What changed in QUALYS, INC.'s 2023 10-K compared to 2022?

Across the narrative sections we track, QUALYS, INC. (QLYS) added 288 paragraphs, removed 300, and edited 224 between the 2022 and 2023 10-K filings. The biggest movers are Item 1. Business (+104/−127), Item 1A. Risk Factors (+114/−101), Item 7. Management's Discussion & Analysis (+52/−50).

Did QUALYS, INC. add new Risk Factors in the 2023 10-K?

Yes — Item 1A Risk Factors shows 114 new/edited paragraphs and 101 removed paragraphs versus the 2022 10-K.

What changed in QUALYS, INC.'s MD&A (Item 7) in 2023?

Item 7 Management's Discussion & Analysis shows 52 new/edited paragraphs and 50 removed paragraphs year-over-year. Read the side-by-side diff to see exactly which revenue, margin, and outlook commentary was rewritten.

Did QUALYS, INC.'s Legal Proceedings (Item 3) change in 2023?

Item 3 shows 3 added/edited paragraphs and 3 removed paragraphs — usually indicating new litigation disclosed or settled cases removed.

Where does this QLYS 10-K diff come from?

The source filings are QUALYS, INC.'s official 2022 and 2023 Form 10-K annual reports from SEC EDGAR. 10q10k.net parses each filing, aligns paragraphs by section (Item 1, 1A, 1C, 2, 3, 7, 7A), and highlights every added, removed and edited sentence side-by-side.

What changed in QUALYS, INC.'s 10-K — 2022 vs 2023

Paragraph-level year-over-year comparison of QUALYS, INC.'s 2022 and 2023 10-K annual filings, covering the Business, Risk Factors, Legal Proceedings, Cybersecurity, MD&A and Market Risk sections. Every new, removed and edited paragraph is highlighted side-by-side so you can see exactly what management changed in the 2023 report.

+288 added−300 removedSource: 10-K (2024-02-22) vs 10-K (2023-02-23)

Top changes in QUALYS, INC.'s 2023 10-K

288 paragraphs added · 300 removed · 224 edited across 7 sections

Item 1. Business+104 / −127 · 77 edited
Item 1A. Risk Factors+114 / −101 · 89 edited
Item 7. Management's Discussion & Analysis+52 / −50 · 40 edited
Item 5. Market for Registrant's Common Equity+6 / −9 · 6 edited
Item 7A. Quantitative and Qualitative Disclosures About Market Risk+7 / −8 · 7 edited

Item 1. Business

Business — how the company describes what it does

77 edited+27 added−50 removed47 unchanged

2022 filing

2023 filing

Biggest changeAs of December 31, 2022 , approximately 75% of our employees were located outside of the United States, with 66% of our employees located in Pune, India. None of our U.S. employees are covered by collective bargaining agreements. Employees in certain European countries and Brazil have collective bargaining arrangements at the national level.

Biggest changeNone of our U.S. employees are covered by collective bargaining agreements. Employees in certain European countries and Brazil have collective bargaining arrangements at the national level. We believe our employee relations are good, and we have not experienced any work stoppages. 13 Table of Contents Compensation and Benefits Our Competitive Compensation and Benefits Policy.

IT infrastructures are more complex and globally-distributed today than ever before, as organizations of all sizes increasingly rely upon a myriad of interconnected information systems and related IT assets, such as servers, databases, web applications, routers, switches, desktops, laptops, other physical and virtual infrastructure, and numerous external networks and cloud services.

IT infrastructures are more complex and globally-distributed today than ever before, as organizations of all sizes increasingly rely upon a myriad of interconnected information systems and related assets, such as servers, databases, web applications, routers, switches, desktops, laptops, other physical and virtual infrastructure, and numerous external networks and cloud services.

We also provide open application program interfaces, or APIs, and other developer tools that allow third parties to embed our technology into their solutions and build applications on our cloud platform. Our cloud platform utilizes physical and virtual sensors, and cloud agents that provide our customers with continuous visibility enabling customers to respond to threats immediately.

We also provide open application program interfaces, or APIs, and other developer tools that allow third parties to embed our technology into their solutions and build applications on our platform. Our cloud platform utilizes physical and virtual sensors, and cloud agents that provide our customers with continuous visibility enabling customers to respond to threats immediately.

Built on top of this core service is the Qualys GAV framework, which is a global asset inventory service enabling our customers to search for information on any IT asset, scaling to millions of assets for customers of all sizes, helping IT and security personnel to search IT assets and maintain an up-to-date inventory on a continuous basis. • Reporting and Dashboards.

Built on top of this core service is the Qualys GAV framework, which is a global asset inventory service enabling our customers to search for information on any asset, scaling to millions of assets for customers of all sizes, helping IT and security personnel to search assets and maintain an up-to-date inventory on a continuous basis. • Reporting and Dashboards.

An integrated workflow engine that allows customers to automatically generate helpdesk tickets for remediation and to manage compliance exceptions based on customer-defined policies, enabling subsequent review, commentary, tracking and escalation.

An integrated workflow engine that allows customers to automatically generate helpdesk tickets for remediation to manage compliance exceptions based on customer-defined policies, enabling subsequent review, commentary, tracking and escalation.

We believe that the principal competitive factors affecting our markets include product functionality, breadth of offerings, flexibility of delivery models, ease of deployment and use, total cost of ownership, scalability and performance, customer support and extensibility of platform. We believe that our suite of solutions generally competes favorably with respect to these factors.

We believe that the principal competitive factors affecting our markets include product functionality, breadth of offerings, flexibility of delivery models, ease of deployment and use, total cost of ownership, scalability and performance, customer support and the extensibility of our platform. We believe that our suite of solutions generally competes favorably with respect to these factors.

We compete with large and small public companies, such as Broadcom (Symantec Enterprise Security), CrowdStrike, Palo Alto Networks, Rapid7, and Tenable Holdings, as well as privately held security providers including Axonius, Checkmarx, Flexera, Invicti, Ivanti, Tanium, HelpSystems (Tripwire), Trustwave Holdings and Veracode. We also seek to replace IT, security and compliance solutions that organizations have developed internally.

We compete with large and small public companies, such as Broadcom (Symantec Enterprise Security), CrowdStrike, Palo Alto Networks, Rapid7, and Tenable Holdings, as well as privately held security providers including Axonius, Checkmarx, Flexera, Invicti, Ivanti, Tanium, HelpSystems (Tripwire), Trustwave Holdings, Veracode and Wiz. We also seek to replace IT, security and compliance solutions that organizations have developed internally.

Customers can extend visibility to all known IT infrastructure using our Out-of-Band Configuration Assessment sensor for systems that are air-gapped or otherwise difficult to assess. The Qualys Cloud Platform automatically gathers and analyzes security and compliance data in a scalable, state-of-the-art backend.

Customers can extend visibility to all known IT infrastructure using our Out-of-Band Configuration Assessment sensor for systems that are air-gapped or otherwise difficult to assess. Our cloud platform automatically gathers and analyzes security and compliance data in a scalable, state-of-the-art backend.

Web Application Security Web Application Scanning (WAS): WAS continuously discovers and catalogs web applications – including new and unknown ones – and detects vulnerabilities and misconfigurations in web apps and APIs. Scaling to thousands of scans, it conducts incisive, thorough and precise testing of browser-based web apps, mobile app backends, and Internet of things (IoT) services.

Web Application Scanning (WAS): WAS continuously discovers and catalogs web applications – including new and unknown ones – and detects vulnerabilities and misconfigurations in web apps and APIs. Scaling to thousands of scans, it conducts incisive, thorough and precise testing of browser-based web apps, mobile app backends, and Internet of things (IoT) services.

We intend to expand our relationships with key security consulting organizations, managed security service providers and value-added resellers to accelerate the adoption of our cloud platform. We seek to strengthen existing relationships as well as establish new relationships to increase the distribution and market awareness of our cloud platform and target new geographic regions.

We intend to expand our relationships with key security consulting organizations, leading cloud service providers, managed security service providers and value-added resellers to accelerate the adoption of our cloud platform. We seek to strengthen existing relationships as well as establish new relationships to increase the distribution and market awareness of our cloud platform and target new geographic regions.

Our cloud platform offers an integrated suite of solutions that automates the lifecycle of asset discovery and management, security assessments, and compliance management for an organization’s IT infrastructure and assets, whether such infrastructure and assets reside inside the organization, on their network perimeter, on endpoints or in the cloud.

Our cloud platform offers an integrated suite of solutions that automates the lifecycle of asset discovery and management, security and compliance assessments, and remediation for an organization’s IT infrastructure and assets, whether such infrastructure and assets reside inside the organization, on their network perimeter, on endpoints or in the cloud.

Our customers can conveniently see their security and compliance posture across their global IT asset inventory in one browser window, without plugins or a virtual private network (VPN), whenever and wherever Internet access is available. • Easy global scanning.

Our customers can conveniently see their security and compliance posture across their global IT and OT asset inventory in one browser window, without plugins or a virtual private network (VPN), whenever and wherever Internet access is available. • Easy global scanning.

It continuously gathers and uploads telemetry about installed software, open vulnerabilities and missing patches to the Qualys Cloud Platform. The resulting shared visibility of assets and their posture enables IT and security teams to collaborate using common vulnerability-centric terminology and provides a consistent data set to analyze, prioritize, deploy and verify patches more efficiently.

It continuously gathers and uploads telemetry about installed software, open vulnerabilities and missing patches to our cloud platform. The resulting shared visibility of assets and their posture enables IT and security teams to collaborate using common vulnerability-centric terminology and provides a consistent data set to analyze, prioritize, deploy and verify patches more efficiently.

Our encrypted databases are physically and logically secured. 5 Table of Contents We were founded and incorporated in December 1999 with a vision of transforming the way organizations secure and protect their IT infrastructure and applications and initially launched our first cloud solution, Vulnerability Management (VM), in 2000.

Our encrypted databases are physically and logically secured. 6 Table of Contents We were founded and incorporated in December 1999 with a vision of transforming the way organizations secure and protect their IT infrastructure and applications and initially launched our first cloud solution, Vulnerability Management (VM), in 2000.

Since inception, our solutions have been designed to be delivered through the cloud and to be easily and rapidly deployed on a global scale, enabling faster implementation and lower total cost of ownership than traditional on-premises enterprise software products.

We are fortunate that the nature of our business allows us to successfully operate in this dynamic hybrid environment. We believe that our hybrid policy will be a key enabler to support the broad needs of critical on-site to remote employees.

However, many of our primary competitors have greater name recognition, longer operating histories, more established customer relationships, larger marketing budgets and significantly greater resources than we do. 14 Table of Contents Intellectual Property We rely on a combination of trade secrets, copyrights, patents and trademarks, as well as contractual protections, to establish and protect our intellectual property rights and protect our proprietary technology.

However, many of our primary competitors have greater name recognition, longer operating histories, more established customer relationships, larger marketing budgets and significantly greater resources than we do. Intellectual Property We rely on a combination of trade secrets, copyrights, patents and trademarks, as well as contractual protections, to establish and protect our intellectual property rights and protect our proprietary technology.

The technology underlying our cloud infrastructure enables us to ingest, process, analyze and store a high volume of sensor data coming from our agents, scanners and passive analyzers, and correlate information at very high speeds in a distributed manner for millions of devices. 6 Table of Contents Our cloud platform is delivered to our customers via our 11 global shared cloud platforms, or via our private platform offering, Qualys Private Cloud Platform (PCP), for customers or partners that want the platform to reside within the customer's shared cloud platform.

The technology underlying our cloud infrastructure enables us to ingest, process, analyze and store a high volume of sensor data coming from our agents, scanners and passive analyzers, and correlate information at very high speeds in a distributed manner for millions of devices. 7 Table of Contents Our cloud platform is delivered to our customers via our 14 global shared cloud platforms, or via our private platform offering, Qualys Private Cloud Platform (PCP), for customers or partners that want the platform to reside within the customer's shared cloud platform.

We view our trade secrets and know-how as a significant component of our intellectual property assets, as we have spent years designing and developing the Qualys Cloud Platform, which we believe differentiates us from our competitors.

We view our trade secrets and know-how as a significant component of our intellectual property assets, as we have spent years designing and developing our cloud platform, which we believe differentiates us from our competitors.

With our diverse employee population, we uphold the rights to work in an environment that promotes equal opportunity and prohibits discriminatory practices against race, color, national origin, ancestry, medical condition, religious creed (including religious dress and grooming practices), marital status, registered domestic partner status, sex, sexual orientation, gender identity and expression, genetic characteristics and information, age, veteran status, or any other protected characteristic.

Organizations use our integrated suite of solutions to cost-effectively obtain a unified view of their IT asset inventory as well as security and compliance posture across globally-distributed IT infrastructures as our solution offers a single platform for information technology, information security, application security, endpoint, developer security and cloud teams.

Organizations use our integrated suite of solutions to cost-effectively obtain a unified view of their internal and external IT and OT asset inventory as well as security and compliance posture across globally-distributed IT infrastructures as our solution offers a single platform for information technology, information security, application security, endpoint, developer security and cloud teams.

We continue to experience revenue growth from our existing customers as they renew and purchase additional subscriptions, as well as from the addition of new customers to our cloud platform. Our Qualys Cloud Platform is currently used by over 10,000 customers worldwide, including a majority of each of the Forbes Global 100 and Fortune 100.

We continue to experience revenue growth from our existing customers as they renew and purchase additional subscriptions, as well as from the addition of new customers to our cloud platform. Our cloud platform is currently used by over 10,000 customers worldwide, including a majority of the Forbes Global 100.

At the end of the subscription term, the channel partner engages with the customer to execute a renewal order, with our sales team providing assistance as required. In 2022, 2021 and 2020, 42%, 41% and 42%, respectively, of our revenues were generated by channel partners.

At the end of the subscription term, the channel partner engages with the customer to execute a renewal order, with our sales team providing assistance as required. In 2023, 2022 and 2021, 43%, 42% and 41%, respectively, of our revenues were generated by channel partners.

Our Platform Our cloud platform consists of a suite of IT security, compliance, web application security, asset management and cloud and container security solutions, which we refer to as the Qualys Cloud Apps, that leverages our shared and extensible core services and our highly scalable multi-tenant cloud infrastructure.

Our Platform Our cloud platform consists of a suite of IT security, compliance, web application security, asset management and cloud security solutions, which we refer to as the Qualys Cloud Apps, that leverage our shared and extensible core services and our highly scalable multi-tenant cloud infrastructure.

During 2022, our workforce gradually transitioned into a hybrid work schedule, which resulted in a significant portion of our workforce working either in-person on a part-time basis, or remotely on a permanent basis. Our top priority remains providing support for our employees, partners, and customers.

During 2022, our workforce gradually transitioned into a hybrid work schedule, which resulted in a significant portion of our workforce working either in-person on a part-time basis, or remotely on a permanent basis. During 2023, we continued to offer this hybrid work schedule to our workforce. Our top priority remains providing support for our employees, partners, and customers.

Qualys fills the gaps by bringing a new multi-vector approach and the unifying power of its highly scalable Cloud Platform to EDR, providing vital context and comprehensive visibility to the entire attack chain, from prevention to detection to response.

Our highly scalable platform fills the gaps by bringing a new multi-vector approach and the unifying power to EDR, providing vital context and comprehensive visibility to the entire attack chain, from prevention to detection to response.

Additionally, copies of materials filed by us with the SEC may be accessed at the SEC's website, www.sec.gov . 16 Table of Contents

Additionally, copies of materials filed by us with the SEC may be accessed at the SEC's website, www.sec.gov .

Free Services We also offer organizations of all sizes free security and compliance services based on the Qualys Cloud Platform: • Qualys Global AssetView app automatically creates a continuous, real-time inventory of known and unknown assets throughout a user's global IT footprint across on-premises, endpoints, multi-cloud, mobile, containers, operational technology and IoT.

