Qualys, Inc. provides cloud-based IT, security and compliance solutions that enable organizations to identify security risks to their IT infrastructures, help protect their IT systems and applications from ever-evolving cyber-attacks and achieve compliance with internal policies and external regulations.
The company's integrated suite of IT, security, and compliance solutions, delivered on Qualys' Enterprise TruRisk Platform, enables its customers to identify and manage their internal and external IT and operational technology (OT) assets across on-premises, endpoints, cloud, containers, and mobile environments; collect and analyze large amounts of IT security data; discover and prioritize vulnerabilities; quantify cyber risk exposure; recommend and implement remediation actions; and verify the implementation of such actions. This helps organizations protect their systems and applications from ever-evolving cyber-attacks and helps achieve compliance with internal policies and external regulations.
The company's cloud platform addresses the growing IT, security, and compliance complexities and risks that are amplified by the dissolving boundaries between IT infrastructures and web environments, the rapid adoption of cloud computing, containers, and serverless IT models, and the proliferation of geographically dispersed IT assets. Organizations use the company's integrated suite of solutions to cost-effectively obtain a unified view of their internal and external IT and OT asset inventory, as well as security and compliance posture across globally distributed IT infrastructures, as the company's solution offers a single platform for information technology, information security, application security, endpoint, developer security, and cloud teams.
IT infrastructures are more complex and globally distributed than ever before, as organizations of all sizes increasingly rely upon a myriad of interconnected information systems and related assets, such as servers, databases, web applications, routers, switches, desktops, laptops, other physical and virtual infrastructure, and numerous external networks and cloud services. In addition, the rapidly increasing amount of data and devices in IT environments makes it more difficult to identify and remediate vulnerabilities in a timely manner.
The company designed its cloud platform to transform the way organizations secure and protect their IT infrastructures and applications. The company's cloud platform offers an integrated suite of solutions that automates the lifecycle of asset discovery and management, security and compliance assessments, and remediation for an organization’s IT infrastructure and assets, whether such infrastructure and assets reside inside the organization, on their network perimeter, on endpoints, or in the cloud. Since inception, the company's solutions have been designed to be delivered through the cloud, and to be easily and rapidly deployed on a global scale, enabling faster implementation and lower total cost of ownership than traditional on-premise enterprise software products. The company's customers, ranging from some of the largest global organizations to small businesses, are served from its globally distributed cloud platform, enabling it to rapidly deliver new solutions, enhancements, and security updates.
The company provides its solutions through a software-as-a-service model, primarily with renewable annual subscriptions. These subscriptions require customers to pay a fee in order to access each of the company's cloud solutions. The company generally invoices its customers for the entire subscription amount at the start of the subscription term, and the invoiced amounts are treated as deferred revenues and are recognized ratably over the term of each subscription. The company continues to experience revenue growth from its existing customers as they renew and purchase additional subscriptions, as well as from the addition of new customers to its cloud platform.
The company's cloud platform is used by over 10,000 customers worldwide, including a majority of the Forbes Global 100.
Platform
The company's cloud platform consists of a suite of IT security, compliance, web application security, asset management, and cloud security solutions, which it refers to as the Qualys Cloud Apps, that leverage its shared and extensible core services and its scalable multi-tenant cloud infrastructure. The company also provides open application program interfaces, or APIs, and other developer tools that allow third parties to embed its technology into their solutions and build applications on its platform.
The company's cloud platform utilizes physical and virtual sensors, and cloud agents that provide its customers with continuous visibility, enabling customers to respond to threats immediately. Customers can extend visibility to all known IT infrastructure using the company's Out-of-Band Configuration Assessment sensor for systems that are air-gapped or otherwise difficult to assess.
The company's cloud platform automatically gathers and analyzes security and compliance data in a scalable, state-of-the-art backend. The technology underlying its cloud infrastructure enables it to ingest, process, analyze, and store a high volume of sensor data coming from its agents, scanners, and passive analyzers, and correlate information at high speeds in a distributed manner for millions of devices.
The company's cloud platform is delivered to its customers via its multiple global shared cloud platforms, or via its private platform offering, Qualys Private Cloud Platform (PCP), for customers or partners that want the platform to reside within the customer's shared cloud platform. The PCP is a standalone version of its multi-layer, multi-tenant services architecture and is a fully integrated turnkey solution, making it more scalable, cost-effective, and faster to deploy within a customer's shared cloud platform.
Solutions delivered through the company's PCP are typically on the same subscription basis as solutions delivered through its shared platform. The company's PCP utilizes hardware and software owned by it and is physically located on the customer's premises. The customer is not permitted to take possession of the software or access the software code. The company also offers its PCP as a subscription-based platform service to the customer using a virtual version of its software. This virtualized PCP allows the company to extend its security and compliance solutions without the complexity and cost associated with deploying traditional enterprise software.
