More annual reports from Qualys:
2023 ReportPeers and competitors of Qualys:
HubSpotQUALYS, INC. FORM 10-K (Annual Report) Filed 02/23/18 for the Period Ending 12/31/17 Address Telephone CIK 919 E. HILLSDALE BLVD. FOSTER CITY, CA, 94404 650-801-6100 0001107843 Symbol QLYS SIC Code Industry Sector Fiscal Year 7372 - Services-Prepackaged Software IT Services & Consulting Technology 12/31 http://www.edgar-online.com © Copyright 2018, EDGAR Online, a division of Donnelley Financial Solutions. All Rights Reserved. Distribution and use of this document restricted under EDGAR Online, a division of Donnelley Financial Solutions, Terms of Use. Table of ContentsUNITED STATESSECURITIES AND EXCHANGE COMMISSIONWashington, D.C. 20549__________________FORM 10-K__________________xAnnual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934For the Annual Period Ended December 31, 2017oroTransition Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934For the transition period from toCommission file number 001-35662__________________QUALYS, INC.(Exact name of registrant as specified in its charter)__________________Delaware 77-0534145(State or other jurisdiction of (I.R.S. Employerincorporation or organization) Identification Number)919 E. Hillsdale Boulevard, 4th Floor, Foster City, California 94404(Address of principal executive offices, including zip code)(650) 801-6100(Registrant’s telephone number, including area code)__________________Securities registered pursuant to section 12(b) of the Act:Title of each class Name of each exchange on which registeredCommon stock, $0.001 par value per share NASDAQ Stock MarketSecurities registered pursuant to section 12(g) of the Act: NoneIndicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act. Yes x No oIndicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15(d) of the Act. Yes o No xIndicate by check mark whether the Registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934 duringthe preceding 12 months (or for such shorter period that the Registrant was required to file such reports), and (2) has been subject to such filing requirementsfor the past 90 days. Yes x No oIndicate by check mark whether the registrant has submitted electronically and posted on its corporate Web site, if any, every Interactive Data File required to besubmitted and posted pursuant to Rule 405 of Regulation S-T during the preceding 12 months (or for such shorter period that the registrant was required tosubmit and post such files). Yes x No oIndicate by check mark if disclosure of delinquent filers pursuant to Item 405 of Regulation S-K(§229.405 of this chapter) is not contained herein, and will not becontained, to the best of registrant's knowledge, in definitive proxy or information statements incorporated by reference in Part III of this Form 10-K or anyamendment to this Form 10-K. oIndicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company or anemerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” “smaller reporting company” and “emerging growth company” inRule 12b-2 of the Exchange Act. (Check one):Large accelerated filerx Accelerated filero Non-accelerated filero Smaller reporting companyo (Do not check if a smallerreporting company) Emerging growth companyoIf an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new orrevised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. oIndicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act). Yes o No xAs of June 30, 2017, the aggregate market value of voting shares of common stock held by non-affiliates of the registrant was $1,293 million based on the lastreported sale price of the registrant ' s common stock on June 30, 2017. Shares of common stock held by each executive officer and director and by eachperson who owns 10% or more of the outstanding common stock have been excluded in that such persons may be deemed to be affiliates. This determinationof affiliate status is not necessarily a conclusive determination for other purposes.The number of shares of the Registrant's common stock outstanding as of January 31, 2018 was 38,628,442 shares.DOCUMENTS INCORPORATED BY REFERENCEPortions of the registrant's Proxy Statement for its 2018 Annual Meeting of Stockholders are incorporated by reference in Part III of this Annual Report on Form10-K where indicated. Such proxy statement will be filed with the Securities and Exchange Commission within 120 days of the registrant's fiscal year endedDecember 31, 2017 .Table of ContentsQualys, Inc.TABLE OF CONTENTS PagePART IItem 1.Business4Item 1A.Risk Factors15Item 1B.Unresolved Staff Comments36Item 2.Properties37Item 3.Legal Proceedings37Item 4.Mine Safety Disclosures37PART IIItem 5.Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities38Item 6.Selected Consolidated Financial Data40Item 7.Management's Discussion and Analysis of Financial Condition and Results of Operations41Item 7A.Quantitative and Qualitative Disclosures About Market Risk59Item 8.Financial Statements and Supplementary Data60Item 9.Changes in and Disagreements with Accountants on Accounting and Financial Disclosure95Item 9A.Controls and Procedures95Item 9B.Other Information96PART IIIItem 10.Directors, Executive Officers and Corporate Governance97Item 11.Executive Compensation97Item 12.Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters97Item 13.Certain Relationships and Related Transactions, and Director Independence97Item 14.Principal Accounting Fees and Services97PART IVItem 15.Exhibits and Financial Statement Schedules98Signatures992Table of ContentsPART IForward-Looking StatementsIn addition to historical information, this Annual Report on Form 10-K contains "forward-looking" statements within the meaning of the federalsecurities laws, which statements involve substantial risks and uncertainties. Forward-looking statements generally relate to future events or ourfuture financial or operating performance. In some cases, it is possible to identify forward-looking statements because they contain words such as"anticipates," "believes," "contemplates," "continue," "could," "estimates," "expects," "future," "intends," "likely," "may," "plans," "potential," "predicts,""projects," "seek," "should," "target," or "will," or the negative of these words or other similar terms or expressions that concern our expectations,strategy, plans or intentions. Forward-looking statements contained in this Annual Report on 10-K include, but are not limited to, statements about:•our financial performance, including our revenues, costs, expenditures, growth rates, operating expenses and ability to generatepositive cash flow to fund our operations and sustain profitability;•anticipated technology trends, such as the use of cloud solutions;•our ability to adapt to changing market conditions;•economic and financial conditions, including volatility in foreign exchange rates;•our ability to diversify our sources of revenues, including selling additional solutions to our existing customers and our ability to pursuenew customers;•the effects of increased competition in our market;•our ability to innovate, enhance our cloud solutions and platform and introduce new solutions;•our ability to effectively manage our growth;•our anticipated investments in sales and marketing, our infrastructure, new solutions, research and development, and acquisitions;•maintaining and expanding our relationships with channel partners;•our ability to maintain, protect and enhance our brand and intellectual property;•costs associated with defending intellectual property infringement and other claims;•our ability to attract and retain qualified employees and key personnel, including sales and marketing personnel;•our ability to successfully enter new markets and manage our international expansion;•our expectations, assumptions and conclusions related to our provision for income taxes, our deferred tax assets and our effective taxrate; and•other factors discussed in this Annual Report on Form 10-K in the sections titled "Risk Factors," "Management's Discussion andAnalysis of Financial Condition and Results of Operations" and "Business."We have based the forward-looking statements contained in this Annual Report on Form 10-K primarily on our current expectations andprojections about future events and trends that we believe may affect our business, financial condition, results of operations and prospects. Theresults, events and circumstances reflected in these forward-looking statements are subject to risks, uncertainties, assumptions, and other factorsincluding those described in Part I, Item 1A (Risk Factors) of this Annual Report. Moreover, we operate in a very competitive and rapidly changingenvironment. New risks and uncertainties emerge from time to time, and it is not possible for us to predict all risks and uncertainties that could havean impact on the forward-looking statements used herein. We cannot provide assurance that the results, events, and circumstances reflected in theforward-looking statements will be achieved or occur, and actual results, events or circumstances could differ materially from those described in theforward-looking statements.You should not rely on forward-looking statements as predictions of future events. Except as required by law, neither we nor any other personassumes responsibility for the accuracy and completeness of the forward-looking statements, and we undertake no obligation to update anyforward-looking statements to reflect events or circumstances after the date of such statements.Qualys, the Qualys logo and QualysGuard, and other trademarks and service marks of Qualys appearing in this Annual Report on Form 10-Kare the property of Qualys. This Annual Report on Form 10-K also contains trademarks and trade names of other businesses that are the property oftheir respective holders. We have omitted the ® and ™ designations, as applicable, for the trademarks used in this Annual Report on Form 10-K.3Table of ContentsItem 1.BusinessOverviewWe are a pioneer and leading provider of a cloud-based platform delivering security and compliance solutions that enable organizations toidentify security risks to their information technology (IT) infrastructures, help protect their IT systems and applications from ever-evolving cyber-attacks and achieve compliance with internal policies and external regulations. Our cloud solutions address the growing security and compliancecomplexities and risks that are amplified by the dissolving boundaries between internal and external IT infrastructures and web environments, therapid adoption of cloud computing and the proliferation of geographically dispersed IT assets. Our integrated suite of security and compliancesolutions delivered on our Qualys cloud platform enables our customers to identify their IT assets, collect and analyze large amounts of IT securitydata, discover and prioritize vulnerabilities, recommend remediation actions and verify the implementation of such actions. Organizations use ourintegrated suite of solutions delivered on our Qualys cloud platform to cost-effectively obtain a unified view of their security and compliance postureacross globally-distributed IT infrastructures as our solution offers a single platform for information security, application security, endpoint, developersecurity and cloud teams.IT infrastructures are more complex and globally-distributed today than ever before, as organizations of all sizes increasingly rely upon amyriad of interconnected information systems and related IT assets, such as servers, databases, web applications, routers, switches, desktops,laptops, other physical and virtual infrastructure, and numerous external networks and cloud services. In this environment, new and evolving digitaltechnologies intended to improve organizations’ operations can also increase vulnerability to cyber-attacks, which can expose sensitive data,damage IT and physical infrastructures, and result in serious financial or reputational consequences. In addition, the rapidly increasing amount ofdata and devices in IT environments makes it more difficult to identify and remediate vulnerabilities in a timely manner. The predominant approachto IT security has been to implement multiple disparate security products that can be costly and difficult to deploy, integrate and manage and maynot adequately protect organizations. As a result, we believe there is a large and growing opportunity for comprehensive cloud-based security andcompliance solutions delivered in a single platform.We designed our Qualys cloud platform to transform the way organizations secure and protect their IT infrastructures and applications. Ourcloud platform offers an integrated suite of solutions that automates the lifecycle of asset discovery, security assessments, and compliancemanagement for an organization’s IT infrastructure and assets, whether such infrastructure and assets reside inside the organization, on theirnetwork perimeter, on endpoints or in the cloud. Since inception, our solutions have been designed to be delivered through the cloud and to beeasily and rapidly deployed on a global scale, enabling faster implementation and lower total cost of ownership than traditional on-premisesenterprise software products. Our customers, ranging from some of the largest global organizations to small businesses, are served from ourglobally-distributed cloud platform, enabling us to rapidly deliver new solutions, enhancements and security updates.We believe that our cloud platform provides our customers with unique advantages, including:•No hardware to buy or manage. There is no infrastructure or software to buy and maintain thus reducing our customers’ operatingcosts; all services are accessible in the cloud via web interface. Qualys operates and maintains the platform.•Real-time visibility in one place, anytime and anywhere . Our customers can conveniently see their security and compliance postureacross their global IT asset inventory in one browser window, without plugins or a virtual private network (VPN), whenever andwherever Internet access is available.