and policy mandates; • the amount and timing of operating costs and capital expenditures related to the operations and expansion of our business; • pace and cost of hiring employees; • expenses associated with our existing and new products and services; • the timing of sales commissions relative to the recognition of revenues; • insolvency or credit difficulties confronting our customers, affecting their ability to purchase or pay for our solutions; • our ability to integrate any products or services that we have acquired or may acquire in the future into our product suite or migrate existing customers of any companies that we have acquired or may acquire in the future to our products and services; • future accounting pronouncements or changes in our accounting policies; • our effective tax rate, changes in tax rules, tax effects of infrequent or unusual transactions, and tax audit settlements; • the amount and timing of income tax that we recognize resulting from stock-based compensation; • the timing of expenses related to the development or acquisition of technologies, services or businesses; and • potential goodwill and intangible asset impairment charges associated with acquired businesses.

If so, in addition to the possibility of regulatory investigations and enforcement actions, fines, lawsuits and other claims, other forms of injunctive or operations-limiting relief, and damage to our reputations and loss of goodwill, we could be required to fundamentally change our business activities and practices or modify our solutions and may face limitations in our ability to develop new solutions and features, any of which could have an adverse effect on our business.

If so, in addition to the possibility of regulatory investigations and enforcement actions or other proceedings, fines, lawsuits and other claims, other forms of injunctive or operations-limiting relief, and damage to our reputations and loss of goodwill, we could be required to fundamentally change our business activities and practices or modify our solutions and may face limitations in our ability to develop new solutions and features, any of which could have an adverse effect on our business.

Similarly, the California Consumer Privacy Act (“CCPA”) requires covered companies to, among other things, provide new disclosures to California consumers and affords such consumers new rights to opt-out of certain sales of personal information. The CCPA also creates a private right of action for statutory damages for certain breaches of information.

Similarly, the California Consumer Privacy Act (“CCPA”) requires covered companies to, among other things, provide certain disclosures to California consumers and affords such consumers rights to opt-out of certain sales of personal information. The CCPA also creates a private right of action for statutory damages for certain breaches of information.

On each of October 30, 2018, October 30, 2019, May 7, 2020, February 10, 2021 and February 9, 2023, we announced that our board of directors had authorized an increase of $100.0 million, and on each of November 3, 2021 and May 4, 2022, we announced that our board of directors had authorized an increase of $200.0 million to the share repurchase program.

On each of October 30, 2018, October 30, 2019, May 7, 2020, February 10, 2021 and February 9, 2023, we announced that our board of directors had authorized an increase of $100.0 million, and on each of November 3, 2021, May 4, 2022 and February 7, 2024, we announced that our board of directors had authorized an increase of $200.0 million to the share repurchase program.

We cannot predict the impact of the CCPA, CPRA, or other evolving privacy and data protection obligations on our business or operations, but they may require us to modify our data processing practices and policies and incur substantial costs and expenses in an effort to comply.

We cannot predict the impact of the CCPA, CPRA, or other evolving privacy, data protection and cybersecurity obligations on our business or operations, but they may require us to modify our data processing practices and policies and incur substantial costs and expenses in an effort to comply.

In the United States, these include, for example, rules and regulations promulgated under the authority of the Federal Trade Commission, the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act, and state breach notification laws.

The trading price of our common stock has been, and may continue to be, subject to significant fluctuations in response to a number of factors, most of which we cannot predict or control, including: • announcements of new solutions, services or technologies, commercial relationships, acquisitions or other events by us or our competitors; • fluctuations in stock market prices and trading volumes of securities of similar companies; • general market conditions and overall fluctuations in U.S. equity markets; • variations in our operating results, or the operating results of our competitors; • changes in our financial guidance or securities analysts’ estimates of our financial performance; 33 Table of Contents • changes in accounting principles; • sales of large blocks of our common stock, including sales by our executive officers, directors and significant stockholders; • additions or departures of any of our key personnel; • announcements related to litigation; • changing legal or regulatory developments in the United States and other countries; and • discussion of us or our stock price by the financial press and in online investor communities.

The trading price of our common stock has been, and may continue to be, subject to significant fluctuations in response to a number of factors, most of which we cannot predict or control, including: • announcements of new solutions, services or technologies, commercial relationships, acquisitions or other events by us or our competitors; • fluctuations in stock market prices and trading volumes of securities of similar companies; • general market conditions and overall fluctuations in U.S. equity markets; • variations in our operating results, or the operating results of our competitors; • changes in our financial guidance or securities analysts’ estimates of our financial performance; • changes in accounting principles; • sales of large blocks of our common stock, including sales by our executive officers, directors and significant stockholders; • additions or departures of any of our key personnel; • announcements related to litigation; • changing legal or regulatory developments in the United States and other countries; and • discussion of us or our stock price by the financial press and in online investor communities.

These provisions include: • authorizing “blank check” preferred stock, which could be issued by our board of directors without stockholder approval and may contain voting, liquidation, dividend and other rights superior to our common stock, which would increase the number of outstanding shares and could thwart a takeover attempt; • a classified board of directors whose members can only be dismissed for cause; • the prohibition on actions by written consent of our stockholders; • the limitation on who may call a special meeting of stockholders; • the establishment of advance notice requirements for nominations for election to our board of directors or for proposing matters that can be acted upon at stockholder meetings; and • the requirement of at least two-thirds of the outstanding capital stock to amend any of the foregoing second through fifth provisions.

These provisions include: • authorizing “blank check” preferred stock, which could be issued by our board of directors without stockholder approval and may contain voting, liquidation, dividend and other rights superior to our common stock, which would increase the number of outstanding shares and could thwart a takeover attempt; • a classified board of directors whose members can only be dismissed for cause; • the prohibition on actions by written consent of our stockholders; • the limitation on who may call a special meeting of stockholders; 34 Table of Contents • the establishment of advance notice requirements for nominations for election to our board of directors or for proposing matters that can be acted upon at stockholder meetings; and • the requirement of at least two-thirds of the outstanding capital stock to amend any of the foregoing second through fifth provisions.

Our platform, website and internal systems may be subject to intentional disruption or other security incidents that could result in liability and adversely impact our reputation and future sales.

Our platform, products, website and internal systems may be subject to intentional disruption or other security incidents that could result in liability and adversely impact our reputation and future sales.

In addition, continued governmental budgetary challenges in the United States and Europe, inflationary pressures and potential for a recession, and geopolitical turmoil in many parts of the 19 Table of Contents world, including the ongoing military conflicts in parts of Eastern Europe and the Middle East, and other disruptions to global and regional economies and markets in many parts of the world, as well as uncertainties related to changes in public policies such as domestic and international regulations, taxes or international trade agreements, have and may continue to put pressure on global economic conditions and overall spending on IT security and may further increase inflation, both in the U.S. and globally, which could increase our operating costs in the future and reduce overall spending on IT security.

In addition, continued governmental budgetary challenges in the United States and Europe, inflationary pressures and potential for a recession, and geopolitical turmoil in many parts of the world, including the ongoing military conflicts in parts of Eastern Europe and the Middle East, and other disruptions to global and regional economies and markets in many parts of the world, as well as uncertainties related to changes in public policies such as domestic and international regulations, taxes or international trade agreements, have and may continue to put pressure on global economic conditions and overall spending on IT security and may further increase inflation, both in the U.S. and globally, which could increase our operating costs in the future and reduce overall spending on IT security.

The loss of the services of our senior management or other key employees for any reason could significantly delay or prevent the achievement of our development and strategic objectives and harm our business, financial condition and results of operations. 25 Table of Contents If we are unable to hire, retain and motivate qualified personnel, our business may suffer.

The loss of the services of our senior management or other key employees for any reason could significantly delay or prevent the achievement of our development and strategic objectives and harm our business, financial condition and results of operations. 24 Table of Contents If we are unable to hire, retain and motivate qualified personnel, our business may suffer.

The Tax Cuts and Jobs Act of 2017 introduced a Base Erosion and Anti-Abuse Tax which imposes a minimum tax on adjusted income of corporations with average applicable gross receipt of at least $500 million for prior three tax years and that make certain payments to related foreign persons.

The Tax Cuts and Jobs Act of 2017 (or "TCJA") introduced a Base Erosion and Anti-Abuse Tax which imposes a minimum tax on adjusted income of corporations with average applicable gross receipt of at least $500 million for prior three tax years and that make certain payments to related foreign persons.

These facilities are vulnerable to damage or interruption from earthquakes, hurricanes, floods, fires, cybersecurity attacks, terrorist attacks, employee negligence, power losses, telecommunications failures and similar events. The facilities also could be subjec t to break-ins, sabotage, intentional acts of vandalism and other misconduct.

These facilities are vulnerable to damage or interruption from earthquakes, hurricanes, floods, fires, cybersecurity attacks, terrorist attacks, employee negligence, power losses, technical errors, telecommunications failures and similar events. The facilities also could be subjec t to break-ins, sabotage, intentional acts of vandalism and other misconduct.

If applicable in the future, these could have an impact on our financial results, the extent of which is currently uncertain. We may be audited in various jurisdictions, and such jurisdictions may assess additional taxes, sales taxes and value-added taxes against us.

If applicable in the future, these rules could have an impact on our financial results, the extent of which is currently uncertain. We may be audited in various jurisdictions, and such jurisdictions may assess additional taxes, including sales taxes and value-added taxes against us.

Privacy concerns, whether valid or not valid, may inhibit market adoption of our solutions particularly in certain industries and foreign countries. We use AI/machine learning technologies in our solutions that could result in harm to our business and operating results.

Privacy and data protection concerns, whether valid or not valid, may inhibit market adoption of our solutions particularly in certain industries and foreign countries. We use AI/machine learning technologies in our solutions that could result in harm to our business and operating results.

Many of our existing and potential competitors have competitive advantages, including: • greater brand name recognition; • larger sales and marketing budgets and resources; • broader distribution networks and more established relationships with distributors and customers; • access to larger customer bases; • greater customer support resources; • greater resources to make acquisitions; • greater resources to develop and introduce products that compete with our solutions; • greater resources to meet relevant regulatory requirements; and • substantially greater financial, technical and other resources.

Many of our existing and potential competitors have competitive advantages, including: • greater brand name recognition; • larger sales and marketing budgets and resources; • broader distribution networks and more established relationships with distributors and customers; • access to larger customer bases; • greater customer support resources; • greater resources to make acquisitions; • greater resources to develop and introduce products that compete with our solutions; • greater resources to meet relevant regulatory requirements; and 20 Table of Contents • substantially greater financial, technical and other resources.