Qualys Core Services
The company's core services enable its customers to detect vulnerabilities and to measure and remediate cyber risk through integrated workflows, management, and real-time analysis and reporting inside their organizations, on the perimeter, on endpoints, or in the cloud.
The company's core services constitute dynamic and customizable dashboards and centrally managed, self-updating integrated Cloud Apps, through a natively integrated unified platform. The company's interactive, dynamic dashboards and cloud platform allow its customers to aggregate and correlate all of their IT, security, and compliance data in one place, drill down into details, and generate reports customized for different audiences. The cloud platform’s powerful Elasticsearch clusters enable customers to instantly find detailed data on any asset.
The company's core services include:
Asset Tagging and Management: Enables customers to easily identify, categorize, and manage large numbers of assets in highly dynamic IT and OT environments, and automates the process of inventory management and hierarchical organization of all internal and external assets. Built on top of this core service is the Qualys GAV framework, which is a global asset inventory service enabling its customers to search for information on any asset, scaling to millions of assets for customers of all sizes, helping IT and security personnel to search assets and maintain an up-to-date inventory on a continuous basis.
Reporting and Dashboards: A highly configurable reporting engine that provides customers with reports and dashboards based on their roles and access privileges.
Questionnaires and Collaboration: A configurable workflow engine that enables customers to easily build questionnaires and capture existing business processes and workflows to evaluate controls and gather evidence to validate and document compliance.
Remediation and Workflow: An integrated workflow engine that allows customers to automatically generate helpdesk tickets for remediation to manage compliance exceptions based on customer-defined policies, enabling subsequent review, commentary, tracking, and escalation. This engine automatically distributes remediation tasks to IT administrators upon scan completion, tracks remediation progress, and closes open tickets once patches or other mitigating actions are applied and remediation is verified in subsequent scans.
Big Data Correlation and Analytics Engine: Provides Elasticsearch capabilities for indexing, searching, and correlating large amounts of security and compliance data with other security incidents and third-party security intelligence data. Embedded workflows enable customers to quickly assess risk and access information for remediation, incident analysis, and forensic investigations.
Alerts and Notifications: Creates email notifications to alert customers of new vulnerabilities, malware infections, scan completion, open trouble tickets, and system updates.
Qualys Cloud Apps
Many organizations have an array of heterogeneous point tools that do not interoperate well and are difficult and costly to maintain and integrate, making it difficult for Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) to obtain a single, unified view of their organization’s security and compliance posture. Qualys’ Enterprise TruRisk Platform and its Cloud Apps help organizations escape this tool-fragmentation dilemma by drastically simplifying their security stacks and regaining unimpeded visibility across their on-premises, endpoints, cloud, container, and mobile environments.
The Cloud Apps are self-updating, centrally managed, and tightly integrated, and cover a broad range of functionality in areas, such as asset management, vulnerability and configuration management, risk remediation, threat detection and response, compliance, and cloud security solutions.
The company's customers can subscribe to one or more of its 20+ Cloud Apps based on their initial needs, and expand their subscriptions over time to new areas within their organization or to additional company solutions to develop a more complete understanding of their respective environment's IT, security, and compliance posture, and remediate cybersecurity risk.
Asset Management
Cybersecurity Asset Management (CSAM): CSAM is an all-in-one solution that leverages the power of the company's cloud platform with its multiple native sensors and CMDB synchronization to continuously inventory known and unknown assets, discover installed applications, and overlay business and risk context to establish asset criticality. It identifies unauthorized or end-of-life and end-of-service software, and the absence of required security tools, and assesses the health of the attack surface. Further, CSAM enables response options with threat alerts and software removal, and delivers regulatory reporting in support of the Federal Risk and Authorization Management Program (FedRAMP), Payment Card Industry Data Security Standard (PCI-DSS), and other mandates. CSAM includes External Attack Surface Management (EASM), which allows discovery of internet-facing unknown assets.
Vulnerability and Configuration Management
Vulnerability Management, Detection and Response (VMDR): VMDR enables organizations to automatically discover every asset in their environment, including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets. VMDR continuously assesses these assets for the latest vulnerabilities and applies the latest threat intel analysis to prioritize actively exploitable vulnerabilities. VMDR automatically detects the latest superseding patch for the vulnerable asset and easily deploys it for remediation. Finally, VMDR quantifies risk across vulnerabilities, assets, and groups of assets, helping organizations proactively reduce cyber risk exposure and track cyber risk reduction over time. By delivering all this in a single app workflow, VMDR automates the entire process and significantly accelerates an organization’s ability to respond to threats, thus preventing possible exploitation across on-premises, endpoints, cloud, containers, and mobile environments.