Free Services We also offer organizations of all sizes free security and compliance services based on our cloud platform: • Qualys Global AssetView app automatically creates a continuous, real-time inventory of known and unknown assets throughout a user's global IT footprint across on-premises, endpoints, cloud, containers, and mobile environments.

Our cloud solutions address the growing IT, security and compliance complexities and risks that are amplified by the dissolving boundaries between internal and external IT infrastructures and web environments, the rapid adoption of cloud computing, containers and serverless IT models, and the proliferation of geographically dispersed IT assets.

Our cloud platform addresses the growing IT, security and compliance complexities and risks that are amplified by the dissolving boundaries between IT infrastructures and web environments, the rapid adoption of cloud computing, containers and serverless IT models, and the proliferation of geographically dispersed IT assets.

As of December 31, 2022 , we have thirty issued patents, which expire from 2029 to 2040, several pending U.S. patent applications and an exclusive license to four U.S. patents.

As of December 31, 2023, we have thirty-six issued patents, which expire from 2029 to 2042, several pending U.S. patent applications and an exclusive license to four U.S. patents.

In 2022, we acquired certain intangible assets of Blue Hexagon Inc., enabling us to leverage our cloud platform with AI/machine learning to uncover behavior patterns including active vulnerability exploitation, identification of advanced network threats, and adaptive risk mitigation across all assets and applications. In 2021, we acquired certain intangible assets of Kandor Soft Labs Private Ltd.

In 2022, we acquired certain intangible assets of Blue Hexagon Inc., enabling us to leverage our cloud platform with deep learning AI and machine learning (ML) technologies to uncover behavior patterns including active vulnerability exploitation, identification of advanced network threats, and adaptive risk mitigation across all assets and applications.

As a result, we believe there is a large and growing opportunity for comprehensive cloud-based IT, security and compliance solutions delivered in a single platform. We designed our Qualys Cloud Platform to transform the way organizations secure and protect their IT infrastructures and applications.

As a result, we believe there is a large and growing opportunity for comprehensive cloud-based IT, security and compliance solutions that detect, measure, prioritize and remediate cyber risk delivered in a single platform. We designed our cloud platform to transform the way organizations secure and protect their IT infrastructures and applications.

Hillsdale Blvd., 4th Floor, Foster City, California 94404. The telephone number of our principal executive offices is (650) 801-6100, and our main corporate website is www.qualys.com .

Available Information Our principal executive offices are located at 919 E. Hillsdale Blvd., 4th Floor, Foster City, California 94404. The telephone number of our principal executive offices is (650) 801-6100, and our main corporate website is www.qualys.com .

Our integrated suite of IT, security and compliance solutions delivered on our Qualys Cloud Platform enables our customers to: 1) identify and manage their IT assets across on-premises, endpoints, cloud, containers, and mobile environments; 2) collect and analyze large amounts of IT security data; 3) discover and prioritize vulnerabilities; 4) recommend and implement remediation actions; and 5) verify the implementation of such actions.

Our integrated suite of IT, security and compliance solutions delivered on Qualys' Enterprise TruRisk Platform enables our customers to: 1) identify and manage their internal and external IT and operational technology (OT) assets across on-premises, endpoints, cloud, containers, and mobile environments; 2) collect and analyze large amounts of IT security data; 3) discover and prioritize vulnerabilities; 4) quantify cyber risk exposure; 5) recommend and implement remediation actions; and 6) verify the implementation of such actions.

As such, these partners offer our IT, security and compliance solutions in conjunction with one or more of their own products or services and act as a conduit through which we can connect with these prospective customers to offer our solutions. Our channel partners include security consulting organizations, leading cloud providers, managed service providers and resellers.

As we continue to extend our cloud platform’s functionality by further developing IT, security and compliance solutions, such as web application scanning and firewalls, we expect to face additional competition in these new markets.

As we continue to extend our cloud platform’s functionality by further developing IT, security and compliance solutions, such as Cybersecurity Asset Management and Patch Management, we expect to face additional competition in these new markets.

EDR unifies different context vectors like asset discovery, rich normalized software inventory, end-of-life visibility, vulnerabilities and exploits, misconfigurations, in-depth endpoint telemetry, and network reachability with a powerful backend to correlate it all for accurate assessment, detection and response. Certificate Assessment (CRA): CRA assesses digital certificates and Transport Layer Security (TLS) configurations.

EDR unifies different context vectors like asset discovery, rich normalized software inventory, end-of-life visibility, vulnerabilities 9 Table of Contents and exploits, misconfigurations, in-depth endpoint telemetry, and network reachability with a powerful backend to correlate it all for accurate assessment, detection and response.

It identifies unauthorized or end-of-life and end-of-service software and the absence of required security tools, and assesses the health of the attack surface. Further, CSAM enables response options with threat alerts and software removal and delivers regulatory reporting in support of FedRAMP, PCI-DSS and other mandates. CSAM includes External Attack Surface Management, which allows discovery of internet facing unknown assets.

It identifies unauthorized or end-of-life and end-of-service software and the absence of required security tools, and assesses the health of the attack surface. Further, CSAM enables response options with threat alerts and software removal and delivers regulatory reporting in support of the Federal Risk and Authorization Management Program ("FedRAMP"), PCI-DSS and other mandates.

Shared Cloud Platform Agreements Our shared cloud platform operations are provided by large third-party vendors and are located in the United States, Canada, Switzerland, the Netherlands, United Arab Emirates, Australia, United Kingdom and India. Our shared cloud platform agreements have varying terms through 2025.

Our interactive, dynamic dashboards and cloud platform allow our customers to aggregate and correlate all of their IT, security and compliance data in one place, drill down into details, and generate reports customized for different audiences. Our cloud platform’s powerful Elasticsearch clusters enable customers to instantly find detailed data on any asset.

Custom Assessment and Remediation (CAR): Custom Assessment and Remediation opens the Qualys Cloud Platform for security architects allowing the creation of custom scripts in popular scripting languages, user-defined controls and automation, all seamlessly integrated within existing programs to quickly assess, respond to and remediate threats across global hybrid environments.

Custom Assessment and Remediation (CAR): CAR enables security architects to create custom scripts in popular scripting languages, user-defined controls and automation, all seamlessly integrated within existing programs to quickly assess, respond to and remediate threats across global hybrid environments.

Qualys Core Services Our core services enable integrated workflows, management and real-time analysis and reporting across all of our IT, security and compliance solutions for our customers inside their organizations, on the perimeter, on endpoints or in the cloud. Our core services constitute dynamic and customizable dashboards and centrally managed, self-updating integrated Cloud Apps, through a natively integrated unified platform.

Qualys Core Services Our core services enable our customers to detect vulnerabilities, measure and remediate cyber risk through integrated workflows, management and real-time analysis and reporting inside their organizations, on the perimeter, on endpoints or in the cloud. Our core services constitute dynamic and customizable dashboards and centrally managed, self-updating integrated Cloud Apps, through a natively integrated unified platform.

Our customers can subscribe to one or more of our IT, security and compliance Apps based on their initial needs and expand their subscriptions over time to new areas within their organization or to additional Qualys solutions.

Our customers can subscribe to one or more of our 20+ Cloud Apps based on their initial needs and expand their subscriptions over time to new areas within their organization or to additional Qualys solutions to develop a more complete understanding of their respective environment's IT, security and compliance posture and remediate cybersecurity risk.

Our revenues increased to $489.7 million in 2022 from $411.2 million in 2021 and $363.0 million in 2020 .

Our revenues increased to $554.5 million in 2023 from $489.7 million in 2022 and $411.2 million in 2021.

Our Customers We market and sell our solutions to enterprises, government entities and small and medium-sized businesses across a broad range of industries, including education, financial services, government, healthcare, insurance, manufacturing, media, retail, technology and utilities.

We generally invoice our customers for the entire subscription amount at the start of the subscription term, and the invoiced amounts are treated as deferred revenues and are recognized ratably over the term of each subscription.

These subscriptions require customers to pay a fee in order to access each of our cloud solutions. We generally invoice our customers for the entire subscription amount at the start of the subscription term, and the invoiced amounts are treated as deferred revenues and are recognized ratably over the term of each subscription.

The key elements of our growth strategy are: • Continue to innovate and enhance our cloud platform and suite of solutions. We intend to continue to make significant investments in research and development to extend our cloud platform’s functionality by developing new security solutions and capabilities and further enhancing our existing suite of solutions.

We intend to continue to make significant investments in research and development to extend our cloud platform’s functionality by developing new security solutions and capabilities and further enhancing our existing suite of solutions. • Expand the use of our suite of solutions by our large and diverse customer base.

We sell our solutions to enterprises and government entities primarily through our field sales force and to small and medium-sized businesses through our inside sales force. We generate a significant portion of sales through our channel partners, including managed security service providers, value-added resellers and consulting firms in the United States and internationally.

Cloud Inventory is limited to three accounts per public cloud platform. • Qualys Certificate Inventory inventories and assesses all Internet-facing certificates to generate SSL/TLS configuration grades, identifies the certificate issuer and tracks certificate expirations to help stop expired and expiring certificates from interrupting critical business functions. 11 Table of Contents Our Growth Strategy We intend to strengthen our leadership position as a trusted provider of cloud-based IT, security and compliance solutions.

Upon an unknown device detection, users can install a light-weight Qualys self-updating agent (3MB) to turn the device into a managed device or launch a vulnerability scan. • Qualys Certificate Inventory inventories and assesses all Internet-facing certificates to generate SSL/TLS configuration grades, identifies the certificate issuer and tracks certificate expirations to help stop expired and expiring certificates from interrupting critical business functions. 10 Table of Contents Our Growth Strategy We intend to strengthen our leadership position as a trusted provider of cloud-based IT, security and compliance solutions.

The Qualys Cloud Platform and its Cloud Apps help organizations escape this tool-fragmentation dilemma by drastically simplifying their security stacks and regaining unimpeded visibility across their IT environment.

Qualys’ Enterprise TruRisk Platform and its Cloud Apps help organizations escape this tool-fragmentation dilemma by drastically simplifying their security stacks and regaining unimpeded visibility across their on-premises, endpoints, cloud, container, and mobile environments.

In addition, we leverage the insights drawn from our customers to further improve the functionality of our IT, security and compliance solutions.

In addition, we leverage the insights drawn from our customers to further improve the functionality of our IT, security and compliance solutions. Our mission is to ensure customer satisfaction and play a critical role in retaining and expanding our customer base.

Our cloud platform’s powerful Elasticsearch clusters enable customers to instantly find detailed data on any asset. 7 Table of Contents Our core services include: • Asset Tagging and Management. Enables customers to easily identify, categorize and manage large numbers of assets in highly dynamic IT environments and automates the process of inventory management and hierarchical organization of IT assets.

Our core services include: • Asset Tagging and Management. Enables customers to easily identify, categorize and manage large numbers of assets in highly dynamic IT and OT environments and automates the process of inventory management and hierarchical organization of all internal and external assets.

Sales and Marketing Sales We market and sell our IT, security and compliance solutions to customers directly through our sales teams as well as indirectly through our network of channel partners. 12 Table of Contents Our global sales force is organized into a field sales team, which focuses on enterprises, generally including organizations with more than 5,000 employees, and an inside sales team, which focuses on small to medium-sized businesses, which generally include organizations with less than 5,000 employees.

Our global sales force is organized into a field sales team, which focuses on enterprises, generally including organizations with more than 5,000 employees, and an inside sales team, which focuses on small to medium-sized businesses, which generally include organizations with less than 5,000 employees.

Qualys has also established strategic partnerships with leading cloud providers like Amazon Web Services, Microsoft Azure and the Google Cloud Platform. For sales involving a channel partner, the channel partner engages with the prospective customer directly and involves our sales team as needed to assist in developing and closing an order.

For sales involving a channel partner, the channel partner engages with the prospective customer directly and involves our sales team as needed to assist in developing and closing an order.

(TotalCloud), strengthening our cloud security solution by allowing customers to build user-defined workflows for custom policies and execute them on-demand for simplified security and compliance. In 2020, we acquired certain intangible assets of Spell Security Private Limited (Spell Security), expanding our endpoint behavior detection, threat hunting, malware research and multi-layered response capabilities for our EDR application.

In 2021, we acquired certain intangible assets of Kandor Soft Labs Private Ltd. (TotalCloud), strengthening our cloud security solution by allowing customers to build user-defined workflows for custom policies and execute them on-demand for simplified security and compliance.

FIM collects the critical details needed to quickly identify changes and root out activity that violates policy or is potentially malicious. FIM helps customers to comply with change control policy enforcement and change monitoring requirements. Cloud Security Qualys TotalCloud is a Cloud-Native Application Protection Platform (CNAPP), which provides an integrated suite of security capabilities designed for multi-cloud environments.

Our channel partners maintain relationships with their customers throughout the territories in which they operate and provide their customers with services and third-party solutions to help meet those customers’ evolving security and compliance requirements.

We also further assign each of our sales teams into groups that focus on adding new customers or managing relationships with existing customers. 11 Table of Contents Our channel partners maintain relationships with their customers throughout the territories in which they operate and provide their customers with services and third-party solutions to help meet those customers’ evolving security and compliance requirements.

Competition The expanding capabilities of our IT, security and compliance solutions have enabled us to address a growing array of opportunities in the cloud IT, security and compliance market. We compete with a large and broad array of established and emerging vulnerability management vendors, compliance vendors and data security vendors in a highly fragmented and competitive environment.

We compete with a large and broad array of established and emerging vulnerability management vendors, compliance vendors and data security vendors in a highly fragmented and competitive environment.

Multi-Vector Endpoint Detection and Response (EDR): Traditional endpoint detection and response solutions focus only on endpoint activity to detect attacks. As a result, they lack the full context to analyze attacks accurately. This leads to an incomplete picture and a high rate of false positives and negatives, requiring organizations to use multiple point solutions and large incident response teams.

Threat Detection and Response Multi-Vector Endpoint Detection and Response (EDR): Traditional endpoint detection and response solutions focus only on endpoint activity to detect attacks. As a result, they lack the full context to analyze attacks accurately.

File Integrity Monitoring (FIM): FIM logs and centrally tracks file change events on common enterprise operating systems in organizations of all sizes.

PC works to prioritize and track remediation and exceptions, while demonstrating a repeatable auditable process for compliance management File Integrity Monitoring (FIM): FIM logs and centrally tracks file change events on common enterprise operating systems in organizations of all sizes.

We believe that our applications are easy to use and provide our customers with a high level of control because our applications are part of one platform, share a common user interface, utilize the same scanners and agents, access the same collected data, and leverage the same user permissions.

The Cloud Apps are self-updating, centrally managed and tightly integrated, and cover a broad range of functionality in areas such as asset management, vulnerability management, risk mitigation, threat detection and response, compliance and cloud security solutions. 8 Table of Contents We believe that our applications are easy to use and provide our customers with a high level of control because our applications are part of one platform, share a common user interface, utilize the same scanners and agents, access the same collected data, and leverage the same user permissions.

Finally, VMDR quantifies risk across vulnerabilities, assets and groups of assets helping organizations proactively reduce cyber risk exposure and track cyber risk reduction over time. By delivering all this in a single app workflow, VMDR automates the entire process and significantly accelerates an organization’s ability to respond to threats, thus preventing possible exploitation.

By delivering all this in a single app workflow, VMDR automates the entire process and significantly accelerates an organization’s ability to respond to threats, thus preventing possible exploitation across on-premises, endpoints, cloud, containers, and mobile environments.

Both our field and inside sales teams are divided into three geographic regions, the Americas; Europe, Middle East and Africa; and Asia-Pacific. We also further assign each of our sales teams into groups that focus on adding new customers or managing relationships with existing customers.

Both our field and inside sales teams are divided into three geographic regions, the Americas; Europe, Middle East and Africa; and Asia-Pacific.

This new data layer allows teams to detect issues such as unauthorized software, outdated hardware or end-of-life software, which can help properly tag, support, and secure business-critical assets. 10 Table of Contents Cybersecurity Asset Management (CSAM): CSAM is an all-in-one solution that leverages the power of the Qualys Cloud Platform with its multiple native sensors and CMDB synchronization to continuously inventory known and unknown assets, discover installed applications, and overlay business and risk context to establish asset criticality.

