10q10k10q10k.net

What changed in QUALYS, INC.'s 10-K: 2024 vs 2025

Paragraph-level year-over-year comparison of QUALYS, INC.'s 2024 and 2025 10-K annual filings, covering the Business, Risk Factors, Legal Proceedings, Cybersecurity, MD&A and Market Risk sections. Every new, removed and edited paragraph is highlighted side-by-side so you can see exactly what management changed in the 2025 report.

+222 added · 211 removed · Source: 10-K (2026-02-20) vs 10-K (2025-02-21)

Top changes in QUALYS, INC.'s 2025 10-K

222 paragraphs added · 211 removed · 194 edited across 8 sections

Item 1. Business

Business — how the company describes what it does

49 edited · +8 added · 4 removed · 95 unchanged
Biggest change: We compete with a large and broad array of established and emerging vulnerability management vendors, compliance vendors and data security vendors in a highly fragmented and competitive environment. We compete with large and small public companies, such as CrowdStrike, Palo Alto Networks, Rapid7, and Tenable Holdings, as well as privately held security providers including Invicti, Tanium, and Wiz.
Biggest change: We compete with large and small public companies, such as CrowdStrike, Palo Alto Networks, Rapid7, and Tenable Holdings, as well as privately held security providers including Invicti, Tanium, and Wiz (which has announced a pending acquisition by Google). We also seek to replace IT, security and compliance solutions that organizations have developed internally.
Organizations use our integrated suite of solutions to cost-effectively obtain a unified view of their internal and external IT and OT asset inventory as well as security and compliance posture across globally-distributed IT infrastructures as our solution offers a single platform for information technology, information security, application security, endpoint, developer security and cloud teams.
Organizations use our integrated suite of solutions to cost-effectively obtain a unified view of their internal and external IT and OT asset inventory as well as security and compliance posture across globally-distributed IT infrastructures as our solution offers a single platform for IT, information security, application security, endpoint, developer security and cloud teams.
Patch Management is a component of Qualys' TruRisk Eliminate suite of remediation solutions. TruRusk Eliminate encompasses a broad range of remediation capabilities for organizations when patches are not yet available or feasible to deploy.
Patch Management is a component of Qualys' TruRisk Eliminate suite of remediation solutions. TruRisk Eliminate encompasses a broad range of remediation capabilities for organizations when patches are not yet available or feasible to deploy.
The TruRisk component allows for a unified risk view, correlating vulnerabilities, security controls, and compliance across resources to prioritize and reduce cyber risks effectively. For real-time defense, TotalCloud's InstaProtect continuously monitors all cloud assets to detect and protect against evolving and unknown threats. Remediation is streamlined through our QFlow technology, which provides no-code, drag-and-drop workflows for efficient vulnerability management.
The TruRisk component allows for a unified risk view, correlating vulnerabilities, security controls, and compliance across resources to prioritize and reduce cyber risks effectively. For real-time defense, TC's InstaProtect continuously monitors all cloud assets to detect and protect against evolving and unknown threats. Remediation is streamlined through our QFlow technology, which provides no-code, drag-and-drop workflows for efficient vulnerability management.
FIM collects the critical details needed to quickly identify changes and root out activity that violates policy or is potentially malicious. FIM helps customers to comply with change control policy enforcement and change monitoring requirements. Cloud Security Qualys TotalCloud is a Cloud-Native Application Protection Platform (CNAPP), which provides an integrated suite of security capabilities designed for multi-cloud environments.
FIM collects the critical details needed to quickly identify changes and root out activity that violates policy or is potentially malicious. FIM helps customers to comply with change control policy enforcement and change monitoring requirements. Cloud Security TotalCloud (TC): TC is a Cloud-Native Application Protection Platform (CNAPP), which provides an integrated suite of security capabilities designed for multi-cloud environments.
It provides complete visibility and cyber-risk exposure assessment across cloud assets, enabling continuous discovery and monitoring of the cloud landscape to identify risks and maintain compliance. With its FlexScan technology, TotalCloud offers comprehensive assessment features that include no-touch, agentless, API, and snapshot-based scanning, along with agent and network-based scanning for thorough vulnerability detection.
It provides complete visibility and cyber-risk exposure assessment across cloud assets, enabling continuous discovery and monitoring of the cloud landscape to identify risks and maintain compliance. With its FlexScan technology, TC offers comprehensive assessment features that include no-touch, agentless, API, and snapshot-based scanning, along with agent and network-based scanning for thorough vulnerability detection.
Our Customers We market and sell our solutions to enterprises, government entities and small and medium-sized businesses across a broad range of industries, including education, financial services, government, healthcare, insurance, manufacturing, media, retail, technology and utilities. As of December 31, 2024, we had over 10,000 customers worldwide, including a majority of the Forbes Global 100.
Our Customers We market and sell our solutions to enterprises, government entities and small and medium-sized businesses across a broad range of industries, including education, financial services, government, healthcare, insurance, manufacturing, media, retail, technology and utilities. As of December 31, 2025, we had over 10,000 customers worldwide, including a majority of the Forbes Global 100.
We strive to consistently improve how we operate our platforms in energy-efficient networks and data centers as well as pursue sustainability initiatives that reduce energy, waste and materials consumption. We have 14 multi-tenant platforms across the world, six of which are in collocated facilities. The others are hosted in public cloud environments.
We strive to consistently improve how we operate our platforms in energy-efficient networks and data centers as well as pursue sustainability initiatives that reduce energy, waste and materials consumption. We have 15 multi-tenant platforms across the world, six of which are in collocated facilities. The others are hosted in public cloud environments.
It continuously gathers and uploads telemetry about installed software, open vulnerabilities and missing patches to our cloud platform. The resulting shared visibility of assets and their posture enables IT and security teams to collaborate using common vulnerability-centric terminology and provides a consistent data set to analyze, prioritize, deploy and verify patches more efficiently.
It continuously gathers and uploads telemetry about installed software, open vulnerabilities and missing patches to our cloud platform. The resulting shared visibility of assets and their posture enables IT and security teams to collaborate using common vulnerability-centric terminology and provides a consistent data set to analyze, prioritize, deploy and verify patches more efficiently.
The PCP is a standalone version of our multi-layer, multi-tenant services architecture and is a fully integrated turnkey solution, making it more scalable, cost effective and faster to deploy within a customer's shared cloud platform. Solutions delivered through our PCP are typically on the same subscription basis as solutions delivered through our shared platform.
The PCP is a standalone version of our multi-layer, multi-tenant services architecture and is a fully integrated turnkey solution, making it more scalable, cost effective and faster to deploy within a customer's shared cloud platform. Solutions delivered through our PCP are typically on the same subscription basis as solutions delivered through our shared platform.
We sell our solutions to enterprises and government entities primarily through our field sales force and to small and medium-sized businesses through our inside sales force. We generate a significant portion of sales through our channel partners, including managed security service providers, value-added resellers and consulting firms in the United States and internationally.
We sell our solutions to enterprises and government entities primarily through our field sales force and to small and medium-sized businesses through our inside sales force. We generate a significant portion of sales through our channel partners, including managed security service providers, value-added resellers and consulting firms in the United States and internationally.
As part of its ongoing review of the performance criteria and compensation of designated key executives, the Compensation and Talent Committee also meets annually with the CEO, our principal human resources executive, and any other corporate officers as it deems appropriate. Supporting our Team and Community Talent Development and Safety.
As part of its ongoing review of the performance criteria and compensation of designated key executives, the Compensation and Talent Committee also meets annually with the CEO, our principal human resources executive, and any other corporate officers as it deems appropriate. Supporting our Team and Community Talent Development and Safety.
Qualys products, delivered via our multi-tenant cloud platform, enable improved environmental sustainability for our customers. In particular, our cloud-based solutions minimize the number of physical servers our customers have to deploy within their own environments, reducing energy consumption on their end.
Qualys products, delivered via our multi-tenant cloud platform, enable improved environmental sustainability for our customers. In particular, our cloud-based solutions minimize the number of physical servers our customers have to deploy within their own environments, reducing energy consumption on their end.
We intend to continue to make significant investments in research and development to extend our cloud platform’s functionality by developing new security solutions and capabilities and further enhancing our existing suite of solutions. Expand the use of our suite of solutions by our large and diverse customer base.
We intend to continue to make significant investments in research and development to extend our cloud platform’s functionality by developing new security solutions and capabilities and further enhancing our existing suite of solutions. Expand the use of our suite of solutions by our large and diverse customer base.
We conduct our research and development in the United States, France and India, which gives us access to some of the best research and engineering talent in the world. Our focus remains to attract engineering talent as we continue to add new solutions and improve existing ones.
We conduct our research and development in the United States, France and India, which gives us access to some of the best research and engineering talent in the world. Our focus remains to attract engineering talent as we continue to add new solutions and improve existing ones.
In each of 2024, 2023 and 2022, no one customer accounted for more than 10% of our revenues. In 2024, 2023 and 2022, 58%, 60% and 60%, respectively, of our revenues were derived from customers in the United States based on our customers' billing addresses.
In each of 2025, 2024 and 2023, no one customer accounted for more than 10% of our revenues. In 2025, 2024 and 2023, 56%, 58% and 60%, respectively, of our revenues were derived from customers in the United States based on our customers' billing addresses.
WAS' powerful API enables integration with other systems and allows teams to detect issues within DevOps environments early in the application development process. Bundled malware detection capability with WAS uses reputational, behavioral, antivirus, and heuristic analyses to identify and alert on malware infecting a user's websites.
TAS' powerful API enables integration with other systems and allows teams to detect issues within DevOps environments early in the application development process. Bundled malware detection capability with TAS uses reputational, behavioral, antivirus, and heuristic analyses to identify and alert on malware infecting a user's websites.
At the end of the subscription term, the channel partner engages with the customer to execute a renewal order, with our sales team providing assistance as required. In 2024, 2023 and 2022, 46%, 43% and 42%, respectively, of our revenues were generated by channel partners.
At the end of the subscription term, the channel partner engages with the customer to execute a renewal order, with our sales team providing assistance as required. In 2025, 2024 and 2023, 49%, 46% and 43%, respectively, of our revenues were generated by channel partners.
By integrating WAS with manual testing tools and bug bounty solutions, customers can build a comprehensive web application vulnerability testing program. Risk Remediation Patch Management (PM): PM provides automated patch deployment capabilities for Windows, Linux, Mac and third party software by correlating vulnerabilities and the right set of remediation including patches and configuration fixes.
By integrating TAS with manual testing tools and bug bounty solutions, customers can build a comprehensive application security testing program. Risk Remediation Patch Management (PM): PM provides automated patch deployment capabilities for Windows, Linux, Mac and third party software by correlating vulnerabilities and the right set of remediation including patches and configuration fixes.
When a channel partner secures a sale, we sell the associated subscription to the channel partner who in turn resells the subscription to the customer, with the channel partner retaining the margin between the price they purchase from us and the price they sell to the end user.
When a channel partner secures a sale, we sell the associated subscription to the channel partner who in turn resells the subscription to the customer, with the channel partner retaining the margin between the price they purchase from us and the price they sell to the end user.
Additionally, copies of materials filed by us with the SEC may be accessed at the SEC's website, www.sec.gov.
Additionally, copies of materials filed by us with the SEC may be accessed at the SEC's website, www.sec.gov.
TotalCloud provides organizations with an all-encompassing solution, delivering fast, agentless, real-time security and compliance across a variety of use cases, including Cloud Workload Protection (CWP), Cloud Detection and Response (CDR), Cloud Security Posture Management (CSPM), Infrastructure as Code (IaC), SaaS Security Posture Management (SSPM), and Kubernetes and Container Security (KCS) to offer organizations a single unified solution for comprehensively securing their cloud and multi-cloud environments.
TC provides organizations with an all-encompassing solution, delivering fast, agentless, real-time security and compliance across a variety of use cases, including Cloud Workload Protection (CWP), Cloud Detection and Response (CDR), Cloud Security Posture Management (CSPM), Infrastructure as Code (IaC), SaaS Security Posture Management (SSPM), Cloud Infrastructure and Entitlement Management (CIEM), and Kubernetes and Container Security (KCS) to offer organizations a single unified solution for comprehensively securing their cloud and hybrid-cloud environments.
As of December 31, 2024, we have 42 issued patents, which expire from 2029 to 2042, several pending U.S. patent applications and an exclusive license to four U.S. patents.
As of December 31, 2025, we have 52 issued patents, which expire from 2029 to 2044, several pending U.S. patent applications and an exclusive license to four U.S. patents.
Web Application Scanning (WAS): WAS continuously discovers and catalogs web applications including new and unknown ones and detects vulnerabilities and misconfigurations in web apps and APIs. Scaling to thousands of scans, it conducts incisive, thorough and precise testing of browser-based web apps, mobile app backends, and Internet of things (IoT) services.
Total Application Security (TotalAppSec, TAS): TAS continuously discovers and catalogs web applications and APIs including new and unknown ones and detects vulnerabilities and misconfigurations in web apps and APIs. Scaling to thousands of scans, it conducts incisive, thorough and precise testing of browser-based web apps, mobile app backends, and APIs.
We also seek to replace IT, security and compliance solutions that organizations have developed internally. As we continue to extend our cloud platform’s functionality by further developing IT, security and compliance solutions, such as Cybersecurity Asset Management and Patch Management, we expect to face additional competition in these new markets.
As we continue to extend our cloud platform’s functionality by further developing IT, security and compliance solutions, such as Cybersecurity Asset Management, Patch Management, and Enterprise TruRisk Management, we expect to face additional competition in these new markets.
We have a number of registered and unregistered trademarks. We require our employees, consultants and other third parties to enter into confidentiality and proprietary rights agreements and control access to software, documentation and other proprietary information.
We require our employees, consultants and other third parties to enter into confidentiality and proprietary rights agreements and control access to software, documentation and other proprietary information.
Our core services include: Asset Tagging and Management. Enables customers to easily identify, categorize and manage large numbers of assets in highly dynamic IT and OT environments and automates the process of inventory management and hierarchical organization of all internal and external assets.
Our cloud platform’s powerful Elasticsearch clusters enable customers to instantly find detailed data on any asset. Our core services include: Asset Tagging and Management. Enables customers to easily identify, categorize and manage large numbers of assets in highly dynamic IT and OT environments and automates the process of inventory management and hierarchical organization of all internal and external assets.