In this event, we could be required to seek 30 Table of Contents licenses from third parties to continue offering our solutions, to make our proprietary code generally available in source code form, to re-engineer our solutions or to discontinue the sale of our solutions if re-engineering could not be accomplished on a timely basis, any of which could adversely affect our business, operating results and financial condition.

In this event, we could be required to seek licenses from third parties to continue offering our solutions, to make our proprietary code generally available in source code form, to re-engineer our solutions or to discontinue the sale of our solutions if re-engineering could not be accomplished on a timely basis, any of which could adversely affect our business, operating results and financial condition.

If we fail to anticipate market requirements or fail to develop and introduce solution enhancements or new solutions to satisfy those requirements in a timely manner, such failure could substantially decrease or delay market acceptance and sales of our 17 Table of Contents present and future solutions and cause us to lose existing customers or fail to gain new customers, which would significantly harm our business, financial condition and results of operations.

If we fail to anticipate market requirements or fail to develop and introduce solution enhancements or new solutions to satisfy those requirements in a timely manner, such failure could substantially decrease or delay market acceptance and sales of our present and future solutions and cause us to lose existing customers or fail to gain new customers, which would significantly harm our business, financial condition and results of operations.

Significant assumptions and estimates used in preparing our consolidated financial statements include those related to revenue recognition, accounting for income taxes and stock-based compensation. Changes in financial accounting standards may cause adverse and unexpected revenue fluctuations and impact our reported results of operations. We prepare our financial statements in accordance with U.S. GAAP.

Significant assumptions and estimates used in preparing our consolidated financial statements include those related to revenue recognition, accounting for income taxes and stock-based compensation. 35 Table of Contents Changes in financial accounting standards may cause adverse and unexpected revenue fluctuations and impact our reported results of operations. We prepare our financial statements in accordance with U.S. GAAP.

If a large number of these shares are sold in the public market, the sales could reduce the trading price of our common stock. 34 Table of Contents We cannot guarantee that our share repurchase program will be fully consummated or that it will enhance stockholder value, and any share repurchases we make could affect the price of our common stock.

If a large number of these shares are sold in the public market, the sales could reduce the trading price of our common stock. We cannot guarantee that our share repurchase program will be fully consummated or that it will enhance stockholder value, and any share repurchases we make could affect the price of our common stock.

Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal framework with which we or our customers must comply. 28 Table of Contents These privacy, data protection and information security laws and regulations may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions.

Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal framework with which we or our customers must comply. These privacy, data protection and information security laws and regulations may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions.

If we fail to comply with export and import regulations, we may be fined or other penalties could be imposed, including denial of certain export privileges. 32 Table of Contents If we are required to collect higher sales and use or other taxes on the solutions we sell, we may be subject to liability for past sales and our future sales may decrease.

If we fail to comply with export and import regulations, we may be fined or other penalties could be imposed, including denial of certain export privileges. If we are required to collect higher sales and use or other taxes on the solutions we sell, we may be subject to liability for past sales and our future sales may decrease.

Therefore, we are subject to risks associated with having international sales and worldwide operations, including: • foreign currency exchange fluctuations; • trade and foreign exchange restrictions; • economic or political instability in foreign markets, including as a result of increasing tensions between India and China; • greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods; • changes in regulatory requirements; • tax laws (including U.S. taxes on foreign subsidiaries); • difficulties and costs of staffing and managing foreign operations; • the uncertainty and limitation of protection for intellectual property rights in some countries; • costs of compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations; • costs of complying with U.S. laws and regulations for foreign operations, including the Foreign Corrupt Practices Act, import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell our solutions in certain foreign markets, and the risks and costs of non-compliance; • heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements; • the potential for political unrest, acts of terrorism, hostilities or war; • management communication and integration problems resulting from cultural differences and geographic dispersion; and 23 Table of Contents • multiple and possibly overlapping tax structures.

Therefore, we are subject to risks associated with having international sales and worldwide operations, including: • foreign currency exchange fluctuations; 22 Table of Contents • trade and foreign exchange restrictions; • economic or political instability in foreign markets; • greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods; • changes in regulatory requirements; • tax laws (including U.S. taxes on foreign subsidiaries); • difficulties and costs of staffing and managing foreign operations; • the uncertainty and limitation of protection for intellectual property rights in some countries; • costs of compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations; • costs of complying with U.S. laws and regulations for foreign operations, including the Foreign Corrupt Practices Act, import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell our solutions in certain foreign markets, and the risks and costs of non-compliance; • heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements; • the potential for political unrest, acts of terrorism, hostilities or war; • management communication and integration problems resulting from cultural differences and geographic dispersion; and • multiple and possibly overlapping tax structures.

Because the interpretation and application of privacy and data protection laws, regulations, standards and contractual obligations are uncertain, it is possible that they may be interpreted and applied in a manner that is, or perceived to be, inconsistent with our data management practices or the features of our solutions.

Because the interpretation and application of privacy and data protection laws, regulations, standards and contractual obligations relating to these matters are uncertain, it is possible that they may be interpreted and applied in a manner that is, or perceived to be, inconsistent with our data management practices or the features of our solutions.

Changes in our income tax provision or adverse outcomes resulting from examination of our income tax returns could adversely affect our operating results. We could be subject to additional taxes.

Changes in our income tax provision or adverse outcomes resulting from examination of our income tax returns could adversely affect our operating results, in which case we could be subject to additional taxes.

For example, many of our customers subscribe to our IT, security and compliance solutions to help them comply with the security standards developed and maintained by the Payment Card Industry Security Standards Council, 21 Table of Contents or the PCI Council, which apply to companies that store cardholder data.

For example, many of our customers subscribe to our IT, security and compliance solutions to help them comply with the security standards developed and maintained by the Payment Card Industry Security Standards Council, or the PCI Council, which apply to companies that store cardholder data.

In addition, it may be suspended or terminated at any time, which may result in a decrease in the price of our common stock. Finally, our share repurchases in 2023 were subject to a new 1% excise tax introduced in the Inflation Reduction Act.

In addition, it may be suspended or terminated at any time, which may result in a decrease in the price of our common stock. Finally, our share repurchases in 2023 and 2024 were subject to the 1% excise tax introduced in the Inflation Reduction Act.

Our reporting currency is the U.S. dollar and we generate a majority of our revenues in U.S. dollars. However, for the year ended December 31, 2023, we incurred approximately 29% of our expenses in foreign currencies, primarily Euro, British Pounds, and Indian Rupee, principally with respect to salaries and related personnel expenses associated with our European and Indian operations.

Our reporting currency is the U.S. dollar and we generate a majority of our revenues in U.S. dollars. However, for the year ended December 31, 2024, we incurred approximately 29% of our expenses in foreign currencies, primarily the Euro, British Pound, and Indian Rupee, principally with respect to salaries and related personnel expenses associated with our European and Indian operations.

Use and distribution of open source software may entail greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or other contractual protections regarding infringement claims or the quality of the code.

Use and distribution of open source software may entail greater risks than use of third-party commercial software, as open source licensors generally do not 29 Table of Contents provide warranties or other contractual protections regarding infringement claims or the quality of the code.

Economic weakness, customer financial difficulties, supply chain constraints, change in interest rates, inflationary pressures and potential for a recession, and constrained spending on IT security, as well as longer sales cycles, which factors we have experienced in 2023, have resulted and may in the future result in decreased revenue and earnings.

Economic weakness, customer financial difficulties, change in interest rates, inflationary pressures and potential for a recession, and constrained spending on IT security, as well as longer sales cycles, which factors we have experienced in 2023 and 2024, have resulted and may in the future result in decreased revenue and earnings.

If other cloud service providers experience security incidents, loss of customer data, disruptions in service delivery or other problems, the market for cloud solutions as a whole, including our solutions, may be negatively impacted.

If other cloud service providers experience security incidents, loss, unavailability, or unauthorized processing of customer data, disruptions in service delivery or other problems, the market for cloud solutions as a whole, including our solutions, may be negatively impacted.

We and our service providers face threats from a variety of sources, including attacks on our networks and systems from numerous sources, including traditional “hackers,” sophisticated nation-state and nation-state supported actors, other sources of malicious code (such as viruses and worms), ransomware, social engineering, denial of service attacks, and phishing attempts.

We and our service providers face threats from a variety of sources, including attacks on our networks and systems from numerous sources, including but not limited to traditional “hackers,” sophisticated nation-state and nation-state supported actors, other sources of malicious code (such as viruses and worms), ransomware, social engineering, denial of service attacks, and phishing attempts.

Our customers have no obligation to renew their subscriptions after their subscription period expires, and they may not renew their subscriptions at the same or higher levels or at all. As a result, our ability to grow depends in part on customers renewing their existing subscriptions and purchasing additional subscriptions and solutions.

Our customers have no obligation to renew their subscriptions 17 Table of Contents after their subscription period expires, and they may not renew their subscriptions at the same or higher levels or at all. As a result, our ability to grow depends in part on customers renewing their existing subscriptions and purchasing additional subscriptions and solutions.

Any inability to adequately address privacy concerns, even if unfounded, or any actual or perceived inability to comply with applicable privacy or data protection laws, regulations and privacy standards, could result in cost and liability to us, damage our reputation, inhibit sales of subscriptions and harm our business.

Any inability to adequately address concerns relating to privacy, data protection, or cybersecurity, even if unfounded, or any actual or perceived inability to comply with applicable privacy or data protection laws, regulations and privacy standards relating to these matters, could result in cost and liability to us, damage our reputation, inhibit sales of subscriptions and harm our business.

It remains unclear how United Kingdom data protection laws or regulations will develop in the medium to longer term and how data transfers to and from the United Kingdom will be regulated. Additionally, we have self-certified under the EU-U.S. Data Privacy Framework and a related program, the Swiss-U.S.

Additionally, for the year ended December 31, 2023, approximately 23% of our revenue s were generated in foreign currencies. Accordingly, changes in exchange rates may have a material adverse effect on our business, operating results and financial condition.

Additionally, for the year ended December 31, 2024, approximately 25% of our revenue s were generated in foreign currencies. Accordingly, changes in exchange rates may have a material adverse effect on our business, operating results and financial condition.

The United Kingdom has adopted new standard contractual clauses (“UK SCCs”), that became effective as of March 21, 2022, and which also are required to be implemented. The EU-U.S. Data Privacy Framework, Swiss-U.S.

Any of these factors could create downward pressure on pricing and gross margins, and could adversely affect our renewal rates, as well as our ability to attract new customers.

Any of these factors could create downward pressure on 16 Table of Contents pricing and gross margins, and could adversely affect our renewal rates, as well as our ability to attract new customers.