Many of our customers use multiple Cloud Apps, some of which are noted below: Asset Management Cybersecurity Asset Management (CSAM): CSAM is an all-in-one solution that leverages the power of our cloud platform with its multiple native sensors and CMDB synchronization to continuously inventory known and unknown assets, discover installed applications, and overlay business and risk context to establish asset criticality.

Driven by our comprehensive knowledge base of known vulnerabilities, VM enables cost-effective protection against vulnerabilities without substantial resource deployment. Vulnerability Management, Detection and Response (VMDR): VMDR enables organizations to automatically discover every asset in their environment, including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets.

CSAM includes External Attack Surface Management (EASM), which allows discovery of internet facing unknown assets. Vulnerability Management Vulnerability Management, Detection and Response (VMDR): VMDR enables organizations to automatically discover every asset in their environment, including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets.

By automating requirement evaluation against multiple standards for operating systems, network devices, databases and server applications, PC enables the quick identification of security issues and works to prevent configuration drift. PC works to prioritize and track remediation and exceptions, while demonstrating a repeatable auditable process for compliance management.

PC leverages out-of-the-box library content to fast-track compliance assessments using industry-recommended best practices. PC also provides a centralized, interactive console for specifying baseline standards for different hosts. By automating requirement evaluation against multiple standards for operating systems, network devices, databases and server applications, PC enables the quick identification of security issues and works to prevent configuration drift.

This virtualized PCP allows us to extend our security and compliance solutions without the complexity and cost associated with deploying traditional enterprise software. We also offer Private Cloud Platform Appliance (PCPA), an on-premises IT, security and compliance solution packaged in a form-factor for medium-sized companies.

This virtualized PCP allows us to extend our security and compliance solutions without the complexity and cost associated with deploying traditional enterprise software.

It leverages the Cloud Platform's response capabilities - patching, fixing misconfigurations, killing processes and network connections, and quarantining hosts - to comprehensively remediate cyber security threats identified by Qualys XDR.

It leverages our cloud platform's response capabilities - patching, fixing misconfigurations, killing processes and network connections, and quarantining hosts - to comprehensively remediate cyber security threats identified by Qualys’ XDR. Compliance Policy Compliance (PC): PC performs automated security configuration assessments on IT systems throughout a network, helping to reduce risk and continuously ensure compliance with internal policies and external regulations.

As VM gained acceptance, we introduced additional solutions to help customers manage increasing IT, security and compliance requirements. Today, the suite of solutions that we offer on our cloud platform and refer to as the Qualys Cloud Apps helps our customers protect a range of assets across on-premises, endpoints, cloud, containers, and mobile environments.

Today, the suite of solutions that we offer on our cloud platform and refer to as the Qualys Cloud Apps help our customers detect, measure, prioritize and remediate cyber risk spanning a range of assets across on-premises, endpoints, cloud, containers, and mobile environments. We provide our solutions through a software-as-a-service model, primarily with renewable annual subscriptions.

Our mission is to ensure customer satisfaction and play a critical role in retaining and expanding our customer base. 13 Table of Contents Research and Development and Operations We devote significant resources to maintain, enhance and add new functionality to our Qualys Cloud Platform and the integrated suite of solutions that we offer.

Research and Development and Operations We devote significant resources to maintain, enhance and add new functionality to our cloud platform and the integrated suite of solutions that we offer. Our development organization consists of agile engineering teams with substantial security expertise in specific areas of our solutions.

As of December 31, 2022 , we had 2,143 full-time employees, including 1,062 in research and development, 376 in sales and marketing, 478 in operations and customer support, and 227 in general and administrative.

As of December 31, 2023, we had 2,188 full-time employees, including 1,016 in research and development, 438 in sales and marketing, 504 in operations and customer support, and 230 in general and administrative. As of December 31, 2023, approximately 75% of our employees were located outside of the United States, with 66% of our employees located in Pune, India.

We believe our employee relations are good, and we have not experienced any work stoppages. Diversity and Inclusion We are proud to be a leader in the promotion and practice of diversity and inclusion. In addition to having offices and employees all over the world, we take pride in our cultural diversity.

We assist employees in achieving their career goals by helping them improve their skillsets and transition to increasingly challenging roles. Diversity and Inclusion. We are proud to be a leader in the promotion and practice of diversity and inclusion. We take pride in our cultural diversity with offices and employees all over the world.

CM tracks what happens throughout public perimeters, internal networks, and cloud environments - anywhere in the world. Patch Management (PM): PM provides automated patch deployment capabilities for Windows, Linux, Mac and third party software by correlating vulnerabilities and the right set of remediation including patches and configuration fixes.

By Integrating WAS with manual testing tools and bug bounty solutions, customers can build a comprehensive web application vulnerability testing program. Risk Mitigation Patch Management (PM): PM provides automated patch deployment capabilities for Windows, Linux, Mac and third party software by correlating vulnerabilities and the right set of remediation including patches and configuration fixes.

Qualys searches the globe for top talent in an effort to recruit and hire diverse individuals with a variety of skills, experiences, and backgrounds. Our objective is to continue to improve our hiring, development, advancement, and retention of diverse talent and to foster an inclusive environment. Our board of directors and executive team are highly diverse.

Our objective is to continue to improve our hiring, development, advancement, and retention of diverse talent and to foster an inclusive environment.

In 2022 , 2021 and 2020 , 60% , 61% and 63%, respectively, of our revenues were derived from customers in the United States based on our customers' billing addresses. We sell our solutions to enterprises and government entities primarily through our field sales force and to small and medium-sized businesses through our inside sales force.

In each of 2023, 2022 and 2021, no one customer accounted for more than 10% of our revenues. In 2023, 2022 and 2021, 60%, 60% and 61%, respectively, of our revenues were derived from customers in the United States based on our customers' billing addresses.

Its seamless integration with the Qualys Web Application Firewall (WAF) enables verification of attack protection, ticket creation and one click mitigation of vulnerabilities. WAS' powerful API enables integration with other systems and allows teams to detect issues within DevOps environments early in the application development process.

WAS' powerful API enables integration with other systems and allows teams to detect issues within DevOps environments early in the application development process. Bundled malware detection capability with WAS uses reputational, behavioral, antivirus, and heuristic analyses to identify and alert on malware infecting a user's websites.

We assist employees in achieving their career goals by helping them improve their skillsets and transition to other challenging roles. To support career growth inside and outside Qualys, we offer free self-paced or instructor-led certified training on core Qualys topics giving employees and non-employees an opportunity to achieve certifications. Available Information Our principal executive offices are located at 919 E.

To support career growth inside and outside Qualys, we offer free self-paced and instructor-led certified training on core Qualys topics, giving employees and non-employees an opportunity to achieve certifications and job-related courses free of charge. To allow for open dialogue between employees and managers, we conduct formal employee reviews each year.

Removed

These Cloud Apps address and include: • IT Security: Vulnerability Management (VM), Vulnerability Management, Detection and Response (VMDR), Threat Protection (TP), Continuous Monitoring (CM), Patch Management (PM), Multi-Vector Endpoint Detection and Response (EDR), Certificate Assessment (CRA), SaaS Detection and Response (SaaSDR), Secure Enterprise Mobility (SEM), Custom Assessment and Remediation (CAR), Context Extended Detection and Response (XDR), Network Detection and Response (NDR); • Compliance: Policy Compliance (PC), Security Configuration Assessment (SCA), PCI Compliance (PCI), File Integrity Monitoring (FIM), Security Assessment Questionnaire (SAQ), Out of-Band Configuration Assessment (OCA); • Web Application Security: Web Application Scanning (WAS), Web Application Firewall (WAF); • Asset Management: Global AssetView (GAV), Cybersecurity Asset Management (CSAM), Certificate Inventory (CRI); and • Cloud/Container Security: Cloud Inventory (CI), Cloud Security Assessment (CSA), Container Security (CS).

Added

As VM gained acceptance, we introduced additional solutions to help customers manage increasing IT, security and compliance requirements.

Removed

We provide our solutions through a software-as-a-service model, primarily with renewable annual subscriptions. These subscriptions require customers to pay a fee in order to access each of our cloud solutions.

… 74 more changes not shown on this page.

Item 1A. Risk Factors

Risk Factors — what could go wrong, per management

89 edited+25 added−12 removed224 unchanged

2022 filing

2023 filing

Biggest changeOur operating results have historically varied from period to period, and we expect that they will continue to do so as a result of a number of factors, many of which are outside of our control, including: • the level of demand for our solutions, from both existing and new customers; • the extent to which customers subscribe for additional solutions; • changes in customer renewals of our solutions; • timing of deals signed within the applicable fiscal period; • seasonal buying patterns of our customers; • timely invoicing or changes in billing terms of customers; • the length of our sales cycle for our products and services; • price competition; • the timing and success of new product or service introductions by us or our competitors or any other changes in the competitive landscape of our industry, including consolidation among our competitors; • the introduction or adoption of new technologies that compete with our solutions; • decisions by potential customers to purchase IT, security and compliance products or services from other vendors; • general economic conditions, both domestically and in the foreign markets in which we sell our solutions; • changes in foreign currency exchange rates; • changes in the growth rate of the IT, security and compliance market; • actual or perceived security breaches, technical difficulties or interruptions with our service; • failure of our products and services to operate as designed; • publicity regarding security breaches generally and the level of perceived threats to IT security; • the announcement or adoption of new regulations and policy mandates or changes to existing regulations and policy mandates; • the amount and timing of operating costs and capital expenditures related to the operations and expansion of our business; • pace and cost of hiring employees; • expenses associated with our existing and new products and services; • the timing of sales commissions relative to the recognition of revenues; • insolvency or credit difficulties confronting our customers, affecting their ability to purchase or pay for our solutions; • our ability to integrate any products or services that we have acquired or may acquire in the future into our product suite or migrate existing customers of any companies that we have acquired or may acquire in the future to our products and services; • future accounting pronouncements or changes in our accounting policies; • our effective tax rate, changes in tax rules, tax effects of infrequent or unusual transactions, and tax audit settlements; • the amount and timing of income tax that we recognize resulting from stock-based compensation; • the timing of expenses related to the development or acquisition of technologies, services or businesses; and • potential goodwill and intangible asset impairment charges associated with acquired businesses.

Biggest changeOur operating results have historically varied from period to period, and we expect that they will continue to do so as a result of a number of factors, many of which are outside of our control, including: • the level of demand for our solutions, from both existing and new customers; • the extent to which customers subscribe for additional solutions; • changes in customer renewals of our solutions; • timing of deals signed within the applicable fiscal period; • seasonal buying patterns of our customers; • timely invoicing or changes in billing terms of customers; • the length of our sales cycle for our products and services; • price competition; • the timing and success of new product or service introductions by us or our competitors or any other changes in the competitive landscape of our industry, including consolidation among our competitors; • the introduction or adoption of new technologies that compete with our solutions; • decisions by potential customers to purchase IT, security and compliance products or services from other vendors; • general economic conditions, both domestically and in the foreign markets in which we sell our solutions; • changes in foreign currency exchange rates; • changes in the growth rate of the IT, security and compliance market; • actual or perceived security breaches and incidents, technical difficulties or interruptions with our service; • failure of our products and services to operate as designed; • publicity regarding security breaches and incidents generally and the level of perceived threats to IT security; • the announcement or adoption of new regulations and policy mandates or changes to existing regulations and policy mandates; • the amount and timing of operating costs and capital expenditures related to the operations and expansion of our business; • pace and cost of hiring employees; • expenses associated with our existing and new products and services; • the timing of sales commissions relative to the recognition of revenues; • insolvency or credit difficulties confronting our customers, affecting their ability to purchase or pay for our solutions; • our ability to integrate any products or services that we have acquired or may acquire in the future into our product suite or migrate existing customers of any companies that we have acquired or may acquire in the future to our products and services; • future accounting pronouncements or changes in our accounting policies; • our effective tax rate, changes in tax rules, tax effects of infrequent or unusual transactions, and tax audit settlements; • the amount and timing of income tax that we recognize resulting from stock-based compensation; • the timing of expenses related to the development or acquisition of technologies, services or businesses; and • potential goodwill and intangible asset impairment charges associated with acquired businesses. 16 Table of Contents Further, the interpretation and application of international laws and regulations in many cases is uncertain, and our legal and regulatory obligations in foreign jurisdictions are subject to frequent and unexpected changes, including the potential for various regulatory or other governmental bodies to enact new or additional laws or regulations or to issue rulings that invalidate prior laws or regulations.

The successful assertion of one or more large claims against us that exceed available insurance coverage or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material and adverse effect on our business, including our financial condition, operating results and reputation.

Our tax rate is affected by changes in the mix of earnings and losses in countries with differing statutory tax rates, certain non-deductible expenses and excess tax benefits arising from stock-based compensation, other tax benefits and credits, and the valuation of deferred tax assets and liabilities. Increases in our effective tax rate could harm our operating results.

Our tax rate is affected by changes in the mix of earnings and losses in countries with differing statutory tax rates, certain non-deductible expenses, excess tax benefits arising from stock-based compensation, other tax benefits and credits, and the valuation of deferred tax assets and liabilities. Increases in our effective tax rate could harm our operating results.

We compete with large and small public companies, such as Broadcom (Symantec Enterprise Security), CrowdStrike, Palo Alto Networks, Rapid7, Tenable Holdings, as well as privately held security providers including Axonius, Checkmarx, Flexera, Invicti, Ivanti, Tanium, HelpSystems (Tripwire), Trustwave Holdings and Veracode. We also seek to replace IT, security and compliance solutions that organizations have developed internally.

We compete with large and small public companies, such as Broadcom (Symantec Enterprise Security), CrowdStrike, Palo Alto Networks, Rapid7, Tenable Holdings, as well as privately held security providers including Axonius, Checkmarx, Flexera, Invicti, Ivanti, Tanium, HelpSystems (Tripwire), Trustwave Holdings, Veracode and Wiz. We also seek to replace IT, security and compliance solutions that organizations have developed internally.

Therefore, we are subject to risks associated with having international sales and worldwide operations, including: • foreign currency exchange fluctuations; • trade and foreign exchange restrictions; • economic or political instability in foreign markets, including as a result of increasing tensions between India and China; • greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods; • changes in regulatory requirements; • tax laws (including U.S. taxes on foreign subsidiaries); • difficulties and costs of staffing and managing foreign operations; • the uncertainty and limitation of protection for intellectual property rights in some countries; • costs of compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations; • costs of complying with U.S. laws and regulations for foreign operations, including the Foreign Corrupt Practices Act, import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell our solutions in certain foreign markets, and the risks and costs of non-compliance; • heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements; • the potential for political unrest, acts of terrorism, hostilities or war; • management communication and integration problems resulting from cultural differences and geographic dispersion; and • multiple and possibly overlapping tax structures.

Therefore, we are subject to risks associated with having international sales and worldwide operations, including: • foreign currency exchange fluctuations; • trade and foreign exchange restrictions; • economic or political instability in foreign markets, including as a result of increasing tensions between India and China; • greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods; • changes in regulatory requirements; • tax laws (including U.S. taxes on foreign subsidiaries); • difficulties and costs of staffing and managing foreign operations; • the uncertainty and limitation of protection for intellectual property rights in some countries; • costs of compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations; • costs of complying with U.S. laws and regulations for foreign operations, including the Foreign Corrupt Practices Act, import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell our solutions in certain foreign markets, and the risks and costs of non-compliance; • heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results and result in restatements of, and irregularities in, financial statements; • the potential for political unrest, acts of terrorism, hostilities or war; • management communication and integration problems resulting from cultural differences and geographic dispersion; and 23 Table of Contents • multiple and possibly overlapping tax structures.