We expect that software and other solutions in our industry may be subject to third-party infringement claims as the number of competitors grows and the functionality of products in different industry segments overlaps. Any of these third parties might make a claim of infringement against us at any time.
We expect that software and other solutions in our industry may be subject to third-party infringement claims as the number of competitors grows and the functionality of products in different industry segments overlaps.
Our revenues increased to $607.6 million in 2024 from $554.5 million in 2023 and $489.7 million in 2022.
Our revenues increased to $669.1 million in 2025 from $607.6 million in 2024 and $554.5 million in 2023.
Human Capital Resources We take a holistic approach to our human capital management strategy, striving to create a culture where talented people want to come to work, develop their careers, become leaders, and make a difference for all our stakeholders and communities.
Any of these third parties might make a claim of infringement against us at any time. Human Capital Resources We take a holistic approach to our human capital management strategy, striving to create a culture where talented people want to come to work, develop their careers, become leaders, and make a difference for all our stakeholders and communities.
As of December 31, 2024, we had 2,400 full-time employees, including 1,144 in research and development, 474 in sales and marketing, 554 in operations and customer support, and 228 in general and administrative. As of December 31, 2024, approximately 77% of our employees were located outside of the United States, with 68% of our employees located in India.
As of December 31, 2025, we had 2,625 full-time employees, including 1,262 in research and development, 524 in sales and marketing, 592 in operations and customer support, and 247 in general and administrative. As of December 31, 2025, approximately 78% of our employees were located outside of the United States, with 70% of our employees located in India.
EDR unifies different context vectors like asset discovery, rich normalized software inventory, end-of-life visibility, vulnerabilities and exploits, misconfigurations, in-depth endpoint telemetry, and network reachability with a powerful backend to correlate it all for accurate assessment, detection and response.
EDR unifies different context vectors like asset discovery, rich normalized software inventory, end-of-life visibility, vulnerabilities and exploits, misconfigurations, in-depth endpoint telemetry, and network reachability with a powerful backend to correlate it all for accurate assessment, detection and response. Compliance Policy Audit (PA): PA automates security configuration assessments across IT systems spanning on-premises, cloud, and hybrid environments.
Our employees participated in environmental initiatives such as World Environment Day that encourage awareness and action for the protection of the environment, in addition to taking part in local clean-up activities across the world. Training and Development Employee Training. We require our employees and managers to participate in myriad training programs directed at maintaining a harassment-free, diverse, and secure workplace.
Our employees further participated in environmental initiatives such as World Environment Day that encourage awareness and action for the protection of the environment, in addition to taking part in local clean-up activities across the world. Training and Development Employee Training.
The technology underlying our cloud infrastructure enables us to ingest, process, analyze and store a high volume of sensor data coming from our agents, scanners and passive analyzers, and correlate information at very high speeds in a distributed manner for millions of devices.
The technology underlying our cloud infrastructure enables us to ingest, process, analyze and store a high volume of sensor data coming from our agents, scanners and passive analyzers, and correlate information at very high speeds in a distributed manner for millions of devices. Our cloud platform is delivered to our customers via our 15 global shared cloud platforms, or via our private platform offering, Qualys Private Cloud Platform (PCP), for customers or partners that want the platform to reside within the customer's shared cloud platform.
We assist employees in achieving their career goals by helping them improve their skillsets and transition to increasingly challenging roles. Diversity and Inclusion. We are proud to be a leader in the promotion and practice of diversity and inclusion. We take pride in our cultural diversity with offices and employees all over the world.
We assist employees in achieving their career goals by helping them improve their skillsets and transition to increasingly challenging roles. Diversity and Inclusion. We take pride in our cultural diversity with offices and employees all over the world. Our objective is to continue to improve our hiring, development, advancement, and retention of diverse talent and to foster an inclusive environment.
Competition The expanding capabilities of our IT, security and compliance solutions have enabled us to address a growing array of opportunities in the cloud IT, security and compliance market.
Competition The expanding capabilities of our IT, security and compliance solutions have enabled us to address a growing array of opportunities in the cloud IT, security and compliance market. We compete with a large and broad array of established and emerging vulnerability management vendors, compliance vendors and data security vendors in a highly fragmented and competitive environment.
Our objective is to continue to improve our hiring, development, advancement, and retention of diverse talent and to foster an inclusive environment. In addition to having more than 50% of the executive team from underrepresented communities, we are also continuing to improve diversity among our growing workforce, with over half of our US-based employees from underrepresented communities.
In addition to having more than 50% of the executive team from underrepresented communities, we are also continuing to improve diversity among our growing workforce, with over half of our US-based employees from underrepresented communities. Qualys searches the globe for top talent in an effort to recruit and hire diverse individuals with a variety of skills, experiences, and backgrounds.
We believe that our applications are easy to use and provide our customers with a high level of control because our applications are part of one platform, share a common user interface, utilize the same scanners and agents, access the same collected data, and leverage the same user permissions. Our customers can subscribe to one or more of our 20+ Cloud Apps based on their initial needs and expand their subscriptions over time to new areas within their organization or to additional Qualys solutions to develop a more complete understanding of their respective environment's IT, security and compliance posture and remediate cybersecurity risk.
Our customers can subscribe to one or more of our 20+ Cloud Apps based on their initial needs and expand their subscriptions over time to new areas within their organization or to additional Qualys solutions to develop a more complete understanding of their respective environment's IT, security and compliance posture and remediate cybersecurity risk.
Our interactive, dynamic dashboards and cloud platform allow our customers to aggregate and correlate all of their IT, security and compliance data in one place, drill down into details, and generate reports customized for different audiences. Our cloud platform’s powerful Elasticsearch clusters enable customers to instantly find detailed data on any asset.
Our core services constitute dynamic and customizable dashboards and centrally managed, self-updating integrated Cloud Apps, through a natively integrated unified platform. Our interactive, dynamic dashboards and cloud platform allow our customers to aggregate and correlate all of their IT, security and compliance data in one place, drill down into details, and generate reports customized for different audiences.
CSAM includes External Attack Surface Management (EASM), which allows discovery of internet facing unknown assets. Vulnerability and Configuration Management Vulnerability Management, Detection and Response (VMDR): VMDR enables organizations to automatically discover every asset in their environment, including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets.
These capabilities provide organizations with a vendor-agnostic solution to holistically centralize their response to cyber risk. Vulnerability and Configuration Management Vulnerability Management, Detection and Response (VMDR): VMDR enables organizations to automatically discover every asset in their environment, including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets.
Qualys searches the globe for top talent in an effort to recruit and hire diverse individuals with a variety of skills, experiences, and backgrounds. Our company holiday calendar includes events and festivals from many regions and religions, and we include diverse cultural initiatives throughout the year. Promoting a Healthy Work-life Balance.
Our company holiday calendar includes events and festivals from many regions and religions, and we include diverse cultural initiatives throughout the year. Promoting a Healthy Work-life Balance. Qualys aims to maintain a healthy work-life balance and provide resources to support our employees’ well-being.
We may explore acquisitions that are complementary to and can expand the functionality of our cloud platform. We may also seek to acquire development teams to supplement our own personnel and acquire technology to increase the breadth of our cloud-based IT, security and compliance solutions.
We may explore acquisitions that are complementary to and can expand the functionality of our cloud platform.
Qualys aims to maintain a healthy work-life balance and provide resources to support our employees’ mental and physical well-being. During 2022, our workforce gradually transitioned into a hybrid work schedule, which resulted in a significant portion of our workforce working either in-person on a part-time basis, or remotely on a permanent basis.
During 2022, our workforce gradually transitioned into a hybrid work schedule, which resulted in a significant portion of our workforce working either in-person on a part-time basis, or remotely. During 2025, we continued to offer this hybrid work schedule to our workforce. Our top priority remains providing support for our employees, partners, and customers. Community Engagement.
In 2022, we acquired certain intangible assets of Blue Hexagon Inc., enabling us to leverage our cloud platform with deep learning AI and machine learning (ML) technologies to uncover behavior patterns including active vulnerability exploitation, identification of advanced network threats, and adaptive risk mitigation across all assets and applications.
We may also seek to acquire development teams to supplement our own personnel and acquire technology to increase the breadth of our cloud-based IT, security and compliance solutions, deep learning AI, and machine learning (ML) technologies to uncover behavior patterns including active vulnerability exploitation, identification of advanced network threats, and adaptive risk mitigation across all assets and applications.
The licenses are currently exclusive and will remain exclusive so long as we make an appropriately-timed written election and pay an annual fixed royalty for ten years thereafter. These exclusive licenses are subject to the licensor’s reservation of certain rights in the patents and subject to the U.S. government’s reserved rights in the technology.
These exclusive licenses are subject to the licensor’s reservation of certain rights in the patents and subject to the U.S. government’s reserved rights in the technology. We have a number of registered and unregistered trademarks.
PC works to prioritize and track remediation and exceptions, while demonstrating a repeatable auditable process for compliance management File Integrity Monitoring (FIM): FIM logs and centrally tracks file change events on common enterprise operating systems in organizations of all sizes.
By leveraging industry-recommended best practices and a repeatable, auditable process, Qualys’ PA empowers organizations to reduce risk, automate compliance assessments, and ensure adherence to both internal policies and external regulations. File Integrity Monitoring (FIM): FIM logs and centrally tracks file change events on common enterprise operating systems in organizations of all sizes.
This virtualized PCP allows us to extend our security and compliance solutions without the complexity and cost associated with deploying traditional enterprise software.
This virtualized PCP allows us to extend our security and compliance solutions without the complexity and cost associated with deploying traditional enterprise software. Qualys Core Services Our core services enable customers to detect vulnerabilities, measure and remediate cyber risk through integrated workflows, and deliver real-time analysis and reporting across on-premises environments, network perimeters, endpoints, and cloud deployments.
During 2024, we continued to offer this hybrid work schedule to our workforce. Our top priority remains providing support for our employees, partners, and customers. Community Engagement. We value the communities that support our operations and have several company and employee-led initiatives to support the communities in which we operate.
We value the communities that support our operations and have several company and employee-led initiatives to support the communities in which we operate. In 2025, our efforts were centered on advancing education, technology, local communities, and environmental initiatives.
In 2024, our efforts were centered on advancing education, technology, local communities, and environmental initiatives. For example, we provided scholarships for women in Science, Technology, Engineering, and Mathematics (STEM), partnered with nonprofit organizations to provide back-to-school backpacks to underserved youth in our community, and donated to food drives and holiday fundraisers to support local families in need, among other initiatives.
For example, we provided training, mobility solutions, and job placements for people with disabilities, established a Clinic on Wheels program and brought doctors, medicines, and essential care to areas where access is limited, partnered with nonprofit organizations to provide back-to-school backpacks and computer cyber labs to educate youth in our community, supported by a coursework developed by our own employees, and donated to food drives and holiday fundraisers to support local families in need, among other initiatives.
Removed
Our cloud platform is delivered to our customers via our 14 global shared cloud platforms, or via our private platform offering, Qualys Private Cloud Platform (PCP), for customers or partners that want the platform to reside within the customer's shared cloud platform.
Added
Qualys' TruRisk scoring capabilities are embedded in many of our Cloud Apps, providing our customers with a quantitative metric of risk to help prioritize cybersecurity threats based on a combination of severity, exploitability, asset criticality, threat intelligence, and business context.
Removed
Qualys Core Services Our core services enable our customers to detect vulnerabilities, measure and remediate cyber risk through integrated workflows, management and real-time analysis and reporting inside their organizations, on the perimeter, on endpoints or in the cloud. Our core services constitute dynamic and customizable dashboards and centrally managed, self-updating integrated Cloud Apps, through a natively integrated unified platform.
Added
We believe that our applications are easy to use and provide our customers with a high level of control because our applications are part of one platform, share a common user interface, utilize the same scanners and agent, access the same collected data, and leverage the same user permissions.
Removed
Compliance Policy Compliance (PC): PC performs automated security configuration assessments on IT systems throughout a network, helping to reduce risk and continuously ensure compliance with internal policies and external regulations. PC leverages out-of-the-box library content to fast-track compliance assessments using industry-recommended best practices. PC also provides a centralized, interactive console for specifying baseline standards for different hosts.
Added
CSAM includes External Attack Surface Management (EASM), which allows discovery of internet facing unknown assets. Enterprise TruRisk Management (ETM): ETM provides a unified view of cyber risk across an organization’s entire attack surface, including on-premises infrastructure, cloud environments, and applications, through a consolidated inventory of assets.
Removed
By automating requirement evaluation against multiple standards for operating systems, network devices, databases and server applications, PC enables the quick identification of security issues and works to prevent configuration drift.
Added
The solution ingests and analyzes security telemetry from Qualys and third-party sensors, applying normalization, deduplication, and correlation of threat signals across more than 25 threat intelligence feeds to enhance risk severity and exploitability assessment.
Added
Leveraging the Qualys TruRisk score, ETM incorporates configurable business and risk parameters to quantify cyber risk in financial terms specific to an organization’s risk tolerance, supporting risk-based prioritization and decision-making. ETM further enables automated remediation through policy-based response rules and AI-driven workflows that integrate with Qualys’ TruRisk Eliminate solutions, IT service management platforms, and other third-party systems.
Added
PA provides real-time visibility into compliance status and helps prevent configuration drift by continuously monitoring against multiple standards for operating systems, network devices, databases, and server applications. PA includes a robust library of 900+ pre-built policies, 20,000 controls, and 350 supported technologies, covering over 90 regulations and frameworks such as PCI DSS, HIPAA, SOX, and NIST.
Added
With built-in CIS 18 management and actionable remediation guidance, Qualys’ PA solution simplifies compliance by enabling organizations to identify security issues, prioritize fixes, and track exceptions from a single, unified workflow.
Added
We require our employees and managers to participate in myriad training programs directed at maintaining a harassment-free, diverse, and secure workplace.