Many federal, state and foreign government bodies and agencies have adopted or are considering adopting laws and regulations regarding the collection, use, disclosure and retention of personal information.

Many federal, state and foreign government bodies and agencies have adopted or are considering adopting laws and regulations regarding the collection, use, disclosure, retention, transfer, and other processing of personal information.

The privacy, data protection, and information security laws and regulations we must comply with also are subject to change. For example, the United Kingdom has enacted a Data Protection Act, and has implemented legislation referred to as the “UK GDPR,” that substantially implement the GDPR in the United Kingdom following the United Kingdom’s exit from the European Union.

The privacy, data protection, and cybersecurity laws and regulations we must comply with also are subject to change. For example, the United Kingdom has enacted a Data Protection Act, and has implemented legislation referred to as the “UK GDPR,” which substantially implement the GDPR in the United Kingdom following the United Kingdom’s exit from the European Union.

While we were able to assert in our Annual Report on Form 10-K that our internal control over financial reporting was effective as of December 31, 2023 , we cannot predict the outcome of our testing in future periods.

While we are able to assert in our Annual Report on Form 10-K that our internal control over financial reporting was effective as of December 31, 2024 , we cannot predict the outcome of our testing in future periods.

Patent and other intellectual property disputes are common in our industry. Some companies, including some of our competitors, own large numbers of patents, copyrights and trademarks, which they may use to assert claims against us. Third parties may in the future assert claims of infringement, misappropriation or other violations of intellectual property rights against us.

Some companies, including some of our competitors, own large numbers of patents, copyrights and trademarks, which they may use to assert claims against us. Third parties may in the future assert claims of infringement, misappropriation or other violations of intellectual property rights against us.

We and our service providers could be a target of cyber-attacks or other malfeasance designed to impede the performance of our solutions, penetrate our network security or the security of our cloud platform or our internal systems, misappropriate proprietary information and/or cause interruptions to our services.

We and our service providers could be a target of cyber-attacks or other malfeasance designed to impede the performance of our solutions, penetrate our network security or the security of our cloud platform, products, or our internal systems, misappropriate proprietary information, gain access to our customers' systems and data, and/or cause interruptions to our services.

On February 7, 2024 we announced that our board of directors had authorized an increase of $200.0 million to the share repurchase program, resulting in an aggregate authorization of $1.2 billion to date ($1.0 billion as of December 31, 2023) .

On February 6, 2025 we announced that our board of directors had authorized an increase of $200.0 million to the share repurchase program, resulting in an aggregate authorization of $1.4 billion to date ($1.2 billion as of December 31, 2024).

Our failure to recruit additional channel partners, or any reduction or delay in their sales of our solutions or conflicts between channel sales and our direct sales and marketing activities may harm our results of operations. Even if we are successful, these relationships may not result in greater customer usage of our solutions or increased revenues.

Our failure to effectively manage our relationship with channel partners, or any reduction or delay in their sales of our solutions or conflicts between channel sales and our direct sales and marketing activities may harm our results of operations. Even if we are successful, these relationships may not result in greater customer usage of our solutions or increased revenues.

A breach in or incident impacting our data security, an attack against our service availability, or any breach, incident, or attack impacting our third-party service providers, could impact our networks or networks secured by our solutions, creating system disruptions or slowdowns and exploiting security vulnerabilities of our solutions, and the information stored on our networks or those of our third-party service providers could be accessed, used, publicly disclosed, altered, lost, or stolen, which could subject us to liability and cause us financial harm.

A breach in or incident impacting our data security, an attack against our service availability, or any breach, incident, or attack impacting our third-party service providers, or a technical error or outage, could impact our networks or networks secured by our solutions, creating system disruptions or slowdowns and exploiting security vulnerabilities of our solutions, and the information stored on our networks or those of our third-party service providers could be accessed, used, disclosed publicly or to 18 Table of Contents unauthorized persons, altered, lost, destroyed, or stolen, which could subject us to liability and cause us financial harm.

As of December 31, 2023, we had approximately 36.9 million shares of our common stock outstanding. In addition, as of December 31, 2023, there were approximately 1.4 million options and 1.1 million restricted stock units outstanding. If such options are exercised and restricted stock units are released, these additional shares will become available for sale.

As of December 31, 2024, we had approximately 36.5 million shares of our common stock outstanding. In addition, as of December 31, 2024, there were approximately 1.3 million options and 1.1 million restricted stock units outstanding. If such options are exercised and restricted stock units are released, these additional shares will become available for sale.

Our solutions could be used to collect and store personal information of our customers ’ employees or customers, and therefore privacy and other data handling concerns could result in additional cost and liability to us or inhibit sales of our solutions. We collect the names and email addresses of our customers in connection with subscriptions to our solutions.

Our solutions could be used to collect and store personal information of our customers ’ employees or customers, and therefore privacy and other data handling concerns could result in additional cost and liability to us or inhibit sales of our solutions. We collect certain personal and confidential information of our customers in connection with subscriptions to our solutions.

Many countries have enacted legislation to apply the Pillar Two directive for tax years beginning in January 2024, which generally provides for a minimum effective tax rate of 15% on the income arising in each jurisdiction where the Company operates. We do not anticipate these rules to have an impact on our current year’s financial results.

Many countries have enacted legislation to apply the Pillar Two directive for tax years beginning in January 2024, which generally provides for a minimum effective tax rate of 15% on the income arising in each jurisdiction where the Company operates. These rules do not impact our current year’s financial results as the Company is below the revenue threshold.

The exchange rate between the U.S. dollar and foreign currencies has fluctuated substantially in recent years and may continue to fluctuate substantially in the future.

The exchange rate between the U.S. dollar and foreign currencies has fluctuated substantially in recent 23 Table of Contents years and may continue to fluctuate substantially in the future.

We may be unsuccessful in maintaining legitimate means for our transfer and receipt of personal data from the EEA or Switzerland.

We may be unsuccessful in maintaining legitimate means for our transfer and receipt of personal data from the EEA, United Kingdom, Switzerland, or other jurisdictions.

For the years ended December 31, 2023, 2022 and 2021 , we derived approximately 43%, 42% and 41% o f our revenues from sales of subscriptions for our solutions through channel partners, and the percentage of revenues derived from channel partners may increase in future periods.

For the years ended December 31, 2024, 2023 and 2022 , we derived approximately 46%, 43% and 42% of our revenues from sales of subscriptions for our solutions through channel partners, and the percentage of revenues derived from channel partners may increase in future periods.

If we are unable to successfully manage the challenges of international operations, our business and operating results could be adversely affected. In addition, as of December 31, 2023, approximately 75% of our employees were located outside of the United States, with 66% of our employees located in Pune, India.

If we are unable to successfully manage the challenges of international operations, our business and operating results could be adversely affected. In addition, as of December 31, 2024, approximately 77% of our employees were located outside of the United States, with 68% of our employees located in India.

We currently anticipate that we will retain future earnings for the development, operation and expansion of our business and do not anticipate declaring or paying any cash dividends for the foreseeable future. Any return to stockholders will therefore be limited to the value of their stock.

We have never declared or paid any cash dividend on our common stock. We currently anticipate that we will retain future earnings for the development, operation and expansion of our business and do not anticipate declaring or paying any cash dividends for the foreseeable future. Any return to stockholders will therefore be limited to the value of their stock.

In addition, other states have enacted or proposed legislation that regulates the collection, use, and sale of personal information, including, for example, Washington's My Health, My Data Act and legislation similar to the CCPA adopted in Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Montana, Tennessee, Oregon, Florida, Delaware, and Texas.

As of December 31, 2023 , we had an aggregate of 1.8 million shares of our common stock reserved for future issuance under our Restated 2012 Equity Incentive Plan and 0.5 million shares reserved for future purchase under our 2021 Employee Stock Purchase Plan, which can be freely sold in the public market upon issuance.

As of December 31, 2024 , we had an aggregate of 2.3 million shares of our common stock reserved for future issuance under our Restated 2012 Equity Incentive Plan and 0.4 million shares reserved for future purchase under our 2021 Employee Stock Purchase Plan, which can be freely sold in the public market upon issuance.

We believe that our growth will depend, to a significant extent, on our success in recruiting and retaining a sufficient number of qualified sales personnel and their ability to obtain new customers, manage our existing customer base and expand the sales of our newer solutions.

We believe that our growth will depend, to a significant extent, on our success in recruiting and retaining a sufficient number of qualified sales personnel and their ability to, whether directly or indirectly in collaboration with channel partners, obtain new customers, manage our existing customer base and expand the sales of our newer solutions.

Additionally, due to political uncertainty and military actions in parts of Eastern Europe and the Middle East, we and our service providers are vulnerable to heightened 18 Table of Contents risks of cybersecurity incidents and security and privacy breaches from or affiliated with nation-state actors, including attacks that could materially disrupt our systems, operations and services.

Additionally, due to political uncertainty and military actions in parts of Eastern Europe and the Middle East, we and our service providers are vulnerable to heightened risks of cybersecurity incidents and security and privacy breaches and incidents caused or initiated by nation-state or affiliated actors, including attacks that could materially disrupt our systems, operations and services, or impact our customers systems, operations, and services.

In any of these cases, our revenues and operating results could be harmed. If our solutions fail to detect vulnerabilities or incorrectly detect vulnerabilities, our brand and reputation could be harmed, which could have an adverse effect on our business and results of operations.

If our solutions fail to detect vulnerabilities or incorrectly detect vulnerabilities, our brand and reputation could be harmed, which could have an adverse effect on our business and results of operations.

If these services become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms or prices, our expenses could increase, our ability to manage our finances could be interrupted and our processes for managing sales of our solutions and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and integrated, all of which could harm our business. 26 Table of Contents Incorrect or improper implementation or use of our solutions could result in customer dissatisfaction and harm our business and reputation.

We plan to continue to expand our sales force and invest in our sales and marketing activities. Our recent hires and planned hires may not become as productive as quickly as we would like, and we may be unable to hire or retain sufficient numbers of qualified individuals in the future in the competitive markets where we do business.

Our recent hires and planned hires may not become as productive as quickly as we would like, and we may be unable to hire or retain sufficient numbers of qualified individuals in the future in the competitive markets where we do business.

Our business, operating results, financial condition, or prospects could be materially and adversely affected by any of these risks and uncertainties. In that case, the trading price of our common stock could decline, and you might lose all or part of your investment.

Personal privacy has become a significant issue in the United States and in many other countries where we offer our solutions. The regulatory framework for privacy issues worldwide is currently evolving and is likely to remain uncertain for the foreseeable future.