Industry organizations like the PCI Council may significantly change their security standards with little or no notice, including changes that could make their standards more or less onerous for businesses. Governments may also adopt new laws or regulations, or make changes to existing laws or regulations, that could impact the demand for or value of our solutions.

Industry organizations like the PCI Council may significantly change their security standards with little or no notice, including changes that could make their standards more or less onerous for businesses. Governments may also adopt new laws or regulations, or make changes to existing laws or regulations, which could impact the demand for or value of our solutions.

The trading price of our common stock has been, and may continue to be, subject to significant fluctuations in response to a number of factors, most of which we cannot predict or control, including: • announcements of new solutions, services or technologies, commercial relationships, acquisitions or other events by us or our competitors; • fluctuations in stock market prices and trading volumes of securities of similar companies; • general market conditions and overall fluctuations in U.S. equity markets; • variations in our operating results, or the operating results of our competitors; • changes in our financial guidance or securities analysts’ estimates of our financial performance; • changes in accounting principles; • sales of large blocks of our common stock, including sales by our executive officers, directors and significant stockholders; • additions or departures of any of our key personnel; • announcements related to litigation; • changing legal or regulatory developments in the United States and other countries; and • discussion of us or our stock price by the financial press and in online investor communities.

The trading price of our common stock has been, and may continue to be, subject to significant fluctuations in response to a number of factors, most of which we cannot predict or control, including: • announcements of new solutions, services or technologies, commercial relationships, acquisitions or other events by us or our competitors; • fluctuations in stock market prices and trading volumes of securities of similar companies; • general market conditions and overall fluctuations in U.S. equity markets; • variations in our operating results, or the operating results of our competitors; • changes in our financial guidance or securities analysts’ estimates of our financial performance; 33 Table of Contents • changes in accounting principles; • sales of large blocks of our common stock, including sales by our executive officers, directors and significant stockholders; • additions or departures of any of our key personnel; • announcements related to litigation; • changing legal or regulatory developments in the United States and other countries; and • discussion of us or our stock price by the financial press and in online investor communities.

In addition, any such actual or perceived security breach could impair our ability to operate our business and provide solutions to our customers. If this happens, our reputation could be harmed, our revenues could decline and our business could suffer.

In addition, any such actual or perceived security breach or incident could impair our ability to operate our business and provide solutions to our customers. If this happens, our reputation could be harmed, our revenues could decline and our business could suffer.

In addition, these provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to replace members of our board of directors, which is responsible for appointing the members of our management. 34 Table of Contents General Risk Factors Disruptive technologies could gain wide adoption and supplant our cloud-based IT, security and compliance solutions, thereby weakening our sales and harming our results of operations.

In addition, these provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for stockholders to replace members of our board of directors, which is responsible for appointing the members of our management. 35 Table of Contents General Risk Factors Disruptive technologies could gain wide adoption and supplant our cloud-based IT, security and compliance solutions, thereby weakening our sales and harming our results of operations.

Our competitors may also attempt to further expand their presence in the IT, security and compliance market and compete more directly against one or more of our solutions. 22 Table of Contents We believe that the principal competitive factors affecting our markets include product functionality, breadth of offerings, flexibility of delivery models, ease of deployment and use, total cost of ownership, scalability and performance, customer support and extensibility of platform.

Our competitors may also attempt to further expand their presence in the IT, security and compliance market and compete more directly against one or more of our solutions. 20 Table of Contents We believe that the principal competitive factors affecting our markets include product functionality, breadth of offerings, flexibility of delivery models, ease of deployment and use, total cost of ownership, scalability and performance, customer support and the extensibility of our platform.

To the extent that any of the above results in delays of customer subscriptions or commercialization of our solutions, our business, financial condition and results of operations could be adversely affected. 28 Table of Contents Risks Related to Intellectual Property, Legal, Tax and Regulatory Matters Undetected software errors or flaws in our solutions could harm our reputation, decrease market acceptance of our solutions or result in liability.

To the extent that any of the above results in delays of customer subscriptions or commercialization of our solutions, our business, financial condition and results of operations could be adversely affected. 27 Table of Contents Risks Related to Intellectual Property, Legal, Tax and Regulatory Matters Undetected software errors or flaws in our solutions could harm our reputation, decrease market acceptance of our solutions or result in liability.

Additionally, although we price our products and subscriptions worldwide in U.S. Dollars, Euros, British Pounds, Canadian Dollars, Japanese Yen and Indian Rupee, currency fluctuations in certain countries and regions may negatively impact actual prices that partners and customers are willing to pay in those countries and regions, or the effective prices we realize in our reporting currency.

Additionally, although we price our products and subscriptions worldwide in U.S. Dollars, Euro, British Pounds, Canadian Dollars, Japanese Yen and Indian Rupee, currency fluctuations in certain countries and regions may negatively impact actual prices that partners and customers are willing to pay in those countries and regions, or the effective prices we realize in our reporting currency.

If we are unable to successfully manage the challenges of international operations, our business and operating results could be adversely affected. In addition, as of December 31, 2022, approximately 75% of our employees were located outside of the United States, with 66% of our employees located in Pune, India.

If we are unable to successfully manage the challenges of international operations, our business and operating results could be adversely affected. In addition, as of December 31, 2023, approximately 75% of our employees were located outside of the United States, with 66% of our employees located in Pune, India.

In addition, it may be suspended or terminated at any time, which may result in a decrease in the price of our common stock. Finally, our share repurchases in 2023 will be subject to a new 1% excise tax introduced in the Inflation Reduction Act.

In addition, it may be suspended or terminated at any time, which may result in a decrease in the price of our common stock. Finally, our share repurchases in 2023 were subject to a new 1% excise tax introduced in the Inflation Reduction Act.

Our IT, security and compliance solutions are delivered from 11 shared cloud platforms , and any disruption of service at these facilities would interrupt or delay our ability to deliver our solutions to our customers which could reduce our revenues and harm our operating results.

Our IT, security and compliance solutions are delivered from 14 shared cloud platforms , and any disruption of service at these facilities would interrupt or delay our ability to deliver our solutions to our customers which could reduce our revenues and harm our operating results.

While we were able to assert in our Annual Report on Form 10-K that our internal control over financial reporting was effective as of December 31, 2022, we cannot predict the outcome of our testing in future periods.

While we were able to assert in our Annual Report on Form 10-K that our internal control over financial reporting was effective as of December 31, 2023 , we cannot predict the outcome of our testing in future periods.

If we fail to anticipate market requirements or fail to develop and introduce solution enhancements or new solutions to satisfy those requirements in a timely manner, such failure could substantially decrease or delay market acceptance and sales of our present and future solutions and cause us to lose existing customers or fail to gain new customers, which would significantly harm our business, financial condition and results of operations.

If we fail to anticipate market requirements or fail to develop and introduce solution enhancements or new solutions to satisfy those requirements in a timely manner, such failure could substantially decrease or delay market acceptance and sales of our 17 Table of Contents present and future solutions and cause us to lose existing customers or fail to gain new customers, which would significantly harm our business, financial condition and results of operations.

We may be unable to scal e our infrastructure effectively or as quickly as our competitors in these markets and our revenues may not increase to offset any increased costs and operating expenses, which would cause our results to suffer. 25 Table of Contents We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.

We may be unable to scal e our infrastructure effectively or as quickly as our competitors in these markets and our revenues may not increase to offset any increased costs and operating expenses, which would cause our results to suffer. We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.

Any of our employees may terminate their employment at any time. Competition for highly skilled personnel is frequently intense, especially within our industry, and we may not be able to compete for such personnel. 26 Table of Contents We are required under accounting principles generally accepted in the United States (U.S.

Any of our employees may terminate their employment at any time. Competition for highly skilled personnel is frequently intense, especially within our industry, and we may not be able to compete for such personnel. We are required under accounting principles generally accepted in the United States (U.S.

If a large number of these shares are sold in the public market, the sales could reduce the trading price of our common stock. We cannot guarantee that our share repurchase program will be fully consummated or that it will enhance stockholder value, and any share repurchases we make could affect the price of our common stock.

If a large number of these shares are sold in the public market, the sales could reduce the trading price of our common stock. 34 Table of Contents We cannot guarantee that our share repurchase program will be fully consummated or that it will enhance stockholder value, and any share repurchases we make could affect the price of our common stock.

We base our estimates on historical experience and on various other assumptions that we believe to be reasonable under the circumstances, as provided in the section titled “Part I, Item 2 - Management’s Discussion and Analysis of Financial Condition and Results of Operations,” the results of which form the basis for making judgments about the carrying values of assets, liabilities, equity, revenues and expenses that are not readily apparent from other sources.

We base our estimates on historical experience and on various other assumptions that we believe to be reasonable under the circumstances, as provided in the section titled “Part II, Item 7 - Management’s Discussion and Analysis of Financial Condition and Results of Operations,” the results of which form the basis for making judgments about the carrying values of assets, liabilities, equity, revenues and expenses that are not readily apparent from other sources.

The loss of the services of our senior management or other key employees for any reason could significantly delay or prevent the achievement of our development and strategic objectives and harm our business, financial condition and results of operations. If we are unable to hire, retain and motivate qualified personnel, our business may suffer.

The loss of the services of our senior management or other key employees for any reason could significantly delay or prevent the achievement of our development and strategic objectives and harm our business, financial condition and results of operations. 25 Table of Contents If we are unable to hire, retain and motivate qualified personnel, our business may suffer.

Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal framework with which we or our customers must comply. These privacy, data protection and information security laws and regulations may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions.

Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal framework with which we or our customers must comply. 28 Table of Contents These privacy, data protection and information security laws and regulations may result in ever-increasing regulatory and public scrutiny and escalating levels of enforcement and sanctions.

If we fail to comply with export and import regulations, we may be fined or other penalties could be imposed, including denial of certain export privileges. If we are required to collect higher sales and use or other taxes on the solutions we sell, we may be subject to liability for past sales and our future sales may decrease.

If we fail to comply with export and import regulations, we may be fined or other penalties could be imposed, including denial of certain export privileges. 32 Table of Contents If we are required to collect higher sales and use or other taxes on the solutions we sell, we may be subject to liability for past sales and our future sales may decrease.

A breach in our data security or an attack against our service availability, or that of our third-party service providers, could impact our networks or networks secured by our solutions, creating system disruptions or slowdowns and exploiting security vulnerabilities of our solutions, and the information stored on our networks or those of our third-party service providers could be accessed, used, publicly disclosed, altered, lost, or stolen, which could subject us to liability and cause us financial harm.

A breach in or incident impacting our data security, an attack against our service availability, or any breach, incident, or attack impacting our third-party service providers, could impact our networks or networks secured by our solutions, creating system disruptions or slowdowns and exploiting security vulnerabilities of our solutions, and the information stored on our networks or those of our third-party service providers could be accessed, used, publicly disclosed, altered, lost, or stolen, which could subject us to liability and cause us financial harm.

For example, many of our customers subscribe to our IT, security and compliance solutions to help them comply with the security standards developed and maintained by the Payment Card Industry Security Standards Council, or the PCI Council, which apply to companies that store cardholder data.

For example, many of our customers subscribe to our IT, security and compliance solutions to help them comply with the security standards developed and maintained by the Payment Card Industry Security Standards Council, 21 Table of Contents or the PCI Council, which apply to companies that store cardholder data.

Any of the foregoing events could seriously harm our business, financial condition and results of operations. 31 Table of Contents Governmental export or import controls could subject us to liability if we violate them or limit our ability to compete in foreign markets.

Any of the foregoing events could seriously harm our business, financial condition and results of operations. Governmental export or import controls could subject us to liability if we violate them or limit our ability to compete in foreign markets.

In addition, we might devote substantial time and effort to a particular unsuccessful sales effort, and as a result we could lose other sales opportunities or incur expenses that are not offset by an increase in revenues, which could harm our business. 21 Table of Contents Adverse economic conditions or reduced IT spending may adversely impact our business.

In addition, we might devote substantial time and effort to a particular unsuccessful sales effort, and as a result we could lose other sales opportunities or incur expenses that are not offset by an increase in revenues, which could harm our business. Adverse economic conditions or reduced IT spending may adversely impact our business.

Our reporting currency is the U.S. dollar and we generate a majority of our revenues in U.S. dollars. However, for the year ended December 31, 2022, we incurred approximately 29% of our expenses in foreign currencies, primarily Euros, British Pounds, and Indian Rupee, principally with respect to salaries and related personnel expenses associated with our European and Indian operations.

Our reporting currency is the U.S. dollar and we generate a majority of our revenues in U.S. dollars. However, for the year ended December 31, 2023, we incurred approximately 29% of our expenses in foreign currencies, primarily Euro, British Pounds, and Indian Rupee, principally with respect to salaries and related personnel expenses associated with our European and Indian operations.

Risks Related to Our Business and Industry 17 Table of Contents Our quarterly and annual operating results may vary from period to period, which could result in our failure to meet expectations with respect to operating results and cause the trading price of our stock to decline.

Risks Related to Our Business and Industry Our quarterly and annual operating results may vary from period to period, which could result in our failure to meet expectations with respect to operating results and cause the trading price of our stock to decline.

In any of these cases, our revenues and operating results could be harmed. 23 Table of Contents If our solutions fail to detect vulnerabilities or incorrectly detect vulnerabilities, our brand and reputation could be harmed, which could have an adverse effect on our business and results of operations.

In any of these cases, our revenues and operating results could be harmed. If our solutions fail to detect vulnerabilities or incorrectly detect vulnerabilities, our brand and reputation could be harmed, which could have an adverse effect on our business and results of operations.

If an actual or perceived disruption in the availability of our solutions or the breach of our security measures or those of our service providers occurs, it could adversely affect the market perception of our solutions, result in a loss of competitive advantage, have a negative impact on our reputation, or result in the loss of customers, channel partners and sales, and it may expose us to the loss or alteration of information, litigation, regulatory actions and investigations and possible liability.

If an actual or perceived disruption in the availability of our solutions or the breach or other compromise of our security measures or those of our service providers occurs, it could adversely affect the market perception of our solutions, result in a loss of competitive advantage, have a negative impact on our reputation, or result in the loss of customers, channel partners and sales, and it may expose us to the loss, unavailability or alteration of information, claims, demands and litigation, regulatory investigations, actions and other proceedings and possible liability.

Additionally, for the year ended December 31, 2022, approximately 24% of our revenue s were generated in foreign currencies. Accordingly, changes in exchange rates may have a material adverse effect on our business, operating results and financial condition.

Additionally, for the year ended December 31, 2023, approximately 23% of our revenue s were generated in foreign currencies. Accordingly, changes in exchange rates may have a material adverse effect on our business, operating results and financial condition.

Our solutions, platforms, and system, and those of our service providers, may also suffer security incidents as a result of non-technical issues, including intentional or inadvertent acts or omissions by our employees or service providers. With the increase in personnel working remotely during the current COVID-19 pandemic, we and our service providers are at increased risk for security breaches.

Our solutions, platforms, and system, and those of our service providers, may also suffer security incidents as a result of non-technical issues, including intentional or inadvertent acts or omissions by our employees or service providers. With the increase in personnel working remotely, we and our service providers are at increased risk for security breaches and incidents.

For example, we acquired certain intellectual property of Spell Security on July 24, 2020, certain intellectual property of TotalCloud on August 19, 2021 and certain assets of Blue Hexagon on October 4, 2022. The environment for acquisitions in our industry is very competitive and acquisition candidate purchase prices may exceed what we would prefer to pay.

For example, we acquired certain intellectual property of TotalCloud on August 19, 2021 and certain assets of Blue Hexagon on October 4, 2022. The environment for acquisitions in our industry is very competitive and acquisition candidate purchase prices may exceed what we would prefer to pay.

It remains unclear how United Kingdom data protection laws or regulations will develop in the medium to longer term and how data transfers to and from the United Kingdom will be regulated. Additionally, we have joined the EU-U.S. Privacy Shield Framework and a related program, the Swiss-U.S.