•Easy global scanning. Our customers can easily perform scans on geographically distributed and segmented networks at theperimeter, behind the firewall, on dynamic cloud environments and on endpoints.•Seamless scaling. Our cloud platform is a scalable, comprehensive, and end-to-end solution for the IT security needs of ourcustomers. Our customers can seamlessly add new coverage, users and services after they have deployed our platform.4Table of Contents•Up to date resources . Qualys has one of the largest knowledge bases of vulnerability signatures in the industry. All security updatesare made in real-time.•Data stored securely . Data is securely stored and processed in a multi-tiered architecture of load-balanced servers. Our encrypteddatabases are physically and logically secured.We were founded and incorporated in December 1999 with a vision of transforming the way organizations secure and protect their ITinfrastructure and applications and initially launched our first cloud solution, Vulnerability Management (VM), in 2000. As VM gained acceptance, weintroduced new solutions to help customers manage increasing IT security and compliance requirements. Today, the suite of solutions offered onour cloud platform, which we refer to as the Qualys Cloud Apps, includes: Asset Inventory (AI), CMDB Sync (SYN), VM, Continuous Monitoring(CM), Cloud Agent Platform (CAP), Threat Protection (TP), Security Configuration Assessment (SCA), Indication of Compromise (IOC), PolicyCompliance (PC), PCI Compliance (PCI), Security Assessment Questionnaire (SAQ), File Integrity Monitoring (FIM), Web Application Scanning(WAS) and Web Application Firewall (WAF).We provide our solutions through a software-as-a-service model, primarily with renewable annual subscriptions. These subscriptions requirecustomers to pay a fee in order to access our cloud solutions. We invoice our customers for the entire subscription amount at the start of thesubscription term, and the invoiced amounts are treated as deferred revenues and are recognized ratably over the term of each subscription. Wecontinue to experience significant revenue growth from existing customers as they renew and purchase additional subscriptions.O ur Qualys cloud platform is currently used by over 10,300 customers in more than 130 countries, including a majority of each of the ForbesGlobal 100 and Fortune 100. Our revenues increased from $164.3 million in 2015 to $197.9 million in 2016 , and reached $230.8 million in 2017 .Our VM solutions (including VM, AI, SYN, CM, TP, Cloud Agent for VM, allocated scanner revenue and Qualys Private Cloud Platform) haveprovided a substantial majority of our revenues to date, representing 75% , 76% and 77% of total revenues in 2017, 2016 and 2015 , respectively.We generated net income of $40.4 million in 2017, $19.2 million in 2016 and $15.9 million in 2015. Total assets as of December 31, 2017 and 2016were $537.5 million and $407.0 million, respectively. Our PlatformOur cloud platform consists of a suite of asset management, IT security, compliance monitoring, and web application security solutions, whichwe refer to as the Qualys Cloud Apps, that leverages our shared and extensible core services and our highly scalable multi-tenant cloudinfrastructure. We also provide open application program interfaces, or APIs, and other developer tools that allow third parties to embed ourtechnology into their solutions and build applications on our cloud platform.Our cloud platform utilizes sensors, including physical, virtual and cloud scanners, and cloud agents that provide our customers with continuousvisibility enabling customers to respond to threats immediately. It automatically gathers and analyzes security and compliance data in a scalable,state-of-the-art backend. The technology underlying our cloud infrastructure enables us to ingest, process, analyze and store a high volume ofsensor data coming from our agents, scanners and passive analyzers, and correlate information at very high speeds in a distributed manner formillions of devices.5Table of Contents6Table of ContentsOur cloud platform is delivered to our customers via our shared platform offering from our global data centers, or via our private platformoffering Qualys Private Cloud Platform (PCP) for customers or partners that want the platform to reside within the customer's data center. The PCPis a standalone version of our multi-layer, multi-tenant services architecture and is a fully integrated turnkey solution, making it more scalable, costeffective and faster to deploy within a customer's data center. Solutions delivered through our PCP are typically on the same subscription basis assolutions delivered through our shared platform. Our PCP utilizes hardware and software owned by us and physically located on the customer'spremises. The customer is not permitted to take possession of the software or access the software code. Our PCP provides our subscription-basedplatform services to the customer using a virtual version of our software. This virtualized PCP allows us to extend our security and compliancesolutions without the complexity and cost associated with deploying traditional enterprise software. Additionally, in 2016, we introduced the PrivateCloud Platform Appliance (PCPA), an on-premises security and compliance solution packaged in a form-factor for medium-sized companies.Qualys Core ServicesOur core services enable integrated workflows, management and real-time analysis and reporting across all of our IT security and compliancesolutions for our customers inside their organizations, on the perimeter, on endpoints or in the cloud.Our core services constitute dynamic and customizable dashboards and centrally managed, self-updating integrated Cloud Apps, through whatwe call a “single-pane-of-glass” user interface. Our interactive, dynamic dashboards and cloud platform allow our customers to aggregate andcorrelate all of their IT, security and compliance data in one place, drill down into details, and generate reports customized for different audiences.Our cloud platform’s powerful elasticsearch clusters enable customers to instantly find detailed data on any asset.Our core services include:•Asset Tagging and Management. Enables customers to easily identify, categorize and manage large numbers of assets in highly dynamicIT environments and automates the process of inventory management and hierarchical organization of IT assets. Built on top of this coreservice is the Qualys AI framework, which is a global asset inventory service enabling our customers to search for information on any ITasset, scaling to millions of assets for customers of all sizes, helping IT and security personnel to search IT assets and maintain an up-to-date inventory on a continuous basis.•Reporting and Dashboards. A highly configurable reporting engine that provides customers with reports and dashboards based on theirroles and access privileges.•Questionnaires and Collaboration. A configurable workflow engine that enables customers to easily build questionnaires and captureexisting business processes and workflows to evaluate controls and gather evidence to validate and document compliance.•Remediation and Workflow. An integrated workflow engine that allows customers to automatically generate helpdesk tickets for remediationand to manage compliance exceptions based on customer-defined policies, enabling subsequent review, commentary, tracking andescalation. This engine automatically distributes remediation tasks to IT administrators upon scan completion, tracks remediation progressand closes open tickets once patches are applied and remediation is verified in subsequent scans.•Big Data Correlation and Analytics Engine. Provides elasticsearch capabilities for indexing, searching and correlating large amounts ofsecurity and compliance data with other security incidents and third-party security intelligence data. Embedded workflows enable customersto quickly assess risk and access information for remediation, incident analysis and forensic investigations.•Alerts and Notifications. Creates email notifications to alert customers of new vulnerabilities, malware infections, scan completion, opentrouble tickets and system updates.7Table of ContentsQualys Cloud AppsMany organizations have an array of heterogeneous point tools that do not interoperate well and are difficult and costly to maintain andintegrate, making it difficult for Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) to obtain a single, unified view oftheir organization’s security and compliance posture. The Qualys cloud platform and its Cloud Apps help organizations escape this tool-fragmentation dilemma by drastically simplifying their security stacks and regaining unimpeded visibility across their IT environment.The Cloud Apps are self-updating, centrally managed and tightly integrated, and cover a broad range of functionality in areas such asvulnerability management, IT asset management, IT security, web app security and compliance monitoring.Our suite of Cloud Apps currently includes: AI, SYN, VM, CM, CAP, TP, SCA, IOC, PC, PCI, SAQ, FIM, WAS and WAF.We believe that our applications are easy to use and provide our customers with a high level of control because our applications are part of oneplatform, share a common user interface , utilize the same scanners and agents, access the same collected data, and leverage the same userpermissions .Our customers can subscribe to one or more of our security and compliance Apps based on their initial needs and expand their subscriptionsover time to new areas within their organization or to additional Qualys solutions. We offer three editions of our Qualys Cloud Apps: Enterprise forlarge enterprises, Express for medium-sized businesses, and Express Lite for small-sized businesses.Many of our customers use multiple Cloud Apps to develop a more complete understanding of their respective environment’s security andcompliance posture. The Qualys cloud platform currently provides the following Cloud Apps to our customers:Asset ManagementAsset Inventory (AI): AI provides a complete, continuously updated inventory of a customer’s IT assets everywhere: on premises, in cloudsor at mobile endpoints. It lists assets’ installed software, existing vulnerabilities and hardware details. A powerful search engine enables adhoc queries and refines such queries. In addition to Qualys’ network scanners, AI leverages our Cloud Agents, which are lightweight, self-updating and run in the background. These Cloud Agents continuously enable the assessment of the compliance and security status ofcustomer assets, including intermittently connected assets, without the need for scan windows or credential management.CMDB Sync (SYN): This certified application synchronizes AI data with ServiceNow’s Configuration Management system. Device changesare immediately transmitted to the Qualys cloud platform and then synchronized with ServiceNow. For customers, this means an end tounidentified and misclassified assets and to data update delays, all of which decrease chances of breaches. SYN provides real-time,comprehensive visibility of IT asset inventories enabling immediate detection of security and compliance risks .IT SecurityVulnerability Management (VM): VM is an industry leading and award-winning solution that automates network auditing and vulnerabilitymanagement across an organization, including network discovery and mapping, asset management, vulnerability reporting and remediationtracking. Driven by our comprehensive knowledge base of known vulnerabilities, VM enables cost-effective protection against vulnerabilitieswithout substantial resource deployment.Continuous Monitoring (CM): Built on top of VM, CM is a next-generation cloud service that can detect network threats and unexpectedchanges before they turn into breaches. Whenever it spots an anomaly in your network, it immediately sends targeted, informative alerts tothe right people for each situation and each machine. CM tracks what happens throughout public perimeters, internal networks, and cloudenvironments - anywhere in the world.8Table of ContentsThreat Protection (TP): Thousands of new vulnerabilities are disclosed annually. With TP, customers can pinpoint their most critical threatsand identify what they need to remediate first. TP continuously correlates external threat information against a customer's vulnerabilities andIT asset inventory, so customers know which threats pose the greatest risk to their organization at any given time. As Qualys engineerscontinuously validate and rate new threats from internal and external sources, TP’s live feed displays the latest vulnerability disclosures andmaps them to customers’ impacted IT assets. Customers can see the assets affected by each threat, and drill down into details.Security Configuration Assessment (SCA): A VM add-on, SCA expands our VM program with automatic assessment of IT assets’configurations using the latest Center for Internet Security (CIS) Benchmarks for operating systems, databases, applications and networkdevices. SCA provides intuitive workflows for assessing, monitoring, reporting and remediating security-related configuration issues. SCA’sCIS assessments are provided via a web-based user interface and delivered from the Qualys cloud platform, enabling centralizedmanagement with minimal deployment overhead. SCA users can automatically create downloadable reports and view dashboards.Indication of Compromise (IOC): IOC delivers threat hunting, detects suspicious activity, and confirms the presence of known and unknownmalware for devices both on and off the network. From its single console, customers can monitor current and historical system activity for allon-premises servers, user endpoints, and cloud instances - even for assets that are currently offline or have been re-imaged by IT. IOCutilizes the Cloud Agent to capture endpoint activity on files, processes, mutant handles, registries, and network connections, and uploadsthe data to the Qualys cloud platform for storage, processing, and query. Compliance MonitoringPolicy Compliance (PC): PC performs automated security configuration assessments on IT systems throughout a network, helping toreduce risk and continuously ensure compliance with internal policies and external regulations. PC leverages out-of-the-box library contentto fast-track compliance assessments using industry-recommended best practices. PC also provides a centralized, interactive console forspecifying baseline standards for different hosts. By automating requirement evaluation against multiple standards for OSes, networkdevices, databases and server applications, PC enables the quick identification of security issues and works to prevent configuration drift.PC works to prioritize and track remediation and exceptions, while demonstrating a repeatable auditable process for compliancemanagement.PCI Compliance (PCI): PCI streamlines and automates compliance with PCI DSS (Payment Card Industry Data Security Standard)requirements for protecting the collection, storage, processing and transmission of cardholder data. As an Approved Scanning Vendor,Qualys has been authorized by the PCI Security Standards Council to conduct the required quarterly scans. PCI scans all Internet-facingnetworks and systems with Six Sigma (99.9996%) accuracy, generates reports and provides detailed patching instructions. An auto-submission feature completes the compliance process once remediation is completed.Security Assessment Questionnaire (SAQ): SAQ automates and streamlines third-party and internal risk assessment processes, obviatingthe need to perform such processes manually via email and spreadsheets. SAQ easily designs surveys to assess procedural controls of ITsecurity policies and practices. SAQ automates the launch and monitoring of assessment campaigns, making the process agile, accurate,comprehensive, centralized, scalable and uniform across an organization. SAQ also provides tools for displaying, analyzing and acting oncollected data, enabling the assessment of compliance with industry standards, regulations and internal policies of third parties, like vendorsand partners, and of employees.File Integrity Monitoring (FIM): FIM logs and centrally tracks file change events on common enterprise operating systems in organizations ofall sizes. FIM provides customers with a simple way to achieve centralized cloud-based visibility of activity resulting from normal patchingand administrative tasks, change control exceptions or violations, or malicious activity - then reports on that system activity as part ofcompliance mandates. FIM collects the critical details needed to quickly identify changes and root out activity that violates policy or ispotentially malicious. FIM helps customers to comply with change control policy enforcement and change monitoring requirements.9Table of ContentsWeb Application SecurityWeb Application Scanning (WAS): WAS continuously discovers and catalogs web apps in your network - including new and unknown ones -- and detects vulnerabilities and misconfigurations. Scaling up to thousands of web apps, it conducts incisive, thorough and precise scans,with few false positives. Its seamless integration with Web Application Firewall (WAF) enables one-click patching of web apps, includingmobile apps and Internet of things (IoT) services. With WAS, customers can also insert security into DevOps environments by detectingcode security issues early and often in the app development and deployment pipeline. WAS also scans, identifies and removes malwareinfections from customers' websites using behavioral and static analysis.Web Application Firewall (WAF): WAF permits the reduction of application security cost and complexity with a unified platform to detect andvirtually patch web application vulnerabilities. Simple, scalable and adaptive, WAF enables the quick blocking of attacks, preventsdisclosure of sensitive information, and controls when and where customer applications are accessed. WAF and WAS work togetherseamlessly. Customers scan web apps with WAS, deploy one-click virtual patches for detected vulnerabilities in WAF, and manage it allfrom a centralized cloud-based portal. WAF can be deployed in minutes, supports Transport Layer Security (TLS) and Secure SocketsLayer (SSL) and does not require special hardware.Our Growth StrategyWe intend to strengthen our leadership position as a trusted provider of cloud-based security and compliance solutions. The key elements ofour growth strategy are:•Continue to innovate and enhance our cloud platform and suite of solutions. We intend to continue to make significant investments inresearch and development to extend our cloud platform’s functionality by developing new security solutions and capabilities and furtherenhancing our existing suite of solutions. From inception through December 31, 2016, we have added the following solutions: VM, PCI, PC,WAS, WAF, CM, CAP, AI, SYN, SAQ and TP. In 2017, we introduced a number of new offerings, including FIM, IOC and SCA.•Expand the use of our suite of solutions by our large and diverse customer base. With more than 10,300 customers across manyindustries and geographies, we believe we have a significant opportunity to sell additional solutions to our customers and expand their useof our suite of solutions. Since typically our customers initially deploy one or two of our solutions in select parts of their IT infrastructures, ourexisting customers serve as a strong source of new sales as they expand their scope and increase their subscriptions, or choose to adoptadditional solutions from our integrated suite of IT security and compliance offerings. In this regard, we continue to expand our salesexecution and marketing functions to increase adoption of our newly developed solutions among our existing customers.•Drive new customer growth and broaden our global reach. We are pursuing new customers by targeting key accounts and expandingour sales and marketing organization and network of channel partners. We will continue to seek to make significant investments toencourage organizations to replace their existing security products with our cloud solutions. We intend to expand our relationships with keysecurity consulting organizations, managed security service providers and value added resellers to accelerate the adoption of our cloudplatform. We seek to strengthen existing relationships as well as establish new relationships to increase the distribution and marketawareness of our cloud platform and target new geographic regions. We also plan to partner with such security providers that can host ourPrivate Cloud offering within their data centers, helping us expand our reach in new markets and new geographies.•Selectively pursue technology acquisitions to bolster our capabilities and leadership position. We may explore acquisitions that arecomplementary to and can expand the functionality of our cloud platform. We may also seek to acquire development teams to supplementour own personnel and acquire technology to increase the breadth of our cloud-based security and compliance solutions. In 2017, weacquired certain assets of Nevis Networks (India) Private Limited (“Nevis”), a company developing network security solutions for detectionand awareness of external intrusions to computer networks. This transaction provided us with significant domain expertise in passivescanning technologies and allowed us to accelerate our move into the adjacent market of mitigation and response at endpoints. In 2017, wealso acquired the assets of NetWatcher , allowing us to expand our threat protection and management capabilities and add new offerings tomanaged service providers (MSPs).10Table of ContentsOur CustomersWe market and sell our solutions to enterprises, government entities and small and medium-sized businesses across a broad range ofindustries, including education, financial services, government, healthcare, insurance, manufacturing, media, retail, technology and utilities. As ofDecember 31, 2017 , we had over 10,300 customers in more than 130 countries, including a majority of each of the Forbes Global 100 and Fortune100. In each of 2017 , 2016 and 2015 , no one customer accounted for more than 10% of our revenues. In 2017 , 2016 and 2015 , 70% , 71% and70% , respectively, of our revenues were derived from customers in the United States. We sell our solutions to enterprises and government entitiesprimarily through our field sales force and to small and medium-sized businesses through our inside sales force. We generate a significant portion ofsales through our channel partners, including managed service providers, value-added resellers and consulting firms in the United States andinternationally.Sales and MarketingSalesWe market and sell our IT security and compliance solutions to customers directly through our sales teams as well as indirectly through ournetwork of channel partners.Our global sales force is organized into a field sales team, which focuses on enterprises, generally including organizations with more than5,000 employees, and an inside sales team, which focuses on small to medium-sized businesses, which generally include organizations with lessthan 5,000 employees. Both our field and inside sales teams are divided into three geographic regions, including the Americas; Europe, Middle Eastand Africa; and Asia-Pacific. We also further segment each of our sales teams into groups that focus on adding new customers or managingrelationships with existing customers.Our channel partners maintain relationships with their customers throughout the territories in which they operate and provide their customerswith services and third-party solutions to help meet those customers’ evolving security and compliance requirements. As such, these partners offerour IT security and compliance solutions in conjunction with one or more of their own products or services and act as a conduit through which wecan connect with these prospective customers to offer our solutions. Our channel partners include security consulting organizations, managedservice providers and resellers, such as Deutsche Telekom AG, Fujitsu, DXC Technology, Insight Technologies, Inc., Optiv Security, Inc.,SecureWorks Corp., and Verizon Communications Inc.For sales involving a channel partner, the channel partner engages with the prospective customer directly and involves our sales team asneeded to assist in developing and closing an order. When a channel partner secures a sale, we sell the associated subscription to the channelpartner who in turn resells the subscription to the customer, with the channel partner earning a fee based on the total value of the order. Once theorder is completed, we provide these customers with direct access to our solutions and other associated back-office applications, enabling us toestablish a direct relationship as part of ensuring customer satisfaction with our solutions. At the end of the subscription term, the channel partnerengages with the customer to execute a renewal order, with our sales team providing assistance as required. In 2017 , 2016 and 2015 , 41% , 42%and 39% , respectively, of our revenues were generated by channel partners.MarketingOur marketing programs include a variety of online marketing, advertising, conferences, events, public relations activities and web-basedseminar campaigns targeted at key decision makers within our prospective customers.We have a number of marketing initiatives to build awareness and encourage customer adoption of our solutions. We offer free trials andservices to allow prospective customers to experience the quality of our solutions, to learn in detail about the features and functionality of our cloudplatform, and to quantify the potential benefits of our solutions.11Table of ContentsCustomer SupportWe deliver 24x7x365 day customer technical support from centers located in Foster City, California; Raleigh, North Carolina; and Pune, India.We recruit senior level technical personnel and trained subject matter experts who work closely with engineering and operations personnel toresolve issues quickly. Our security and compliance solutions can be deployed easily and are designed to be implemented and operated without theneed for significant professional services. We also offer various training programs as part of our subscriptions to all of our customers. We believethat our customer support helps ensure customer satisfaction and is critical to retaining and expanding our customer base. In addition, we leveragethe insights drawn from our customers to further improve the functionality of our security and compliance solutions.Research and Development and OperationsWe devote significant resources to maintain, enhance and add new functionality to our Qualys cloud platform and the integrated suite ofsolutions that we offer. Our development organization consists of agile engineering teams with substantial security expertise in specific areas of oursolutions. In addition to our development teams, we have also built a sophisticated research team focused on identifying threats and developingsignatures for vulnerabilities and compliance checks so that we can provide our customers with daily updates and enable them to scan their assetsfor the latest threats. We conduct our research and development in the United States, France, India, and the United Kingdom, which gives usaccess to some of the best research and engineering talent in the world. Our focus remains to attract engineering talent as we continue to add newsolutions and improve existing ones.Our development team works closely with our customers and partners to gain valuable insights into their environments and gather feedback forthreat research, product development and innovations. We typically release updates to our solutions, including enhancements and new featuresmultiple times a year, and we measure the quality of our scan results on a frequent basis in an effort to maintain the highest level of scan accuracy.The modular architecture of our cloud platform enables our engineering teams to simultaneously work on different features, accelerating thedelivery of new