Privacy, data protection, and cybersecurity have become significant issues in the United States and in many other countries where we offer our solutions. The regulatory framework for privacy issues worldwide is currently evolving and is likely to remain uncertain for the foreseeable future.

We compete with large and small public companies, such as Broadcom (Symantec Enterprise Security), CrowdStrike, Palo Alto Networks, Rapid7, Tenable Holdings, as well as privately held security providers including Axonius, Checkmarx, Flexera, Invicti, Ivanti, Tanium, HelpSystems (Tripwire), Trustwave Holdings, Veracode and Wiz. We also seek to replace IT, security and compliance solutions that organizations have developed internally.

We compete with large and small public companies, such as CrowdStrike, Palo Alto Networks, Rapid7, and Tenable Holdings, as well as privately held security providers including Invicti, Tanium, and Wiz. We also seek to replace IT, security and compliance solutions that organizations have developed internally.

Furthermore, it is possible that our patent applications may not result in granted patents, that the scope of our issued patents will be limited or not provide the coverage originally sought, that our issued patents will not provide us with any competitive advantages, or that our patents and other intellectual property rights may be challenged by others or invalidated through administrative processes or litigation.

We may choose not to seek patent protection for certain innovations and may choose not to pursue patent protection in certain jurisdictions. 30 Table of Contents Furthermore, it is possible that our patent applications may not result in granted patents, that the scope of our issued patents will be limited or not provide the coverage originally sought, that our issued patents will not provide us with any competitive advantages, or that our patents and other intellectual property rights may be challenged by others or invalidated through administrative processes or litigation.

This regulation, which took effect in May of 2018, provides for substantial obligations relating to the handling, storage and other processing of data relating to individuals and administrative fines for violations, which can be up to four percent of the previous year’s annual revenue or €20 million, whichever is higher.

For example, the European Union's General Data Protection Regulation (“GDPR”), which took effect in May of 2018, provides for substantial obligations relating to the handling, storage and other processing of data relating to individuals and administrative fines for violations, which can be up to the greater of four percent of the previous year’s annual revenue or €20 million.

The GDPR may be subject to new or changing interpretations by courts, and our interpretation of the law and efforts to comply with the rules and regulations of the law may be ruled invalid.

The GDPR, CCPA, and other laws and regulations relating to privacy, data protection, and cybersecurity may be subject to new or changing interpretations by courts, and our interpretation of the law and efforts to comply with the rules and regulations of the law may be ruled invalid.

To the extent current or potential customers, channel partners, or others believe there has been an occurrence of an actual or perceived failure of our solutions to detect a vulnerability or otherwise to function as effectively as competitive products in any particular test, or indicates our solutions do not provide significant value, our business, competitive position, and reputation could be harmed.

We may experience reluctance or refusal by current or prospective European customers to use our products, and we and our customers may face a risk of enforcement actions by data protection authorities in the EEA relating to personal data transfers to us and by us from the EEA.

We may experience reluctance or refusal by current or prospective customers in these or other jurisdictions to use our products, and we and our customers may face a risk of regulatory enforcement actions or other proceedings relating to personal data transfers to us and by us from the EEA, United Kingdom, and Switzerland.

In addition, our solutions do not currently extend to cover all mobile and personal devices that employees may bring into an organization. As such, our solutions would not identify or address vulnerabilities in all mobile and personal devices, and our customers’ IT infrastructures may be compromised by attacks that infiltrate their networks through such devices.

As such, our solutions would not identify or address vulnerabilities in all mobile and personal devices, and our customers’ IT infrastructures may be compromised by attacks that infiltrate their networks through such devices.

The introduction of products and services embodying new technologies could render our existing solutions obsolete or less attractive to customers. Our business could be harmed if new IT, security and compliance technologies are widely adopted. We may not be able to successfully anticipate or adapt to changing technology or customer requirements on a timely basis, or at all.

Our business could be harmed if new IT, security and compliance technologies are widely adopted. We may not be able to successfully anticipate or adapt to changing technology or customer requirements on a timely basis, or at all.

Additionally, our offerings based on AI/machine learning may expose us to additional claims, demands and proceedings by private parties and regulatory authorities and subject us to legal liability as well as brand and reputational harm. The legal, regulatory, and policy environments around AI/machine learning are evolving rapidly, and we may become subject to new and evolving legal and other obligations.

Our success in acquiring and integrating other businesses, products or technologies could impact our financial position. In order to remain competitive, we have in the past and may in the future seek to acquire additional businesses, products, services or technologies.

We rely on software-as-a-service vendors to operate certain functions of our business and any failure of such vendors to provide services to us could adversely impact our business and operations. We rely on third-party software-as-a-service vendors to operate certain critical functions of our business, including financial management and human resource management.

We rely on third-party software-as-a-service vendors to operate certain critical functions of our business, including financial management and human resource management.

If we are unable to continue the expansion of our sales force, sales of our solutions and the growth of our business would be harmed.

If we are unable to recruit and retain qualified sales personnel, sales of our solutions and the growth of our business would be harmed.

Any failure to successfully implement our operating strategy or the occurrence of any of the events or circumstances set forth in this “Risk Factors” section in this Annual Report on Form 10-K could result in our actual operating results being different from our guidance, and the differences may be adverse and material.

In light of the foregoing, investors are urged not to rely upon our guidance in making an investment decision regarding our common stock. 33 Table of Contents Any failure to successfully implement our operating strategy or the occurrence of any of the events or circumstances set forth in this “Risk Factors” section in this Annual Report on Form 10-K could result in our actual operating results being different from our guidance, and the differences may be adverse and material.

Additionally, although we price our products and subscriptions worldwide in U.S. Dollars, Euro, British Pounds, Canadian Dollars, Japanese Yen and Indian Rupee, currency fluctuations in certain countries and regions may negatively impact actual prices that partners and customers are willing to pay in those countries and regions, or the effective prices we realize in our reporting currency.

Dollars, Euros, British Pounds, Canadian Dollars, Japanese Yen, Indian Rupees, Australian Dollars and Singapore Dollar, currency fluctuations in certain countries and regions may negatively impact actual prices that partners and customers are willing to pay in those countries and regions, or the effective prices we realize in our reporting currency.

In addition, the risks and 15 Table of Contents uncertainties discussed below are not the only ones we face. Our business, operating results, financial performance or prospects could also be harmed by risks and uncertainties not currently known to us or that we currently do not believe are material.

Our business, operating results, financial performance or prospects could also be harmed by risks and uncertainties not currently known to us or that we currently do not believe are material.

U.S. export controls may require submission of an encryption registration, product classification and/or annual or semi-annual reports. Governmental regulation of encryption technology and regulation of imports or exports of encryption products, or our failure to obtain required import or export authorization for our solutions, when applicable, could harm our international sales and adversely affect our revenues.

Governmental regulation of encryption technology and regulation of imports or exports of encryption products, or our failure to obtain required import or export authorization for our solutions, when applicable, could harm our international sales and adversely affect our revenues.

Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period or periods for which a determination is made. 32 Table of Contents Risks Related to Ownership of Our Common Stock Market volatility may affect our stock price and the value of an investment in our common stock and could subject us to litigation.

… 49 more changes not shown on this page.

Item 1C. Cybersecurity

Cybersecurity — threats and controls disclosure

9 edited+2 added−0 removed15 unchanged

2023 filing

2024 filing

Biggest changeThe security measures the CSIRT employs are consistent with relevant requirements of the National Institute of Standards and Technology (“NIST”), Federal Risk and Authorization Management Program (“FedRAMP”), International Organization for Standardization (“ISO”), and Federal Information Security Management Act (“FISMA”).

Biggest changeThe CSIRT is responsible for identifying, managing, and responding to security incidents against Qualys' infrastructure and corporate IT systems. The security measures the CSIRT employs are consistent with relevant requirements of the National Institute of Standards and Technology (“NIST”), Federal Risk and Authorization Management Program (“FedRAMP”), International Organization for Standardization (“ISO”), and Federal Information Security Management Act (“FISMA”).

For additional information regarding whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K, including the risk factor entitled “Our platform, website and internal systems may be subject to intentional disruption or other security incidents that could result in liability and adversely impact our reputation and future sales.” We have not currently encountered any cybersecurity threats that have materially impaired our operations or financial standing.

For additional information regarding whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K, including the risk factor entitled “Our platform, products, website and internal systems may be subject to intentional disruption or other security incidents that could result in liability and adversely impact our reputation and future sales.” We have not currently encountered any cybersecurity threats that have materially impaired our operations or financial standing.

The processes by which our CISO is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents, include prompt communication from the CSIRT describing the severity and impact of the incident and status throughout the incident handling lifecycle and routine monitoring of key risk indicators.

The processes by which our CISO is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents, include prompt communication from the CSIRT and PSIRT describing the severity and impact of the incident and status throughout the incident handling lifecycle and routine monitoring of key risk indicators.

We devote significant resources and designate high-level personnel, including our Chief Information Security Officer (“CISO”) who reports to our Chief Executive Officer, to manage the risk assessment and mitigation process. As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with human resources, IT, and management.

We devote significant resources and designate high-level personnel, including our Chief Information Security Officer (“CISO”) who reports to our Chief Executive Officer, to manage the risk assessment and mitigation process. 36 Table of Contents As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with human resources, IT, and management.

Our CEO is also a cybersecurity industry expert who has deep insight and over two decades of experience in cybersecurity, technology and information security. Our CISO and our Security Steering Committee, along with other senior executives including the CEO and CTO, review and manage our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above.

Our CEO is also a cybersecurity industry expert who has deep insight and over two decades of experience in cybersecurity, technology and information security. 37 Table of Contents Our CISO and our Security Steering Committee, along with other senior executives including the CEO and CTO, review and manage our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above.

We have also adopted certain guidelines from NIST and the United States Computer Emergency Readiness Team. 37 Table of Contents Our Incident Response Program and Plan describes the major phases of an incident management lifecycle which includes the preparation, detection and analysis, containment, eradication and recovery, and post-incident activity.

We have also adopted certain guidelines from NIST and the United States Computer Emergency Readiness Team. Our Incident Response Program and Plan describes the major phases of an incident management lifecycle which includes the preparation, detection and analysis, containment, eradication and recovery, and post-incident activity.

The QSOC and CSIRT teams drive these exercises to participants via various cyber security incident scenarios in the form of multiple injects. Exercise participants primarily consist of members from various Qualys departments such as security operations, IT operations, network operations, and other departments depending on the selected scenario.

The Cybersecurity Fusion Center and CSIRT teams drive these exercises to participants via various cyber security incident scenarios in the form of multiple injects. Exercise participants primarily consist of members from various Qualys departments such as security operations, IT operations, network operations, and other departments depending on the selected scenario.