Web Application Scanning (WAS): WAS continuously discovers and catalogs web applications – including new and unknown ones – and detects vulnerabilities and misconfigurations in web apps and APIs. Scaling to thousands of scans, it conducts incisive, thorough, and precise testing of browser-based web apps, mobile app backends, and Internet of Things (IoT) services. WAS' powerful API enables integration with other systems and allows teams to detect issues within DevOps environments early in the application development process. Bundled malware detection capability with WAS uses reputational, behavioral, antivirus, and heuristic analyses to identify and alert on malware infecting a user's websites.
Risk Remediation
Patch Management (PM): PM provides automated patch deployment capabilities for Windows, Linux, Mac, and third-party software by correlating vulnerabilities and the right set of remediation, including patches and configuration fixes. It continuously gathers and uploads telemetry about installed software, open vulnerabilities, and missing patches to the company's cloud platform. The resulting shared visibility of assets and their posture enables IT and security teams to collaborate using common vulnerability-centric terminology, and provides a consistent data set to analyze, prioritize, deploy, and verify patches more efficiently. Patch Management is a component of the company's TruRisk Eliminate suite of remediation solutions. TruRisk Eliminate encompasses a broad range of remediation capabilities for organizations when patches are not yet available or feasible to deploy.
Custom Assessment and Remediation (CAR): CAR enables security architects to create custom scripts in popular scripting languages, user-defined controls, and automation, all seamlessly integrated within existing programs to quickly assess, respond to, and remediate threats across global hybrid environments.
Threat Detection and Response
Multi-Vector Endpoint Detection and Response (EDR): Traditional endpoint detection and response solutions focus only on endpoint activity to detect attacks. As a result, they lack the full context to analyze attacks accurately. This leads to an incomplete picture and a high rate of false positives and negatives, requiring organizations to use multiple point solutions and large incident response teams. The company's scalable platform fills the gaps by bringing a new multi-vector approach and the unifying power to EDR, providing vital context and comprehensive visibility to the entire attack chain, from prevention to detection to response. EDR unifies different context vectors, like asset discovery, rich normalized software inventory, end-of-life visibility, vulnerabilities and exploits, misconfigurations, in-depth endpoint telemetry, and network reachability with a powerful backend to correlate it all for accurate assessment, detection, and response.
Compliance
Policy Compliance (PC): PC performs automated security configuration assessments on IT systems throughout a network, helping to reduce risk and continuously ensure compliance with internal policies and external regulations. PC leverages out-of-the-box library content to fast-track compliance assessments using industry-recommended best practices. PC also provides a centralized, interactive console for specifying baseline standards for different hosts. By automating requirement evaluation against multiple standards for operating systems, network devices, databases, and server applications, PC enables the quick identification of security issues and works to prevent configuration drift. PC works to prioritize and track remediation and exceptions, while demonstrating a repeatable, auditable process for compliance management.
File Integrity Monitoring (FIM): FIM logs and centrally tracks file change events on common enterprise operating systems in organizations of all sizes. FIM provides customers with a simple way to achieve centralized cloud-based visibility of activity resulting from normal patching and administrative tasks, change control exceptions or violations, or malicious activity – then reports on that system activity as part of compliance mandates. FIM collects the critical details needed to quickly identify changes and root out activity that violates policy or is potentially malicious. FIM helps customers to comply with change control policy enforcement and change monitoring requirements.
Cloud Security
Qualys TotalCloud is a Cloud-Native Application Protection Platform (CNAPP), which provides an integrated suite of security capabilities designed for multi-cloud environments. It provides complete visibility and cyber-risk exposure assessment across cloud assets, enabling continuous discovery and monitoring of the cloud landscape to identify risks and maintain compliance. With its FlexScan technology, TotalCloud offers comprehensive assessment features that include no-touch, agentless, API, and snapshot-based scanning, along with agent and network-based scanning for thorough vulnerability detection. The TruRisk component allows for a unified risk view, correlating vulnerabilities, security controls, and compliance across resources to prioritize and reduce cyber risks effectively. For real-time defense, TotalCloud's InstaProtect continuously monitors all cloud assets to detect and protect against evolving and unknown threats. Remediation is streamlined through the company's QFlow technology, which provides no-code, drag-and-drop workflows for efficient vulnerability management. TotalCloud provides organizations with an all-encompassing solution, delivering fast, agentless, real-time security and compliance across a variety of use cases, including Cloud Workload Protection (CWP), Cloud Detection and Response (CDR), Cloud Security Posture Management (CSPM), Infrastructure as Code (IaC), SaaS Security Posture Management (SSPM), and Kubernetes and Container Security (KCS) to offer organizations a single unified solution for comprehensively securing their cloud and multi-cloud environments.