It remains unclear how United Kingdom data protection laws or regulations will develop in the medium to longer term and how data transfers to and from the United Kingdom will be regulated. Additionally, we have self-certified under the EU-U.S. Data Privacy Framework and a related program, the Swiss-U.S.

Some companies, including some of our competitors, own large numbers of patents, copyrights and trademarks, which they may use to assert claims against us. Third parties may in the future assert claims of infringement, misappropriation or other violations of intellectual property rights against us.

Patent and other intellectual property disputes are common in our industry. Some companies, including some of our competitors, own large numbers of patents, copyrights and trademarks, which they may use to assert claims against us. Third parties may in the future assert claims of infringement, misappropriation or other violations of intellectual property rights against us.

In addition, continued governmental budgetary challenges in the United States and Europe, inflationary pressures and potential for a recession, and geopolitical turmoil in many parts of the world, including the ongoing military conflict between Russia and Ukraine, and other disruptions to global and regional economies and markets in many parts of the world, as well as uncertainties related to changes in public policies such as domestic and international regulations, taxes or international trade agreements, have and may continue to put pressure on global economic conditions and overall spending on IT security and may further increase inflation, both in the U.S. and globally, which could increase our operating costs in the future and reduce overall spending on IT security.

In addition, continued governmental budgetary challenges in the United States and Europe, inflationary pressures and potential for a recession, and geopolitical turmoil in many parts of the 19 Table of Contents world, including the ongoing military conflicts in parts of Eastern Europe and the Middle East, and other disruptions to global and regional economies and markets in many parts of the world, as well as uncertainties related to changes in public policies such as domestic and international regulations, taxes or international trade agreements, have and may continue to put pressure on global economic conditions and overall spending on IT security and may further increase inflation, both in the U.S. and globally, which could increase our operating costs in the future and reduce overall spending on IT security.

Accordingly, we cannot yet predict the impact of the CCPA, CRPA or other evolving privacy and data protection obligations on our business or operations, but it may require us to modify our data processing practices and policies and incur substantial costs and expenses in an effort to comply.

We cannot predict the impact of the CCPA, CPRA, or other evolving privacy and data protection obligations on our business or operations, but they may require us to modify our data processing practices and policies and incur substantial costs and expenses in an effort to comply.

As of December 31, 2022, we had approximately 37 .4 million shares of our common stock outstanding. In addition, as of December 31, 2022, there were approximately 1.8 million options and 1.1 million restricted stock units outstanding. If such options are exercised and restricted stock units are released, these additional shares will become available for sale.

As of December 31, 2023, we had approximately 36.9 million shares of our common stock outstanding. In addition, as of December 31, 2023, there were approximately 1.4 million options and 1.1 million restricted stock units outstanding. If such options are exercised and restricted stock units are released, these additional shares will become available for sale.

The timing of sales of subscriptions for our solutions can be difficult to forecast because of the length and unpredictability of our sales cycle, particularly with large transactions.

The timing of sales of subscriptions for our solutions can be difficult to forecast because of the length and unpredictability of our sales cycle, particularly with large transactions and in the current macroeconomic environment.

For th e years ended December 31, 2022, 2021 and 2020, we derived approximately 42%, 41% and 42%, respectively, o f our revenues from sales of subscriptions for our solutions through channel partners, and the percentage of revenues derived from channel partners may increase in future periods.

For the years ended December 31, 2023, 2022 and 2021 , we derived approximately 43%, 42% and 41% o f our revenues from sales of subscriptions for our solutions through channel partners, and the percentage of revenues derived from channel partners may increase in future periods.

Economic weakness, customer financial difficulties, supply chain constraints, change in interest rates, inflationary pressures and potential for a recession, and constrained spending on IT security, which factors we have experienced in 2022, have resulted and may in the future result in decreased revenue and earnings.

Economic weakness, customer financial difficulties, supply chain constraints, change in interest rates, inflationary pressures and potential for a recession, and constrained spending on IT security, as well as longer sales cycles, which factors we have experienced in 2023, have resulted and may in the future result in decreased revenue and earnings.

An actual or perceived security breach or theft of the sensitive data of one of our customers, regardless of whether the breach is attributable to the failure of our solutions, could adversely affect the market’s perception of our security solutions.

An actual or perceived security breach or incident or loss, theft, unavailability or other compromise of the sensitive data of one of our customers, regardless of whether the breach is attributable to the failure of our solutions, could adversely affect the market’s perception of our security solutions.

We also may incur significant costs and operational consequences of investigating, remediating, eliminating and putting in place additional tools and devices designed to prevent actual or perceived security incidents, as well as the costs to comply with any notification obligations resulting from any security incidents.

We also may incur significant costs and operational consequences of investigating, remediating, eliminating and putting in place additional tools and devices designed to prevent actual or perceived security incidents, as well as costs to respond to and otherwise address any breach or incident, including any to comply with any notification obligations resulting from any security incidents.

As of December 31, 2022, we had an aggregate of 2.4 million shares of our common stock reserved for future issuance under our Restated 2012 Equity Incentive Plan and 0.6 million shares reserved for future purchase under our 2021 Employee Stock Purchase Plan, which can be freely sold in the public market upon issuance.

As of December 31, 2023 , we had an aggregate of 1.8 million shares of our common stock reserved for future issuance under our Restated 2012 Equity Incentive Plan and 0.5 million shares reserved for future purchase under our 2021 Employee Stock Purchase Plan, which can be freely sold in the public market upon issuance.

If these services become unavailable due to extended outages or interruptions or because they are no longer available on commercially reasonable terms or prices, our expenses could increase, our ability to manage our finances could be interrupted and our processes for managing sales of our solutions and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and integrated, all of which could harm our business.

Our recent hires and planned hires may not become as productive as quickly as we would like, and we may be unable to hire or retain sufficient numbers of qualified individuals in the future in the competitive markets where we do business.

We plan to continue to expand our sales force and invest in our sales and marketing activities. Our recent hires and planned hires may not become as productive as quickly as we would like, and we may be unable to hire or retain sufficient numbers of qualified individuals in the future in the competitive markets where we do business.

Our business, operating results, financial condition, or prospects could be materially and adversely affected by any of these risks and uncertainties. In that case, the trading price of our common stock could decline, and you might lose all or part of your investment. In addition, the risks and uncertainties discussed below are not the only ones we face.

On each of October 30, 2018, October 30, 2019, May 7, 2020, February 10, 2021 and February 9, 2023, we announced that our board of directors had authorized an increase of $100.0 million, and on each of November 3, 2021 and May 4, 2022, we announced that our board of directors had authorized an increase of $200.0 million to the share repurchase program, resulting in an aggregate authorization of $1.0 billion to date ($900.0 million as of December 31, 2022).

Our business could be harmed if the financial condition of some of these channel partners substantially weakened and we were unable to timely secure replacement channel partners. 24 Table of Contents A significant portion of our customers, channel partners and employees are located outside of the United States, which subjects us to a number of risks associated with conducting international operations, and if we are unable to successfully manage these risks, our business and operating results could be harmed.

A significant portion of our customers, channel partners and employees are located outside of the United States, which subjects us to a number of risks associated with conducting international operations, and if we are unable to successfully manage these risks, our business and operating results could be harmed.

In this event, we could be required to seek licenses from third parties to continue offering our solutions, to make our proprietary code generally available in source code form, to re-engineer our solutions or to discontinue the sale of our solutions if re-engineering could not be accomplished on a timely basis, any of which could adversely affect our business, operating results and financial condition. 30 Table of Contents We use third-party software and data that may be difficult to replace or cause errors or failures of our solutions that could lead to lost customers or harm to our reputation and our operating results.

In this event, we could be required to seek 30 Table of Contents licenses from third parties to continue offering our solutions, to make our proprietary code generally available in source code form, to re-engineer our solutions or to discontinue the sale of our solutions if re-engineering could not be accomplished on a timely basis, any of which could adversely affect our business, operating results and financial condition.

Any failure to successfully implement our operating strategy or the occurrence of any of the events or circumstances set forth in this “Risk Factors” section in this Annual Report on Form 10-K could result in our actual operating results being different from our guidance, and the differences may be adverse and material. 33 Table of Contents Future sales of shares by existing stockholders could cause our stock price to decline.

The amount of share repurchases subject to the excise tax will be reduced by the fair market value of any shares issues during the taxable year. We do not expect this provision to have a material impact to our results of operations.

The amount of share repurchases subject to the excise tax are reduced by the fair market value of any shares issued during the taxable year. This provision does not currently, nor do we expect it to in the future, have a material impact to our results of operations.

Additionally, due to political uncertainty and military actions associated with Russia’s invasion of Ukraine, we and our service providers are vulnerable to heightened risks of cybersecurity incidents and security and privacy breaches from or affiliated with nation-state actors, including attacks that could materially disrupt our systems, operations and services.

Additionally, due to political uncertainty and military actions in parts of Eastern Europe and the Middle East, we and our service providers are vulnerable to heightened 18 Table of Contents risks of cybersecurity incidents and security and privacy breaches from or affiliated with nation-state actors, including attacks that could materially disrupt our systems, operations and services.

The facilities also could be subjec t to break-ins, sabotage, intentional acts of vandalism and other misconduct. The occurrence of a natural disaster, an act of terrorism or misconduct, a decision to close the facilities without adequate notice or other unanticipated problems could result in interruptions in our services.

The occurrence of a natural disaster, an act of terrorism or misconduct, a decision to close the facilities without adequate notice or other unanticipated problems could result in interruptions in our services.

We rely on third-party software-as-a-service vendors to operate certain critical functions of our business, including financial management and human resource management.

We rely on software-as-a-service vendors to operate certain functions of our business and any failure of such vendors to provide services to us could adversely impact our business and operations. We rely on third-party software-as-a-service vendors to operate certain critical functions of our business, including financial management and human resource management.

Our business, operating results, financial performance or prospects could also be harmed by risks and uncertainties not currently known to us or that we currently do not believe are material.

In addition, the risks and 15 Table of Contents uncertainties discussed below are not the only ones we face. Our business, operating results, financial performance or prospects could also be harmed by risks and uncertainties not currently known to us or that we currently do not believe are material.

Although we believe our tax estimates are reasonable, the final determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material adverse effect on our operating results or cash flows in the period or periods for which a determination is made. 32 Table of Contents Risks Related to Ownership of Our Common Stock Market volatility may affect our stock price and the value of an investment in our common stock and could subject us to litigation.

In addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on the NASDAQ Stock Market. 35 Table of Contents

In addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on the NASDAQ Stock Market. Item 1B. Unresolved Staff Comments None.

We have continued to grow over the last several years, with revenues increasing from $363.0 million in 2020 to $489.7 million in 2022, and headcount increasing from 1,498 employees at the beginning of 2020 to 2,143 employees as of December 31, 2022.

We have continued to grow over the last several years, with revenues increasing from $411.2 million in 2021 to $554.5 million in 2023, and headcount increasing from 1,498 employees at the beginning of 2021 to 2,188 employees as of December 31, 2023.

The privacy, data protection, and information security laws and regulations we must comply with also are subject to change. For example, the United Kingdom enacted a Data Protection Act in May 2018 that substantially implements the GDPR, but the United Kingdom's exit from the European Union, commonly referred to as “Brexit,” could lead to further legislative and regulatory changes.

The privacy, data protection, and information security laws and regulations we must comply with also are subject to change. For example, the United Kingdom has enacted a Data Protection Act, and has implemented legislation referred to as the “UK GDPR,” that substantially implement the GDPR in the United Kingdom following the United Kingdom’s exit from the European Union.

Some organizations may be reluctant to use cloud solutions because they have concerns regarding the risks associated with the reliability or security of the technology delivery model associated with these solutions.

Our success depends to a significant extent on the willingness of organizations to increase their use of cloud solutions for their IT, security and compliance. Some organizations may be reluctant to use cloud solutions because they have concerns regarding the risks associated with the reliability or security of the technology delivery model associated with these solutions.

During the year ended December 31 , 2022, w e repurchased 2.5 mil lion shares of our common stock for approximately $317.3 million. As of December 31, 2022, approximately $154.5 million remained available for share repurchases pursuant to our share repurchase program.

During the year ended December 31, 2023, w e repurchased 1.3 million shares of our common stock for approximatel y $170.8 million. As of December 31, 2023 , approximately $83.7 million remained available for share repurchases pursuant to our share repurchase program.

If we are unable to protect our intellectual property rights, we may find ourselves at a competitive disadvantage to others who need not incur the additional expense, time and effort required to create the innovative solutions that have enabled us to be successful to date. 31 Table of Contents Assertions by third parties of infringement or other violations by us of their intellectual property rights could result in significant costs and harm our business and operating results.

If we consummate a transaction, we may be unable to integrate and manage acquired products and businesses effectively or retain key personnel.

If we consummate a transaction, we may be unable to integrate and manage acquired products and businesses effectively or retain key personnel. If we are unable to effectively execute acquisitions, our business, financial condition and operating results could be adversely affected.

The regulatory framework for privacy issues worldwide is currently evolving and is likely to remain uncertain for the foreseeable future. Many federal, state and foreign government bodies and agencies have adopted or are considering adopting laws and regulations regarding the collection, use, disclosure and retention of personal information.

Many federal, state and foreign government bodies and agencies have adopted or are considering adopting laws and regulations regarding the collection, use, disclosure and retention of personal information.

Privacy Shield Framework, and adopted certain standard contractual clauses approved by the European Commission (“SCCs”) as part of our data processing agreements with regard to certain transfers of personal data from the European Economic Area (“EEA”) to the U.S. to ensure that we work with vendors that have adopted the same, where appropriate. While both the EU-U.S.

Data Privacy Framework, and have adopted certain standard contractual clauses approved by the European Commission (“SCCs”) as part of our data processing agreements with regard to certain transfers of personal data from the EEA to the U.S. Both the EU-U.S. Data Privacy Framework and SCCs have, however, been subject to legal challenge.

Any such actual or perceived security breach or disruption could also divert the efforts of our technical and management personnel.

Any such actual or perceived security breach or incident or disruption could also divert the efforts of our technical and management personnel. We and our service providers may face difficulties or delays in identifying and responding to any security breach or incident.

Privacy concerns, whether valid or not valid, may inhibit market adoption of our solutions particularly in certain industries and foreign countries. Our solutions contain third-party open source software components, and our failure to comply with the terms of the underlying open source software licenses could restrict our ability to sell our solutions.

Our solutions contain third-party open source software components, and our failure to comply with the terms of the underlying open source software licenses could restrict our ability to sell our solutions.

However, we may not be able to purchase derivative instruments that are adequate to insulate ourselves from foreign currency exchange risks. Additionally, our hedging activities may contribute to increased losses as a result of volatility in foreign currency markets.

However, we may not be able to purchase derivative instruments that are adequate to insulate ourselves from foreign currency exchange risks.

If we fail to meet or exceed expectations for our operating results for these or any other reasons, the trading price of our common stock could fall and we could face costly lawsuits, including securities class action suits. 18 Table of Contents If we do not successfully anticipate market needs and opportunities or are unable to enhance our solutions and develop new solutions that meet those needs and opportunities on a timely or cost-effective basis, we may not be able to compete effectively and our business and financial condition may be harmed.

If we do not successfully anticipate market needs and opportunities or are unable to enhance our solutions and develop new solutions that meet those needs and opportunities on a timely or cost-effective basis, we may not be able to compete effectively and our business and financial condition may be harmed.

Additionally, the data that our solutions collect to help secure and protect the IT infrastructure of our customers may include additional personal or confidential information of our customers’ employees and their customers. Personal privacy has become a significant issue in the United States and in many other countries where we offer our solutions.

Additionally, the data that our solutions collect to help secure and protect the IT infrastructure of our customers may include additional personal or confidential information of our customers’ employees and their customers, and we may collect, store and otherwise process personal or confidential information more generally in connection with our business and operations.

We license third-party software as well as security and compliance data from various third parties to deliver our solutions. In the future, this software or data may not be available to us on commercially reasonable terms, or at all.