Item 1A. Risk Factors

Risk Factors — what could go wrong, per management

88 edited · 13 added · 9 removed · 248 unchanged
Biggest change: Although we maintain insurance coverage that may be applicable to certain liabilities in connection with these matters, we cannot be certain that our insurance coverage will be adequate for liabilities that actually are incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material and adverse effect on our business, including our financial condition, operating results and reputation.
Biggest change: Although we maintain insurance coverage that may be applicable to certain liabilities in connection with these matters, we cannot be certain that our insurance coverage will be adequate for liabilities that actually are incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim.
Therefore, we are subject to risks associated with having international sales and worldwide operations, including: foreign currency exchange fluctuations; trade and foreign exchange restrictions; economic or political instability in foreign markets; greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods; changes in regulatory requirements; tax laws (including U.S. taxes on foreign subsidiaries); difficulties and costs of staffing and managing foreign operations; the uncertainty and limitation of protection for intellectual property rights in some countries; costs of compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations; costs of complying with U.S. laws and regulations for foreign operations, including the Foreign Corrupt Practices Act, import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell our solutions in certain foreign markets, and the risks and costs of non-compliance; heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements; the potential for political unrest, acts of terrorism, hostilities or war; management communication and integration problems resulting from cultural differences and geographic dispersion; and multiple and possibly overlapping tax structures.
Therefore, we are subject to risks associated with having international sales and worldwide operations, including: foreign currency exchange fluctuations; trade and foreign exchange restrictions; economic or political instability in foreign markets; greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods; changes in regulatory requirements; tax laws (including U.S. taxes on foreign subsidiaries); difficulties and costs of staffing and managing foreign operations; the uncertainty and limitation of protection for intellectual property rights in some countries; costs of compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations; costs of complying with U.S. laws and regulations for foreign operations, including the Foreign Corrupt Practices Act, import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell our solutions in certain foreign markets, and the risks and costs of non-compliance; heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements; the potential for political unrest, acts of terrorism, hostilities or war; management communication and integration problems resulting from cultural differences and geographic dispersion; and multiple and possibly overlapping tax structures.
Additionally, due to political uncertainty and military actions in parts of Eastern Europe and the Middle East, we and our service providers are vulnerable to heightened risks of cybersecurity incidents and security and privacy breaches and incidents caused or initiated by nation-state or affiliated actors, including attacks that could materially disrupt our systems, operations and services, or impact our customers' systems, operations, and services.
Additionally, due to political uncertainty and military actions in parts of Eastern Europe and the Middle East, we and our service providers and suppliers are vulnerable to heightened risks of cybersecurity incidents and security and privacy breaches and incidents caused or initiated by nation-state or affiliated actors, including attacks that could materially disrupt our systems, operations and services, or impact our customers' systems, operations, and services.
We have taken and intend to continue to take steps to monitor and enhance the security of our solutions, cloud platform, and other relevant systems, IT infrastructure, networks, and data; however, the unprecedented scale of remote work may require additional personnel and resources, which nevertheless cannot be guaranteed to fully safeguard our solutions, our cloud platform, or any systems, IT infrastructure networks, or data upon which we rely.
We have taken and intend to continue to take steps to monitor and enhance the security of our solutions, cloud platform, and other relevant systems, IT infrastructure, networks, and data; however, the scale of remote work may require additional personnel and resources, which nevertheless cannot be guaranteed to fully safeguard our solutions, our cloud platform, or any systems, IT infrastructure networks, or data upon which we rely.
We and our service providers face threats from a variety of sources, including attacks on our networks and systems from numerous sources, including but not limited to traditional “hackers,” sophisticated nation-state and nation-state supported actors, other sources of malicious code (such as viruses and worms), ransomware, social engineering, denial of service attacks, and phishing attempts.
We and our service providers and suppliers face threats from a variety of sources, including attacks on our networks and systems from numerous sources, including but not limited to traditional “hackers,” sophisticated nation-state and nation-state supported actors, other sources of malicious code (such as viruses and worms), ransomware, social engineering, denial of service attacks, and phishing attempts.
These facilities are vulnerable to damage or interruption from earthquakes, hurricanes, floods, fires, cybersecurity attacks, terrorist attacks, employee negligence, power losses, technical errors, telecommunications failures and similar events. The facilities also could be subject to break-ins, sabotage, intentional acts of vandalism and other misconduct.
These facilities are vulnerable to damage or interruption from earthquakes, hurricanes, floods, fires, cybersecurity attacks, terrorist attacks, employee negligence, power losses, technical errors, telecommunications failures and similar events. The facilities also could be subject to break-ins, sabotage, acts of war, intentional acts of vandalism and other misconduct.
We and our service providers could be a target of cyber-attacks or other malfeasance designed to impede the performance of our solutions, penetrate our network security or the security of our cloud platform, products, or our internal systems, misappropriate proprietary information, gain access to our customers' systems and data, and/or cause interruptions to our services.
We and our service providers and suppliers could be a target of cyber-attacks or other malfeasance designed to impede the performance of our solutions, penetrate our network security or the security of our cloud platform, products, or our internal systems, misappropriate proprietary information, gain access to our customers' systems and data, and/or cause interruptions to our services.
The Organization for Economic Cooperation and Development has issued model rules in connection with the Base Erosion and Profit Shifting integrated framework that determine multi-jurisdictional taxing rights (Pillar One) and the minimum rate of tax applicable to certain types of income (Pillar Two).
The Organization for Economic Cooperation and Development (OECD) has issued model rules in connection with the Base Erosion and Profit Shifting integrated framework that determine multi-jurisdictional taxing rights (Pillar One) and the minimum rate of tax applicable to certain types of income (Pillar Two).
Our solutions, platforms, and system, and those of our service providers, may be, and have in the past been, subject to security incidents as a result of technical and non-technical issues, including as a result of intentional or inadvertent acts or omissions by our employees or service providers.
Our solutions, platforms, and system, and those of our service providers and suppliers, may be, and have in the past been, subject to security incidents as a result of technical and non-technical issues, including as a result of intentional or inadvertent acts or omissions by our employees or service providers.
Our use of such technologies may create additional cybersecurity risks or increase cybersecurity risks, including risks of technical error, security breaches and incidents. Further, AI/machine learning technologies may be used in connection with certain cybersecurity attacks, resulting in heightened risks of security breaches and incidents.
Our use of such technologies may create additional cybersecurity risks or increase cybersecurity risks, including risks of technical error, security breaches and other incidents. Further, AI/machine learning technologies may be used in connection with certain cybersecurity attacks, resulting in heightened risks of security breaches and incidents.
The trading price of our common stock has been, and may continue to be, subject to significant fluctuations in response to a number of factors, most of which we cannot predict or control, including: announcements of new solutions, services or technologies, commercial relationships, acquisitions or other events by us or our competitors; fluctuations in stock market prices and trading volumes of securities of similar companies; general market conditions and overall fluctuations in U.S. equity markets; variations in our operating results, or the operating results of our competitors; changes in our financial guidance or securities analysts’ estimates of our financial performance; changes in accounting principles; sales of large blocks of our common stock, including sales by our executive officers, directors and significant stockholders; additions or departures of any of our key personnel; announcements related to litigation; changing legal or regulatory developments in the United States and other countries; and discussion of us or our stock price by the financial press and in online investor communities.
The trading price of our common stock has been, and may continue to be, subject to significant fluctuations in response to a number of factors, most of which we cannot predict or control, including: announcements of new solutions, services or technologies, commercial relationships, acquisitions or other events by us or our competitors; fluctuations in stock market prices and trading volumes of securities of similar companies; general market conditions and overall fluctuations in U.S. equity markets; variations in our operating results, or the operating results of our competitors; changes in our financial guidance or securities analysts’ estimates of our financial performance; changes in accounting principles; sales of large blocks of our common stock, including sales by our executive officers, directors and significant stockholders; additions or departures of any of our key personnel; announcements related to litigation; changing legal or regulatory developments in the United States and other countries; and discussion of us or our stock price by the financial press and in online investor communities.
These provisions include: authorizing “blank check” preferred stock, which could be issued by our board of directors without stockholder approval and may contain voting, liquidation, dividend and other rights superior to our common stock, which would increase the number of outstanding shares and could thwart a takeover attempt; a classified board of directors whose members can only be dismissed for cause; the prohibition on actions by written consent of our stockholders; the limitation on who may call a special meeting of stockholders; the establishment of advance notice requirements for nominations for election to our board of directors or for proposing matters that can be acted upon at stockholder meetings; and the requirement of at least two-thirds of the outstanding capital stock to amend any of the foregoing second through fifth provisions.
These provisions include: authorizing “blank check” preferred stock, which could be issued by our board of directors without stockholder approval and may contain voting, liquidation, dividend and other rights superior to our common stock, which would increase the number of outstanding shares and could thwart a takeover attempt; a classified board of directors whose members can only be dismissed for cause; the prohibition on actions by written consent of our stockholders; the limitation on who may call a special meeting of stockholders; the establishment of advance notice requirements for nominations for election to our board of directors or for proposing matters that can be acted upon at stockholder meetings; and the requirement of at least two-thirds of the outstanding capital stock to amend any of the foregoing second through fifth provisions.
We and our service providers have experienced and may continue to experience security incidents and attacks of varying degrees from time to time. We have incurred costs to respond to such incidents and may continue to incur costs to support our efforts to enhance our security measures.
We and our service providers and suppliers have experienced and may continue to experience security incidents and attacks of varying degrees from time to time. We have incurred costs to respond to such incidents and may continue to incur costs to support our efforts to enhance our security measures.
Our success significantly depends to a significant extent on establishing and maintaining relationships with a variety of channel partners and we anticipate that we will continue to depend on these partners in order to grow our business.
Our success depends to a significant extent on establishing and maintaining relationships with a variety of channel partners and we anticipate that we will continue to depend on these partners in order to grow our business.
Our solution enhancements or new solutions could fail to attain sufficient market acceptance for many reasons, including: failure to timely meet market demand for product functionality; inability to identify and provide intelligence regarding the attacks or techniques used by cyber-attackers; inability to inter-operate effectively with the database technologies, file systems or web applications of our prospective customers; defects, errors or failures; delays in releasing our enhancements or new solutions; negative publicity about their performance or effectiveness; introduction or anticipated introduction of products by our competitors; poor business conditions, causing customers to delay IT, security and compliance purchases; easing or changing of external regulations related to IT, security and compliance; and reluctance of customers to purchase cloud solutions for IT, security and compliance.
Our solution enhancements or new solutions could fail to attain sufficient market acceptance for many reasons, including: failure to timely meet market demand for product functionality; inability to identify and provide intelligence regarding the attacks or techniques used by cyber-attackers; inability to inter-operate effectively with the database technologies, file systems or web applications of our prospective customers; defects, errors or failures; delays in releasing our enhancements or new solutions; negative publicity about their performance or effectiveness; introduction or anticipated introduction of products by our competitors; poor business conditions, causing customers to delay IT, security and compliance purchases; easing or changing of external regulations related to IT, security and compliance; and reluctance of customers to purchase cloud solutions for IT, security and compliance.
The occurrence of a natural disaster, an act of terrorism or misconduct, a decision to close the facilities without adequate notice or other unanticipated problems could result in interruptions in our services.
The occurrence of a natural disaster, an act of war, an act of terrorism or misconduct, a decision to close the facilities without adequate notice or other unanticipated problems could result in interruptions in our services.
Our operating results have historically varied from period to period, and we expect that they will continue to do so as a result of a number of factors, many of which are outside of our control, including: the level of demand for our solutions, from both existing and new customers; the extent to which customers subscribe for additional solutions; changes in customer renewals of our solutions; timing of deals signed within the applicable fiscal period; seasonal buying patterns of our customers; timely invoicing or changes in billing terms of customers; the length of our sales cycle for our products and services; price competition; the timing and success of new product or service introductions by us or our competitors or any other changes in the competitive landscape of our industry, including consolidation among our competitors; the introduction or adoption of new technologies that compete with our solutions; decisions by potential customers to purchase IT, security and compliance products or services from other vendors; general economic conditions, both domestically and in the foreign markets in which we sell our solutions; changes in foreign currency exchange rates; changes in the growth rate of the IT, security and compliance market; actual or perceived security breaches and incidents, technical difficulties or interruptions with our service; failure of our products and services to operate as designed; publicity regarding security breaches and incidents generally and the level of perceived threats to IT security; the announcement or adoption of new regulations and policy mandates or changes to existing regulations and policy mandates; the amount and timing of operating costs and capital expenditures related to the operations and expansion of our business; pace and cost of hiring employees; expenses associated with our existing and new products and services; the timing of sales commissions relative to the recognition of revenues; insolvency or credit difficulties confronting our customers, affecting their ability to purchase or pay for our solutions; our ability to integrate any products or services that we have acquired or may acquire in the future into our product suite or migrate existing customers of any companies that we have acquired or may acquire in the future to our products and services; future accounting pronouncements or changes in our accounting policies; our effective tax rate, changes in tax rules, tax effects of infrequent or unusual transactions, and tax audit settlements; the amount and timing of income tax that we recognize resulting from stock-based compensation; the timing of expenses related to the development or acquisition of technologies, services or businesses; and potential goodwill and intangible asset impairment charges associated with acquired businesses.
Our operating results have historically varied from period to period, and we expect that they will continue to do so as a result of a number of factors, many of which are outside of our control, including: the level of demand for our solutions, from both existing and new customers; the extent to which customers subscribe for additional solutions; changes in customer renewals of our solutions; timing of deals signed within the applicable fiscal period; seasonal buying patterns of our customers; timely invoicing or changes in billing terms of customers; the length of our sales cycle for our products and services; price competition; the timing and success of new product or service introductions by us or our competitors or any other changes in the competitive landscape of our industry, including consolidation among our competitors; the introduction or adoption of new technologies that compete with our solutions; decisions by potential customers to purchase IT, security and compliance products or services from other vendors; general economic conditions, both domestically and in the foreign markets in which we sell our solutions; the imposition of tariffs and other non-tariff trade barriers; changes in foreign currency exchange rates; changes in the growth rate of the IT, security and compliance market; actual or perceived security breaches and incidents, technical difficulties or interruptions with our service; failure of our products and services to operate as designed; publicity regarding security breaches and incidents generally and the level of perceived threats to IT security; the announcement or adoption of new regulations and policy mandates or changes to existing regulations and policy mandates; the amount and timing of operating costs and capital expenditures related to the operations and expansion of our business; pace and cost of hiring employees; expenses associated with our existing and new products and services; the timing of sales commissions relative to the recognition of revenues; insolvency or credit difficulties confronting our customers, affecting their ability to purchase or pay for our solutions; our ability to integrate any products or services that we have acquired or may acquire in the future into our product suite or migrate existing customers of any companies that we have acquired or may acquire in the future to our products and services; future accounting pronouncements or changes in our accounting policies; our effective tax rate, changes in tax rules, tax effects of infrequent or unusual transactions, and tax audit settlements; the amount and timing of income tax that we recognize resulting from stock-based compensation; the timing of expenses related to the development or acquisition of technologies, services or businesses; and potential goodwill and intangible asset impairment charges associated with acquired businesses.