functionalities to customers. Our research and development team also works collaboratively with our technical support team toensure customer satisfaction and with our sales team to accelerate the adoption of our solutions.Research and development expenses were $42.8 million , $36.6 million and $30.4 million for 2017 , 2016 and 2015 , respectively.Manufacturing AgreementOur physical appliances are provided by SYNNEX Corporation, or SYNNEX, pursuant to a manufacturing services agreement dated March 1,2011. Under this agreement, SYNNEX manufactures, assembles and tests our physical scanner appliances. This agreement has an initial term ofone year, which is automatically renewed for additional one-year terms, unless terminated (i) at any time upon the mutual written agreement of usand SYNNEX, (ii) by either party upon 90 days or more written notice, (iii) upon written notice, subject to applicable cure periods, if the other partyhas materially breached its obligations under the agreement or (iv) by either party upon the other party seeking an order for relief under thebankruptcy laws of the United States or similar laws of any other jurisdiction, a composition with or assignment for the benefit of creditors, ordissolution or liquidation.Data Center AgreementsOur data center operations are provided by large third-party data center vendors and are located in the United States, Switzerland, theNetherlands and India. Our data center agreements have varying terms through 2020.CompetitionThe expanding capabilities of our security and compliance solutions have enabled us to address a growing array of opportunities in the cloud ITsecurity and compliance market. We compete with a large and broad array of established and emerging vulnerability management vendors,compliance vendors and data security vendors in a highly fragmented and competitive environment.12Table of ContentsWe compete with large and small public companies, such as FireEye, Inc., Imperva, Inc., International Business Machines Corporation, MicroFocus International plc, Rapid7, Inc. and Symantec Corporation, as well as privately held security providers including Barracuda Networks Inc.,BeyondTrust Software, Inc., Carbon Black, Inc., CrowdStrike Inc., Tanium Inc., Tenable Network Security, Inc., Tripwire, Inc. and TrustwaveHoldings, Inc. We also seek to replace IT security and compliance solutions that organizations have developed internally. As we continue to extendour cloud platform’s functionality by further developing security and compliance solutions, such as web application scanning and firewalls, we expectto face additional competition in these new markets.We believe that the principal competitive factors affecting the market for cloud-based security and compliance solutions include productfunctionality, breadth of offerings, flexibility of delivery models, ease of deployment and use, total cost of ownership, scalability and performance,customer support and extensibility of platform. We believe that our suite of solutions generally competes favorably with respect to these factors.However, many of our primary competitors have greater name recognition, longer operating histories, more established customer relationships,larger marketing budgets and significantly greater resources than we do.Intellectual PropertyWe rely on a combination of trade secrets, copyrights, patents and trademarks, as well as contractual protections, to establish and protect ourintellectual property rights and protect our proprietary technology. As of February 23, 2018, we have eleven issued patents, several pending U.S.patent applications and an exclusive license to four U.S. patents, which was obtained in connection with our acquisition of Nemean in 2010. Theinbound license remains in effect until the licensed patents are no longer enforceable, unless the applicable license agreement is first terminated byus or terminated by the licensor for a breach of the agreement or if we undergo certain bankruptcy events. The licenses are currently exclusive andwill remain exclusive so long as we make an appropriately-timed written election and pay an annual fixed royalty for ten years thereafter. Theseexclusive licenses are subject to the licensor’s reservation of certain rights in the patents and subject to the U.S. government’s reserved rights in thetechnology. We have a number of registered and unregistered trademarks. We require our employees, consultants and other third parties to enterinto confidentiality and proprietary rights agreements and control access to software, documentation and other proprietary information. We view ourtrade secrets and know-how as a significant component of our intellectual property assets, as we have spent years designing and developing ourQualys cloud platform, which we believe differentiates us from our competitors.We expect that software and other solutions in our industry may be subject to third-party infringement claims as the number of competitorsgrows and the functionality of products in different industry segments overlaps. Any of these third parties might make a claim of infringement againstus at any time.EmployeesAs of December 31, 2017 , we had 869 full-time employees, including 384 in research and development, 206 in sales and marketing, 189 inoperations and customer support and 90 in general and administrative. As of December 31, 2017 , we had 381 employees in the United States and488 employees internationally. None of our U.S. employees are covered by collective bargaining agreements. Employees in certain Europeancountries have collective bargaining arrangements at the national level. We believe our employee relations are good and we have not experiencedany work stoppages.Available InformationOur principal executive offices are located at 919 E. Hillsdale Blvd., 4th Floor, Foster City, California 94404. The telephone number of ourprincipal executive offices is (650) 801-6100, and our main corporate website is www.qualys.com . Information contained on, or that can beaccessed through, our website, does not constitute part of this Annual Report on Form 10-K and inclusion of our website address in this AnnualReport on Form 10-K is an inactive textual reference only.We make available our Annual Reports on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and amendments tothose reports filed or furnished pursuant to Section 13(a) or Section 15(d) of the Securities Exchange Act of 1934, as amended, free of charge onour website, www.qualys.com as soon as reasonably practicable after they are electronically filed with or furnished to the Securities and ExchangeCommission, or SEC. Additionally, copies of materials filed by us with the SEC may be accessed at the SEC's Public Reference Room at 100 FStreet, N.E., Washington, D.C. 20549 or at the SEC's website, www.sec.gov . For information about the SEC's Public Reference Room, contact 1-800-SEC-0330.13Table of ContentsGeographic InformationFor a description of our revenue and property and equipment by geographic location, see Note 10 to our consolidated financial statementsincluded elsewhere in this Annual Report on Form 10-K.14Table of ContentsItem 1A.Risk FactorsAn investment in our common stock involves a high degree of risk. You should carefully consider the risks and uncertainties described below,and all other information contained in this Annual Report on Form 10-K, including our consolidated financial statements and the related notes, beforemaking a decision to invest in our common stock. Our business, operating results, financial condition, or prospects could be materially and adverselyaffected by any of these risks and uncertainties. In that case, the trading price of our common stock could decline, and you might lose all or part orall of your investment. In addition, the risks and uncertainties discussed below are not the only ones we face. Our business, operating results,financial performance or prospects could also be harmed by risks and uncertainties not currently known to us or that we currently do not believe arematerial.Subscriptions to our Vulnerability Management solutions generate most of our revenues, and if we are unable to continue to renew andgrow subscriptions for these solutions, our operating results would suffer.We derived approximately 75% , 76% and 77% of our revenues from subscriptions to our VM solutions for the years ended December 31, 2017, 2016 and 2015 , respectively. In 2015 and prior 10-Q and 10-K filings, we had included all revenues from scanners and credits for prepaid servicesin our VM solutions revenues. In the fourth quarter of 2016, we changed the methodology to allocate revenues from scanners and credits across ourproducts.We expect to continue to derive a significant majority of our revenues from subscriptions to our VM solutions. As a result, the market demandfor our Vulnerability Management solutions is critical to our continued success. Demand for these solutions is affected by a number of factorsbeyond our control, including continued market acceptance of our solution for existing and new use cases, the timing of development and release ofnew products or services by our competitors, technological change, and growth or contraction in our market. Our inability to renew or increasesubscriptions for this solution or a decline in price of this solution would harm our business and operating results more seriously than if we derivedsignificant revenues from a variety of solutions.Our quarterly operating results may vary from period to period, which could result in our failure to meet expectations with respect tooperating results and cause the trading price of our stock to decline.Our operating results have historically varied from period to period, and we expect that they will continue to do so as a result of a number offactors, many of which are outside of our control, including:•the level of demand for our solutions;•publicity regarding security breaches generally and the level of perceived threats to IT security;•expenses associated with our existing and new products and services;•changes in customer renewals of our solutions;•the extent to which customers subscribe for additional solutions;•seasonal buying patterns of our customers;•the level of perceived threats to IT security;•security breaches, technical difficulties or interruptions with our service;•changes in the growth rate of the IT security and compliance market;•the timing and success of new product or service introductions by us or our competitors or any other changes in the competitive landscapeof our industry, including consolidation among our competitors;•the introduction or adoption of new technologies that compete with our solutions;•decisions by potential customers to purchase IT security and compliance products or services from other vendors;•the amount and timing of operating costs and capital expenditures related to the operations and expansion of our business;•the timing of sales commissions relative to the recognition of revenues;15Table of Contents•the announcement or adoption of new regulations and policy mandates or changes to existing regulations and policy mandates;•failure of our products and services to operate as designed;•price competition;•the length of our sales cycle for our products and services;•insolvency or credit difficulties confronting our customers, affecting their ability to purchase or pay for our solutions;•timely invoicing or changes in billing terms of customers;•timing of deals signed within the quarter;•pace and cost of hiring employees;•changes in foreign currency exchange rates;•general economic conditions, both domestically and in the foreign markets in which we sell our solutions;•future accounting pronouncements or changes in our accounting policies;•our ability to integrate any products or services that we may acquire in the future into our product suite or migrate existing customers of anycompanies that we may acquire in the future to our products and services;•our effective tax rate;•the timing of expenses related to the development or acquisition of technologies, services or businesses; and•potential goodwill and intangible asset impairment charges associated with acquired businesses.Each factor above or discussed elsewhere in this Annual Report on Form 10-K or the cumulative effect of some of these factors may result influctuations in our operating results. This variability and unpredictability could result in our failure to meet expectations with respect to operatingresults, or those of securities analysts or investors, for a particular period. In addition, a significant percentage of our operating expenses are fixed innature and based on forecasted trends in revenues. Accordingly, in the event of shortfalls in revenues, we are generally unable to mitigate thenegative impact on margins in the short term by reducing our operating expenses. If we fail to meet or exceed expectations for our operating resultsfor these or any other reasons, the trading price of our common stock could fall and we could face costly lawsuits, including securities class actionsuits.If the market for cloud solutions for IT security and compliance does not evolve as we anticipate, our revenues may not grow and ouroperating results would be harmed.Our success depends to a significant extent on the willingness of organizations to increase their use of cloud solutions for their IT security andcompliance. However, the market for cloud solutions for IT security and compliance is at an early stage relative to on-premises solutions, and assuch, it is difficult to predict important market trends, including the potential growth, if any, of the market for cloud security and compliance solutions.To date, some organizations have been reluctant to use cloud solutions because they have concerns regarding the risks associated with thereliability or security of the technology delivery model associated with these solutions. If other cloud service providers experience security incidents,loss of customer data, disruptions in service delivery or other problems, the market for cloud solutions