In the future, this software or data may not be available to us on commercially reasonable terms, or at all.

If we fail to maintain an effective system of internal control over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.

Changes to existing rules or the questioning of current practices may harm our operating results or require that we make significant changes to our systems, processes and controls or the way we conduct our business. 36 Table of Contents If we fail to maintain an effective system of internal control over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.

If we spend significant resources on research and development and are unable to generate an adequate return on our investment, our business and results of operations may be materially and adversely affected. 20 Table of Contents Our platform, website and internal systems may be subject to intentional disruption or other security incidents that could result in liability and adversely impact our reputation and future sales.

We rely on third-party channel partners to generate a substantial amount of our revenues, and if we fail to expand and manage our distribution channels, our revenues could decline and our growth prospects could suffer.

Additionally, if our efforts do not result in increased revenues, our operating results could be negatively impacted due to the upfront operating expenses associated with expanding our sales force. 22 Table of Contents We rely on third-party channel partners to generate a substantial amount of our revenues, and if we fail to expand and manage our distribution channels, our revenues could decline and our growth prospects could suffer.

If the market for cloud solutions for IT, security and compliance does not evolve as we anticipate, our revenues may not grow and our operating results would be harmed. Our success depends to a significant extent on the willingness of organizations to increase their use of cloud solutions for their IT, security and compliance.

Additionally, our hedging activities may contribute to increased losses as a result of volatility in foreign currency markets. 24 Table of Contents If the market for cloud solutions for IT, security and compliance does not evolve as we anticipate, our revenues may not grow and our operating results would be harmed.

As a result, our ability to grow depends in part on customers renewing their existing subscriptions and purchasing additional subscriptions and solutions.

Our customers have no obligation to renew their subscriptions after their subscription period expires, and they may not renew their subscriptions at the same or higher levels or at all. As a result, our ability to grow depends in part on customers renewing their existing subscriptions and purchasing additional subscriptions and solutions.

… 46 more changes not shown on this page.

Item 2. Properties

Properties — owned and leased real estate

2 edited+0 added−0 removed1 unchanged

2022 filing

2023 filing

Biggest changeWe operate shared cloud platforms at third-party facilities in Santa Clara, California; Las Vegas, Nevada; Ontario, Canada; Geneva, Switzerland; Pune, India; and Amsterdam, the Netherlands.

Biggest changeWe operate shared cloud platforms at third-party facilities in United States, Canada, Switzerland, the Netherlands, United Arab Emirates, Australia, United Kingdom, Italy, the Kingdom of Saudi Arabia and India. Our shared cloud platform agreements have varying terms through 2027.

We have additional U.S. offices in North Carolina and Washington and other offices in France, Germany, Italy, Japan, the Netherlands, United Arab Emirates and United Kingdom. We believe our facilities are adequate for our current needs and for the foreseeable future.

We have an additional U.S. office in North Carolina and other offices in France, United Arab Emirates and United Kingdom. We believe our facilities are adequate for our current needs and for the foreseeable future.

Item 3. Legal Proceedings

Legal Proceedings — active lawsuits and investigations

3 edited+0 added−0 removed0 unchanged

2022 filing

2023 filing

Biggest changeFor more information, please refer to Note 9 in the accompanying notes to the consolidated financial statements, which is hereby incorporated by reference.

Biggest changeFor more information, please refer to Note 9 in the accompanying notes to the consolidated financial statements, which is hereby incorporated by reference. Item 4. Mine Safety Disclosures Not Applicable. 39 Table of Contents PART II

However, litigation is inherently unpredictable and is subject to significant uncertainties, some of which are beyond the Company's control. Should any of these estimates and assumptions change or prove to have been incorrect, the Company could incur significant charges related to legal matters which could have a material impact on its results of operations, financial position and cash flows.

However, litigation is inherently unpredictable and is subject to significant uncertainties, some of which are beyond our control. Should any of these estimates and assumptions change or prove to have been incorrect, we could incur significant charges related to legal matters which could have a material impact on its results of operations, financial position and cash flows.

Item 3. Legal Proceedings From time to time the Company may become involved in legal proceedings or be subject to claims arising in the ordinary course of our business. As of December 31, 2022, there has not been at least a reasonable possibility that the Company has incurred a material loss from any ongoing legal proceedings, individually or taken together.

Item 3. Legal Proceedings From time to time we may become involved in legal proceedings or be subject to claims arising in the ordinary course of our business. As of December 31, 2023, there has not been at least a reasonable possibility that we have incurred a material loss from any ongoing legal proceedings, individually or taken together.

Item 5. Market for Registrant's Common Equity

Market for Common Equity — stock, dividends, buybacks

6 edited+0 added−3 removed4 unchanged

2022 filing

2023 filing

Biggest changeDecember 31, 2017 December 31, 2018 December 31, 2019 December 31, 2020 December 31, 2021 December 31, 2022 Qualys, Inc. $ 100.00 $ 125.93 $ 140.47 $ 205.34 $ 231.20 $ 189.10 NASDAQ Global Select Market $ 100.00 $ 96.32 $ 130.62 $ 186.83 $ 230.03 $ 155.00 NASDAQ Computer $ 100.00 $ 96.32 $ 144.80 $ 217.17 $ 299.39 $ 192.28 S&P 500 $ 100.00 $ 95.62 $ 125.72 $ 148.85 $ 191.58 $ 156.88 The information on the above Stock Price Performance Graph shall not be deemed to be “filed” for purposes of Section 18 of the Securities Exchange Act of 1934, as amended, or otherwise subject to the liabilities of that section or Sections 11 and 12(a)(2) of the Securities Act of 1933, as amended, and shall not be incorporated by reference into any registration statement or other document filed by us with the SEC, whether made before or after the date of this Annual Report on Form 10-K, regardless of any general incorporation language in such filing, except as shall be expressly set forth by specific reference in such filing. 38 Table of Contents Purchases of Equity Securities by the Issuer and Affiliated Purchasers A summary of our repurchases of common stock during the three months ended December 31, 2022 is as follows: Period Total Number of Shares Purchased Average Price Paid per Share Total Number of Shares Purchased as Part of Publicly Announced Plan or Program (1) Approximate Dollar Value of Shares that May Yet Be Purchased under the Plan or Program October 1, 2022 - October 31, 2022 231,057 $ 136.68 231,057 $ 227,405,137 November 1, 2022 - November 30, 2022 285,100 $ 121.98 285,100 $ 192,628,215 December 1, 2022 - December 31, 2022 331,441 $ 115.09 331,441 $ 154,481,340 (2) Total 847,598 847,598 (1) On February 5, 2018, our board of directors authorized a $100.0 million share repurchase program, which was announced on February 12, 2018.

Biggest changeDecember 31, 2018 December 31, 2019 December 31, 2020 December 31, 2021 December 31, 2022 December 31, 2023 Qualys, Inc. $ 100.00 $ 111.55 $ 163.06 $ 183.60 $ 150.16 $ 262.62 NASDAQ Global Select Market $ 100.00 $ 135.60 $ 193.97 $ 238.82 $ 160.92 $ 233.41 NASDAQ Computer $ 100.00 $ 150.34 $ 225.48 $ 310.84 $ 199.64 $ 322.34 S&P 500 $ 100.00 $ 131.49 $ 155.68 $ 200.37 $ 164.08 $ 207.21 The information on the above Stock Price Performance Graph shall not be deemed to be “filed” for purposes of Section 18 of the Securities Exchange Act of 1934, as amended, or otherwise subject to the liabilities of that section or Sections 11 and 12(a)(2) of the Securities Act of 1933, as amended, and shall not be incorporated by reference into any registration statement or other document filed by us with the SEC, whether made before or after the date of this Annual Report on Form 10-K, regardless of any general incorporation language in such filing, except as shall be expressly set forth by specific reference in such filing. 41 Table of Contents Purchases of Equity Securities by the Issuer and Affiliated Purchasers A summary of our repurchases of common stock during the three months ended December 31, 2023 is as follows: Period Total Number of Shares Purchased Average Price Paid per Share Total Number of Shares Purchased as Part of Publicly Announced Plan or Program (1) Approximate Dollar Value of Shares that May Yet Be Purchased under the Plan or Program October 1, 2023 - October 31, 2023 76,000 $ 156.94 76,000 $ 94,828,514 November 1, 2023 - November 30, 2023 49,112 $ 171.10 49,112 $ 86,425,300 December 1, 2023 - December 31, 2023 14,400 $ 190.51 14,400 $ 83,681,929 (2) Total 139,512 139,512 (1) On February 12, 2018, we announced that our board of directors authorized a $100.0 million share repurchase program.

Such returns are based on historical results and are not intended to suggest future performance. COMPARISON OF CUMULATIVE TOTAL RETURN* Among Qualys, Inc., NASDAQ-Global Select Market Composite Index, and NASDAQ Computer Index and S&P 500 Index * $100 invested on December 31, 2017 in stock or index, including reinvestment of dividends. Fiscal year ending December 31.

Such returns are based on historical results and are not intended to suggest future performance. 40 Table of Contents COMPARISON OF CUMULATIVE TOTAL RETURN* Among Qualys, Inc., NASDAQ-Global Select Market Composite Index, and NASDAQ Computer Index and S&P 500 Index * $100 invested on December 31, 2018 in stock or index, including reinvestment of dividends. Fiscal year ending December 31.

On each of October 30, 2018, October 30, 2019, May 7, 2020 and February 10, 2021, we announced that our board of directors had authorized an increase of $100.0 million, and on each of November 3, 2021 and May 4, 2022, we announced that our board of directors had authorized an increase of $200.0 million to the share repurchase program, resulting in an aggregate authorization of $900.0 million as of December 31, 2022.

Item 5. Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities Market Information Our common stock is listed and traded on the Nasdaq Global Select Market under the symbol “QLYS”. Holders of Record As of February 14, 2023, there were approximately 52 holders of record of our common stock.

Item 5. Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities Market Information Our common stock is listed and traded on the NASDAQ Global Select Market under the symbol “QLYS”. Holders of Record As of February 12, 2024, there were approximately 48 holders of record of our common stock.

(4) Consists of 2,351 thousand shares reserved for issuance under our Restated 2012 Plan and 555 thousand shares reserved for issuance under our 2021 ESPP. 37 Table of Contents Stock Price Performance Graph The following graph shows a comparison from December 31, 2017 through December 31, 2022 of the cumulative total return for an investment of $100 (and the reinvestment of dividends) in our common stock, the NASDAQ Global Select Market Composite Index and the NASDAQ Computer Index and the S&P 500 Index.

Stock Price Performance Graph The following graph shows a comparison from December 31, 2018 through December 31, 2023 of the cumulative total return for an investment of $100 (and the reinvestment of dividends) in our common stock, the NASDAQ Global Select Market Composite Index and the NASDAQ Computer Index and the S&P 500 Index.

Our share repurchase program does not have an expiration date. (2) Does not reflect the $100.0 million increase to our share repurchase program announced on February 9, 2023.

Our share repurchase program does not have an expiration date. (2) Does not reflect the $200.0 million increase to our share repurchase program announced on February 7, 2024. Item 6. [RESERVED] 42 Table of Contents

Removed

Securities Authorized for Issuance under Equity Compensation Plans The following table summarizes information about our equity compensation plans as of December 31, 2022. All outstanding awards relate to our common stock.

Removed

Plan Category (a) Number of Securities to be Issued Upon Exercise of Outstanding Options, Warrants and Rights (b) Weighted-Average Exercise Price of Outstanding Options, Warrants and Rights (c) Number of Securities Remaining Available for Future Issuance Under Equity Compensation Plans (Excluding Securities Reflected in Column (a) (in thousands) (in thousands) Equity compensation plans approved by security holders (1) 2,990 (2) $ 87.59 (3) 2,906 (4) Equity compensation plans not approved by security holders — $ — — (1) Includes our Restated 2012 Equity Incentive Plan (Restated 2012 Plan) and 2021 Employee Stock Purchase Plan (2021 ESPP).

Removed

(2) Consists of 1,183 thousand restricted stock units and 1,807 thousand shares underlying stock options. (3) The weighted average exercise price is calculated based solely on outstanding stock options.

Item 7. Management's Discussion & Analysis

Management's Discussion & Analysis (MD&A) — revenue / margin commentary

40 edited+12 added−10 removed36 unchanged

2022 filing

2023 filing

Biggest changeSales and Marketing Expenses Year Ended December 31, Change 2022 2021 $ % (in thousands, except percentages) Sales and marketing $ 97,221 $ 76,487 $ 20,734 27 % Sales and marketing expenses increased by $20.7 million in 2022 compared to 2021 , due to an increase in personnel costs of $9.9 million driven by additional employees hired to support the growth of our business, an increase in trade show and other advertising related costs of $5.7 million, an increase of consulting expense of $2.3 million, an increase of travel and entertainment expense of $1.8 million associated with the easing of COVID-19 related travel restrictions and an increase in software license cost of $1.0 million. 44 Table of Contents General and Administrative Expenses Year Ended December 31, Change 2022 2021 $ % (in thousands, except percentages) General and administrative $ 57,981 $ 76,274 $ (18,293 ) (24 )% General and administrative expenses decreased by $18.3 million in 2022 compared to 2021 , due to a decrease in stock-based compensation expense of $27.3 million related to accelerated vesting of our former chief executive officer's grants upon termination due to disability in 2021, offset by an increase in personnel costs of $3.8 million driven by additional employees hired to support the growth of our business, an increase in software license cost of $1.0 million, an increase in consulting expense of $1.9 million, an increase in legal accrual of $1.5 million and an increase of travel and entertainment expense of $0.8 million associated with the easing of COVID-19 related travel restrictions.

Biggest changeGeneral and Administrative Expenses Year Ended December 31, Change 2023 2022 $ % (in thousands, except percentages) General and administrative $ 61,741 $ 57,981 $ 3,760 6 % General and administrative expenses increased by $3.8 million in 2023 compared to 2022, due to an increase in personnel costs, including stock-based compensation of $5.7 million, driven by increased headcount, annual merit increases for eligible employees and refresh grants to eligible employees and executives, and an increase in subscribed license and software cost of $0.8 million, partially offset by a decrease in professional service expense of $1.4 million, and a decrease in legal expense of $1.3 million.

In some cases, we also provide certain computer equipment used to extend our Qualys Cloud Platform into our customers' private cloud environment. Customers are required to return physical scanner appliances and computer equipment if they do not renew their subscriptions. We typically invoice our customers for the entire subscription amount at the start of the subscription term.

In some cases, we also provide certain computer equipment used to extend our cloud platform into our customers' private cloud environment. Customers are required to return physical scanner appliances and computer equipment if they do not renew their subscriptions. We typically invoice our customers for the entire subscription amount at the start of the subscription term.

Because of these limitations, Adjusted EBITDA should be considered alongside other financial performance measures, including revenues, net income, cash flows from operating activities and our financial results presented in accordance with U.S. GAAP. The following unaudited table presents the reconciliation of net income to Adjusted EBITDA for the years ended December 31, 2022 and 2021.

Overview We are a pioneer and leading provider of a cloud-based platform delivering IT, security and compliance solutions that enable organizations to identify security risks to their IT infrastructures, help protect their IT systems and applications from ever-evolving cyber-attacks and achieve compliance with internal policies and external regulations.

Overview We are a pioneer and leading provider of a cloud-based platform delivering information technology (IT), security and compliance solutions that enable organizations to identify security risks to their IT infrastructures, help protect their IT systems and applications from ever-evolving cyber-attacks and achieve compliance with internal policies and external regulations.

Other expenses include depreciation of shared cloud platform equipment, physical scanner appliances and computer hardware provided to certain customers as part of their subscriptions, expenses related to the use of third-party shared cloud platforms and cloud infrastructures, amortization of software and license fees, amortization of intangibles related to acquisitions, maintenance support, fees paid to contractors who supplement or support our operations center personnel and overhead allocations.