Any inability to adequately address concerns relating to privacy, data protection, or cybersecurity, even if unfounded, or any actual or perceived inability to comply with applicable privacy or data protection laws, regulations and privacy standards relating to these matters, could result in cost and liability to us, damage our reputation, inhibit sales of subscriptions and harm our business.
Any inability to adequately address concerns relating to privacy, data protection, or cybersecurity, even if unfounded, or any actual or perceived inability to comply with applicable laws, regulations, standards, or other obligations relating to these matters, could result in cost and liability to us, damage our reputation, inhibit sales of subscriptions and harm our business.
On each of October 30, 2018, October 30, 2019, May 7, 2020, February 10, 2021 and February 9, 2023, we announced that our board of directors had authorized an increase of $100.0 million, and on each of November 3, 2021, May 4, 2022 and February 7, 2024, we announced that our board of directors had authorized an increase of $200.0 million to the share repurchase program.
On each of October 30, 2018, October 30, 2019, May 7, 2020, February 10, 2021 and February 9, 2023, we announced that our board of directors had authorized an increase of $100.0 million, and on each of November 3, 2021, May 4, 2022, February 7, 2024, and February 6, 2025, we announced that our board of directors had authorized an increase of $200.0 million to the share repurchase program.
In addition, continued governmental budgetary challenges in the United States and Europe, inflationary pressures and potential for a recession, and geopolitical turmoil in many parts of the world, including the ongoing military conflicts in parts of Eastern Europe and the Middle East, and other disruptions to global and regional economies and markets in many parts of the world, as well as uncertainties related to changes in public policies such as domestic and international regulations, taxes or international trade agreements, have and may continue to put pressure on global economic conditions and overall spending on IT security and may further increase inflation, both in the U.S. and globally, which could increase our operating costs in the future and reduce overall spending on IT security.
In addition, continued governmental budgetary challenges in the United States and Europe, inflationary pressures and potential for a recession, and geopolitical turmoil in many parts of the world, including the ongoing military conflicts in parts of Eastern Europe and the Middle East, and other disruptions to global and regional economies and markets in many parts of the world, as well as uncertainties related to changes in public policies such as domestic and international regulations, taxes, tariffs and non-tariff trade barriers, or international trade agreements, have and may continue to put pressure on global economic conditions and overall spending on IT security and may further increase inflation, both in the U.S. and globally, which could increase our operating costs in the future and reduce overall spending on IT security.
Although we monitor our use of open source software in an effort both to comply with the terms of the applicable open source licenses and to avoid subjecting our solutions to conditions we do not intend, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our solutions.
Although we monitor our use of open source software in an effort both to comply with the terms of the applicable open source licenses and to avoid subjecting our solutions to conditions we do not intend, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our solutions.
As a result of such relationships and acquisitions, our current or potential competitors might be able to adapt more quickly to new technologies and customer needs, devote greater resources to the promotion or sale of their products and services, initiate or withstand substantial price competition, take advantage of other opportunities more readily or develop and expand their product and service offerings more quickly than we do.
As a result of such relationships and acquisitions, our current or potential competitors might be able to adapt more quickly to new technologies and customer needs, devote greater resources to the promotion or sale of their products and services, initiate or withstand substantial price competition, take advantage of other opportunities more readily or develop and expand their product and service offerings more quickly than we do.
Many of our existing and potential competitors have competitive advantages, including: greater brand name recognition; larger sales and marketing budgets and resources; broader distribution networks and more established relationships with distributors and customers; access to larger customer bases; greater customer support resources; greater resources to make acquisitions; greater resources to develop and introduce products that compete with our solutions; greater resources to meet relevant regulatory requirements; and substantially greater financial, technical and other resources.
Many of our existing and potential competitors have competitive advantages, including: greater brand name recognition; larger sales and marketing budgets and resources; broader distribution networks and more established relationships with distributors and customers; access to larger customer bases; greater customer support resources; greater resources to make acquisitions; greater resources to develop and introduce products that compete with our solutions; greater resources to meet relevant regulatory requirements; and substantially greater financial, technical and other resources.
As we continue to extend our cloud platform’s functionality by further developing IT, security and compliance solutions, such as Cybersecurity Asset Management and Patch Management, we expect to face additional competition in these new markets.
As we continue to extend our cloud platform’s functionality by further developing IT, security and compliance solutions, such as Cybersecurity Asset Management, Patch Management, and Enterprise TruRisk Management, we expect to face additional competition in these new markets.
A breach in or incident impacting our data security, an attack against our service availability, or any breach, incident, or attack impacting our third-party service providers, or a technical error or outage, could impact our networks or networks secured by our solutions, creating system disruptions or slowdowns and exploiting security vulnerabilities of our solutions, and the information stored on our networks or those of our third-party service providers could be accessed, used, disclosed publicly or to unauthorized persons, altered, lost, destroyed, or stolen, which could subject us to liability and cause us financial harm.
A breach in or incident impacting our data security, an attack against our service availability, or any breach, incident, or attack impacting our third-party service providers and suppliers, or a technical error or outage, could impact our networks or networks secured by our solutions, creating system disruptions or slowdowns and exploiting security vulnerabilities of our solutions, and the information stored on our networks or those of our third-party service providers could be accessed, used, disclosed publicly or to unauthorized persons, altered, lost, destroyed, or stolen, which could subject us to liability and cause us financial harm.
Our reporting currency is the U.S. dollar and we generate a majority of our revenues in U.S. dollars. However, for the year ended December 31, 2024, we incurred approximately 29% of our expenses in foreign currencies, primarily the Euro, British Pound, and Indian Rupee, principally with respect to salaries and related personnel expenses associated with our European and Indian operations.
Our reporting currency is the U.S. dollar and we generate a majority of our revenues in U.S. dollars. However, for the year ended December 31, 2025, we incurred approximately 31% of our expenses in foreign currencies, primarily the Euro, British Pound, and Indian Rupee, principally with respect to salaries and related personnel expenses associated with our European and Indian operations.
Significant assumptions and estimates used in preparing our consolidated financial statements include those related to revenue recognition, accounting for income taxes and stock-based compensation. Changes in financial accounting standards may cause adverse and unexpected revenue fluctuations and impact our reported results of operations. We prepare our financial statements in accordance with U.S. GAAP.
Significant assumptions and estimates used in preparing our consolidated financial statements include those related to revenue recognition, accounting for income taxes and stock-based compensation. Changes in financial accounting standards may cause adverse and unexpected revenue fluctuations and impact our reported results of operations. We prepare our financial statements in accordance with U.S. GAAP.
The Tax Cuts and Jobs Act of 2017 (or "TCJA") introduced a Base Erosion and Anti-Abuse Tax which imposes a minimum tax on adjusted income of corporations with average applicable gross receipt of at least $500 million for prior three tax years and that make certain payments to related foreign persons.
The Tax Cuts and Jobs Act of 2017 (“TCJA”) introduced a Base Erosion and Anti-Abuse Tax which imposes a minimum tax on adjusted income of corporations with average applicable gross receipt of at least $500 million for prior three tax years and that make certain payments to related foreign persons.
The loss of the services of our senior management or other key employees for any reason could significantly delay or prevent the achievement of our development and strategic objectives and harm our business, financial condition and results of operations. If we are unable to hire, retain and motivate qualified personnel, our business may suffer.
The loss of the services of our senior management or other key employees for any reason could significantly delay or prevent the achievement of our development and strategic objectives and harm our business, financial condition and results of operations. If we are unable to hire, retain and motivate qualified personnel, our business may suffer.
If we fail to comply with export and import regulations, we may be fined or other penalties could be imposed, including denial of certain export privileges. If we are required to collect higher sales and use or other taxes on the solutions we sell, we may be subject to liability for past sales and our future sales may decrease.
If we fail to comply with export and import regulations, we may be fined or other penalties could be imposed, including denial of certain export privileges. If we are required to collect higher sales and use or other taxes on the solutions we sell, we may be subject to liability for past sales and our future sales may decrease.
Because the interpretation and application of privacy and data protection laws, regulations, standards and contractual obligations relating to these matters are uncertain, it is possible that they may be interpreted and applied in a manner that is, or perceived to be, inconsistent with our data management practices or the features of our solutions.
The interpretation and application of laws, regulations, standards and contractual obligations relating to these matters are uncertain, and it is possible that they may be interpreted and applied in a manner that is, or perceived to be, inconsistent with our data management practices or the features of our solutions.
Competition for highly skilled personnel is frequently intense and we may not be able to compete for these employees. If we are unable to recruit and retain a sufficient number of productive sales personnel, sales of our solutions and the growth of our business may be harmed.
Competition for highly skilled personnel is frequently intense and we may not be able to compete for these employees. If we are unable to recruit and retain a sufficient number of productive sales personnel, sales of our solutions and the growth of our business may be harmed.
The United Kingdom has adopted new standard contractual clauses (“UK SCCs”), that became effective as of March 21, 2022, and which also are required to be implemented. The EU-U.S. Data Privacy Framework, Swiss-U.S. Data Privacy Framework, United Kingdom extension to the EU-U.S.
The United Kingdom has adopted new standard contractual clauses (“UK SCCs”), that became effective as of March 21, 2022, and which also are required to be implemented. The EU-U.S. Data Privacy Framework, Swiss-U.S. Data Privacy Framework, United Kingdom extension to the EU-U.S.
Our subscription model also makes it difficult for us to rapidly increase our revenues through additional bookings in any period, as revenues are recognized ratably over the subscription period. If the market for cloud solutions for IT, security and compliance does not evolve as we anticipate, our revenues may not grow and our operating results would be harmed.
Our subscription model also makes it difficult for us to rapidly increase our revenues through additional bookings in any period, as revenues are recognized ratably over the subscription period. If the market for cloud solutions for IT, security and compliance does not evolve as we anticipate, our revenues may not grow and our operating results would be harmed.
Use and distribution of open source software may entail greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or other contractual protections regarding infringement claims or the quality of the code.
Use and distribution of open source software may entail greater risks than use of third-party commercial software, as open source licensors generally do not provide warranties or other contractual protections regarding infringement claims or the quality of the code.
Economic weakness, customer financial difficulties, change in interest rates, inflationary pressures and potential for a recession, and constrained spending on IT security, as well as longer sales cycles, which factors we have experienced in 2023 and 2024, have resulted and may in the future result in decreased revenue and earnings.
Economic weakness, customer financial difficulties, change in interest rates, inflationary pressures and potential for a recession, economic and regulatory uncertainty, and constrained spending on IT security, as well as longer sales cycles, which factors we have experienced since 2023, have resulted and may in the future result in decreased revenue and earnings.
Our customers have no obligation to renew their subscriptions after their subscription period expires, and they may not renew their subscriptions at the same or higher levels or at all. As a result, our ability to grow depends in part on customers renewing their existing subscriptions and purchasing additional subscriptions and solutions.
Our customers have no obligation to renew their subscriptions after their subscription period expires, and they may not renew their subscriptions at the same or higher levels or at all. As a result, our ability to grow depends in part on customers renewing their existing subscriptions and purchasing additional subscriptions and solutions.
Additionally, for the year ended December 31, 2024, approximately 25% of our revenues were generated in foreign currencies. Accordingly, changes in exchange rates may have a material adverse effect on our business, operating results and financial condition.
Additionally, for the year ended December 31, 2025, approximately 22% of our revenues were generated in foreign currencies. Accordingly, changes in exchange rates may have a material adverse effect on our business, operating results and financial condition.
On February 6, 2025 we announced that our board of directors had authorized an increase of $200.0 million to the share repurchase program, resulting in an aggregate authorization of $1.4 billion to date ($1.2 billion as of December 31, 2024).
On February 5, 2026 we announced that our board of directors had authorized an increase of $200.0 million to the share repurchase program, resulting in an aggregate authorization of $1.6 billion to date ($1.4 billion as of December 31, 2025).
Any of these factors could create downward pressure on pricing and gross margins, and could adversely affect our renewal rates, as well as our ability to attract new customers.
Any of these factors could create downward pressure on pricing and gross margins, and could adversely affect our renewal rates, as well as our ability to attract new customers.
Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal framework with which we or our customers must comply. These privacy, data protection and information security laws and regulations may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions.
Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal framework with which we or our customers must comply. These privacy, data protection, and cybersecurity laws and regulations may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions.
While we are able to assert in our Annual Report on Form 10-K that our internal control over financial reporting was effective as of December 31, 2024, we cannot predict the outcome of our testing in future periods.
While we were able to assert in our Annual Report on Form 10-K that our internal control over financial reporting was effective as of December 31, 2025, we cannot predict the outcome of our testing in future periods.
For the years ended December 31, 2024, 2023 and 2022, we derived approximately 46%, 43% and 42% of our revenues from sales of subscriptions for our solutions through channel partners, and the percentage of revenues derived from channel partners may increase in future periods.
For the years ended December 31, 2025, 2024 and 2023, we derived approximately 49%, 46% and 43% of our revenues from sales of subscriptions for our solutions through channel partners, and the percentage of revenues derived from channel partners may increase in future periods.
If an actual or perceived disruption in the availability of our solutions or the breach or other compromise of our security measures or those of our service providers occurs, it could adversely affect the market perception of our solutions, result in a loss of competitive advantage, have a negative impact on our reputation, or result in the loss of customers, channel partners and sales, and it may expose us to the loss, unavailability or alteration of information, claims, demands and litigation, regulatory investigations, actions and other proceedings and possible liability.
If an actual or perceived disruption in the availability of our solutions or the breach or other compromise of our security measures or those of our service providers occurs, it could adversely affect the market perception of our solutions, result in a loss of competitive advantage, have a negative impact on our reputation, or result in the loss of customers, channel partners and sales, and it may expose us to the loss, unavailability or alteration of information, claims, demands and litigation, regulatory investigations, actions and other proceedings, possible liability, and the potential loss of our authorization under the Federal Risk and Authorization Management Program (“FedRAMP”).
Some companies, including some of our competitors, own large numbers of patents, copyrights and trademarks, which they may use to assert claims against us. Third parties may in the future assert claims of infringement, misappropriation or other violations of intellectual property rights against us.
Patent and other intellectual property disputes are common in our industry. Some companies, including some of our competitors, own large numbers of patents, copyrights and trademarks, which they may use to assert claims against us. Third parties may in the future assert claims of infringement, misappropriation or other violations of intellectual property rights against us.
Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and privacy standards that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our solutions.
Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and standards relating to privacy, data protection, or cybersecurity that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our solutions.