as a whole, including our solutions, may benegatively impacted. Moreover, many organizations have invested substantial personnel and financial resources to integrate on-premises softwareinto their businesses, and as a result may be reluctant or unwilling to migrate to a cloud solution. Organizations that use on-premises securityproducts, such as network firewalls, security information and event management products or data loss prevention solutions, may also believe thatthese products sufficiently protect their IT infrastructure and deliver adequate security. Therefore, they may continue spending their IT securitybudgets on these products and may not adopt our security and compliance solutions in addition to or as a replacement for such products.If the market for cloud solutions for IT security and compliance does not evolve in the way we anticipate or if customers do not recognize thebenefits of our cloud solutions over traditional on-premises enterprise software products, and as a result we are unable to increase sales ofsubscriptions to our solutions, then our revenues may not grow or may decline, and our operating results would be harmed.16Table of ContentsIf we do not successfully anticipate market needs and opportunities or are unable to enhance our solutions and develop new solutionsthat meet those needs and opportunities on a timely or cost-effective basis, we may not be able to compete effectively and our businessand financial condition may be harmed.The IT security and compliance market is characterized by rapid technological advances, customer price sensitivity, short product and servicelife cycles, intense competition, changes in customer requirements, frequent new product introductions and enhancements and evolving industrystandards and regulatory mandates. Any of these factors could create downward pressure on pricing and gross margins, and could adversely affectour renewal rates, as well as our ability to attract new customers. Our future success will depend on our ability to enhance existing solutions,introduce new solutions on a timely and cost-effective basis, meet changing customer needs, extend our core technology into new applications, andanticipate and respond to emerging standards and business models. We must also continually change and improve our solutions in response tochanges in operating systems, application software, computer and communications hardware, networking software, data center architectures,programming tools and computer language technology.We may not be able to anticipate future market needs and opportunities or develop enhancements or new solutions to meet such needs oropportunities in a timely manner or at all. The market for cloud solutions for IT security and compliance is relatively new, and it is uncertain whetherour new solutions will gain market acceptance.Our solution enhancements or new solutions could fail to attain sufficient market acceptance for many reasons, including:•failure to timely meet market demand for product functionality;•inability to identify and provide intelligence regarding the attacks or techniques used by cyber-attackers;•inability to inter-operate effectively with the database technologies, file systems or web applications of our prospective customers;•defects, errors or failures;•delays in releasing our enhancements or new solutions;•negative publicity about their performance or effectiveness;•introduction or anticipated introduction of products by our competitors;•poor business conditions, causing customers to delay IT security and compliance purchases;•easing or changing of external regulations related to IT security and compliance; and•reluctance of customers to purchase cloud solutions for IT security and compliance.Furthermore, diversifying our solutions and expanding into new IT security and compliance markets will require significant investment andplanning, require that our research and development and sales and marketing organizations develop expertise in these new markets, bring us moredirectly into competition with security and compliance providers that may be better established or have greater resources than we do, requireadditional investment of time and resources in the development and training of our channel partners and entail significant risk of failure.If we fail to anticipate market requirements or fail to develop and introduce solution enhancements or new solutions to satisfy thoserequirements in a timely manner, such failure could substantially decrease or delay market acceptance and sales of our present and future solutionsand cause us to lose existing customers or fail to gain new customers, which would significantly harm our business, financial condition and results ofoperations.17Table of ContentsIf we fail to continue to effectively scale and adapt our platform to meet the performance and other requirements of our customers, ouroperating results and our business would be harmed.Our future growth depends upon our ability to continue to meet the expanding needs of our customers as their use of our cloud platform grows.As these customers gain more experience with our solutions, the number of users and the number of locations where our solutions are beingaccessed may expand rapidly in the future. In order to ensure that we meet the performance and other requirements of our customers, we intend tocontinue to make significant investments to develop and implement new proprietary and third-party technologies at all levels of our cloud platform.These technologies, which include databases, applications and server optimizations, and network and hosting strategies, are often complex, newand unproven. We may not be successful in developing or implementing these technologies. To the extent that we do not effectively scale ourplatform to maintain performance as our customers expand their use of our platform, our operating results and our business may be harmed.Our current research and development efforts may not produce successful products or enhancements to our platform that result insignificant revenue, cost savings or other benefits in the near future, if at all.We must continue to dedicate significant financial and other resources to our research and development efforts if we are to maintain ourcompetitive position. However, developing products and enhancements to our platform is expensive and time consuming, and there is no assurancethat such activities will result in significant new marketable products or enhancements to our platform, design improvements, cost savings, revenueor other expected benefits. If we spend significant resources on research and development and are unable to generate an adequate return on ourinvestment, our business and results of operations may be materially and adversely affected.Our platform, website and internal systems may be subject to intentional disruption or other security incidents that could result in liabilityand adversely impact our reputation and future sales.We and our service providers could be a target of cyber-attacks or other malfeasance designed to impede the performance of our solutions,penetrate our network security or the security of our cloud platform or our internal systems, misappropriate proprietary information and/or causeinterruptions to our services. Our solutions, platforms, and system may also suffer security incidents as a result of non-technical issues, includingintentional or inadvertent breaches by our employees or service providers. Because our operations involve providing IT security solutions to ourcustomers, we may be targeted for cyber-attacks and other security incidents. If an actual or perceived breach of our security measures or those ofour service providers occurs, it could adversely affect the market perception of our solutions, negatively affecting our reputation, and may expose usto the loss of information, litigation, regulatory actions and possible liability. Any such actual or perceived security breach could also divert the effortsof our technical and management personnel. In addition, any such actual or perceived security breach could impair our ability to operate ourbusiness and provide solutions to our customers. If this happens, our reputation could be harmed, our revenues could decline and our businesscould suffer.Our business depends substantially on retaining our current customers, and any reduction in our customer renewals or revenues fromsuch customers could harm our future operating results.We offer our Qualys cloud platform and integrated suite of solutions pursuant to a software-as-a-service model, and our customers purchasesubscriptions from us that are generally one year in length. Our customers have no obligation to renew their subscriptions after their subscriptionperiod expires, and they may not renew their subscriptions at the same or higher levels or at all. As a result, our ability to grow depends in part oncustomers renewing their existing subscriptions and purchasing additional subscriptions and solutions. Our customers may choose not to renewtheir subscriptions to our solutions or purchase additional solutions due to a number of factors, including their satisfaction or dissatisfaction with oursolutions, the prices of our solutions, the prices of products or services offered by our competitors, reductions in our customers’ spending levels dueto the macroeconomic environment or other factors. If our customers do not renew their subscriptions to our solutions, renew on less favorableterms, or do not purchase additional solutions or subscriptions, our revenues may grow more slowly than expected or decline and our results ofoperations may be harmed.18Table of ContentsIf we are unable to continue to attract new customers and grow our customer base, our growth could be slower than we expect and ourbusiness may be harmed.We believe that our future growth depends in part upon increasing our customer base. Our ability to achieve significant growth in revenues inthe future will depend, in large part, upon continually attracting new customers and obtaining subscription renewals to our solutions from thosecustomers. If we fail to attract new customers our revenues may grow more slowly than expected and our business may be harmed.If we are unable to sell subscriptions to additional solutions, our future revenue growth may be harmed and our business may suffer.We will need to increase the revenues that we derive from our current and future solutions other than Vulnerability Management for ourbusiness and revenues to grow as we expect. Revenues from our other solutions such as Policy Compliance, PCI Compliance, SecurityAssessment Questionnaire, Web Application Scanning, and Web Application Firewall have been relatively modest compared to revenues from ourVulnerability Management solutions. Our future success depends in part on our ability to sell subscriptions to these additional solutions to existingand new customers. This may require more costly sales and marketing efforts and may not result in additional sales. If our efforts to sellsubscriptions to additional solutions to existing and new customers are not successful, our business may suffer.Our sales cycle can be long and unpredictable, and our sales efforts require considerable time and expense. As a result, revenues mayvary from period to period, which may cause our operating results to fluctuate and could harm our business.The timing of sales of subscriptions for our solutions can be difficult to forecast because of the length and unpredictability of our sales cycle,particularly with large transactions. We sell subscriptions to our security and compliance solutions primarily to IT departments that are managing agrowing set of user and compliance demands, which has increased the complexity of customer requirements to be met and confirmed during thesales cycle and prolonged our sales cycle. Further, the length of time that potential customers devote to their testing and evaluation, contractnegotiation and budgeting processes varies significantly, which has also made our sales cycle long and unpredictable. The length of the sales cyclefor our solutions typically ranges from six to twelve months but can be more than eighteen months. In addition, we might devote substantial time andeffort to a particular unsuccessful sales effort, and as a result we could lose other sales opportunities or incur expenses that are not offset by anincrease in revenues, which could harm our business.Adverse economic conditions or reduced IT spending may adversely impact our business.Our business depends on the overall demand for IT and on the economic health of our current and prospective customers. Economicweakness, customer financial difficulties, and constrained spending on IT security may result in decreased revenue and earnings. Such factorscould make it difficult to accurately forecast our sales and operating results and could negatively affect our ability to provide accurate forecasts toour contract manufacturers. In addition, continued governmental budgetary challenges in the United States and Europe and geopolitical turmoil inmany parts of the world have and may continue to put pressure on global economic conditions and overall spending on IT security. Generaleconomic weakness may also lead to longer collection cycles for payments due from our customers, an increase in customer bad debt, restructuringinitiatives and associated expenses, and impairment of investments. Furthermore, the continued weakness and uncertainty in worldwide creditmarkets, including the sovereign debt situation in certain countries in the European Union, may adversely impact our customers' available budgetaryspending, which could lead to delays in planned purchases of our solutions.Uncertainty about future economic conditions also makes it difficult to forecast operating results and to make decisions about futureinvestments. Future or continued economic weakness for us or our customers, failure of our customers and markets to recover from such weakness,customer financial difficulties, and reductions in spending on