Other expenses include depreciation of shared cloud platform equipment, physical scanner appliances and computer hardware provided to certain customers as part of their subscriptions, expenses related to the use of shared cloud platforms, amortization of software and license fees, amortization of intangibles related to acquisitions, maintenance support, fees paid to contractors who supplement or support our operations center personnel and overhead allocations.

In 2022, 2021 and 2020, 60%, 61% and 63%, respectively, of our revenues were derived from customers in the United States based on our customers' billing addresses. We sell our solutions to enterprises and government entities primarily through our field sales force and to small and medium-sized businesses through our inside sales force.

In 2023, 2022 and 2021, 60%, 60% and 61%, respectively, of our revenues were derived from customers in the United States based on our customers' billing addresses. We sell our solutions to enterprises and government entities primarily through our field sales force and to small and medium-sized businesses through our inside sales force.

We will continue to evaluate the nature and extent of the impact to our business, financial position, results of operations and cash flows. Key Components of Results of Operations Revenues We derive revenues from the sale of subscriptions to our IT, security and compliance solutions, which are delivered on our cloud platform.

We will continue to evaluate the nature and extent of the impact to our business, financial position, results of operations and cash flows. 43 Table of Contents Key Components of Results of Operations Revenues We derive revenues from the sale of subscriptions to our IT, security and compliance solutions, which are delivered on our cloud platform.

We also believe that Adjusted EBITDA provides an additional tool for investors to use in comparing our recurring core business operating results over multiple periods with other companies in our industry. Adjusted EBITDA should not be considered in isolation from, or as a substitute for, financial information prepared in accordance with U.S. GAAP.

We also believe that Adjusted EBITDA provides an additional tool for investors to use in comparing our recurring core business operating results over multiple periods with other companies in our industry. 48 Table of Contents Adjusted EBITDA should not be considered in isolation from, or as a substitute for, financial information prepared in accordance with U.S. GAAP.

Numerator: We measure the ARR for that same cohort of customers representing all active subscriptions as of the end of the reporting period, using the same foreign exchange rate from the prior year. Our net dollar expansion rates were 109% and 108% for the years ended December 31, 2022 and 2021, respectively.

Numerator: We measure the ARR for that same cohort of customers representing all active subscriptions as of the end of the reporting period, using the same foreign exchange rate from the prior year. Our net dollar expansion rates were 105% and 109% for the years ended December 31, 2023 and 2022, respectively.

You should carefully review and consider the information regarding our financial condition and results of operations set forth under Part I-Item 7 (Management’s Discussion and Analysis of Financial Condition and Results of Operations) in our Annual Report on Form 10-K for the fiscal year ended December 31, 2021, filed with the SEC on February 22, 2022, for an understanding of our results of operations and liquidity discussions and analysis comparing fiscal year 2021 to fiscal year 2020, which information is hereby incorporated by reference.

You should carefully review and consider the information regarding our financial condition and results of operations set forth under Part II-Item 7 (Management’s Discussion and Analysis of Financial Condition and Results of Operations) in our Annual Report on Form 10-K for the fiscal year ended December 31, 2022, filed with the SEC on February 23, 2023, for an understanding of our results of operations and liquidity discussions and analysis comparing fiscal year 2022 to fiscal year 2021, which information is hereby incorporated by reference.

Our cloud solutions address the growing security and compliance complexities and risks that are amplified by the dissolving boundaries between internal and external IT infrastructures and web environments, the rapid adoption of cloud computing, containers and serverless IT models, and the proliferation of geographically dispersed IT assets.

Our cloud platform address the growing security and compliance complexities and risks that are amplified by the dissolving boundaries between IT infrastructures and web environments, the rapid adoption of cloud computing, containers and serverless IT models, and the proliferation of geographically dispersed IT assets.

We may also seek to invest in or acquire complementary businesses or technologies. • Other non-cancelable purchase obligations related to cloud infrastructures and other service providers totaled $77.1 million, of which $25.6 million is expected to be paid with in the next 12 months.

We may also seek to invest in or acquire complementary businesses or technologies. • Other non-cancelable purchase obligations related to cloud infrastructures and other service providers totaled $70.6 million, of which $29.7 million is expected to be paid with in the next 12 months.

In addition, we also generated $21.7 million of cash from working capital change in 2022, of which $11.8 million was related to net increase in deferred revenue and accounts receivable as a result of our continued growth in billing and collection, and $9.9 million was due to lower prepaid expenses and an increase in payables and accrued liabilities in line with our business.

In addition, we also generated $21.7 million of cash from working capital change in 2022, of which $11.8 million was related to a net increase in deferred revenue and accounts receivable as a result of our continued growth in billing and the timing of collections, and $9.9 million was due to lower prepaid expenses and an increase in payables and accrued liabilities primarily due to timing of payments.

We expect to continue to make capital investments to expand and support our shared cloud platform and cloud infrastructure operations, which will increase the cost of revenues in absolute dollars. Operating Expenses Research and Development Research and development expenses consist primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and stock-based compensation, for our research and development teams.

We expect to continue to expand our shared cloud platform infrastructures and hire additional employees to support our operations, which will increase the cost of revenues in absolute dollars. Operating Expenses Research and Development Research and development expenses consist primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and stock-based compensation, for our research and development teams.

We expect to continue to use cash to repurchase shares in 2023 under our share repurchase program authorized by our board of directors on February 5, 2018. As of December 31, 2022, our board of directors had authorized an aggregate amount of $900.0 million for repurchases under our share repurchase program, of which approximately $154.5 million remained available.

Share Repurchases We expect to continue to use cash to repurchase shares in 2024 under our share repurchase program authorized by our board of directors on February 5, 2018. As of December 31, 2023, our board of directors had authorized an aggregate amount of $1.0 billion for repurchases under our share repurchase program, of which approximately $83.7 million remained available.

We expense sales commissions related to contract renewals as incurred. Our new sales personnel are typically not immediately productive, and the resulting increase in sales and marketing expenses we incur when we add new personnel may not result in increased revenues if these new sales personnel fail to become productive.

Our new sales personnel are typically not immediately productive, and the resulting increase in sales and marketing expenses we incur when we add new personnel may not result in increased revenues if these new sales personnel fail to become productive.

Our integrated suite of IT, security and compliance solutions delivered on our Qualys Cloud Platform enables our customers to identify and manage their IT assets, collect and analyze large amounts of IT security data, discover and prioritize vulnerabilities, recommend and implement remediation actions and verify the implementation of such actions.

Our integrated suite of IT, security and compliance solutions delivered on Qualys' Enterprise TruRisk Platform enables our customers to identify and manage their IT and operational technology (OT) assets, collect and analyze large amounts of IT security data, discover and prioritize vulnerabilities, quantify cyber risk exposure, recommend and implement remediation actions and verify the implementation of such actions.

Investing Activities In 2022, we generated $169.0 million of cash in marketable securities investment, used $15.4 million of cash in capital expenditures mainly related to computer equipment to support our growth and development and $8.6 million of cash to acquire certain technology assets, as compared to $4.5 million of cash used in marketable securities investment, $24.4 million of cash used in capital expenditures and $1.1 million of cash used for acquisition of technology assets in 2021.

Investing Activities In 2023, we used $64.4 million of cash for purchases of marketable securities net of sales and maturities, and used $8.8 million of cash in capital expenditures mainly related to computer equipment to support our growth and development, as compared to $169.0 million of cash generated from net sales and maturities of our marketable securities, $15.4 million of cash used in capital expenditures mainly related to computer equipment to support our growth and development and $8.6 million of cash used to acquire certain technology assets in 2022.

We had fixed operating lease payment obligations of $46.4 million as of December 31, 2022, with $14.9 million expected to be paid within the next 12 months. • Cash outflow for capital expenditures in 2023 is expected to be in a range of $18.0 million to $25.0 million.

We had fixed operating lease payment obligations of $31.1 million as of December 31, 2023, with $13.1 million expected to be paid within the next 12 months. • Cash outflow for capital expenditures in 2024 is expected to be in a range of $15.0 million to $20.0 million.

The following summary of cash flows for the periods indicated has been derived from our consolidated financial statements included elsewhere in this report: Year Ended December 31, 2022 2021 (in thousands) Cash provided by operating activities $ 198,854 $ 200,616 Cash provided by (used in) investing activities 145,068 (29,532 ) Cash used in financing activities (306,031 ) (107,888 ) Net increase (decrease) in cash, cash equivalents and restricted cash $ 37,891 $ 63,196 Operating Activities In 2022 , we generated $177.2 million of cash from our net income, as adjusted for non-cash items mainly related to stock-based compensation expense, depreciation and amortization expense and deferred taxes, as compared to $169.6 million in 2021.

The following summary of cash flows for the periods indicated have been derived from our consolidated financial statements included elsewhere in this report: Year Ended December 31, 2023 2022 (in thousands) Net cash provided by operating activities $ 244,605 $ 198,854 Net cash (used in) provided by investing activities (73,166) 145,068 Net cash used in financing activities (141,493) (306,031) Net increase in cash, cash equivalents and restricted cash $ 29,946 $ 37,891 49 Table of Contents Operating Activities In 2023, we generated $226.4 million of cash from our net income, as adjusted for non-cash items mainly related to stock-based compensation expense, depreciation and amortization expense and deferred taxes, as compared to $177.2 million in 2022.

We generate a significant portion of sales through our channel partners, including managed security service providers, value-added resellers and consulting firms in the United States and internationally. 40 Table of Contents Impacts of Current Macroeconomic Environment The uncertainty surrounding macroeconomic factors in the U.S. and globally characterized by COVID-19, the supply chain environment, inflationary pressure, rising interest rates, labor shortages, significant volatility of global markets and geopolitical conflicts have had and could in the future have a material adverse effect on our long-term business and could lead to further economic disruption and expose us to greater risk as our current and potential customers may reduce or eliminate their overall spending on IT security.

Impacts of Current Macroeconomic Environment The uncertainty surrounding macroeconomic factors in the U.S. and globally characterized by the supply chain environment, inflationary pressure, rising interest rates, financial institution failures and associated uncertainty, labor shortages, significant volatility of global markets, reduced spending and extended sales cycles, and geopolitical conflicts could have a material adverse effect on our long-term business and could lead to further economic disruption and expose us to greater risk as our current and potential customers may reduce or eliminate their overall spending on IT security.

Of the total increase of $78.6 million in revenue from 2021 to 2022, 80% was from revenues from customers existing at or prior to December 31, 2021, and the remaining 20% was from new customers added in 2022.

Of the total increase of $64.7 million in revenues, 80% was from customers existing at or prior to December 31, 2022, and the remaining 20% was from new customers added in 2023. Of the total increase of $64.7 million , 62% was from customers in the United States and the remaining 38% was from customers in foreign countries.

Earnings from our non-U.S. activities are subject to income taxes in the local countries at rates which were generally similar to the U.S. statutory tax rate. 42 Table of Contents Results of Operations The following table sets forth selected consolidated statements of operations data for each of the periods presented as a percentage of revenues: Year Ended December 31, 2022 2021 Revenues 100 % 100 % Cost of revenues 21 22 Gross profit 79 78 Operating expenses: Research and development 21 20 Sales and marketing 20 19 General and administrative 12 18 Total operating expenses 53 57 Income from operations 26 21 Total other income, net 1 — Income before income taxes 27 21 Income tax provision 5 4 Net income 22 % 17 % Comparison of Years Ended December 31, 2022 and 2021 Revenues Year Ended December 31, Change 2022 2021 $ % (in thousands, except percentages) Revenues $ 489,723 $ 411,172 $ 78,551 19 % Revenues increased by $78.6 million in 2022 compared to 2021, driven by increased demand for our subscription services by our end customers.

Results of Operations The following table sets forth selected consolidated statements of operations data for each of the periods presented as a percentage of revenues: Year Ended December 31, 2023 2022 Revenues 100 % 100 % Cost of revenues 19 21 Gross profit 81 79 Operating expenses: Research and development 20 21 Sales and marketing 20 20 General and administrative 12 11 Total operating expenses 52 52 Income from operations 29 27 Total other income, net 3 — Income before income taxes 32 27 Income tax provision 5 5 Net income 27 % 22 % 45 Table of Contents Comparison of Years Ended December 31, 2023 and 2022 Revenues Year Ended December 31, Change 2023 2022 $ % (in thousands, except percentages) Revenues $ 554,458 $ 489,723 $ 64,735 13 % Revenues increased by $64.7 million in 2023 compared to 2022, driven by increased demand for our subscription services by our end customers.

GAAP requires us to make estimates and assumptions that affect the reported amounts of assets, liabilities, revenues, expenses and related disclosures.

Critical Accounting Estimates The preparation of our consolidated financial statements in accordance with U.S. GAAP requires us to make estimates and assumptions that affect the reported amounts of assets, liabilities, revenues, expenses and related disclosures.

Financing Activities In 2022, we used $317.3 million of cash for share repurchase and $17.6 million of cash in payment of employee withholding taxes upon vesting of restricted stock units and received $24.5 million of proceeds from employee exercise of stock options, as compared to $130.0 million of cash used for share repurchase, $27.8 million of cash used in payment of employee withholding taxes upon vesting of restricted stock units and $50.0 million of cash received from employee exercise of stock options in 2021.

Financing Activities In 2023, we used $170.8 million of cash for share repurchase and $22.3 million of cash in payment of employee withholding taxes upon vesting of restricted stock units, partially offset by $45.6 million of proceeds from employee exercise of stock options and $6.1 million of proceeds from issuance of common stock through our employee stock purchase plan ("ESPP"), as compared to $317.3 million of cash used for share repurchase and $17.6 million of cash in payment of employee withholding taxes upon vesting of restricted stock units, partially offset by $24.5 million of proceeds from employee exercise of stock options and $4.4 million of proceeds from issuance of common stock through our ESPP in 2022.

Other expenses include marketing and promotional events, lead-generation marketing programs, public relations, travel, software licenses and overhead allocations. Sales commissions related to new business and upsells are capitalized as an asset. We amortize the capitalized commission cost as a selling expense on a straight-line basis over a period of five years.

Sales commissions related to new business and upsells are capitalized as an asset. We amortize the capitalized commission cost as a selling expense on a straight-line basis over a period of five years. We expense sales commissions related to contract renewals as incurred.

Year Ended December 31, 2022 2021 (in thousands) Net income $ 107,992 $ 70,960 Net income as a percentage of revenues 22 % 17 % Depreciation and amortization of property and equipment 28,936 29,236 Amortization of intangible assets 5,686 6,661 Income tax provision 25,708 18,437 Stock-based compensation 53,408 67,579 Total other income, net (3,153 ) (1,714 ) Adjusted EBITDA $ 218,577 $ 191,159 Adjusted EBITDA as a percentage of revenues 45 % 46 % 46 Table of Contents Liquidity and Capital Resources As of December 31, 2022 , our principal source of liquidity was cash, cash equivalents and marketable securities of $380.5 million, including $52.7 million of cash held outside of the United States.

Year Ended December 31, 2023 2022 (in thousands) Net income $ 151,595 $ 107,992 Net income as a percentage of revenues 27 % 22 % Depreciation and amortization of property and equipment 23,904 28,936 Amortization of intangible assets 3,087 5,686 Income tax provision 27,056 25,708 Stock-based compensation 69,079 53,408 Total other income, net (15,582) (3,153) Adjusted EBITDA $ 259,139 $ 218,577 Adjusted EBITDA as a percentage of revenues 47 % 45 % Liquidity and Capital Resources As of December 31, 2023 , our principal source of liquidity was cash, cash equivalents and marketable securities of $482.2 million, including $94.8 million of cash held outside of the United States.

Income Tax Provision We are subject to federal, state and foreign income taxes for jurisdictions in which we operate, and we use estimates in determining our income tax provision and deferred tax assets. Earnings from our non-U.S. activities are subject to income taxes in the local countries at rates which are generally similar to the U.S. statutory tax rate.

Today, the suite of solutions that we offer on our cloud platform and refer to as the Qualys Cloud Apps helps our customers protect a range of assets across on-premises, endpoints, cloud, containers, and mobile environments.