The privacy, data protection, and cybersecurity laws and regulations we must comply with also are subject to change. For example, the United Kingdom has enacted a Data Protection Act, and has implemented legislation referred to as the “UK GDPR,” which substantially implement the GDPR in the United Kingdom following the United Kingdom’s exit from the European Union.
The privacy, data protection, and cybersecurity laws and regulations we must comply with also are subject to change. For example, the United Kingdom has enacted a Data Protection Act, and has implemented legislation referred to as the “UK GDPR,” which substantially implement the GDPR in the United Kingdom.
If we are unable to successfully manage the challenges of international operations, our business and operating results could be adversely affected. In addition, as of December 31, 2024, approximately 77% of our employees were located outside of the United States, with 68% of our employees located in India.
If we are unable to successfully manage the challenges of international operations, our business and operating results could be adversely affected. In addition, as of December 31, 2025, approximately 78% of our employees were located outside of the United States, with 70% of our employees located in India.
With the increase in personnel working remotely, at least part-time in our case, we and our service providers are at increased risk for security breaches and incidents.
With the level of personnel working remotely, at least part-time in our case, we and our service providers and suppliers are at increased risk for security breaches and incidents.
The exchange rate between the U.S. dollar and foreign currencies has fluctuated substantially in recent years and may continue to fluctuate substantially in the future.
The exchange rate between the U.S. dollar and foreign currencies has fluctuated substantially in recent years and may continue to fluctuate substantially in the future.
We have never declared or paid any cash dividend on our common stock. We currently anticipate that we will retain future earnings for the development, operation and expansion of our business and do not anticipate declaring or paying any cash dividends for the foreseeable future. Any return to stockholders will therefore be limited to the value of their stock.
We currently anticipate that we will retain future earnings for the development, operation and expansion of our business and do not anticipate declaring or paying any cash dividends for the foreseeable future. Any return to stockholders will therefore be limited to the value of their stock.
We compete with large and small public companies, such as CrowdStrike, Palo Alto Networks, Rapid7, and Tenable Holdings, as well as privately held security providers including Invicti, Tanium, and Wiz. We also seek to replace IT, security and compliance solutions that organizations have developed internally.
We compete with large and small public companies, such as CrowdStrike, Palo Alto Networks, Rapid7, and Tenable Holdings, as well as privately held security providers including Invicti, Tanium, and Wiz (which has announced a pending acquisition by Google). We also seek to replace IT, security and compliance solutions that organizations have developed internally.
As of December 31, 2024, we had an aggregate of 2.3 million shares of our common stock reserved for future issuance under our Restated 2012 Equity Incentive Plan and 0.4 million shares reserved for future purchase under our 2021 Employee Stock Purchase Plan, which can be freely sold in the public market upon issuance.
As of December 31, 2025, we had an aggregate of 1.7 million shares of our common stock reserved for future issuance under our Restated 2012 Equity Incentive Plan and 0.4 million shares reserved for future purchase under our 2021 Employee Stock Purchase Plan, which can be freely sold in the public market upon issuance.
As of December 31, 2024, we had approximately 36.5 million shares of our common stock outstanding. In addition, as of December 31, 2024, there were approximately 1.3 million options and 1.1 million restricted stock units outstanding. If such options are exercised and restricted stock units are released, these additional shares will become available for sale.
As of December 31, 2025, we had approximately 35.7 million shares of our common stock outstanding. In addition, as of December 31, 2025, there were approximately 1.2 million options and 1.1 million restricted stock units outstanding. If such options are exercised and restricted stock units are released, these additional shares will become available for sale.
If these services become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms or prices, our expenses could increase, our ability to manage our finances could be interrupted and our processes for managing sales of our solutions and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and integrated, all of which could harm our business.
If these services become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms or prices, our expenses could increase, our ability to manage our finances could be interrupted and our processes for managing sales of our solutions and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and integrated, all of which could harm our business. Incorrect or improper implementation or use of our solutions could result in customer dissatisfaction and harm our business and reputation.
We may choose not to seek patent protection for certain innovations and may choose not to pursue patent protection in certain jurisdictions. Furthermore, it is possible that our patent applications may not result in granted patents, that the scope of our issued patents will be limited or not provide the coverage originally sought, that our issued patents will not provide us with any competitive advantages, or that our patents and other intellectual property rights may be challenged by others or invalidated through administrative processes or litigation.
Furthermore, it is possible that our patent applications may not result in granted patents, that the scope of our issued patents will be limited or not provide the coverage originally sought, that our issued patents will not provide us with any competitive advantages, or that our patents and other intellectual property rights may be challenged by others or invalidated through administrative processes or litigation.
In addition, it may be suspended or terminated at any time, which may result in a decrease in the price of our common stock. Finally, our share repurchases in 2023 and 2024 were subject to the 1% excise tax introduced in the Inflation Reduction Act.
In addition, it may be suspended or terminated at any time, which may result in a decrease in the price of our common stock. Finally, our net share repurchases are subject to the 1% excise tax introduced in the Inflation Reduction Act, which could increase the cost to us of share repurchases.
To the extent current or potential customers, channel partners, or others believe there has been an occurrence of an actual or perceived failure of our solutions to detect a vulnerability or otherwise to function as effectively as competitive products in any particular test, or indicates our solutions do not provide significant value, our business, competitive position, and reputation could be harmed. In addition, our solutions do not currently extend to cover all mobile and personal devices that employees may bring into an organization.
To the extent current or potential customers, channel partners, or others believe there has been an occurrence of an actual or perceived failure of our solutions to detect a vulnerability or otherwise to function as effectively as competitive products in any particular test, or indicates our solutions do not provide significant value, our business, competitive position, and reputation could be harmed.
Privacy, data protection, and cybersecurity have become significant issues in the United States and in many other countries where we offer our solutions. The regulatory framework for privacy issues worldwide is currently evolving and is likely to remain uncertain for the foreseeable future.
Privacy, data protection, and cybersecurity have become significant issues and the subject of extensive regulation in the United States and in many other countries where we offer our solutions. The regulatory frameworks for these matters worldwide are evolving and are likely to remain uncertain for the foreseeable future.
As such, our solutions would not identify or address vulnerabilities in all mobile and personal devices, and our customers’ IT infrastructures may be compromised by attacks that infiltrate their networks through such devices.
In addition, our solutions do not currently extend to cover all mobile and personal devices that employees may bring into an organization. As such, our solutions would not identify or address vulnerabilities in all mobile and personal devices, and our customers’ IT infrastructures may be compromised by attacks that infiltrate their networks through such devices.
Our business could be harmed if new IT, security and compliance technologies are widely adopted. We may not be able to successfully anticipate or adapt to changing technology or customer requirements on a timely basis, or at all.
The introduction of products and services embodying new technologies could render our existing solutions obsolete or less attractive to customers. Our business could be harmed if new IT, security and compliance technologies are widely adopted. We may not be able to successfully anticipate or adapt to changing technology or customer requirements on a timely basis, or at all.
Our success in acquiring and integrating other businesses, products or technologies could impact our financial position. In order to remain competitive, we have in the past and may in the future seek to acquire additional businesses, products, services or technologies. For example, we acquired certain assets of Blue Hexagon on October 4, 2022.
Our success in acquiring and integrating other businesses, products or technologies could impact our financial position. In order to remain competitive, we have in the past and may in the future seek to acquire additional businesses, products, services or technologies.
While the European Union has deemed the United Kingdom an “adequate country” to which personal data could be exported from the European Economic Area (“EEA”), this decision is required to be renewed after four years of being in effect and may be modified, revoked, or challenged in the interim, creating uncertainty regarding transfers of personal data to the United Kingdom from the EEA.
While the European Union has deemed the United Kingdom an "adequate country" to which personal data could be exported from the European Economic Area (“EEA”), this decision is subject to renewal and may be modified, revoked, or challenged, creating uncertainty regarding transfers of personal data to the United Kingdom from the EEA.
In light of the foregoing, investors are urged not to rely upon our guidance in making an investment decision regarding our common stock. Any failure to successfully implement our operating strategy or the occurrence of any of the events or circumstances set forth in this “Risk Factors” section in this Annual Report on Form 10-K could result in our actual operating results being different from our guidance, and the differences may be adverse and material.
Any failure to successfully implement our operating strategy or the occurrence of any of the events or circumstances set forth in this “Risk Factors” section in this Annual Report on Form 10-K could result in our actual operating results being different from our guidance, and the differences may be adverse and material.
Governmental regulation of encryption technology and regulation of imports or exports of encryption products, or our failure to obtain required import or export authorization for our solutions, when applicable, could harm our international sales and adversely affect our revenues.
U.S. export controls may require submission of an encryption registration, product classification and/or annual or semi-annual reports. Governmental regulation of encryption technology and regulation of imports or exports of encryption products, or our failure to obtain required import or export authorization for our solutions, when applicable, could harm our international sales and adversely affect our revenues.
Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period or periods for which a determination is made. Risks Related to Ownership of Our Common Stock Market volatility may affect our stock price and the value of an investment in our common stock and could subject us to litigation.
Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period or periods for which a determination is made.
If we are unable to protect our intellectual property rights, we may find ourselves at a competitive disadvantage to others who need not incur the additional expense, time and effort required to create the innovative solutions that have enabled us to be successful to date.
If we are unable to protect our intellectual property rights, we may find ourselves at a competitive disadvantage to others who need not incur the additional expense, time and effort required to create the innovative solutions that have enabled us to be successful to date. Assertions by third parties of infringement or other violations by us of their intellectual property rights could result in significant costs and harm our business and operating results.
Many countries have enacted legislation to apply the Pillar Two directive for tax years beginning in January 2024, which generally provides for a minimum effective tax rate of 15% on the income arising in each jurisdiction where the Company operates. These rules do not impact our current year’s financial results as the Company is below the revenue threshold.
Many countries have enacted legislation to apply the Pillar Two directive for tax years beginning in January 2024, which generally provides for a minimum effective tax rate of 15% on the income arising in certain jurisdictions where the Company operates.
Our solutions are subject to U.S. export controls, specifically, the Export Administration Regulations and economic sanctions enforced by the Office of Foreign Assets Control. We incorporate encryption technology into certain of our solutions.
Our solutions are subject to U.S. export controls, specifically, the Export Administration Regulations and economic sanctions enforced by the Office of Foreign Assets Control. We incorporate encryption technology into certain of our solutions. These encryption solutions and the underlying technology may be exported only with the required export authorizations, including by license, a license exception or other appropriate government authorizations.
In addition, war, acts of terrorism, pandemics or other health emergencies, or responses to these events could cause disruptions in our business or the business of our business partners, customers or the economy as a whole. All of the aforementioned risks may be exacerbated if the disaster recovery plans for us and our suppliers prove to be inadequate.
In addition, war, acts of terrorism, pandemics or other health emergencies, or responses to these events could cause disruptions in our business or the business of our business partners, customers or the economy as a whole.
Industry organizations like the PCI Council may significantly change their security standards with little or no notice, including changes that could make their standards more or less onerous for businesses.
Industry organizations like the PCI Council may significantly change their security standards with little or no notice, including changes that could make their standards more or less onerous for businesses. Governments may also adopt new laws or regulations, or make changes to existing laws or regulations, which could impact the demand for or value of our solutions.
The timing of sales of subscriptions for our solutions can be difficult to forecast because of the length and unpredictability of our sales cycle, particularly with large transactions and in the current macroeconomic environment.
As a result, revenues may vary from period to period, which may cause our operating results to fluctuate and could harm our business. The timing of sales of subscriptions for our solutions can be difficult to forecast because of the length and unpredictability of our sales cycle, particularly with large transactions and in the current macroeconomic environment.
Government demand and payment for our solutions may be impacted by public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our solutions.
This could subject us to liability, result in reputational harm, and adversely impact our financial condition or operating results. Government demand and payment for our solutions may be impacted by public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our solutions.
We have continued to grow over the last several years, with revenues increasing from $489.7 million in 2022 to $607.6 million in 2024, and headcount increasing from 1,823 employees at the beginning of 2022 to 2,400 employees as of December 31, 2024.
We have continued to grow over the last several years, with revenues increasing from $554.5 million in 2023 to $669.1 million in 2025, and headcount increasing from 2,143 employees at the beginning of 2023 to 2,625 employees as of December 31, 2025.
Future or continued economic weakness for us or our customers, failure of our customers and markets to recover from such weakness, customer financial difficulties, and reductions in spending on IT security could have a material adverse effect on demand for our platform and consequently on our business, financial condition and results of operations. Our IT, security and compliance solutions are delivered from 14 shared cloud platforms, and any disruption of service at these facilities would interrupt or delay our ability to deliver our solutions to our customers which could reduce our revenues and harm our operating results.
Future or continued economic weakness for us or our customers, failure of our customers and markets to recover from such weakness, customer financial difficulties, and reductions in spending on IT security could have a material adverse effect on demand for our platform and consequently on our business, financial condition and results of operations.
In addition to laws and regulations, privacy advocacy and industry groups or other private parties may propose new and different standards relating to privacy, data protection, and cybersecurity that apply, or are alleged to apply, to us.
These changes may impact the duration of customer relationships and result in additional compliance and operational costs, which may affect our business. In addition to laws and regulations, privacy advocacy and industry groups or other private parties may propose new and different standards relating to privacy, data protection, and cybersecurity that apply, or are alleged to apply, to us.
This legislation provides for substantial penalties for noncompliance of up to the greater of £17.5 million or four percent of the previous year’s annual revenues.
This legislation, which was modified in the Data (Use and Access) Bill, which received Royal Assent on June 19, 2025, provides for substantial penalties for noncompliance of up to the greater of £17.5 million or four percent of the previous year’s annual revenues.
To the extent that any of the above results in delays of customer subscriptions or commercialization of our solutions, our business, financial condition and results of operations could be adversely affected.
All of the aforementioned risks may be exacerbated if the disaster recovery plans for us and our service providers and suppliers prove to be inadequate. To the extent that any of the above results in delays of customer subscriptions or commercialization of our solutions, our business, financial condition and results of operations could be adversely affected.
In addition, these provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to replace members of our board of directors, which is responsible for appointing the members of our management.
In addition, these provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to replace members of our board of directors, which is responsible for appointing the members of our management. General Risk Factors Disruptive technologies could gain wide adoption and supplant our cloud-based IT, security and compliance solutions, thereby weakening our sales and harming our results of operations.
If we fail to maintain an effective system of internal control over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.
Changes to existing rules or the questioning of current practices may harm our operating results or require that we make significant changes to our systems, processes and controls or the way we conduct our business. If we fail to maintain an effective system of internal control over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.