IT security could have a material adverse effect on demand for our platform andconsequently on our business, financial condition and results of operations.19Table of ContentsOur security and compliance solutions are delivered from five data centers, and any disruption of service at these facilities wouldinterrupt or delay our ability to deliver our solutions to our customers which could reduce our revenues and harm our operating results.We currently host substantially all of our solutions from third-party data centers located in the United States, Switzerland, the Netherlands andIndia. These facilities are vulnerable to damage or interruption from earthquakes, hurricanes, floods, fires, cybersecurity attacks, terrorist attacks,employee negligence, power losses, telecommunications failures and similar events. The facilities also could be subject to break-ins, sabotage,intentional acts of vandalism and other misconduct. The occurrence of a natural disaster, an act of terrorism or misconduct, a decision to close thefacilities without adequate notice or other unanticipated problems could result in interruptions in our services.Some of our data centers are not currently redundant and we may not be able to rapidly move our customers from one data center to another,which may increase delays in the restoration of our service for our customers if an adverse event occurs. We have added data center facilities toprovide additional capacity for our cloud platform and to enable disaster recovery. We continue to build out these facilities; however, these additionalfacilities may not be operational in the anticipated time-frame and we may incur unplanned expenses.Additionally, our existing data center facilities providers have no obligations to renew their agreements with us on commercially reasonableterms, or at all. If we are unable to renew our agreements with the facilities providers on commercially reasonable terms or if in the future we addadditional data center facility providers, we may experience costs or downtime in connection with the loss of an existing facility or the transfer to, oraddition of, new data center facilities.Any disruptions or other performance problems with our solutions could harm our reputation and business and may damage our customers’businesses. Interruptions in our service delivery might reduce our revenues, cause us to issue credits to customers, subject us to potential liabilityand cause customers to terminate their subscriptions or not renew their subscriptions.If we are unable to increase market awareness of our company and our new solutions, our revenues may not continue to grow, or maydecline.We have a limited operating history, particularly in certain markets and solution offerings, and we believe that we need to continue to developmarket awareness in the IT security and compliance market. Market awareness of our capabilities and solutions is essential to our continued growthand success in all of our markets, particularly for the large enterprise, service provider and government markets. If our marketing programs are notsuccessful in creating market awareness of our company and our full suite of solutions, our business, financial condition and results of operationsmay be adversely affected, and we may not be able to achieve our expected growth.We face competition in our markets, and we may lack sufficient financial or other resources to maintain or improve our competitiveposition.We compete with a large range of established and emerging vulnerability management vendors, compliance vendors and data securityvendors in a highly fragmented and competitive environment. We face significant competition for each of our solutions from companies with broadproduct suites and greater name recognition and resources than we have, as well as from small companies focused on specialized securitysolutions.We compete with large and small public companies, such as FireEye, Inc., Imperva, Inc., International Business Machines Corporation, MicroFocus International plc, Rapid7, Inc. and Symantec Corporation, as well as privately held security providers including Barracuda Networks Inc.,BeyondTrust Software, Inc., Carbon Black, Inc., CrowdStrike Inc., Tanium Inc., Tenable Network Security, Inc., Tripwire, Inc. and TrustwaveHoldings, Inc. We also seek to replace IT security and compliance solutions that organizations have developed internally. As we continue to extendour cloud platform’s functionality by further developing security and compliance solutions, such as web application scanning and firewalls, we expectto face additional competition in these new markets. Our competitors may also attempt to further expand their presence in the IT security andcompliance market and compete more directly against one or more of our solutions.20Table of ContentsWe believe that the principal competitive factors affecting our markets include product functionality, breadth of offerings, flexibility of deliverymodels, ease of deployment and use, total cost of ownership, scalability and performance, customer support and extensibility of platform. Many ofour existing and potential competitors have competitive advantages, including:•greater brand name recognition;•larger sales and marketing budgets and resources;•broader distribution networks and more established relationships with distributors and customers;•access to larger customer bases;•greater customer support resources;•greater resources to make acquisitions;•greater resources to develop and introduce products that compete with our solutions;•greater resources to meet relevant regulatory requirements; and•substantially greater financial, technical and other resources.As a result, our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies,standards or customer requirements. With the introduction of new technologies, the evolution of our service and new market entrants, we expectcompetition to intensify in the future.In addition, some of our larger competitors have substantially broader product offerings and can bundle competing products and services withother software offerings. As a result, customers may choose a bundled product offering from our competitors, even if individual products have morelimited functionality than our solutions. These competitors may also offer their products at a lower price as part of this larger sale, which couldincrease pricing pressure on our solutions and cause the average sales price for our solutions to decline. These larger competitors are also often ina better position to withstand any significant reduction in capital spending, and will therefore not be as susceptible to economic downturns.Furthermore, our current and potential competitors may establish cooperative relationships among themselves or with third parties that mayfurther enhance their resources and product and services offerings in the markets we address. In addition, current or potential competitors may beacquired by third parties with greater available resources. As a result of such relationships and acquisitions, our current or potential competitorsmight be able to adapt more quickly to new technologies and customer needs, devote greater resources to the promotion or sale of their productsand services, initiate or withstand substantial price competition, take advantage of other opportunities more readily or develop and expand theirproduct and service offerings more quickly than we do. For all of these reasons, we may not be able to compete successfully against our current orfuture competitors.If our solutions fail to help our customers achieve and maintain compliance with regulations and industry standards, our revenues andoperating results could be harmed.We generate a portion of our revenues from solutions that help organizations achieve and maintain compliance with regulations and industrystandards. For example, many of our customers subscribe to our security and compliance solutions to help them comply with the security standardsdeveloped and maintained by the Payment Card Industry Security Standards Council, or the PCI Council, which apply to companies that storecardholder data. Industry organizations like the PCI Council may significantly change their security standards with little or no notice, includingchanges that could make their standards more or less onerous for businesses. Governments may also adopt new laws or regulations, or makechanges to existing laws or regulations, that could impact the demand for or value of our solutions.If we are unable to adapt our solutions to changing regulatory standards in a timely manner, or if our solutions fail to assist with or expedite ourcustomers’ compliance initiatives, our customers may lose confidence in our solutions and could switch to products offered by our competitors. Inaddition, if regulations and standards related to data security, vulnerability management and other IT security and compliance requirements arerelaxed or the penalties for non-compliance are changed in a manner that makes them less onerous, our customers may view government andindustry regulatory compliance as less critical to their businesses, and our customers may be less willing to purchase our solutions. In any of thesecases, our revenues and operating results could be harmed.21Table of ContentsWe may not maintain profitability in the future.We may not be able to sustain or increase our growth or maintain profitability in the future. We plan to continue to invest in our infrastructure,new solutions, research and development and sales and marketing, and as a result, we cannot assure you that we will maintain profitability. We mayincur losses in the future for a number of reasons, including without limitation, the other risks and uncertainties described in this Annual Report onForm 10-K. Additionally, we may encounter unforeseen operating expenses, difficulties, complications, delays and other unknown factors that mayresult in losses in future periods. If our revenue growth does not meet our expectations in future periods, our financial performance may be harmedand we may not again achieve or maintain profitability in the future.The sales prices of our solutions are subject to competitive pressures and may decrease, which may reduce our gross profits andadversely impact our financial results.The sales prices for our solutions may decline for a variety of reasons, including competitive pricing pressures, discounts, a change in our mix ofsolutions and subscriptions, anticipation of the introduction of new solutions or subscriptions, or promotional programs. Competition continues toincrease in the market segments in which we participate, and we expect competition to further increase in the future, thereby leading to increasedpricing pressures. Larger competitors with more diverse product and service offerings may reduce the price of products or subscriptions thatcompete with ours or may bundle them with other products and subscriptions. Additionally, although we price our products and subscriptionsworldwide in U.S. dollars, Euros, British Pounds and Japanese Yen, currency fluctuations in certain countries and regions may negatively impactactual prices that partners and customers are willing to pay in those countries and regions, or the effective prices we realize in our reportingcurrency. We cannot assure you that we will be successful in developing and introducing new offerings with enhanced functionality on a timely basis,or that our new product and subscription offerings, if introduced, will enable us to maintain our prices and gross profits at levels that will allow us tomaintain positive gross margins and achieve profitability.If our solutions fail to detect vulnerabilities or incorrectly detect vulnerabilities, our brand and reputation could be harmed, which couldhave an adverse effect on our business and results of operations.If our solutions fail to detect vulnerabilities in our customers’ IT infrastructures, or if our solutions fail to identify and respond to new andincreasingly complex methods of attacks, our business and reputation may suffer. There is no guarantee that our solutions will detect allvulnerabilities. Additionally, our security and compliance solutions may falsely detect vulnerabilities or threats that do not actually exist. For example,some of our solutions rely on information on attack sources aggregated from third-party data providers who monitor global malicious activityoriginating from a variety of sources, including anonymous proxies, specific IP addresses, botnets and phishing sites. If the information from thesedata providers is inaccurate, the potential for false indications of security vulnerabilities increases. These false positives, while typical in the industry,may impair the perceived reliability or usability of our solutions and may therefore adversely impact market acceptance of our solutions and couldresult in negative publicity, loss of customers and sales, increased costs to remedy any incorrect information or problem, or claims by aggrievedparties. Similar issues may be generated by the misuse of our tools to identify and exploit vulnerabilities.In addition, our solutions do not currently extend to cover mobile devices or personal devices that employees may bring into an organization.As such, our solutions would not identify or address vulnerabilities in mobile devices, such as mobile phones or tablets, or personal devices, and ourcustomers’ IT infrastructures may be compromised by attacks that infiltrate their networks through such devices.An actual or perceived security breach or theft of the sensitive data of one of our customers, regardless of whether the breach is attributable tothe failure of our solutions, could adversely affect the market’s perception of our security solutions.Incorrect or improper implementation or use of our solutions could result in customer dissatisfaction and harm our business andreputation.Our solutions are deployed in a wide variety of IT environments, including large-scale, complex infrastructures. If our customers are unable toimplement our solutions successfully, customer