Qualys' 24x7 Security Operations Center (“QSOC”) and CSIRT conduct Incident Response Plan testing and training on a periodic basis through tabletop exercises or simulated attack scenarios. This testing appraises our readiness to respond to such scenarios and tests the completeness and accuracy of the incident response plan.

Qualys' 24x7 Cybersecurity Fusion Center and CSIRT conduct Incident Response Plan testing and training on a periodic basis through tabletop exercises or simulated attack scenarios. This testing appraises our readiness to respond to such scenarios and tests the completeness and accuracy of the incident response plan.

Management is committed to notifying the Audit and Risk Committee, and the full Board in the event of a cyber incident that is confirmed to have a material effect on Qualys, or in the event that Qualys has identified a cyber risk that is likely to have a high probability of having a material impact on Qualys if not mitigated. 38 Table of Contents

Management is required to notify the Audit and Risk Committee, and the full Board in the event of a cyber incident that is confirmed to have a material effect on Qualys, or in the event that Qualys has identified a cyber risk that is likely to have a high probability of having a material impact on Qualys if not mitigated.

Added

We have also established a Product Security Incident Response Team (“PSIRT”) that identifies, assesses, and responds to security incidents, risks, and vulnerabilities associated with Qualys’ commercial products. The Qualys PSIRT investigates vulnerabilities and incidents across the entire Qualys product portfolio.

Added

PSIRT coordinates product impact assessments and fixes based on industry standards such as the Common Vulnerabilities and Exposure (“CVE”) and Common Vulnerability Scoring System (“CVSS”). PSIRT operates in alignment with relevant requirements and industry standards and coordinates its activities with the CSIRT.

Item 2. Properties

Properties — owned and leased real estate

2 edited+0 added−0 removed1 unchanged

2023 filing

2024 filing

Biggest changeItem 2. Properties Our principal executive offices are located in Foster City, California, where we occupy a 76,922 square-foot facility under a lease expiring on April 30, 2028. We also have 281,787 square feet of office space in Pune, India under a non-cancellable lease expiring in February 2025.

We operate shared cloud platforms at third-party facilities in United States, Canada, Switzerland, the Netherlands, United Arab Emirates, Australia, United Kingdom, Italy, the Kingdom of Saudi Arabia and India. Our shared cloud platform agreements have varying terms through 2027.

Item 3. Legal Proceedings

Legal Proceedings — active lawsuits and investigations

2 edited+0 added−0 removed1 unchanged

2023 filing

2024 filing

Biggest changeItem 3. Legal Proceedings From time to time we may become involved in legal proceedings or be subject to claims arising in the ordinary course of our business. As of December 31, 2023, there has not been at least a reasonable possibility that we have incurred a material loss from any ongoing legal proceedings, individually or taken together.

Biggest changeItem 3. Legal Proceedings From time to time we may become involved in legal proceedings or be subject to claims arising in the ordinary course of our business. As of December 31, 2024, there has not been at least a reasonable possibility that we have incurred a material loss from any ongoing legal proceedings, individually or taken together.

For more information, please refer to Note 9 in the accompanying notes to the consolidated financial statements, which is hereby incorporated by reference. Item 4. Mine Safety Disclosures Not Applicable. 39 Table of Contents PART II

Item 5. Market for Registrant's Common Equity

Market for Common Equity — stock, dividends, buybacks

7 edited+1 added−0 removed3 unchanged

2023 filing

2024 filing

Biggest changeDecember 31, 2018 December 31, 2019 December 31, 2020 December 31, 2021 December 31, 2022 December 31, 2023 Qualys, Inc. $ 100.00 $ 111.55 $ 163.06 $ 183.60 $ 150.16 $ 262.62 NASDAQ Global Select Market $ 100.00 $ 135.60 $ 193.97 $ 238.82 $ 160.92 $ 233.41 NASDAQ Computer $ 100.00 $ 150.34 $ 225.48 $ 310.84 $ 199.64 $ 322.34 S&P 500 $ 100.00 $ 131.49 $ 155.68 $ 200.37 $ 164.08 $ 207.21 The information on the above Stock Price Performance Graph shall not be deemed to be “filed” for purposes of Section 18 of the Securities Exchange Act of 1934, as amended, or otherwise subject to the liabilities of that section or Sections 11 and 12(a)(2) of the Securities Act of 1933, as amended, and shall not be incorporated by reference into any registration statement or other document filed by us with the SEC, whether made before or after the date of this Annual Report on Form 10-K, regardless of any general incorporation language in such filing, except as shall be expressly set forth by specific reference in such filing. 41 Table of Contents Purchases of Equity Securities by the Issuer and Affiliated Purchasers A summary of our repurchases of common stock during the three months ended December 31, 2023 is as follows: Period Total Number of Shares Purchased Average Price Paid per Share Total Number of Shares Purchased as Part of Publicly Announced Plan or Program (1) Approximate Dollar Value of Shares that May Yet Be Purchased under the Plan or Program October 1, 2023 - October 31, 2023 76,000 $ 156.94 76,000 $ 94,828,514 November 1, 2023 - November 30, 2023 49,112 $ 171.10 49,112 $ 86,425,300 December 1, 2023 - December 31, 2023 14,400 $ 190.51 14,400 $ 83,681,929 (2) Total 139,512 139,512 (1) On February 12, 2018, we announced that our board of directors authorized a $100.0 million share repurchase program.

Biggest changeDecember 31, 2019 December 31, 2020 December 31, 2021 December 31, 2022 December 31, 2023 December 31, 2024 Qualys, Inc. $ 100.00 $ 146.18 $ 164.59 $ 134.62 $ 235.43 $ 168.19 NASDAQ Global Select Market $ 100.00 $ 143.04 $ 176.11 $ 118.67 $ 172.13 $ 222.62 NASDAQ Computer $ 100.00 $ 149.98 $ 206.76 $ 132.79 $ 221.06 $ 301.44 S&P 500 $ 100.00 $ 118.40 $ 152.39 $ 124.79 $ 157.59 $ 197.02 The information on the above Stock Price Performance Graph shall not be deemed to be “filed” for purposes of Section 18 of the Securities Exchange Act of 1934, as amended, or otherwise subject to the liabilities of that section or Sections 11 and 12(a)(2) of the Securities Act of 1933, as amended, and shall not be incorporated by reference into any registration statement or other document filed by us with the SEC, whether made before or after the date of this Annual Report on Form 10-K, regardless of any general incorporation language in such filing, except as shall be expressly set forth by specific reference in such filing. 40 Table of Contents Purchases of Equity Securities by the Issuer and Affiliated Purchasers A summary of our repurchases of common stock during the three months ended December 31, 2024 is as follows: Period Total Number of Shares Purchased Average Price Paid per Share Total Number of Shares Purchased as Part of Publicly Announced Plan or Program (1) Approximate Dollar Value of Shares that May Yet Be Purchased under the Plan or Program October 1, 2024 - October 31, 2024 145,802 $ 123.87 145,802 $ 167,659,031 November 1, 2024 - November 30, 2024 74,190 $ 144.16 74,190 $ 159,964,062 December 1, 2024 - December 31, 2024 91,730 $ 147.60 91,730 $ 143,424,943 (2) Total 311,722 311,722 (1) On February 12, 2018, we announced that our board of directors authorized a $100.0 million share repurchase program.

On each of October 30, 2018, October 30, 2019, May 7, 2020, February 10, 2021 and February 9, 2023, we announced that our board of directors had authorized an increase of $100.0 million, and on each of November 3, 2021, May 4, 2022, and February 7, 2024, we announced that our board of directors had authorized an increase of $200.0 million to the share repurchase program, resulting in an aggregate authorization of $1.2 billion as of December 31, 2024.

Such returns are based on historical results and are not intended to suggest future performance. 40 Table of Contents COMPARISON OF CUMULATIVE TOTAL RETURN* Among Qualys, Inc., NASDAQ-Global Select Market Composite Index, and NASDAQ Computer Index and S&P 500 Index * $100 invested on December 31, 2018 in stock or index, including reinvestment of dividends. Fiscal year ending December 31.

Such returns are based on historical results and are not intended to suggest future performance. 39 Table of Contents COMPARISON OF CUMULATIVE TOTAL RETURN* Among Qualys, Inc., NASDAQ-Global Select Market Composite Index, and NASDAQ Computer Index and S&P 500 Index * $100 invested on December 31, 2019 in stock or index, including reinvestment of dividends. Fiscal year ending December 31.

Stock Price Performance Graph The following graph shows a comparison from December 31, 2018 through December 31, 2023 of the cumulative total return for an investment of $100 (and the reinvestment of dividends) in our common stock, the NASDAQ Global Select Market Composite Index and the NASDAQ Computer Index and the S&P 500 Index.

Stock Price Performance Graph The following graph shows a comparison from December 31, 2019 through December 31, 2024 of the cumulative total return for an investment of $100 (and the reinvestment of dividends) in our common stock, the NASDAQ Global Select Market Composite Index and the NASDAQ Computer Index and the S&P 500 Index.

Item 5. Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities Market Information Our common stock is listed and traded on the NASDAQ Global Select Market under the symbol “QLYS”. Holders of Record As of February 12, 2024, there were approximately 48 holders of record of our common stock.

Item 5. Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities Market Information Our common stock is listed and traded on the NASDAQ Global Select Market under the symbol “QLYS”. Holders of Record As of February 11, 2025, there were approximate ly 44 hol ders of record of our common stock.

Our share repurchase program does not have an expiration date. (2) Does not reflect the $200.0 million increase to our share repurchase program announced on February 7, 2024. Item 6. [RESERVED] 42 Table of Contents

(2) Does not reflect the $200.0 million increase to our share repurchase program announced on February 6, 2025. Item 6. [RESERVED] 41 Table of Contents

Shares may be repurchased from time to time on the open market in accordance with Rule 10b-18 of the Exchange Act of 1934. We have entered into a pre-set trading plan adopted in accordance with Rule 10b5-1 under the Exchange Act to effect repurchases under our share repurchase program. All share repurchases have been made using cash resources.

We have entered into a pre-set trading plan adopted in accordance with Rule 10b5-1 under the Exchange Act to effect repurchases under our share repurchase program. All share repurchases have been made using cash resources. Our share repurchase program does not have an expiration date.

Added

On February 6, 2025, we announced that our board of directors authorized an increase of $200.0 million to the share repurchase program, resulting in an aggregate authorization of $1.4 billion. Shares may be repurchased from time to time on the open market in accordance with Rule 10b-18 of the Exchange Act of 1934.