30 more changes not shown on this page.

Item 1C. Cybersecurity

Cybersecurity — threats and controls disclosure

10 edited · 2 added · 1 removed · 15 unchanged
Biggest change: Our CISO is a cybersecurity industry expert with over two decades of experience in cybersecurity, including work at multi-national technology companies and for a U.S. state government. He holds several industry certifications including CISSP, OSCP, CCSP, and GCFA and is also a graduate of the Carnegie Mellon University’s Chief Information Security Officer Executive Program.
Biggest change: He holds a degree in computer science and has held industry certifications including CISSP, OSCP, CCSP, and GCFA and is also a graduate of the Carnegie Mellon University’s Chief Information Security Officer Executive Program. Our CEO is also a cybersecurity industry expert who has deep insight and over two decades of experience in cybersecurity, technology and information security.
We routinely evaluate the risks posed by third-party providers and engage with those whom fail to comply with our relevant contract requirements, or when we feel further action is needed to keep our risk levels within approved tolerance levels.
We routinely evaluate the risks posed by third-party providers and engage with those who fail to comply with our relevant contract requirements, or when we feel further action is needed to keep our risk levels within approved tolerance levels.
Our CISO provides briefings to the Audit and Risk Committee along with our CEO and other members of our senior management team, both on a quarterly basis via the Qualys Security Steering Committee and as needed, regarding our cybersecurity risks and activities, including, if any, critical and high impact cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the emerging threat landscape.
Our CISO provides briefings to the Audit and Risk Committee along with our CEO and other members of our senior management team, both on a quarterly basis via the Qualys Security Steering Committee and as needed, regarding our cybersecurity risks and activities, including, if any, critical and high impact cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the emerging threat landscape.
We devote significant resources and designate high-level personnel, including our Chief Information Security Officer (“CISO”) who reports to our Chief Executive Officer, to manage the risk assessment and mitigation process. As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with human resources, IT, and management.
We devote significant resources and designate high-level personnel, including our Chief Information Security Officer (“CISO”) who reports to our Chief Executive Officer, to manage the risk assessment and mitigation process. As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with human resources, IT, and management.
PSIRT coordinates product impact assessments and fixes based on industry standards such as the Common Vulnerabilities and Exposure (“CVE”) and Common Vulnerability Scoring System (“CVSS”). PSIRT operates in alignment with relevant requirements and industry standards and coordinates its activities with the CSIRT.
The Qualys PSIRT investigates vulnerabilities and incidents across the entire Qualys product portfolio. PSIRT coordinates product impact assessments and fixes based on industry standards such as the Common Vulnerabilities and Exposure (“CVE”) and Common Vulnerability Scoring System (“CVSS”). PSIRT operates in alignment with relevant requirements and industry standards and coordinates its activities with the CSIRT.
Our CEO is also a cybersecurity industry expert who has deep insight and over two decades of experience in cybersecurity, technology and information security. Our CISO and our Security Steering Committee, along with other senior executives including the CEO and CTO, review and manage our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above.
Our CISO and our Security Steering Committee, along with other senior executives including the CEO and CTO, review and manage our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above.
We have also established a Product Security Incident Response Team (“PSIRT”) that identifies, assesses, and responds to security incidents, risks, and vulnerabilities associated with Qualys’ commercial products. The Qualys PSIRT investigates vulnerabilities and incidents across the entire Qualys product portfolio.
Exercise participants primarily consist of members from various Qualys departments such as security operations, IT operations, network operations, and other departments depending on the selected scenario. We have also established a Product Security Incident Response Team (“PSIRT”) that identifies, assesses, and responds to security incidents, risks, and vulnerabilities associated with Qualys’ commercial products.
Qualys' 24x7 Cybersecurity Fusion Center and CSIRT conduct Incident Response Plan testing and training on a periodic basis through tabletop exercises or simulated attack scenarios. This testing appraises our readiness to respond to such scenarios and tests the completeness and accuracy of the incident response plan.
Our Incident Response Program and Plan describes the major phases of an incident management lifecycle which includes the preparation, detection and analysis, containment, eradication and recovery, and post-incident activity. Qualys' 24x7 Cybersecurity Fusion Center and CSIRT conduct Incident Response Plan testing and training on a periodic basis through tabletop exercises or simulated attack scenarios.
The CSIRT is responsible for identifying, managing, and responding to security incidents against Qualys' infrastructure and corporate IT systems. The security measures the CSIRT employs are consistent with relevant requirements of the National Institute of Standards and Technology (“NIST”), Federal Risk and Authorization Management Program (“FedRAMP”), International Organization for Standardization (“ISO”), and Federal Information Security Management Act (“FISMA”).
The security measures the CSIRT employs are consistent with relevant requirements of the National Institute of Standards and Technology (“NIST”), Federal Risk and Authorization Management Program (“FedRAMP”), International Organization for Standardization (“ISO”), and Federal Information Security Management Act (“FISMA”). We have also adopted certain guidelines from NIST and the United States Computer Emergency Readiness Team.
The Cybersecurity Fusion Center and CSIRT teams drive these exercises to participants via various cyber security incident scenarios in the form of multiple injects. Exercise participants primarily consist of members from various Qualys departments such as security operations, IT operations, network operations, and other departments depending on the selected scenario.
This testing appraises our readiness to respond to such scenarios and tests the completeness and accuracy of the incident response plan. The Cybersecurity Fusion Center and CSIRT teams drive these exercises to participants via various cyber security incident scenarios in the form of multiple injects.
Removed
We have also adopted certain guidelines from NIST and the United States Computer Emergency Readiness Team. Our Incident Response Program and Plan describes the major phases of an incident management lifecycle which includes the preparation, detection and analysis, containment, eradication and recovery, and post-incident activity.
Added
The CSIRT is responsible for identifying, managing, and responding to security incidents against Qualys' infrastructure and corporate IT systems.
Added
Our CISO is a cybersecurity industry expert with over two decades of experience in cybersecurity, including work at multi-national technology companies and for a U.S. state government.

Item 2. Properties

Properties — owned and leased real estate

1 edited · 0 added · 0 removed · 2 unchanged
Biggest change: Item 2. Properties Our principal executive offices are located in Foster City, California, where we occupy a 76,922 square-foot facility under a lease expiring on April 30, 2028. We also have 281,787 square feet of office space in Pune, India under a non-cancellable lease expiring in May 2029.
Biggest change: Item 2. Properties Our principal executive offices are located in Foster City, California, where we occupy a 76,922 square-foot facility under a lease expiring on April 30, 2034. We also have 321,333 square feet of office space in Pune, India under non-cancellable lease arrangements, with contractual lease expirations extending through June 2031.

Item 3. Legal Proceedings

Legal Proceedings — active lawsuits and investigations

2 edited · 0 added · 0 removed · 1 unchanged
Biggest change: For more information, please refer to Note 9 in the accompanying notes to the consolidated financial statements, which is hereby incorporated by reference. Item 4. Mine Safety Disclosures Not Applicable. PART II
Biggest change: For more information, please refer to Note 8 in the accompanying notes to the consolidated financial statements, which is hereby incorporated by reference. Item 4. Mine Safety Disclosures Not Applicable. PART II
Item 3. Legal Proceedings From time to time we may become involved in legal proceedings or be subject to claims arising in the ordinary course of our business. As of December 31, 2024, there has not been at least a reasonable possibility that we have incurred a material loss from any ongoing legal proceedings, individually or taken together.
Item 3. Legal Proceedings From time to time we may become involved in legal proceedings or be subject to claims arising in the ordinary course of our business. As of December 31, 2025, there has not been at least a reasonable possibility that we have incurred a material loss from any ongoing legal proceedings, individually or taken together.

Item 5. Market for Registrant's Common Equity

Market for Common Equity — stock, dividends, buybacks

7 edited · 0 added · 0 removed · 4 unchanged
Biggest change:
| | December 31, 2019 | December 31, 2020 | December 31, 2021 | December 31, 2022 | December 31, 2023 | December 31, 2024 |
| Qualys, Inc. | $100.00 | $146.18 | $164.59 | $134.62 | $235.43 | $168.19 |
| NASDAQ Global Select Market | $100.00 | $143.04 | $176.11 | $118.67 | $172.13 | $222.62 |
| NASDAQ Computer | $100.00 | $149.98 | $206.76 | $132.79 | $221.06 | $301.44 |
| S&P 500 | $100.00 | $118.40 | $152.39 | $124.79 | $157.59 | $197.02 |
The information on the above Stock Price Performance Graph shall not be deemed to be “filed” for purposes of Section 18 of the Securities Exchange Act of 1934, as amended, or otherwise subject to the liabilities of that section or Sections 11 and 12(a)(2) of the Securities Act of 1933, as amended, and shall not be incorporated by reference into any registration statement or other document filed by us with the SEC, whether made before or after the date of this Annual Report on Form 10-K, regardless of any general incorporation language in such filing, except as shall be expressly set forth by specific reference in such filing.
Purchases of Equity Securities by the Issuer and Affiliated Purchasers
A summary of our repurchases of common stock during the three months ended December 31, 2024 is as follows:
| Period | Total Number of Shares Purchased | Average Price Paid per Share | Total Number of Shares Purchased as Part of Publicly Announced Plan or Program (1) | Approximate Dollar Value of Shares that May Yet Be Purchased under the Plan or Program |
| October 1, 2024 - October 31, 2024 | 145,802 | $123.87 | 145,802 | $167,659,031 |
| November 1, 2024 - November 30, 2024 | 74,190 | $144.16 | 74,190 | $159,964,062 |
| December 1, 2024 - December 31, 2024 | 91,730 | $147.60 | 91,730 | $143,424,943 (2) |
| Total | 311,722 | | 311,722 | |
(1) On February 12, 2018, we announced that our board of directors authorized a $100.0 million share repurchase program.
Biggest change:
| | December 31, 2020 | December 31, 2021 | December 31, 2022 | December 31, 2023 | December 31, 2024 | December 31, 2025 |
| Qualys, Inc. | $100.00 | $112.60 | $92.09 | $161.06 | $115.06 | $109.05 |
| NASDAQ Global Select Market | $100.00 | $123.12 | $82.96 | $120.33 | $155.63 | $188.00 |
| NASDAQ Computer | $100.00 | $137.86 | $88.54 | $147.39 | $200.98 | $258.44 |
| S&P 500 | $100.00 | $128.71 | $105.40 | $133.10 | $166.40 | $196.16 |
The information on the above Stock Price Performance Graph shall not be deemed to be “filed” for purposes of Section 18 of the Securities Exchange Act of 1934, as amended, or otherwise subject to the liabilities of that section or Sections 11 and 12(a)(2) of the Securities Act of 1933, as amended, and shall not be incorporated by reference into any registration statement or other document filed by us with the SEC, whether made before or after the date of this Annual Report on Form 10-K, regardless of any general incorporation language in such filing, except as shall be expressly set forth by specific reference in such filing.
Purchases of Equity Securities by the Issuer and Affiliated Purchasers
A summary of our repurchases of common stock during the three months ended December 31, 2025 is as follows:
| Period | Total Number of Shares Purchased | Average Price Paid per Share | Total Number of Shares Purchased as Part of Publicly Announced Plan or Program (1) | Approximate Dollar Value of Shares that May Yet Be Purchased under the Plan or Program |
| October 1, 2025 - October 31, 2025 | 137,484 | $128.13 | 137,484 | $187,571,436 |
| November 1, 2025 - November 30, 2025 | 89,227 | $140.46 | 89,227 | $175,038,494 |
| December 1, 2025 - December 31, 2025 | 101,451 | $143.10 | 101,451 | $160,520,569 (2) |
| Total | 328,162 | | 328,162 | |
(1) On February 12, 2018, we announced that our board of directors authorized a $100.0 million share repurchase program.
On each of October 30, 2018, October 30, 2019, May 7, 2020, February 10, 2021 and February 9, 2023, we announced that our board of directors had authorized an increase of $100.0 million, and on each of November 3, 2021, May 4, 2022, and February 7, 2024, we announced that our board of directors had authorized an increase of $200.0 million to the share repurchase program, resulting in an aggregate authorization of $1.2 billion as of December 31, 2024.
On each of October 30, 2018, October 30, 2019, May 7, 2020, February 10, 2021 and February 9, 2023, we announced that our board of directors had authorized an increase of $100.0 million, and on each of November 3, 2021, May 4, 2022, February 7, 2024, and February 6, 2025, we announced that our board of directors had authorized an increase of $200.0 million to the share repurchase program, resulting in an aggregate authorization of $1.4 billion as of December 31, 2025.
Such returns are based on historical results and are not intended to suggest future performance. COMPARISON OF CUMULATIVE TOTAL RETURN* Among Qualys, Inc., NASDAQ-Global Select Market Composite Index, and NASDAQ Computer Index and S&P 500 Index * $100 invested on December 31, 2019 in stock or index, including reinvestment of dividends. Fiscal year ending December 31.
Such returns are based on historical results and are not intended to suggest future performance. COMPARISON OF CUMULATIVE TOTAL RETURN* Among Qualys, Inc., NASDAQ-Global Select Market Composite Index, and NASDAQ Computer Index and S&P 500 Index * $100 invested on December 31, 2020 in stock or index, including reinvestment of dividends. Fiscal year ending December 31.
On February 6, 2025, we announced that our board of directors authorized an increase of $200.0 million to the share repurchase program, resulting in an aggregate authorization of $1.4 billion. Shares may be repurchased from time to time on the open market in accordance with Rule 10b-18 of the Exchange Act of 1934.
On February 5, 2026, we announced that our board of directors authorized an increase of $200.0 million to the share repurchase program, resulting in an aggregate authorization of $1.6 billion. Shares may be repurchased from time to time on the open market in accordance with Rule 10b-18 of the Exchange Act of 1934.
Item 5. Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities Market Information Our common stock is listed and traded on the NASDAQ Global Select Market under the symbol “QLYS”. Holders of Record As of February 11, 2025, there were approximately 44 holders of record of our common stock.
Item 5. Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities Market Information Our common stock is listed and traded on the NASDAQ Global Select Market under the symbol “QLYS”. Holders of Record As of February 11, 2026, there were approximately 40 holders of record of our common stock.
Stock Price Performance Graph The following graph shows a comparison from December 31, 2019 through December 31, 2024 of the cumulative total return for an investment of $100 (and the reinvestment of dividends) in our common stock, the NASDAQ Global Select Market Composite Index and the NASDAQ Computer Index and the S&P 500 Index.
Stock Price Performance Graph The following graph shows a comparison from December 31, 2020 through December 31, 2025 of the cumulative total return for an investment of $100 (and the reinvestment of dividends) in our common stock, the NASDAQ Global Select Market Composite Index and the NASDAQ Computer Index and the S&P 500 Index.
(2) Does not reflect the $200.0 million increase to our share repurchase program announced on February 6, 2025. Item 6. [RESERVED]
(2) Does not reflect the $200.0 million increase to our share repurchase program announced on February 5, 2026. Item 6. [RESERVED]