perceptions of our platform may be impaired or our reputation and brand may suffer. Our customershave in the past inadvertently misused our solutions, which triggered downtime in their internal infrastructure until the problem was resolved. Anymisuse of our solutions could result in customer dissatisfaction, impact the perceived reliability of our solutions, result in negative press coverage,negatively affect our reputation and harm our financial results.22Table of ContentsUndetected software errors or flaws in our cloud platform could harm our reputation or decrease market acceptance of our solutions,which would harm our operating results.Our solutions may contain undetected errors or defects when first introduced or as new versions are released. We have experienced theseerrors or defects in the past in connection with new solutions and solution upgrades and we expect that these errors or defects will be found fromtime to time in the future in new or enhanced solutions after commercial release of these solutions. Since our customers use our solutions forsecurity and compliance reasons, any errors, defects, disruptions in service or other performance problems with our solutions may damage ourcustomers’ business and could hurt our reputation. If that occurs, we may incur significant costs, the attention of our key personnel could bediverted, our customers may delay or withhold payment to us or elect not to renew, or other significant customer relations problems may arise. Wemay also be subject to liability claims for damages related to errors or defects in our solutions. A material liability claim or other occurrence thatharms our reputation or decreases market acceptance of our solutions may harm our business and operating results.Our solutions could be used to collect and store personal information of our customers’ employees or customers, and therefore privacyand other data handling concerns could result in additional cost and liability to us or inhibit sales of our solutions.We collect the names and email addresses of our customers in connection with subscriptions to our solutions. Additionally, the data that oursolutions collect to help secure and protect the IT infrastructure of our customers may include additional personal or confidential information of ourcustomers’ employees and their customers. Personal privacy has become a significant issue in the United States and in many other countries wherewe offer our solutions. The regulatory framework for privacy issues worldwide is currently evolving and is likely to remain uncertain for theforeseeable future. Many federal, state and foreign government bodies and agencies have adopted or are considering adopting laws and regulationsregarding the collection, use, disclosure and retention of personal information. In the United States, these include, for example, rules and regulationspromulgated under the authority of the Federal Trade Commission, the Health Insurance Portability and Accountability Act of 1996, or HIPAA, theGramm-Leach-Bliley Act, or GLB, and state breach notification laws. Internationally, virtually every jurisdiction in which we operate has establishedits own data security and privacy legal framework with which we or our customers must comply, including the Data Protection Directive establishedin the European Union and the Federal Data Protection Act passed in Germany.These privacy, data protection and information security laws and regulations may result in ever-increasing regulatory and public scrutiny andescalating levels of enforcement and sanctions. Additionally, new laws and regulations relating to privacy and data protection continue to beproposed and enacted. For example, the European Union has adopted a General Data Protection Regulation, or GDPR, to supersede the DataProtection Directive. This regulation, which will take full effect on May 25, 2018, will cause EU data protection requirements to be more stringent andprovide for greater penalties. Noncompliance with the GDPR can trigger fines of up to €20 million or 4% of global annual revenues, whichever ishigher.The privacy, data protection, and information security laws and regulations we must comply with also are subject to change. For example, inJune 2016, United Kingdom voters approved an exit from the European Union, commonly referred to as “Brexit,” which could also lead to furtherlegislative and regulatory changes. Additionally, an October 2015 ruling of the Court of Justice of the European Union invalidated the U.S.-EU SafeHarbor Framework as a method of compliance with European restrictions regarding the transfer of personal data outside of the European EconomicArea, or EEA. U.S. and EU authorities reached a political agreement in February 2016 regarding a new means for legitimizing personal datatransfers from the EEA to the U.S., the EU-U.S. Privacy Shield Framework, and we have joined the EU-U.S. Privacy Shield Framework and arelated program, the Swiss-U.S. Privacy Shield Framework. The EU-U.S. Privacy Shield is subject to legal challenge, however, and it or the Swiss-U.S. Privacy Shield may be modified or invalidated. We may be unsuccessful in maintaining legitimate means for our transfer and receipt ofpersonal data from the EEA or Switzerland. We may experience reluctance or refusal by current or prospective European customers to use ourproducts, and we may find it necessary or desirable to make further changes to our handling of personal data of European residents.23Table of ContentsIn addition to laws and regulations, privacy advocacy and industry groups or other private parties may propose new and different privacystandards that either legally or contractually apply to us. Because the interpretation and application of privacy and data protection laws, regulations,standards and contractual obligations are uncertain, it is possible that they may be interpreted and applied in a manner that is, or perceived to be,inconsistent with our data management practices or the features of our solutions. If so, in addition to the possibility of regulatory investigations andenforcement actions, fines, lawsuits and other claims, other forms of injunctive or operations-limiting relief, and damage to our reputations and lossof goodwill, we could be required to fundamentally change our business activities and practices or modify our solutions and may face limitations inour ability to develop new solutions and features, any of which could have an adverse effect on our business. Any inability to adequately addressprivacy concerns, even if unfounded, or any actual or perceived inability to comply with applicable privacy or data protection laws, regulations andprivacy standards, could result in cost and liability to us, damage our reputation, inhibit sales of subscriptions and harm our business.Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and privacy standards that are applicable tothe businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our solutions. Privacy concerns, whethervalid or not valid, may inhibit market adoption of our solutions particularly in certain industries and foreign countries.If we are unable to continue the expansion of our sales force, sales of our solutions and the growth of our business would be harmed.We believe that our growth will depend, to a significant extent, on our success in recruiting and retaining a sufficient number of qualified salespersonnel and their ability to obtain new customers, manage our existing customer base and expand the sales of our newer solutions. We plan tocontinue to expand our sales force and make significant investment in our sales and marketing activities. Our recent hires and planned hires maynot become as productive as quickly as we would like, and we may be unable to hire or retain sufficient numbers of qualified individuals in the futurein the competitive markets where we do business. Competition for highly skilled personnel is frequently intense, especially in the San Francisco BayArea, one of the locations in which we have a substantial presence and need for highly skilled personnel and we may not be able to compete forthese employees. If we are unable to recruit and retain a sufficient number of productive sales personnel, sales of our solutions and the growth ofour business may be harmed. Additionally, if our efforts do not result in increased revenues, our operating results could be negatively impacted dueto the upfront operating expenses associated with expanding our sales force.A significant portion of our customers, channel partners and employees are located outside of the United States, which subjects us to anumber of risks associated with conducting international operations and if we are unable to successfully manage these risks, ourbusiness and operating results could be harmed.We market and sell subscriptions to our solutions throughout the world and have personnel in many parts of the world. In addition, we havesales offices and research and development facilities outside the United States and we conduct, and expect to continue to conduct, a significantamount of our business with organizations that are located outside the United States, particularly in Europe and Asia. Therefore, we are subject torisks associated with having international sales and worldwide operations, including:•foreign currency exchange fluctuations;•trade and foreign exchange restrictions;•economic or political instability in foreign markets;•greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods;•changes in regulatory requirements;•tax laws (including U.S. taxes on foreign subsidiaries);•difficulties and costs of staffing and managing foreign operations;•the uncertainty and limitation of protection for intellectual property rights in some countries;•costs of compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations;•costs of complying with U.S. laws and regulations for foreign operations, including the Foreign Corrupt Practices Act, import and exportcontrol laws, tariffs, trade barriers, economic sanctions and other regulatory24Table of Contentsor contractual limitations on our ability to sell our solutions in certain foreign markets, and the risks and costs of non-compliance;•heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that mayimpact financial results and result in restatements of, and irregularities in, financial statements;•the potential for political unrest, acts of terrorism, hostilities or war;•management communication and integration problems resulting from cultural differences and geographic dispersion; and•multiple and possibly overlapping tax structures.Our business, including the sales of subscriptions of our solutions, may be subject to foreign governmental regulations, which vary substantiallyfrom country to country and change from time to time. Failure to comply with these regulations could adversely affect our business. Further, in manyforeign countries it is common for others to engage in business practices that are prohibited by our internal policies and procedures or U.S.regulations applicable to us. Although we have implemented policies and procedures designed to ensure compliance with these laws and policies,there can be no assurance that all of our employees, contractors, channel partners and agents have complied or will comply with these laws andpolicies. Violations of laws or key control policies by our employees, contractors, channel partners or agents could result in delays in revenuerecognition, financial reporting misstatements, fines, penalties or the prohibition of the importation or exportation of our solutions and could have amaterial adverse effect on our business and results of operations. If we are unable to successfully manage the challenges of internationaloperations, our business and operating results could be adversely affected.In addition, as of December 31, 2017 , approximately 56% of our employees were located outside of the United States, with a significantnumber of these employees located in Pune, India. Accordingly, we are exposed to changes in laws governing our employee relationships in variousU.S. and foreign jurisdictions, including laws and regulations regarding wage and hour requirements, fair labor standards, employee data privacy,unemployment tax rates, workers’ compensation rates, citizenship requirements and payroll and other taxes which may have a direct impact on ouroperating costs. We may continue to expand our international operations and international sales and marketing activities. Expansion in internationalmarkets has required, and will continue to require, significant management attention and resources. We may be unable to scale our infrastructureeffectively or as quickly as our competitors in these markets and our revenues may not increase to offset any increased costs and operatingexpenses, which would cause our results to suffer.Disruptive technologies could gain wide adoption and supplant our cloud security and compliance solutions, thereby weakening oursales and harming our results of operations.The introduction of products and services embodying new technologies could render our existing solutions obsolete or less attractive tocustomers. Our business could be harmed if new security and compliance technologies are widely adopted. We may not be able to successfullyanticipate or adapt to changing technology or customer requirements on a timely basis, or at all. If we fail to keep up with technological changes orto convince our customers and potential customers of the value of our solutions even in light of new technologies, our business could be harmedand our revenues may decline.Our business and operations have experienced significant growth, and if we do not appropriately manage any future growth, or areunable to improve our systems and processes, our operating results may be negatively affected.We have experienced significant growth over the last several years. From 2015 to 2017 , our revenues have grown from $164.3 million to$230.8 million , and our headcount increased from 431 employees at the beginning of 2015 to 869 employees