Item 7. Management's Discussion & Analysis

Management's Discussion & Analysis (MD&A) — revenue / margin commentary

37 edited+4 added−6 removed45 unchanged

2023 filing

2024 filing

Biggest changeTotal other income, net Year Ended December 31, Change 2023 2022 $ % (in thousands, except percentages) Total other income, net $ 15,582 $ 3,153 $ 12,429 394 % Total other income, net increased by $12.4 million in 2023 compared to 2022, due to an increase in interest income of $11.7 million driven by an increase of market interest rates, in addition to a $1.2 million decrease in foreign currency loss, partially offset by an unrealized loss of $0.5 million on a non-marketable equity security. 47 Table of Contents Income tax provision Year Ended December 31, Change 2023 2022 $ % (in thousands, except percentages) Income tax provision $ 27,056 $ 25,708 $ 1,348 5 % On July 21, 2023, the IRS issued a rule change allowing taxpayers to temporarily apply the regulations in effect prior to 2022 related to U.S. federal foreign tax credits to foreign taxes paid or accrued in years 2022 and 2023.

Biggest changeTotal other income, net Year Ended December 31, Change 2024 2023 $ % (in thousands, except percentages) Total other income, net $ 22,626 $ 15,582 $ 7,044 45 % Total other income, net increased by $7.0 million in 2024 compared to 2023, primarily due to an increase in interest income of $8.9 million driven by an increase in our average daily cash and investment balance, a non-recurring unrealized loss of $0.5 million on a non-marketable equity security recognized during 2023, partially offset by an increase in foreign currency loss of $2.4 million. 46 Table of Contents Income tax provision Year Ended December 31, Change 2024 2023 $ % (in thousands, except percentages) Income tax provision $ 36,142 $ 27,056 $ 9,086 34 % Income tax provision increased by $9.1 million in 2024 compared to 2023, primarily due to the tax effect of an increase in pretax income, increase in foreign withholding taxes, decrease in excess tax benefit from stock-based compensation compared to prior year, and decrease in other discrete tax adjustments.

In addition, we also generated $18.2 million of cash from working capital change in 2023, of which $22.7 million was related to a net increase in deferred revenue and accounts receivable due to the growth in billing and the timing of collections, partially offset by a $1.1 million decrease in payables and accrued liabilities and a $3.4 million increase in prepaid expenses primarily driven by the timing of payments.

In addition, we also generated $18.2 million of cash from working capital change in 2023, of which $22.7 million was related to the net increase in deferred revenue and accounts receivable due to the growth in billing and the timing of collections, partially offset by a $1.1 million decrease in payables and accrued liabilities and a $3.4 million increase in prepaid expenses primarily driven by the timing of payments.

Overview We are a pioneer and leading provider of a cloud-based platform delivering information technology (IT), security and compliance solutions that enable organizations to identify security risks to their IT infrastructures, help protect their IT systems and applications from ever-evolving cyber-attacks and achieve compliance with internal policies and external regulations.

Overview We are a leading provider of a cloud-based platform delivering information technology (IT), security and compliance solutions that enable organizations to identify security risks to their IT infrastructures, help protect their IT systems and applications from ever-evolving cyber-attacks and achieve compliance with internal policies and external regulations.

Because of these limitations, Adjusted EBITDA should be considered alongside other financial performance measures, including revenues, net income, cash flows from operating activities and our financial results presented in accordance with U.S. GAAP. The following unaudited table presents the reconciliation of net income to Adjusted EBITDA for the years ended December 31, 2023 and 2022.

We will continue to evaluate the nature and extent of the impact to our business, financial position, results of operations and cash flows. 43 Table of Contents Key Components of Results of Operations Revenues We derive revenues from the sale of subscriptions to our IT, security and compliance solutions, which are delivered on our cloud platform.

We will continue to evaluate the nature and extent of the impact to our business, financial position, results of operations and cash flows. 42 Table of Contents Key Components of Results of Operations Revenues We derive revenues from the sale of subscriptions to our IT, security and compliance solutions, which are delivered on our cloud platform.

Our cloud platform address the growing security and compliance complexities and risks that are amplified by the dissolving boundaries between IT infrastructures and web environments, the rapid adoption of cloud computing, containers and serverless IT models, and the proliferation of geographically dispersed IT assets.

Our cloud platform addresses the growing security and compliance complexities and risks that are amplified by the dissolving boundaries between IT infrastructures and web environments, the rapid adoption of cloud computing, containers and serverless IT models, and the proliferation of geographically dispersed IT assets.

We regularly assess the realizability of our net deferred tax assets. As of December 31, 2023, valuation allowances remain in certain jurisdictions where we believe it is necessary to see further positive evidence, such as sustained achievement of sufficient profits to meet a more likely than not stance that the valuation allowance should be reversed.

We regularly assess the realizability of our net deferred tax assets. As of December 31, 2024, valuation allowances remain in certain jurisdictions where we believe it is necessary to see positive evidence, such as sustained achievement of sufficient profits, to meet a more likely than not stance that the valuation allowance should be reversed.

You should carefully review and consider the information regarding our financial condition and results of operations set forth under Part II-Item 7 (Management’s Discussion and Analysis of Financial Condition and Results of Operations) in our Annual Report on Form 10-K for the fiscal year ended December 31, 2022, filed with the SEC on February 23, 2023, for an understanding of our results of operations and liquidity discussions and analysis comparing fiscal year 2022 to fiscal year 2021, which information is hereby incorporated by reference.

You should carefully review and consider the information regarding our financial condition and results of operations set forth under Part II-Item 7 (Management’s Discussion and Analysis of Financial Condition and Results of Operations) in our Annual Report on Form 10-K for the fiscal year ended December 31, 2023, filed with the SEC on February 22, 2024, for an understanding of our results of operations and liquidity discussions and analysis comparing fiscal year 2023 to fiscal year 2022, which information is hereby incorporated by reference.

We also believe that Adjusted EBITDA provides an additional tool for investors to use in comparing our recurring core business operating results over multiple periods with other companies in our industry. 48 Table of Contents Adjusted EBITDA should not be considered in isolation from, or as a substitute for, financial information prepared in accordance with U.S. GAAP.

We also believe that Adjusted EBITDA provides an additional tool for investors to use in comparing our recurring core business operating results over multiple periods with other companies in our industry. Adjusted EBITDA should not be considered in isolation from, or as a substitute for, financial information prepared in accordance with U.S. GAAP.

Our significant accounting policies are described in Note 1 - The Company and Summary of Significant Accounting Policies in the accompanying notes to the consolidated financial statements included in Part II, Item 8, "Financial Statements and Supplementary Data" of this Annual Report on Form 10-K.

Our significant 49 Table of Contents accounting policies are described in Note 1 - The Company and Summary of Significant Accounting Policies in the accompanying notes to the consolidated financial statements included in Part II, Item 8, "Financial Statements and Supplementary Data" of this Annual Report on Form 10-K.

Other Income (Expense), Net Our other income (expense), net consists primarily of interest and returns from our short-term and long-term marketable securities, non-marketable securities gains and losses, and foreign exchange gains and losses.

Other Income (Expense), Net Our other income (expense), net consists primarily of interest and returns from our cash equivalent, short-term and long-term marketable securities, non-marketable securities gains and losses, and foreign exchange gains and losses.

Numerator: We measure the ARR for that same cohort of customers representing all active subscriptions as of the end of the reporting period, using the same foreign exchange rate from the prior year. Our net dollar expansion rates were 105% and 109% for the years ended December 31, 2023 and 2022, respectively.

Numerator: We measure the ARR for that same cohort of customers representing all active subscriptions as of the end of the reporting period, using the same foreign exchange rate from the prior year. Our net dollar expansion rates were 103% and 105% for the years ended December 31, 2024 and 2023, respectively.

In 2023, 2022 and 2021, 60%, 60% and 61%, respectively, of our revenues were derived from customers in the United States based on our customers' billing addresses. We sell our solutions to enterprises and government entities primarily through our field sales force and to small and medium-sized businesses through our inside sales force.

In 2024, 2023 and 2022, 58%, 60% and 60%, respectively, of our revenues were derived from customers in the United States based on our customers' billing addresses. We sell our solutions to enterprises and government entities primarily through our field sales force and to small and medium-sized businesses through our inside sales force.

We expect to continue to invest in additional sales personnel worldwide and also in more marketing programs to support new solutions on our platform, which will increase sales and marketing expenses in absolute dollars. 44 Table of Contents General and Administrative General and administrative expenses consist primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and stock-based compensation for our executive, finance and accounting, IT, legal and human resources teams, as well as professional services, fees, software licenses and overhead allocations.

We expect to continue to invest in sales and marketing teams and also in more marketing programs to support new solutions on our platform, which in turn, is expected to increase sales and marketing expenses in absolute dollars. 43 Table of Contents General and Administrative General and administrative expenses consist primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and stock-based compensation for our executive, finance and accounting, IT, legal and human resources teams, as well as professional services, fees, software licenses and overhead allocations.

Impacts of Current Macroeconomic Environment The uncertainty surrounding macroeconomic factors in the U.S. and globally characterized by the supply chain environment, inflationary pressure, rising interest rates, financial institution failures and associated uncertainty, labor shortages, significant volatility of global markets, reduced spending and extended sales cycles, and geopolitical conflicts could have a material adverse effect on our long-term business and could lead to further economic disruption and expose us to greater risk as our current and potential customers may reduce or eliminate their overall spending on IT security.

Impacts of Current Macroeconomic Environment The uncertainty surrounding macroeconomic factors in the U.S. and globally characterized by inflationary pressure, high interest rates, significant volatility of global markets, reduced spending and extended sales cycles, and geopolitical conflicts could have a material adverse effect on our long-term business and could lead to further economic disruption and expose us to greater risk as our current and potential customers may reduce or eliminate their overall spending on IT security.

We may also seek to invest in or acquire complementary businesses or technologies. • Other non-cancelable purchase obligations related to cloud infrastructures and other service providers totaled $70.6 million, of which $29.7 million is expected to be paid with in the next 12 months.

We may also seek to invest in or acquire complementary businesses or technologies. • Other non-cancelable purchase obligations related to cloud infrastructures and other service providers totaled $70.5 million, of which $39.2 million is expected to be paid with in the next 12 months.

We had fixed operating lease payment obligations of $31.1 million as of December 31, 2023, with $13.1 million expected to be paid within the next 12 months. • Cash outflow for capital expenditures in 2024 is expected to be in a range of $15.0 million to $20.0 million.