General and Administrative General and administrative expenses consist primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and stock-based compensation for our executive, finance and accounting, IT, legal and human resources teams, as well as professional services, fees, software licenses and overhead allocations.

We expect to continue to invest in additional sales personnel worldwide and also in more marketing programs to support new solutions on our platform, which will increase sales and marketing expenses in absolute dollars. 44 Table of Contents General and Administrative General and administrative expenses consist primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and stock-based compensation for our executive, finance and accounting, IT, legal and human resources teams, as well as professional services, fees, software licenses and overhead allocations.

Shares will be repurchased from time to time on the open market in accordance with Rule 10b-18 of the Exchange Act of 1934, including pursuant to a pre-set trading plan adopted in accordance with Rule 10b5-1 under the Exchange Act.

Shares will be repurchased from time to time in the open market in accordance with Rule 10b-18 of the Exchange Act of 1934, including pursuant to a pre-set trading plan adopted in accordance with Rule 10b5-1 under the Exchange Act. 50 Table of Contents On February 7, 2024, we announced that our Board of Directors authorized an additional $200.0 million under the share repurchase program, increasing the total amount of authorized repurchase to $1.2 billion.

Other Income (Expense), Net Our other income (expense), net consists primarily of interest and investment income from our short-term and long-term marketable securities and foreign exchange gains and losses, the majority of which result from fluctuations between the U.S. Dollar and the Euro, British Pound ("GBP") and Indian Rupee ("INR").

Other Income (Expense), Net Our other income (expense), net consists primarily of interest and returns from our short-term and long-term marketable securities, non-marketable securities gains and losses, and foreign exchange gains and losses.

Net cash used in financing activities are expected to be lower in 2023 due to expected lower volume of share repurchase. We believe our existing cash and cash equivalents, marketable securities and our expected cash flow generated from operations will be sufficient to fund our operations for the next twelve months and beyond.

Material Cash Requirements We believe our existing cash and cash equivalents, marketable securities and our expected cash flow generated from operations will be sufficient to fund our operations for the next twelve months and beyond. If we repatriate funds from our foreign subsidiaries, we could be subject to foreign withholding taxes.

We expect to continue to devote resources to research and development in an effort to continuously improve our existing solutions as well as develop new solutions and capabilities and expect that research and development expenses will increase in absolute dollars. 41 Table of Contents Sales and Marketing Sales and marketing expenses consist primarily of personnel expenses, comprised of salaries, benefits, sales commissions, performance-based compensation and stock-based compensation for our worldwide sales and marketing teams.

Other expenses include third-party contractor fees, software and license fees, amortization of intangibles related to acquisitions and overhead allocations. We expect to continue to devote resources to research and development in an effort to continuously improve our existing solutions as well as develop new solutions and capabilities and expect that research and development expenses will increase in absolute dollars.

In 2021, we generated $31.0 million of cash from working capital change, of which $37.4 million was related to net increase in deferred revenue and accounts receivable as a result of our continued growth in billing and collection, partially offset by higher prepaid income taxes of $6.9 million.

In addition, we also generated $18.2 million of cash from working capital change in 2023, of which $22.7 million was related to a net increase in deferred revenue and accounts receivable due to the growth in billing and the timing of collections, partially offset by a $1.1 million decrease in payables and accrued liabilities and a $3.4 million increase in prepaid expenses primarily driven by the timing of payments.

With our strong market position driving further demand for our solutions, we expect revenue growth from new and existing customers to continue. 43 Table of Contents Cost of Revenues Year Ended December 31, Change 2022 2021 $ % (in thousands, except percentages) Cost of revenues $ 102,788 $ 89,439 $ 13,349 15 % Cost of revenues increased by $13.3 million in 2022 compared to 2021, due to an increase in personnel costs of $9.5 million driven by additional employees hired to support the growth of our business, an increase in shared cloud platform and cloud costs of $2.0 million to meet growing demand and an increase in software license cost of $1.8 million.

Cost of Revenues Year Ended December 31, Change 2023 2022 $ % (in thousands, except percentages) Cost of revenues $ 107,485 $ 102,788 $ 4,697 5 % Cost of revenues increased by $4.7 million in 2023 compared to 2022, due to an increase in personnel costs, including stock-based compensation, of $5.1 million, driven by additional employees hired to support the growth of our business, an increase in shared cloud platform cost of $4.8 million, and an increase in subscribed license and software costs of $1.5 million, partially offset by a decrease in depreciation and amortization expense of $6.7 million resulting from our assets becoming fully depreciated or amortized.

Income tax provision Year Ended December 31, Change 2022 2021 $ % (in thousands, except percentages) Income tax provision $ 25,708 $ 18,437 $ 7,271 39 % Income tax provision increased by $7.3 million in 2022 compared to 2021, primarily due to an increase in pre-tax income and the effects of a tax law change related to mandatory capitalization of research and development expenses starting January 1, 2022, offset by an increase in excess tax benefits arising from stock-based compensation. 45 Table of Contents Key Operating and Non-GAAP Financial Performance Metrics In addition to measures of financial performance presented in our consolidated financial statements, we monitor the key metrics set forth below to help us evaluate growth trends, establish budgets, measure the effectiveness of our sales and marketing efforts and assess operational efficiencies.

Key Operating and Non-GAAP Financial Performance Metrics In addition to measures of financial performance presented in our consolidated financial statements, we monitor the key metrics set forth below to help us evaluate growth trends, establish budgets, measure the effectiveness of our sales and marketing efforts and assess operational efficiencies.

Research and Development Expenses Year Ended December 31, Change 2022 2021 $ % (in thousands, except percentages) Research and development $ 101,186 $ 81,289 $ 19,897 24 % Research and development expenses increased by $19.9 million in 2022 compared to 2021 , due to an increase in personnel costs of $18.3 million primarily driven by additional employees hired to support the growth of our business, an increase in software license cost of $1.0 million and an increase in travel and entertainment expense of $0.6 million due to easing of COVID-19 related travel restrictions.

Research and Development Expenses Year Ended December 31, Change 2023 2022 $ % (in thousands, except percentages) Research and development $ 110,472 $ 101,186 $ 9,286 9 % Research and development expenses increased by $9.3 million in 2023 compared to 2022, due to an increase in personnel costs, including stock-based compensation, of $11.4 million, driven by increased headcount, annual merit increases for eligible employees and refresh grants to eligible employees, partially offset by a decrease in professional service expense of $1.2 million, and a decrease in depreciation and amortization expense in property and equipment of $0.9 million. 46 Table of Contents Sales and Marketing Expenses Year Ended December 31, Change 2023 2022 $ % (in thousands, except percentages) Sales and marketing $ 111,691 $ 97,221 $ 14,470 15 % Sales and marketing expenses increased by $14.5 million in 2023 compared to 2022, due to an increase in personnel costs, including stock-based compensation, of $13.6 million, driven by increased headcount, an increase in travel and entertainment cost of $1.5 million associated with increased in-person sales meetings and marketing events, and an increase in subscribed license and software costs of $0.7 million, partially offset by a decrease in professional service expense of $1.3 million.

Removed

Added

We generate a significant portion of sales through our channel partners, including managed security service providers, leading cloud providers, value-added resellers and consulting firms in the United States and internationally.

Removed

Added

Sales and Marketing Sales and marketing expenses consist primarily of personnel expenses, comprised of salaries, benefits, sales commissions, performance-based compensation and stock-based compensation for our worldwide sales and marketing teams. Other expenses include marketing and promotional events, lead-generation marketing programs, public relations, travel, software licenses and overhead allocations.

Removed

Other expenses include third-party contractor fees, software and license fees, amortization of intangibles related to acquisitions and overhead allocations.

Added

We regularly assess the realizability of our net deferred tax assets. As of December 31, 2023, valuation allowances remain in certain jurisdictions where we believe it is necessary to see further positive evidence, such as sustained achievement of sufficient profits to meet a more likely than not stance that the valuation allowance should be reversed.

Removed

Added

If additional positive evidence becomes available in the foreseeable future, we may release all or a portion of the valuation allowance. The exact timing and amount of the valuation allowance release is subject to change based on the level of profitability achieved in future periods.

Removed

Of the total increase of $78.6 million, 51% was from customers in the United States and the remaining 49% was from customers in foreign countries. In 2022, 58% of total revenue was direct and 42% of total revenue was through partners. Of the total increase of $78.6 million, 53% was direct and the remaining 47% was from partners.

Added

Release of the valuation allowance would result in the recognition of deferred tax assets and a corresponding decrease to income tax expense in the period the release is recorded.

Removed

Total other income, net Year Ended December 31, Change 2022 2021 $ % (in thousands, except percentages) Total other income, net $ 3,153 $ 1,714 $ 1,439 84 % Total other income, net increased by $1.4 million in 2022 compared to 2021 , due to an increase in interest income of $2.9 million driven by continued interest rate increase in 2022, offset by an increase in foreign exchange loss of $1.5 million.

Added

In 2023, 57% of total revenues were direct and 43% of total revenues were through partners. Of the total increase of $64.7 million , 46% was direct and the remaining 54% was from partners. With our strong market position driving further demand for our solutions, we expect revenue growth from new and existing customers to continue.

Removed

Net cash taxes paid, excluding prepaid income taxes, during 2022 were approximately $20.0 million higher compared to 2021, primarily due to the new tax law requiring mandatory capitalization and amortization of research and development expenses effective January 1, 2022. Previously, these expenses could be deducted in the year incurred.

Added

Total other income, net Year Ended December 31, Change 2023 2022 $ % (in thousands, except percentages) Total other income, net $ 15,582 $ 3,153 $ 12,429 394 % Total other income, net increased by $12.4 million in 2023 compared to 2022, due to an increase in interest income of $11.7 million driven by an increase of market interest rates, in addition to a $1.2 million decrease in foreign currency loss, partially offset by an unrealized loss of $0.5 million on a non-marketable equity security. 47 Table of Contents Income tax provision Year Ended December 31, Change 2023 2022 $ % (in thousands, except percentages) Income tax provision $ 27,056 $ 25,708 $ 1,348 5 % On July 21, 2023, the IRS issued a rule change allowing taxpayers to temporarily apply the regulations in effect prior to 2022 related to U.S. federal foreign tax credits to foreign taxes paid or accrued in years 2022 and 2023.

Removed

The near term increase in cash tax will be offset by a decrease in cash taxes in future years when the capitalized expenses are amortized for tax purposes.

Added

Additionally, on September 8, 2023, the IRS issued interim guidance on the capitalization and amortization of research and development expenses. A cumulative tax benefit applicable to prior periods for the rule change and the guidance was recorded in 2023, which reduced the effective tax rate in 2023 compared to 2022.

Removed

We do not anticipate that we will need funds generated from foreign operations to fund our domestic operations. However, if we repatriate these funds, we could be subject to foreign withholding taxes.

Added

On December 11, 2023, the IRS extended the temporary relief for U.S. Federal foreign tax credit until further guidance, which is expected to provide similar tax benefits in future tax years.

Removed

On February 9, 2023 , we announced that its Board of Directors authorized the repurchase of an additional $100.0 million under our share repurchase program, increasing the total amount of authorized repurchase to $1.0 billion. 47 Table of Contents Critical Accounting Estimates The preparation of our consolidated financial statements in accordance with U.S.

Added

Income tax provision increased by $1.3 million in 2023 compared to 2022, primarily due to an increase in pretax income and a decrease in excess tax benefits arising from stock-based compensation compared to the same period in 2022.

Added

The increase was partially offset by higher foreign tax credits and lower net capitalization of research and development expenses for tax purposes than previously estimated, reflecting the rule change and the guidance.

Added

In 2022, we generated $177.2 million of cash from our net income, as adjusted for non-cash items mainly related to stock-based compensation expense, depreciation and amortization expense and deferred taxes, as compared to $169.6 million in 2021.

Item 7A. Quantitative and Qualitative Disclosures About Market Risk

Market Risk — interest-rate, FX, commodity exposure

7 edited+0 added−1 removed1 unchanged

2022 filing

2023 filing

Biggest changeCash and cash equivalents include cash held in banks, highly liquid money market funds and commercial paper. Marketable securities consist of fixed-income U.S. Treasury and government agency securities, commercial paper corporate bonds, asset-backed securities and foreign government securities. The primary objectives of our investment activities are the preservation of principal and support of our liquidity requirements.

Biggest changeOur exposure to market risk for changes in interest rates primarily relates to our cash and cash equivalents and marketable securities. Our cash equivalents and marketable securities are held in money market funds, fixed-income U.S. Treasury and government agency securities, commercial paper, corporate bonds and asset-backed securities.

Dollar and the Euro, GBP, INR and Canadian Dollar ("C$") , th e currencies of countries where we currently have our most significant international operations. We enter into foreign currency forward contracts to reduce our exposure to foreign currency exchange rate fluctuations related to forecasted subscription revenue, operating expenses and foreign currency denominated assets or liabilities.

Dollar and the EUR, GBP, INR and Canadian Dollar ("C$" or " CAD") , the currencies of countries where we currently have our most significant international operations. We enter into foreign currency forward contracts to reduce our exposure to foreign currency exchange rate fluctuations related to forecasted subscription revenue, operating expenses and foreign currency denominated assets or liabilities.

With our hedging strategy applied, the effect of an immediate 10% adverse change in foreign exchange rates would not be material to our financial condition, operating results or cash flows. Interest Rate Sensitivity We had $380.5 million in cash, cash equivalents and short-term and long-term marketable securities as of December 31, 2022.

With our hedging strategy applied, the effect of an immediate 10% adverse change in foreign exchange rates would not be material to our financial condition, operating results or cash flows. Interest Rate Sensitivity We had $482.2 million in cash, cash equivalents and short-term and long-term marketable securities as of December 31, 2023.

As of December 31, 2022, a hypothetical 100 basis point increase in interest rate would result in a decrease in the fair value of our marketable securities by $1.0 million. 48 Table of Contents

As of December 31, 2023, a hypothetical 100 basis point increase in interest rate would result in a decrease in the fair value of our marketable securities by $1.4 million. 52 Table of Contents

We do not invest for trading or speculative purposes. Our marketable securities are subject to market risk due to changes in interest rates, which may affect the interest income we earn and the fair market value.

The primary objectives of our investment activities are the preservation of principal and support of our liquidity requirements. We do not invest for trading or speculative purposes. Our marketable securities a re subject to market risk due to changes in interest rates, which may affect the interest income we earn and the fair market value.

Foreign Currency Risk Our results of operations and cash flows have been and will continue to be subject to fluctuations because of changes in foreign currency exchange rates, particularly changes in exchange rates between the U.S.

To reduce certain of these risks, we monitor the financial condition of our large customers and limit credit exposure by collecting subscription fees in advance. 51 Table of Contents Foreign Currency Risk Our results of operations and cash flows have been and will continue to be subject to fluctuations because of changes in foreign currency exchange rates, particularly changes in exchange rates between the U.S.

As of December 31, 2022, we had designated cash flow hedge forward contracts with notional amounts of €37.4 million, £10.4 million and Rs.3,411.0 million and non-designated forward contracts with notional amounts of €40.2 million, £16.2 million, Rs.484.0 million and C$3.8 million .

As of December 31, 2023, we had designated cash flow hedge forward contracts with notional amounts of €48.5 million , £14.6 million and Rs. 4,042.0 million and non-designated forward contracts with notional amounts of €19.2 million , £6.0 million , Rs. 440.0 million and C $1.0 million.

Removed

To reduce certain of these risks, we monitor the financial condition of our large customers and limit credit exposure by collecting subscription fees in advance.

Top changes in QUALYS, INC.'s 2023 10-K

Item 1. Business

Item 1A. Risk Factors

Item 2. Properties

Item 3. Legal Proceedings

Item 5. Market for Registrant's Common Equity

Item 7. Management's Discussion & Analysis

Item 7A. Quantitative and Qualitative Disclosures About Market Risk

Other QLYS 10-K year-over-year comparisons