Item 7. Management's Discussion & Analysis

Management's Discussion & Analysis (MD&A) — revenue / margin commentary

32 edited · 4 added · 3 removed · 51 unchanged
Biggest change:
Total other income, net (in thousands, except percentages)
| | Year Ended December 31, 2024 | Year Ended December 31, 2023 | Change ($) | Change (%) |
| Total other income, net | $22,626 | $15,582 | $7,044 | 45% |
Total other income, net increased by $7.0 million in 2024 compared to 2023, primarily due to an increase in interest income of $8.9 million driven by an increase in our average daily cash and investment balance, a non-recurring unrealized loss of $0.5 million on a non-marketable equity security recognized during 2023, partially offset by an increase in foreign currency loss of $2.4 million.
Income tax provision (in thousands, except percentages)
| | Year Ended December 31, 2024 | Year Ended December 31, 2023 | Change ($) | Change (%) |
| Income tax provision | $36,142 | $27,056 | $9,086 | 34% |
Income tax provision increased by $9.1 million in 2024 compared to 2023, primarily due to the tax effect of an increase in pretax income, increase in foreign withholding taxes, decrease in excess tax benefit from stock-based compensation compared to prior year, and decrease in other discrete tax adjustments.
Biggest change:
Total other income, net (in thousands, except percentages)
| | Year Ended December 31, 2025 | Year Ended December 31, 2024 | Change ($) | Change (%) |
| Total other income, net | $24,876 | $22,626 | $2,250 | 10% |
Total other income, net increased by $2.3 million in 2025 compared to 2024, primarily due to favorable changes in foreign currency of $2.8 million, partially offset by a decrease in interest income of $0.5 million.
Organizations use our integrated suite of solutions to cost-effectively obtain a unified view of their internal and external IT and OT asset inventory as well as security and compliance posture across globally-distributed IT infrastructures as our solution offers a single platform for information technology, information security, application security, endpoint, developer security and cloud teams.
Organizations use our integrated suite of solutions to cost-effectively obtain a unified view of their internal and external IT and OT asset inventory as well as security and compliance posture across globally-distributed IT infrastructures as our solution offers a single platform for IT, information security, application security, endpoint, developer security and cloud teams.
We expect to continue to invest in sales and marketing teams and also in more marketing programs to support new solutions on our platform, which in turn, is expected to increase sales and marketing expenses in absolute dollars. General and Administrative General and administrative expenses consist primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and stock-based compensation for our executive, finance and accounting, IT, legal and human resources teams, as well as professional services, fees, software licenses and overhead allocations.
We expect to continue to invest in sales and marketing teams and also in more marketing programs to support new solutions on our platform, which in turn, is expected to increase sales and marketing expenses in absolute dollars. General and Administrative General and administrative expenses consist primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and stock-based compensation for our executive, finance and accounting, IT, legal and human resources teams, as well as professional services, fees, software licenses and overhead allocations.
We regularly assess the realizability of our net deferred tax assets. As of December 31, 2024, valuation allowances remain in certain jurisdictions where we believe it is necessary to see positive evidence, such as sustained achievement of sufficient profits, to meet a more likely than not stance that the valuation allowance should be reversed.
We regularly assess the realizability of our net deferred tax assets. As of December 31, 2025, valuation allowances remain in certain jurisdictions where we believe it is necessary to see positive evidence, such as sustained achievement of sufficient profits, to meet a more likely than not stance that the valuation allowance should be reversed.
Such a change in recognition or measurement would result in recognition of a tax benefit or an additional charge to the tax provision that could be material in the future. Stock-Based Compensation We recognize the fair value of our employee stock options and restricted stock units, including performance-based restricted stock units, over the requisite service period.
Such a change in recognition or measurement would result in recognition of a tax benefit or an additional charge to the tax provision that could be material in the future. Stock-Based Compensation We recognize the fair value of our employee stock options and restricted stock units (RSU), including performance-based restricted stock units (PRSU), over the requisite service period.
We will continue to evaluate the nature and extent of the impact to our business, financial position, results of operations and cash flows. Key Components of Results of Operations Revenues We derive revenues from the sale of subscriptions to our IT, security and compliance solutions, which are delivered on our cloud platform.
We will continue to evaluate the nature and extent of the impact to our business, financial position, results of operations and cash flows. Key Components of Results of Operations Revenues We derive revenues from the sale of subscriptions to our IT, security and compliance solutions, which are delivered on our cloud platform.
In addition, we also generated $0.2 million of cash from working capital change in 2024, of which $11.7 million was related to the increases in accounts receivable and deferred revenue due to the timing of collections and growth in billings, a $3.2 million increase in payables and accrued liabilities driven by the timing of payment, partially offset by a $14.7 million increase in prepaid expenses.
In addition, we also generated $0.2 million of cash from working capital change in 2024, of which $11.7 million was related to the increases in accounts receivable and deferred revenue due to the timing of collections and growth in billings, a $3.2 million increase in payables and accrued liabilities driven by the timing of payment, partially offset by a $14.7 million increase in prepaid expenses.
You should carefully review and consider the information regarding our financial condition and results of operations set forth under Part II-Item 7 (Management’s Discussion and Analysis of Financial Condition and Results of Operations) in our Annual Report on Form 10-K for the fiscal year ended December 31, 2023, filed with the SEC on February 22, 2024, for an understanding of our results of operations and liquidity discussions and analysis comparing fiscal year 2023 to fiscal year 2022, which information is hereby incorporated by reference.
You should carefully review and consider the information regarding our financial condition and results of operations set forth under Part II-Item 7 (Management’s Discussion and Analysis of Financial Condition and Results of Operations) in our Annual Report on Form 10-K for the fiscal year ended December 31, 2024, filed with the SEC on February 21, 2025, for an understanding of our results of operations and liquidity discussions and analysis comparing fiscal year 2024 to fiscal year 2023, which information is hereby incorporated by reference.
In 2024, 2023 and 2022, 58%, 60% and 60%, respectively, of our revenues were derived from customers in the United States based on our customers' billing addresses. We sell our solutions to enterprises and government entities primarily through our field sales force and to small and medium-sized businesses through our inside sales force.
In 2025, 2024 and 2023, 56%, 58% and 60%, respectively, of our revenues were derived from customers in the United States based on our customers' billing addresses. We sell our solutions to enterprises and government entities primarily through our field sales force and to small and medium-sized businesses through our inside sales force.
Impacts of Current Macroeconomic Environment The uncertainty surrounding macroeconomic factors in the U.S. and globally characterized by inflationary pressure, high interest rates, significant volatility of global markets, reduced spending and extended sales cycles, and geopolitical conflicts could have a material adverse effect on our long-term business and could lead to further economic disruption and expose us to greater risk as our current and potential customers may reduce or eliminate their overall spending on IT security.
Impacts of Current Macroeconomic Environment The uncertainty surrounding macroeconomic factors in the U.S. and globally characterized by inflationary pressure, high interest rates, significant volatility of global markets, reduced spending and extended sales cycles, tariff and non-tariff trade barriers, economic and regulatory uncertainty, and geopolitical conflicts could have a material adverse effect on our long-term business and could lead to further economic disruption and expose us to greater risk as our current and potential customers may reduce or eliminate their overall spending on IT security.
Our significant accounting policies are described in Note 1 - The Company and Summary of Significant Accounting Policies in the accompanying notes to the consolidated financial statements included in Part II, Item 8, "Financial Statements and Supplementary Data" of this Annual Report on Form 10-K.
Our significant accounting policies are described in Note 1 - The Company and Summary of Significant Accounting Policies in the accompanying notes to the consolidated financial statements included in Part II, Item 8, "Financial Statements and Supplementary Data" of this Annual Report on Form 10-K.
On February 6, 2025, we announced that our board of directors authorized an additional $200.0 million under the share repurchase program, increasing the total amount of authorized repurchase to $1.4 billion. Critical Accounting Estimates The preparation of our consolidated financial statements in accordance with U.S.
On February 5, 2026, we announced that our board of directors authorized an additional $200.0 million under the share repurchase program, increasing the total amount of authorized repurchase to $1.6 billion. Critical Accounting Estimates The preparation of our consolidated financial statements in accordance with U.S.
Our judgments also include anticipating the tax positions we will record in the financial statements before preparing and filing the tax returns. Our estimates and assumptions may differ from the actual results as reflected in our income tax returns and we record the required adjustments when they are identified or resolved.
Our judgments also include anticipating the tax positions we will record in the financial statements before preparing and filing the tax returns. Our estimates and assumptions may differ from the actual results as reflected in our income tax returns and we record the required adjustments when they are identified or resolved.
We may also seek to invest in or acquire complementary businesses or technologies. Other non-cancelable purchase obligations related to cloud infrastructures and other service providers totaled $70.5 million, of which $39.2 million is expected to be paid within the next 12 months.
We may also seek to invest in or acquire complementary businesses or technologies. Other non-cancelable purchase obligations related to cloud infrastructures and other service providers totaled $60.2 million, of which $13.2 million is expected to be paid within the next 12 months.
Financing Activities In 2024, we used $139.9 million of cash for share repurchases and $28.4 million of cash in payment of employee withholding taxes upon vesting of restricted stock units and $1.5 million payment of cash held in escrow as part of the Blue Hexagon acquisition on October 4, 2022, partially offset by $17.3 million of proceeds from employee exercise of stock options and $6.9 million of proceeds from issuance of common stock through our employee stock purchase plan ("ESPP"), as compared to $170.8 million of cash for share repurchase and $22.3 million of cash in payment of employee withholding taxes upon vesting of restricted stock units, partially offset by $45.6 million of proceeds from employee exercise of stock options and $6.1 million of proceeds from issuance of common stock through our ESPP in 2023.
Financing Activities In 2025, we used $183.4 million of cash for share repurchases and $25.0 million of cash in payment of employee withholding taxes upon vesting of restricted stock units, partially offset by $16.3 million of proceeds from employee exercise of stock options and $6.8 million of proceeds from issuance of common stock through our employee stock purchase plan (ESPP), as compared to $139.9 million of cash for share repurchase and $28.4 million of cash in payment of employee withholding taxes upon vesting of restricted stock units and $1.5 million payment of cash held in escrow as part of the Blue Hexagon acquisition on October 4, 2022, partially offset by $17.3 million of proceeds from employee exercise of stock options and $6.9 million of proceeds from issuance of common stock through our ESPP in 2024.
Share Repurchases We expect to continue to use cash to repurchase shares in 2025 under our share repurchase program authorized by our board of directors on February 5, 2018. As of December 31, 2024, approximately $143.4 million remained available under our share repurchase program.
Share Repurchases We expect to continue to use cash to repurchase shares in 2026 under our share repurchase program authorized by our board of directors on February 5, 2018. As of December 31, 2025, approximately $160.5 million remained available under our share repurchase program.
Numerator: We measure the ARR for that same cohort of customers representing all active subscriptions as of the end of the reporting period, using the same foreign exchange rate from the prior year. Our net dollar expansion rates were 103% and 105% for the years ended December 31, 2024 and 2023, respectively.
Numerator: We measure the ARR for that same cohort of customers representing all active subscriptions as of the end of the reporting period, using the same foreign exchange rate from the prior year. Our net dollar expansion rate was 103% for both the years ended December 31, 2025 and 2024.
In 2023, we generated $226.4 million of cash from our net income, as adjusted for non-cash items mainly related to stock-based compensation expense, depreciation and amortization expense and deferred taxes.
In 2024, we generated $243.9 million of cash from our net income, as adjusted for non-cash items mainly related to stock-based compensation expense, depreciation and amortization expense and deferred taxes.
We had fixed operating lease payment obligations of $59.9 million as of December 31, 2024, with $13.5 million expected to be paid within the next 12 months. Cash outflow for capital expenditures in 2025 is expected to be in a range of $8.0 million to $13.0 million.
We had fixed operating lease payment obligations of $69.0 million as of December 31, 2025, with $11.4 million expected to be paid within the next 12 months. Cash outflow for capital expenditures in 2026 is expected to be in a range of $8.0 million to $12.0 million.
Investing Activities In 2024, we used $59.1 million of cash for purchases of marketable securities net of sales and maturities, and used $12.3 million of cash in capital expenditures mainly related to computer equipment to support our growth and development and leasehold improvement for expansion of our office spaces and shared cloud platform facilities, as compared to the use of $64.4 million of cash for purchases of marketable securities net of sales and maturities, and the use of $8.8 million of cash in capital expenditures mainly related to computer equipment to support our growth and development in 2023.
Investing Activities In 2025, we used $100.9 million of cash for purchases of marketable securities net of sales and maturities, and used $5.0 million of cash in capital expenditures mainly related to computer equipment to support our growth and development and leasehold improvement for expansion of our office spaces, as compared to the use of $59.1 million of cash for purchases of marketable securities net of sales and maturities, and the use of $12.3 million of cash in capital expenditures mainly related to computer equipment to support our growth and development and leasehold improvement for expansion of our office spaces and shared cloud platform facilities in 2024.
In 2024, 54% of total revenues were direct and 46% of total revenues were through partners. Of the total increase of $53.1 million, 20% was direct and the remaining 80% was from partners. With our strong market position driving further demand for our solutions, we expect revenue growth from new and existing customers to continue.
In 2025, 51% of total revenues were direct and 49% of total revenues were through partners. Of the total increase of $61.6 million, 20% was direct and the remaining 80% was from partners. With our strong market position driving further demand for our solutions, we expect revenue growth from new and existing customers to continue.
The following summary of cash flows for the periods indicated have been derived from our consolidated financial statements included elsewhere in this report: Year Ended December 31, 2024 2023 (in thousands) Net cash provided by operating activities $ 244,094 $ 244,605 Net cash used in investing activities (71,427) (73,166) Net cash used in financing activities (145,650) (141,493) Net increase in cash, cash equivalents and restricted cash $ 27,017 $ 29,946 Operating Activities In 2024, we generated $243.9 million of cash from our net income, as adjusted for non-cash items mainly related to stock-based compensation expense, depreciation and amortization expense and deferred taxes, as compared to $226.4 million in 2023.
The following summary of cash flows for the periods indicated has been derived from our consolidated financial statements included elsewhere in this report: Year Ended December 31, 2025 2024 (in thousands) Net cash provided by operating activities $ 309,400 $ 244,094 Net cash used in investing activities (105,924) (71,427) Net cash used in financing activities (185,400) (145,650) Net increase in cash, cash equivalents and restricted cash $ 18,076 $ 27,017 Operating Activities In 2025, we generated $296.0 million of cash from our net income, as adjusted for non-cash items mainly related to stock-based compensation expense, depreciation and amortization expense and deferred taxes, as compared to $243.9 million in 2024.
Results of Operations The following table sets forth selected consolidated statements of operations data for each of the periods presented as a percentage of revenues: Year Ended December 31, 2024 2023 Revenues 100 % 100 % Cost of revenues 18 19 Gross profit 82 81 Operating expenses: Research and development 19 20 Sales and marketing 21 20 General and administrative 11 12 Total operating expenses 51 52 Income from operations 31 29 Total other income, net 4 3 Income before income taxes 35 32 Income tax provision 6 5 Net income 29 % 27 % Comparison of Years Ended December 31, 2024 and 2023 Revenues Year Ended December 31, Change 2024 2023 $ % (in thousands, except percentages) Revenues $ 607,571 $ 554,458 $ 53,113 10 % Revenues increased by $53.1 million in 2024 compared to 2023, driven by increased demand for our subscription services by our end customers.
Results of Operations The following table sets forth selected consolidated statements of operations data for each of the periods presented as a percentage of revenues: Year Ended December 31, 2025 2024 Revenues 100 % 100 % Cost of revenues 17 18 Gross profit 83 82 Operating expenses: Research and development 18 19 Sales and marketing 21 21 General and administrative 11 11 Total operating expenses 50 51 Income from operations 33 31 Total other income, net 4 4 Income before income taxes 37 35 Income tax provision 7 6 Net income 30 % 29 % Comparison of Years Ended December 31, 2025 and 2024 Revenues Year Ended December 31, Change 2025 2024 $ % (in thousands, except percentages) Revenues $ 669,125 $ 607,571 $ 61,554 10 % Revenues increased by $61.6 million in 2025 compared to 2024, driven by increased demand for our subscription services by our end customers.
Some of these limitations are: Adjusted EBITDA does not reflect certain cash and non-cash charges that are recurring; Adjusted EBITDA does not reflect income tax payments that reduce cash available to us; Adjusted EBITDA excludes depreciation and amortization of property and equipment and amortization of intangible assets, although these are non-cash charges, the assets being depreciated and amortized may have to be replaced in the future; and Other companies, including companies in our industry, may calculate Adjusted EBITDA differently or not at all, which reduces its usefulness as a comparative measure.
Some of these limitations are: Adjusted EBITDA does not reflect certain cash and non-cash charges that are recurring; Adjusted EBITDA does not reflect income tax payments that reduce cash available to us; Adjusted EBITDA excludes depreciation and amortization of property and equipment and amortization of intangible assets, although these are non-cash charges, the assets being depreciated and amortized may have to be replaced in the future; and Other companies, including companies in our industry, may calculate Adjusted EBITDA differently or not at all, which reduces its usefulness as a comparative measure. Because of these limitations, Adjusted EBITDA should be considered alongside other financial performance measures, including revenues, net income, cash flows from operating activities and our financial results presented in accordance with U.S.
Cost of Revenues Year Ended December 31, Change 2024 2023 $ % (in thousands, except percentages) Cost of revenues $ 111,482 $ 107,485 $ 3,997 4 % Cost of revenues increased by $4.0 million in 2024 compared to 2023, primarily due to an increase in shared cloud platform cost of $6.0 million, an increase in personnel costs, including stock-based compensation, of $4.6 million, driven by additional employees hired to support the growth of our business, an increase in license expenses and professional service expenses of $1.2 million, partially offset by a decrease in depreciation and amortization expense of $7.8 million resulting from certain of our assets becoming fully depreciated or amortized.
Cost of Revenues Year Ended December 31, Change 2025 2024 $ % (in thousands, except percentages) Cost of revenues $ 114,768 $ 111,482 $ 3,286 3 % Cost of revenues increased by $3.3 million in 2025 compared to 2024, primarily due to an increase in personnel costs of $4.7 million, driven by additional employees hired to support the growth of our business and an increase in incentive compensation, an increase in license expenses of $1.9 million, partially offset by a decrease in depreciation and amortization expense of $3.3 million resulting from certain of our assets becoming fully depreciated or amortized.
Of the total increase of $53.1 million in revenues, 69% was from customers existing at or prior to December 31, 2023, and the remaining 31% was from new customers added in 2024. Of the total increase of $53.1 million, 42% was from customers in the United States and the remaining 58% was from customers in foreign countries.
Of the total increase of $61.6 million in revenues, 76% was from customers existing at or prior to December 31, 2024, and the remaining 24% was from new customers added in 2025. Of the total increase of $61.6 million, 37% was from customers in the United States and the remaining 63% was from customers in foreign countries.
We calculate Adjusted EBITDA as net income before (1) other (income) expense, net, which includes interest income, interest expense and other income and expense, (2) income tax provision (benefit), (3) depreciation and amortization of property and equipment, (4) amortization of intangible assets, (5) stock-based compensation and (6) non-recurring expenses that do not reflect ongoing costs of operating the business. Adjusted EBITDA has limitations as an analytical tool and should not be considered in isolation from or as a substitute for the measures presented in accordance with U.S.
We calculate Adjusted EBITDA as net income before (1) other (income) expense, net, which includes interest income, interest expense and other income and expense, (2) income tax provision (benefit), (3) depreciation and amortization of property and equipment, (4) amortization of intangible assets, (5) stock-based compensation and (6) non-recurring expenses that do not reflect ongoing costs of operating the business.
In addition, we also generated $18.2 million of cash from working capital change in 2023, of which $22.7 million was related to the net increase in deferred revenue and accounts receivable due to the growth in billing and the timing of collections, partially offset by a $1.1 million decrease in payables and accrued liabilities and a $3.4 million increase in prepaid expenses primarily driven by the timing of payments.
In addition, we also generated $13.4 million of cash from working capital change in 2025, of which $14.0 million was related to the net favorable change in accounts receivable and deferred revenue due to the growth in billings and collections, partially offset by an $0.6 million net unfavorable change in prepaid expenses and payables and accrued liabilities due to the timing of payments.
Year Ended December 31, 2024 2023 (in thousands) Net income $ 173,680 $ 151,595 Net income as a percentage of revenues 29 % 27 % Depreciation and amortization of property and equipment 15,610 23,904 Amortization of intangible assets 2,903 3,087 Income tax provision 36,142 27,056 Stock-based compensation 77,133 69,079 Total other income, net (22,626) (15,582) Adjusted EBITDA $ 282,842 $ 259,139 Adjusted EBITDA as a percentage of revenues 47 % 47 % Liquidity and Capital Resources As of December 31, 2024, our principal source of liquidity was cash, cash equivalents and marketable securities of $575.3 million, including $119.9 million of cash held outside of the United States.
The following unaudited table presents the reconciliation of net income to Adjusted EBITDA for the years ended December 31, 2025 and 2024: Year Ended December 31, 2025 2024 (in thousands) Net income $ 198,320 $ 173,680 Net income as a percentage of revenues 30 % 29 % Depreciation and amortization of property and equipment 11,934 15,610 Amortization of intangible assets 2,557 2,903 Income tax provision 48,508 36,142 Stock-based compensation 76,966 77,133 Total other income, net (24,876) (22,626) Adjusted EBITDA $ 313,409 $ 282,842 Adjusted EBITDA as a percentage of revenues 47 % 47 % Liquidity and Capital Resources As of December 31, 2025, our principal source of liquidity was cash, cash equivalents and marketable securities of $696.8 million, including $155.3 million of cash held outside of the United States.
General and Administrative Expenses Year Ended December 31, Change 2024 2023 $ % (in thousands, except percentages) General and administrative $ 68,738 $ 61,741 $ 6,997 11 % General and administrative expenses increased by $7.0 million in 2024 compared to 2023, primarily due to an increase in personnel costs, including stock-based compensation, of $6.3 million, driven by increased headcount, annual merit increases and refresh grants to eligible employees and executives, and an increase in subscribed software costs and other expenses of $0.7 million.
General and Administrative Expenses Year Ended December 31, Change 2025 2024 $ % (in thousands, except percentages) General and administrative $ 71,616 $ 68,738 $ 2,878 4 % General and administrative expenses increased by $2.9 million in 2025 compared to 2024, primarily due to an increase in personnel costs, including stock-based compensation, of $4.1 million, driven by an increase in headcount and higher incentive compensation due to higher achievement rates compared to 2024, and an increase in license expenses of $0.9 million, partially offset by an increase in overhead allocations to other expense categories of $2.1 million.
Research and Development Expenses Year Ended December 31, Change 2024 2023 $ % (in thousands, except percentages) Research and development $ 111,852 $ 110,472 $ 1,380 1 % Research and development expenses increased by $1.4 million in 2024 compared to 2023, primarily due to an increase in personnel costs, including stock-based compensation, of $2.8 million, driven by increased headcount, partially offset by a decrease in depreciation and amortization expense in property and equipment of $0.8 million, and a decrease in overhead allocation of $0.6 million. Sales and Marketing Expenses Year Ended December 31, Change 2024 2023 $ % (in thousands, except percentages) Sales and marketing $ 128,303 $ 111,691 $ 16,612 15 % Sales and marketing expenses increased by $16.6 million in 2024 compared to 2023, primarily due to an increase in personnel costs, including stock-based compensation, of $12.9 million, driven by increased headcount, an increase in travel and entertainment cost of $1.8 million, an increase in marketing expenses related to trade shows of $0.7 million, an increase in overhead allocation of $0.7 million, and an increase in subscribed license and software costs of $0.5 million.
Research and Development Expenses Year Ended December 31, Change 2025 2024 $ % (in thousands, except percentages) Research and development $ 117,284 $ 111,852 $ 5,432 5 % Research and development expenses increased by $5.4 million in 2025 compared to 2024, primarily due to an increase in personnel costs of $4.4 million, driven by additional employees hired to support the growth of our business and an increase in incentive compensation, an increase in overhead allocations of $1.8 million, and an increase in shared cloud platform costs of $1.0 million, partially offset by a decrease in stock-based compensation of $1.1 million driven by lower average grant-date fair value and geographic mix, and a decrease in professional service expense of $0.7 million. Sales and Marketing Expenses Year Ended December 31, Change 2025 2024 $ % (in thousands, except percentages) Sales and marketing $ 143,505 $ 128,303 $ 15,202 12 % Sales and marketing expenses increased by $15.2 million in 2025 compared to 2024, primarily due to an increase in personnel costs of $8.8 million, driven by an increase in headcount and higher sales commissions and incentive compensation, an increase in marketing expenses of $4.2 million, primarily related to digital advertising, sales event and sponsorship, an increase in travel expenses of $1.5 million, and an increase in overhead allocations of $0.7 million.
Key Operating and Non-GAAP Financial Performance Metrics In addition to measures of financial performance presented in our consolidated financial statements, we monitor the key metrics set forth below to help us evaluate growth trends, establish budgets, measure the effectiveness of our sales and marketing efforts and assess operational efficiencies.
Income tax provision Year Ended December 31, Change 2025 2024 $ % (in thousands, except percentages) Income tax provision $ 48,508 $ 36,142 $ 12,366 34 % Income tax provision increased by $12.4 million in 2025 compared to 2024, primarily due to the tax effect of a decrease in the benefit from FDII deduction as a result of the enactment of the OBBBA, along with a decrease in excess tax benefits from stock-based compensation and a decrease in tax benefits from other discrete adjustments compared to the prior year. Key Operating and Non-GAAP Financial Performance Metrics In addition to measures of financial performance presented in our consolidated financial statements, we monitor the key metrics set forth below to help us evaluate growth trends, establish budgets, measure the effectiveness of our sales and marketing efforts and assess operational efficiencies.
Removed
The increase in tax expense was partially offset by an increase in foreign derived intangible income benefit, an increase in research and development tax credits, and the recognition of an income tax benefit related to uncertain tax positions due to statute lapse.
Added
On July 4, 2025, the One Big Beautiful Bill Act (OBBBA) was signed into law. The OBBBA permanently extends and modifies certain domestic and international provisions from the 2017 TCJA and phases out certain provisions from the 2022 Inflation Reduction Act.
Removed
For the year ended December 31, 2024, our income tax provision included a benefit of $2.5 million related to an increase in foreign derived intangible income benefit and research and development tax credits associated with our U.S. income tax return filed during the year.
Added
Beginning in 2025, the OBBBA provides an elective deduction for domestic research and development expenses and a reinstatement of elective 100% first-year bonus depreciation. Some international provisions of the OBBBA will not be effective until 2026 and forward.
Removed
Because of these limitations, Adjusted EBITDA should be considered alongside other financial performance measures, including revenues, net income, cash flows from operating activities and our financial results presented in accordance with U.S. GAAP. The following unaudited table presents the reconciliation of net income to Adjusted EBITDA for the years ended December 31, 2024 and 2023.
Added
We have recognized the effects of the OBBBA provisions in our financial results to the extent they are applicable to the year ended December 31, 2025. We will continue to monitor the impact of the OBBBA and the range of potential outcomes, which will depend on facts in each year and anticipated guidance from the U.S. Department of the Treasury.
Added
Adjusted EBITDA has limitations as an analytical tool and should not be considered in isolation from or as a substitute for the measures presented in accordance with U.S. GAAP.