We had fixed operating lease payment obligations of $59.9 million as of December 31, 2024, with $13.5 million expected to be paid within the next 12 months. • Cash outflow for capital expenditures in 2025 is expected to be in a range of $8.0 million to $13.0 million.

In 2023, 57% of total revenues were direct and 43% of total revenues were through partners. Of the total increase of $64.7 million , 46% was direct and the remaining 54% was from partners. With our strong market position driving further demand for our solutions, we expect revenue growth from new and existing customers to continue.

In 2024, 54% of total revenues were direct and 46% of total revenues were through partners. Of the total increase of $53.1 million , 20% was direct and the remaining 80% was from partners. With our strong market position driving further demand for our solutions, we expect revenue growth from new and existing customers to continue.

Results of Operations The following table sets forth selected consolidated statements of operations data for each of the periods presented as a percentage of revenues: Year Ended December 31, 2023 2022 Revenues 100 % 100 % Cost of revenues 19 21 Gross profit 81 79 Operating expenses: Research and development 20 21 Sales and marketing 20 20 General and administrative 12 11 Total operating expenses 52 52 Income from operations 29 27 Total other income, net 3 — Income before income taxes 32 27 Income tax provision 5 5 Net income 27 % 22 % 45 Table of Contents Comparison of Years Ended December 31, 2023 and 2022 Revenues Year Ended December 31, Change 2023 2022 $ % (in thousands, except percentages) Revenues $ 554,458 $ 489,723 $ 64,735 13 % Revenues increased by $64.7 million in 2023 compared to 2022, driven by increased demand for our subscription services by our end customers.

Results of Operations The following table sets forth selected consolidated statements of operations data for each of the periods presented as a percentage of revenues: Year Ended December 31, 2024 2023 Revenues 100 % 100 % Cost of revenues 18 19 Gross profit 82 81 Operating expenses: Research and development 19 20 Sales and marketing 21 20 General and administrative 11 12 Total operating expenses 51 52 Income from operations 31 29 Total other income, net 4 3 Income before income taxes 35 32 Income tax provision 6 5 Net income 29 % 27 % 44 Table of Contents Comparison of Years Ended December 31, 2024 and 2023 Revenues Year Ended December 31, Change 2024 2023 $ % (in thousands, except percentages) Revenues $ 607,571 $ 554,458 $ 53,113 10 % Revenues increased by $53.1 million in 2024 compared to 2023, driven by increased demand for our subscription services by our end customers.

Cost of Revenues Year Ended December 31, Change 2023 2022 $ % (in thousands, except percentages) Cost of revenues $ 107,485 $ 102,788 $ 4,697 5 % Cost of revenues increased by $4.7 million in 2023 compared to 2022, due to an increase in personnel costs, including stock-based compensation, of $5.1 million, driven by additional employees hired to support the growth of our business, an increase in shared cloud platform cost of $4.8 million, and an increase in subscribed license and software costs of $1.5 million, partially offset by a decrease in depreciation and amortization expense of $6.7 million resulting from our assets becoming fully depreciated or amortized.

Cost of Revenues Year Ended December 31, Change 2024 2023 $ % (in thousands, except percentages) Cost of revenues $ 111,482 $ 107,485 $ 3,997 4 % Cost of revenues increased by $4.0 million in 2024 compared to 2023, primarily due to an increase in shared cloud platform cost of $6.0 million, an increase in personnel costs, including stock-based compensation, of $4.6 million, driven by additional employees hired to support the growth of our business, an increase in license expenses and professional service expenses of $1.2 million, partially offset by a decrease in depreciation and amortization expense of $7.8 million resulting from certain of our assets becoming fully depreciated or amortized.

The following summary of cash flows for the periods indicated have been derived from our consolidated financial statements included elsewhere in this report: Year Ended December 31, 2023 2022 (in thousands) Net cash provided by operating activities $ 244,605 $ 198,854 Net cash (used in) provided by investing activities (73,166) 145,068 Net cash used in financing activities (141,493) (306,031) Net increase in cash, cash equivalents and restricted cash $ 29,946 $ 37,891 49 Table of Contents Operating Activities In 2023, we generated $226.4 million of cash from our net income, as adjusted for non-cash items mainly related to stock-based compensation expense, depreciation and amortization expense and deferred taxes, as compared to $177.2 million in 2022.

The following summary of cash flows for the periods indicated have been derived from our consolidated financial statements included elsewhere in this report: Year Ended December 31, 2024 2023 (in thousands) Net cash provided by operating activities $ 244,094 $ 244,605 Net cash used in investing activities (71,427) (73,166) Net cash used in financing activities (145,650) (141,493) Net increase in cash, cash equivalents and restricted cash $ 27,017 $ 29,946 Operating Activities In 2024, we generated $243.9 million of cash from our net income, as adjusted for non-cash items mainly related to stock-based compensation expense, depreciation and amortization expense and deferred taxes, as compared to $226.4 million in 2023.

Financing Activities In 2023, we used $170.8 million of cash for share repurchase and $22.3 million of cash in payment of employee withholding taxes upon vesting of restricted stock units, partially offset by $45.6 million of proceeds from employee exercise of stock options and $6.1 million of proceeds from issuance of common stock through our employee stock purchase plan ("ESPP"), as compared to $317.3 million of cash used for share repurchase and $17.6 million of cash in payment of employee withholding taxes upon vesting of restricted stock units, partially offset by $24.5 million of proceeds from employee exercise of stock options and $4.4 million of proceeds from issuance of common stock through our ESPP in 2022.

Financing Activities In 2024, we used $139.9 million of cash for share repurchases and $28.4 million of cash in payment of employee withholding taxes upon vesting of restricted stock units and $1.5 million payment of cash held in escrow as part of the Blue Hexagon acquisition on October 4, 2022, partially offset by $17.3 million of proceeds from employee exercise of stock options and $6.9 million of proceeds from issuance of common stock through our employee stock purchase plan ("ESPP"), as compared to $170.8 million of cash for share repurchase and $22.3 million of cash in payment of employee withholding taxes upon vesting of restricted stock units, partially offset by $45.6 million of proceeds from employee exercise of stock options and $6.1 million of proceeds from issuance of common stock through our ESPP in 2023.

In 2022, we generated $177.2 million of cash from our net income, as adjusted for non-cash items mainly related to stock-based compensation expense, depreciation and amortization expense and deferred taxes, as compared to $169.6 million in 2021.

In 2023, we generated $226.4 million of cash from our net income, as adjusted for non-cash items mainly related to stock-based compensation expense, depreciation and amortization expense and deferred taxes.

Share Repurchases We expect to continue to use cash to repurchase shares in 2024 under our share repurchase program authorized by our board of directors on February 5, 2018. As of December 31, 2023, our board of directors had authorized an aggregate amount of $1.0 billion for repurchases under our share repurchase program, of which approximately $83.7 million remained available.

Share Repurchases We expect to continue to use cash to repurchase shares in 2025 under our share repurchase program authorized by our board of directors on February 5, 2018. As of December 31, 2024, approximately $143.4 million remained available under our share repurchase program.

Of the total increase of $64.7 million in revenues, 80% was from customers existing at or prior to December 31, 2022, and the remaining 20% was from new customers added in 2023. Of the total increase of $64.7 million , 62% was from customers in the United States and the remaining 38% was from customers in foreign countries.

Of the total increase of $53.1 million in revenues, 69% was from customers existing at or prior to December 31, 2023, and the remaining 31% was from new customers added in 2024. Of the total increase of $53.1 million , 42% was from customers in the United States and the remaining 58% was from customers in foreign countries.

Year Ended December 31, 2023 2022 (in thousands) Net income $ 151,595 $ 107,992 Net income as a percentage of revenues 27 % 22 % Depreciation and amortization of property and equipment 23,904 28,936 Amortization of intangible assets 3,087 5,686 Income tax provision 27,056 25,708 Stock-based compensation 69,079 53,408 Total other income, net (15,582) (3,153) Adjusted EBITDA $ 259,139 $ 218,577 Adjusted EBITDA as a percentage of revenues 47 % 45 % Liquidity and Capital Resources As of December 31, 2023 , our principal source of liquidity was cash, cash equivalents and marketable securities of $482.2 million, including $94.8 million of cash held outside of the United States.

Year Ended December 31, 2024 2023 (in thousands) Net income $ 173,680 $ 151,595 Net income as a percentage of revenues 29 % 27 % Depreciation and amortization of property and equipment 15,610 23,904 Amortization of intangible assets 2,903 3,087 Income tax provision 36,142 27,056 Stock-based compensation 77,133 69,079 Total other income, net (22,626) (15,582) Adjusted EBITDA $ 282,842 $ 259,139 Adjusted EBITDA as a percentage of revenues 47 % 47 % Liquidity and Capital Resources As of December 31, 2024 , our principal source of liquidity was cash, cash equivalents and marketable securities of $575.3 million, including $119.9 million of cash held outside of the United States.

We calculate Adjusted EBITDA as net income before (1) other (income) expense, net, which includes interest income, interest expense and other income and expense, (2) income tax provision (benefit), (3) depreciation and amortization of property and equipment, (4) amortization of intangible assets, (5) stock-based compensation and (6) non-recurring expenses that do not reflect ongoing costs of operating the business. 47 Table of Contents Adjusted EBITDA has limitations as an analytical tool and should not be considered in isolation from or as a substitute for the measures presented in accordance with U.S.

We expect that general and administrative expenses will increase in absolute dollars, as we continue to add personnel and incur professional services to support our growth and compliance with legal requirements.

We expect to continue to invest in our people and incur professional services to support our growth and compliance with legal and regulatory requirements, which in turn, is expected to increase general and administrative expenses in absolute dollars.

Release of the valuation allowance would result in the recognition of deferred tax assets and a corresponding decrease to income tax expense in the period the release is recorded.

The exact timing and amount of the valuation allowance release is subject to change based on the level of profitability achieved in future periods. Release of the valuation allowance would result in the recognition of deferred tax assets and a corresponding decrease to income tax expense in the period the release is recorded.

General and Administrative Expenses Year Ended December 31, Change 2023 2022 $ % (in thousands, except percentages) General and administrative $ 61,741 $ 57,981 $ 3,760 6 % General and administrative expenses increased by $3.8 million in 2023 compared to 2022, due to an increase in personnel costs, including stock-based compensation of $5.7 million, driven by increased headcount, annual merit increases for eligible employees and refresh grants to eligible employees and executives, and an increase in subscribed license and software cost of $0.8 million, partially offset by a decrease in professional service expense of $1.4 million, and a decrease in legal expense of $1.3 million.