Free Services
The company also offers organizations of all sizes free security and compliance services based on its cloud platform:
The Qualys Global AssetView app automatically creates a continuous, real-time inventory of known and unknown assets throughout a user's global IT footprint across on-premises, endpoints, cloud, containers, and mobile environments. The app also automatically normalizes and categorizes assets to ensure clean, reliable, and consistent data. In-depth asset details provide fine-grained visibility on the system, services, installed software, network, and users. It also detects any device that connects to a user's networks via passive scanning technology.
The Qualys Certificate Inventory inventories and assesses all Internet-facing certificates to generate SSL/TLS configuration grades, identifies the certificate issuer, and tracks certificate expirations to help stop expired and expiring certificates from interrupting critical business functions.
Growth Strategy
The key elements of the company's growth strategy are to continue to innovate and enhance its cloud platform and suite of solutions; expand the use of its suite of solutions by its large and diverse customer base; drive new customer growth and broaden its global reach; and selectively pursue technology acquisitions to bolster its capabilities.
Customers
The company markets and sells its solutions to enterprises, government entities, and small and medium-sized businesses across a broad range of industries, including education, financial services, government, healthcare, insurance, manufacturing, media, retail, technology, and utilities. As of December 31, 2024, the company had over 10,000 customers worldwide, including a majority of the Forbes Global 100. In 2024, 58% of its revenues were derived from customers in the United States based on its customers' billing addresses. The company sells its solutions to enterprises and government entities primarily through its field sales force and to small and medium-sized businesses through its inside sales force. The company generates a significant portion of sales through its channel partners, including managed security service providers, value-added resellers, and consulting firms in the United States and internationally.
Sales and Marketing
Sales
The company markets and sells its IT, security, and compliance solutions to customers directly through its sales teams, as well as indirectly through its network of channel partners. Both its field and inside sales teams are divided into three geographic regions: the Americas; Europe, the Middle East and Africa; and Asia-Pacific. The company also further assigns each of its sales teams into groups that focus on adding new customers or managing relationships with existing customers.
The company's channel partners maintain relationships with their customers throughout the territories in which they operate, and provide their customers with services and third-party solutions to help meet those customers’ evolving security and compliance requirements. As such, these partners offer the company's IT, security, and compliance solutions in conjunction with one or more of their own products or services, and act as a conduit. The company's channel partners include security consulting organizations, cloud providers, managed service providers, and resellers.
For sales involving a channel partner, the channel partner engages with the prospective customer directly and involves the company's sales team as needed to assist in developing and closing an order. When a channel partner secures a sale, the company sells the associated subscription to the channel partner, who in turn resells the subscription to the customer, with the channel partner retaining the margin between the price they purchase from the company and the price they sell to the end user. Once the order is completed, the company provides these customers with direct access to its solutions and other associated back-office applications, enabling it to establish a direct relationship as part of ensuring customer satisfaction with its solutions. At the end of the subscription term, the channel partner engages with the customer to execute a renewal order, with the company's sales team providing assistance as required. In 2024, 46% of the company's revenues were generated by channel partners.
Marketing
The company's marketing programs include a variety of online marketing, advertising, conferences, events, public relations activities, and web-based seminar campaigns targeted at key decision makers within its prospective customers.
The company has a number of marketing initiatives to build awareness and encourage customer adoption of its solutions. The company offers free trials and services to allow prospective customers to experience the quality of its solutions, to learn in detail about the features and functionality of its cloud platform, and to quantify the potential benefits of its solutions.
Customer Support
Qualys Support delivers 24x7x365 customer technical support from global centers located in Foster City, California; Raleigh, North Carolina; and Pune, India. The company recruits senior-level technical personnel and trained subject matter experts who work closely with engineering and operations personnel to resolve issues quickly. The company also offers various training programs as part of its subscriptions to all of its customers. In addition, the company leverages the insights drawn from its customers to further improve the functionality of its IT, security, and compliance solutions.
Shared Cloud Platform Agreements
The company's shared cloud platform operations are provided by large third-party vendors and are located in the United States, Canada, Switzerland, the Netherlands, the United Arab Emirates, Australia, the United Kingdom, Italy, the Kingdom of Saudi Arabia, and India. The company's shared cloud platform agreements have varying terms through 2030.
Competition
The company competes with large and small public companies, such as CrowdStrike, Palo Alto Networks, Rapid7, and Tenable Holdings, as well as privately held security providers, including Invicti, Tanium, and Wiz.
Intellectual Property
As of December 31, 2024, the company has 42 issued patents, which expire from 2029 to 2042, several pending U.S. patent applications, and an exclusive license to four U.S. patents.
History
Qualys, Inc. was founded in 1999. The company was incorporated in the state of Delaware in 1999.