Item 7A. Quantitative and Qualitative Disclosures About Market Risk

Market Risk — interest-rate, FX, commodity exposure

5 edited+1 added0 removed4 unchanged
Biggest changeDollar and the EUR, GBP, INR and Canadian Dollar ("C$" or " CAD") , the currencies of countries where we currently have our most significant international operations. We enter into foreign currency forward contracts to reduce our exposure to foreign currency exchange rate fluctuations related to forecasted subscription revenue, operating expenses and foreign currency denominated assets or liabilities.
Biggest changeWe enter into foreign currency forward contracts to reduce our exposure to foreign currency exchange rate fluctuations related to forecasted subscription revenue, operating expenses and foreign currency denominated assets or liabilities.
The primary objectives of our investment activities are the preservation of principal and support of our liquidity requirements. We do not invest for trading or speculative purposes. Our marketable securities are subject to market risk due to changes in interest rates, which may affect the interest income we earn and the fair market value.
The primary objectives of our investment activities are the preservation of principal and support of our liquidity requirements. We do not invest for trading or speculative purposes. Our marketable securities are subject to market risk due to changes in interest rates, which may affect the interest income we earn and the fair market value of our securities.
As of December 31, 2024, a hypothetical 100 basis point increase in interest rate would not result in a material decrease in the fair value of our marketable securities.
As of December 31, 2025, a hypothetical 100 basis point increase in interest rate would not result in a material decrease in the fair value of our marketable securities.
With our hedging strategy applied, the effect of an immediate 10% adverse change in foreign exchange rates would not be material to our financial condition, operating results or cash flows. Interest Rate Sensitivity We had $575.3 million in cash, cash equivalents and short-term and long-term marketable securities as of December 31, 2024.
With our hedging strategy applied, the effect of an immediate 10% adverse change in foreign exchange rates would not be material to our financial condition, operating results or cash flows. Interest Rate Sensitivity We had $696.8 million in cash, cash equivalents and short-term and long-term marketable securities as of December 31, 2025.
As of December 31, 2024, we had designated cash flow hedge forward contracts with notional amounts of €51.4 million, £20.3 million and Rs. 4,381.0 million and non-designated forward contracts with notional amounts of €27.0 million, £8.0 million, Rs. 1,252.0 million and C$1.0 million.
As of December 31, 2025, we had designated cash flow hedge forward contracts with notional amounts of €54.3 million, £24.1 million and Rs. 5,526.0 million and non-designated forward contracts with notional amounts of €24.4 million, £6.8 million, Rs. 2,723.0 million and C$2.5 million.
Added
Dollar and the EUR, GBP, INR and Canadian Dollar (“C$” or “CAD”), the currencies of countries where we currently have our most significant international operations.

Other QLYS 10-K year-over-year comparisons