General and Administrative Expenses Year Ended December 31, Change 2024 2023 $ % (in thousands, except percentages) General and administrative $ 68,738 $ 61,741 $ 6,997 11 % General and administrative expenses increased by $7.0 million in 2024 compared to 2023, primarily due to an increase in personnel costs, including stock-based compensation, of $6.3 million, driven by increased headcount, annual merit increases and refresh grants to eligible employees and executives, and an increase in subscribed software costs and other expenses of $0.7 million.

Critical Accounting Estimates The preparation of our consolidated financial statements in accordance with U.S. GAAP requires us to make estimates and assumptions that affect the reported amounts of assets, liabilities, revenues, expenses and related disclosures.

GAAP requires us to make estimates and assumptions that affect the reported amounts of assets, liabilities, revenues, expenses and related disclosures.

Research and Development Expenses Year Ended December 31, Change 2023 2022 $ % (in thousands, except percentages) Research and development $ 110,472 $ 101,186 $ 9,286 9 % Research and development expenses increased by $9.3 million in 2023 compared to 2022, due to an increase in personnel costs, including stock-based compensation, of $11.4 million, driven by increased headcount, annual merit increases for eligible employees and refresh grants to eligible employees, partially offset by a decrease in professional service expense of $1.2 million, and a decrease in depreciation and amortization expense in property and equipment of $0.9 million. 46 Table of Contents Sales and Marketing Expenses Year Ended December 31, Change 2023 2022 $ % (in thousands, except percentages) Sales and marketing $ 111,691 $ 97,221 $ 14,470 15 % Sales and marketing expenses increased by $14.5 million in 2023 compared to 2022, due to an increase in personnel costs, including stock-based compensation, of $13.6 million, driven by increased headcount, an increase in travel and entertainment cost of $1.5 million associated with increased in-person sales meetings and marketing events, and an increase in subscribed license and software costs of $0.7 million, partially offset by a decrease in professional service expense of $1.3 million.

Research and Development Expenses Year Ended December 31, Change 2024 2023 $ % (in thousands, except percentages) Research and development $ 111,852 $ 110,472 $ 1,380 1 % Research and development expenses increased by $1.4 million in 2024 compared to 2023, primarily due to an increase in personnel costs, including stock-based compensation, of $2.8 million, driven by increased headcount, partially offset by a decrease in depreciation and amortization expense in property and equipment of $0.8 million, and a decrease in overhead allocation of $0.6 million. 45 Table of Contents Sales and Marketing Expenses Year Ended December 31, Change 2024 2023 $ % (in thousands, except percentages) Sales and marketing $ 128,303 $ 111,691 $ 16,612 15 % Sales and marketing expenses increased by $16.6 million in 2024 compared to 2023, primarily due to an increase in personnel costs, including stock-based compensation, of $12.9 million, driven by increased headcount, an increase in travel and entertainment cost of $1.8 million, an increase in marketing expenses related to trade shows of $0.7 million, an increase in overhead allocation of $0.7 million, and an increase in subscribed license and software costs of $0.5 million.

Investing Activities In 2023, we used $64.4 million of cash for purchases of marketable securities net of sales and maturities, and used $8.8 million of cash in capital expenditures mainly related to computer equipment to support our growth and development, as compared to $169.0 million of cash generated from net sales and maturities of our marketable securities, $15.4 million of cash used in capital expenditures mainly related to computer equipment to support our growth and development and $8.6 million of cash used to acquire certain technology assets in 2022.

Investing Activities In 2024, we used $59.1 million of cash for purchases of marketable securities net of sales and maturities, and used $12.3 million of cash in capital expenditures mainly related to computer equipment to support our growth and development and leasehold improvement for expansion of our office spaces and shared cloud platform facilities, as compared to the use of $64.4 million of cash for purchases of marketable securities net of sales and maturities, and the use of $8.8 million of cash in capital expenditures mainly related to computer equipment to support our growth and development in 2023.

In addition, we also generated $21.7 million of cash from working capital change in 2022, of which $11.8 million was related to a net increase in deferred revenue and accounts receivable as a result of our continued growth in billing and the timing of collections, and $9.9 million was due to lower prepaid expenses and an increase in payables and accrued liabilities primarily due to timing of payments.

In addition, we also generated $0.2 million of cash from working capital change in 2024, of which $11.7 million was related to the 48 Table of Contents increases in accounts receivable and deferred revenue due to the timing of collections and growth in billings, a $3.2 million increase in payables and accrued liabilities driven by the timing of payment, partially offset by a $14.7 million increase in prepaid expenses.

Other expenses include third-party contractor fees, software and license fees, amortization of intangibles related to acquisitions and overhead allocations. We expect to continue to devote resources to research and development in an effort to continuously improve our existing solutions as well as develop new solutions and capabilities and expect that research and development expenses will increase in absolute dollars.

We expect to continue to devote resources to research and development in an effort to continuously improve our existing solutions as well as develop new solutions and capabilities, which in turn, is expected to increase the research and development expenses in absolute dollars.

Shares will be repurchased from time to time in the open market in accordance with Rule 10b-18 of the Exchange Act of 1934, including pursuant to a pre-set trading plan adopted in accordance with Rule 10b5-1 under the Exchange Act. 50 Table of Contents On February 7, 2024, we announced that our Board of Directors authorized an additional $200.0 million under the share repurchase program, increasing the total amount of authorized repurchase to $1.2 billion.

Shares will be repurchased from time to time in privately negotiated transactions or on the open market in accordance with Rule 10b-18 of the Exchange Act of 1934, including pursuant to a pre-set trading plan adopted in accordance with Rule 10b5-1 under the Exchange Act.

We expect to continue to expand our shared cloud platform infrastructures and hire additional employees to support our operations, which will increase the cost of revenues in absolute dollars. Operating Expenses Research and Development Research and development expenses consist primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and stock-based compensation, for our research and development teams.

We expect to continue to expand our shared cloud platform infrastructures and invest in our customer support and operations teams to support our customers and operations, which in turn, is expected to increase the cost of revenues in absolute dollars.

Removed

If additional positive evidence becomes available in the foreseeable future, we may release all or a portion of the valuation allowance. The exact timing and amount of the valuation allowance release is subject to change based on the level of profitability achieved in future periods.

Added

Operating Expenses Research and Development Research and development expenses consist primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and stock-based compensation, for our research and development teams. Other expenses include third-party contractor fees, software and license fees, amortization of intangibles related to acquisitions and overhead allocations.

Removed

Additionally, on September 8, 2023, the IRS issued interim guidance on the capitalization and amortization of research and development expenses. A cumulative tax benefit applicable to prior periods for the rule change and the guidance was recorded in 2023, which reduced the effective tax rate in 2023 compared to 2022.

Added

The increase in tax expense was partially offset by an increase in foreign derived intangible income benefit, an increase in research and development tax credits, and the recognition of an income tax benefit related to uncertain tax positions due to statute lapse.

Removed

On December 11, 2023, the IRS extended the temporary relief for U.S. Federal foreign tax credit until further guidance, which is expected to provide similar tax benefits in future tax years.

Added

For the year ended December 31, 2024 , our income tax provision included a benefit of $2.5 million related to an increase in foreign derived intangible income benefit and research and development tax credits associated with our U.S. income tax return filed during the year.

Removed

Income tax provision increased by $1.3 million in 2023 compared to 2022, primarily due to an increase in pretax income and a decrease in excess tax benefits arising from stock-based compensation compared to the same period in 2022.

Added

On February 6, 2025, we announced that our board of directors authorized an additional $200.0 million under the share repurchase program, increasing the total amount of authorized repurchase to $1.4 billion. Critical Accounting Estimates The preparation of our consolidated financial statements in accordance with U.S.

Removed

The increase was partially offset by higher foreign tax credits and lower net capitalization of research and development expenses for tax purposes than previously estimated, reflecting the rule change and the guidance.

Removed

Adjusted EBITDA has limitations as an analytical tool and should not be considered in isolation from or as a substitute for the measures presented in accordance with U.S. GAAP.

Item 7A. Quantitative and Qualitative Disclosures About Market Risk

Market Risk — interest-rate, FX, commodity exposure

4 edited+1 added−0 removed4 unchanged

2023 filing

2024 filing

Biggest changeTo reduce certain of these risks, we monitor the financial condition of our large customers and limit credit exposure by collecting subscription fees in advance. 51 Table of Contents Foreign Currency Risk Our results of operations and cash flows have been and will continue to be subject to fluctuations because of changes in foreign currency exchange rates, particularly changes in exchange rates between the U.S.

Biggest changeForeign Currency Risk Our results of operations and cash flows have been and will continue to be subject to fluctuations because of changes in foreign currency exchange rates, particularly changes in exchange rates between the U.S.

With our hedging strategy applied, the effect of an immediate 10% adverse change in foreign exchange rates would not be material to our financial condition, operating results or cash flows. Interest Rate Sensitivity We had $482.2 million in cash, cash equivalents and short-term and long-term marketable securities as of December 31, 2023.

With our hedging strategy applied, the effect of an immediate 10% adverse change in foreign exchange rates would not be material to our financial condition, operating results or cash flows. Interest Rate Sensitivity We had $575.3 million in cash, cash equivalents and short-term and long-term marketable securities as of December 31, 2024.

As of December 31, 2023, a hypothetical 100 basis point increase in interest rate would result in a decrease in the fair value of our marketable securities by $1.4 million. 52 Table of Contents

As of December 31, 2024, a hypothetical 100 basis point increase in interest rate would not result in a material decrease in the fair value of our marketable securities . 51 Table of Contents

As of December 31, 2023, we had designated cash flow hedge forward contracts with notional amounts of €48.5 million , £14.6 million and Rs. 4,042.0 million and non-designated forward contracts with notional amounts of €19.2 million , £6.0 million , Rs. 440.0 million and C $1.0 million.

As of December 31, 2024, we had designated cash flow hedge forward contracts with notional amounts of €51.4 million , £20.3 million and Rs. 4,381.0 million and non-designated forward contracts with notional amounts of €27.0 million , £8.0 million , Rs. 1,252.0 50 Table of Contents million and C $1.0 million.

Added

To reduce certain of these risks, we monitor the financial condition of our large customers and limit credit exposure by collecting subscription fees in advance.

Top changes in QUALYS, INC.'s 2024 10-K

Item 1. Business

Item 1A. Risk Factors

Item 1C. Cybersecurity

Item 2. Properties

Item 3. Legal Proceedings

Item 5. Market for Registrant's Common Equity

Item 7. Management's Discussion & Analysis

Item 7A. Quantitative and Qualitative Disclosures About Market Risk

Other QLYS 10-K year-over-year comparisons