at December 31, 2017 . We rely oninformation technology systems to help manage critical functions such as order processing, revenue recognition and financial forecasts. To manageany future growth effectively we must continue to improve and expand our IT systems, financial infrastructure, and operating and administrativesystems and controls, and continue to manage headcount, capital and processes in an efficient manner. We may not be able to successfullyimplement improvements to these systems and processes in a timely or efficient manner.25Table of ContentsOur failure to improve our systems and processes, or their failure to operate in the intended manner, may result in our inability to manage thegrowth of our business and to accurately forecast our revenues, expenses and earnings, or to prevent certain losses. In addition, as we continue togrow, our productivity and the quality of our solutions may also be adversely affected if we do not integrate and train our new employees quickly andeffectively. Any future growth would add complexity to our organization and require effective coordination across our organization. Failure to manageany future growth effectively could result in increased costs, harm our results of operations and lead to investors losing confidence in our internalsystems and processes.Forecasts of market growth may prove to be inaccurate, and even if the markets in which we compete achieve the forecasted growth,there can be no assurance that our business will grow at similar rates, or at all.Growth forecasts relating to the expected growth in the market for IT security and compliance and other markets are subject to significantuncertainty and are based on assumptions and estimates which may prove to be inaccurate. Even if these markets experience the forecastedgrowth, we may not grow our business at similar rates, or at all. Our growth is subject to many factors, including our success in implementing ourbusiness strategy, which is subject to many risks and uncertainties. Accordingly, forecasts of market growth should not be taken as indicative of ourfuture growth.We rely on third-party channel partners to generate a substantial amount of our revenues, and if we fail to expand and manage ourdistribution channels, our revenues could decline and our growth prospects could suffer.Our success significantly depends upon establishing and maintaining relationships with a variety of channel partners and we anticipate that wewill continue to depend on these partners in order to grow our business. For the years ended December 31, 2017 , 2016 and 2015 , we derivedapproximately 41% , 42% and 39% , respectively, of our revenues from sales of subscriptions for our solutions through channel partners, and thepercentage of revenues derived from channel partners may increase in future periods. Our agreements with our channel partners are generally non-exclusive and do not prohibit them from working with our competitors or offering competing solutions, and many of our channel partners have moreestablished relationships with our competitors. If our channel partners choose to place greater emphasis on products of their own or those offered byour competitors, do not effectively market and sell our solutions, or fail to meet the needs of our customers, then our ability to grow our business andsell our solutions may be adversely affected. In addition, the loss of one or more of our larger channel partners, who may cease marketing oursolutions with limited or no notice, and our possible inability to replace them, could adversely affect our sales. Moreover, our ability to expand ourdistribution channels depends in part on our ability to educate our channel partners about our solutions, which can be complex. Our failure to recruitadditional channel partners, or any reduction or delay in their sales of our solutions or conflicts between channel sales and our direct sales andmarketing activities may harm our results of operations. Even if we are successful, these relationships may not result in greater customer usage ofour solutions or increased revenues.In addition, the financial health of our channel partners and our continuing relationships with them are important to our success. Some of thesechannel partners may be unable to withstand adverse changes in economic conditions, which could result in insolvency and/or the inability of suchdistributors to obtain credit to finance purchases of our products and services. In addition, weakness in the end-user market could negatively affectthe cash flows of our channel partners who could, in turn, delay paying their obligations to us, which would increase our credit risk exposure. Ourbusiness could be harmed if the financial condition of some of these channel partners substantially weakened and we were unable to timely securereplacement channel partners.26Table of ContentsOur solutions contain third-party open source software components, and our failure to comply with the terms of the underlying opensource software licenses could restrict our ability to sell our solutions.Our solutions contain software licensed to us by third-parties under so-called “open source” licenses, including the GNU General PublicLicense, or GPL, the GNU Lesser General Public License, or LGPL, the BSD License, the Apache License and others. From time to time, therehave been claims against companies that distribute or use open source software in their products and services, asserting that such open sourcesoftware infringes the claimants’ intellectual property rights. We could be subject to suits by parties claiming that what we believe to be licensedopen source software infringes their intellectual property rights. Use and distribution of open source software may entail greater risks than use ofthird-party commercial software, as open source licensors generally do not provide warranties or other contractual protections regardinginfringement claims or the quality of the code. In addition, certain open source licenses require that source code for software programs that aresubject to the license be made available to the public and that any modifications or derivative works to such open source software continue to belicensed under the same terms. If we combine our proprietary software with open source software in certain ways, we could, in some circumstances,be required to release the source code of our proprietary software to the public. Disclosing the source code of our proprietary software could make iteasier for cyber attackers and other third parties to discover vulnerabilities in or to defeat the protections of our solutions, which could result in oursolutions failing to provide our customers with the security they expect from our services. This could harm our business and reputation. Disclosingour proprietary source code also could allow our competitors to create similar products with lower development effort and time and ultimately couldresult in a loss of sales for us. Any of these events could have a material adverse effect on our business, operating results and financial condition.Although we monitor our use of open source software in an effort both to comply with the terms of the applicable open source licenses and toavoid subjecting our solutions to conditions we do not intend, the terms of many open source licenses have not been interpreted by U.S. courts, andthere is a risk that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability tocommercialize our solutions. In this event, we could be required to seek l icenses from third parties to continue offering our solutions, to make ourproprietary code generally available in source code form, to re-engineer our solutions or to discontinue the sale of our solutions if re-engineeringcould not be accomplished on a timely basis, any of which could adversely affect our business, operating results and financial condition.We rely on software-as-a-service vendors to operate certain functions of our business and any failure of such vendors to provideservices to us could adversely impact our business and operations.We rely on third-party software-as-a-service vendors to operate certain critical functions of our business, including financial management andhuman resource management. If these services become unavailable due to extended outages or interruptions or because they are no longeravailable on commercially reasonable terms or prices, our expenses could increase, our ability to manage our finances could be interrupted and ourprocesses for managing sales of our solutions and supporting our customers could be impaired until equivalent services, if available, are identified,obtained and integrated, all of which could harm our business.We use third-party software and data that may be difficult to replace or cause errors or failures of our solutions that could lead to lostcustomers or harm to our reputation and our operating results.We license third-party software as well as security and compliance data from various third parties to deliver our solutions. In the future, thissoftware or data may not be available to us on commercially reasonable terms, or at all. Any loss of the right to use any of this software or datacould result in delays in the provisioning of our solutions until equivalent technology or data is either developed by us, or, if available, is identified,obtained and integrated, which could harm our business. In addition, any errors or defects in or failures of this third-party software or data couldresult in errors or defects in our solutions or cause our solutions to fail, which could harm our business and be costly to correct. Many of theseproviders attempt to impose limitations on their liability for such errors, defects or failures, and if enforceable, we may have additional liability to ourcustomers or third-party providers that could harm our reputation and increase our operating costs.We will need to maintain our relationships with third-party software and data providers, and to obtain software and data from such providersthat do not contain any errors or defects. Any failure to do so could adversely impact our ability to deliver effective solutions to our customers andcould harm our operating results.27Table of ContentsDelays or interruptions in the manufacturing and delivery of our physical scanner appliances by our sole source manufacturer may harmour business.Upon customer request, we provide physical or virtual scanner appliances on a subscription basis as an additional capability to the customer’ssubscription for use during their subscription term. Our physical scanner appliances are built by a single manufacturer. Our reliance on a solemanufacturer involves several risks, including a potential inability to obtain an adequate supply of physical scanner appliances and limited controlover pricing, quality and timely deployment of such scanner appliances. In addition, replacing this manufacturer may be difficult and could result inan inability or delay in deploying our solutions to customers that request physical scanner appliances as part of their subscriptions.Furthermore, our manufacturer’s ability to timely manufacture and ship our physical scanner appliances depends on a variety of factors, suchas the availability of hardware components, supply shortages or contractual restrictions. In the event of an interruption from this manufacturer, wemay not be able to develop alternate or secondary sources in a timely manner. If we are unable to purchase physical scanner appliances inquantities sufficient to meet our requirements on a timely basis, we may not be able to effectively deploy our solutions to new customers that requestphysical scanner appliances, which could harm our business.We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results ofoperations.Our reporting currency is the U.S. dollar and we generate a majority of our revenues in U.S. dollars. However, in 2017 , we incurredapproximately 19% of our expenses outside of the United States in foreign currencies, primarily Euros, British Pounds, and Indian Rupee, principallywith respect to salaries and related personnel expenses associated with our European and Indian operations. Additionally, in 2017 , approximately18% of our revenues were generated in foreign currencies. Accordingly, changes in exchange rates may have a material adverse effect on ourbusiness, operating results and financial condition. The exchange rate between the U.S. dollar and foreign currencies has fluctuated substantially inrecent years and may continue to fluctuate substantially in the future. We expect that a majority of our revenues will continue to be generated in U.S.dollars for the foreseeable future and that a significant portion of our expenses, including personnel costs, as well as capital and operatingexpenditures, will continue to be denominated in Euro, British Pound and Indian Rupee. The results of our operations may be adversely affected byforeign exchange fluctuations.We use forward foreign exchange contracts to mitigate the effect of changes in foreign exchange rates on certain cash and accountsreceivable balances denominated in certain foreign currencies. However, we may not be able to purchase derivative instruments that are adequateto insulate ourselves from foreign currency exchange risks. Additionally, our hedging activities may contribute to increased losses as a result ofvolatility in foreign currency markets.Failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.The success of our business depends in part on our ability to protect and enforce our trade secrets, trademarks, copyrights, patents and otherintellectual property rights. We attempt to protect our intellectual property under copyright, trade secret, patent and trademark laws, and through acombination of confidentiality procedures, contractual provisions and other methods, all of which offer only limited protection.We primarily rely on our unpatented proprietary technology and trade secrets. Despite our efforts to protect our proprietary technology andtrade secrets, unauthorized parties may attempt to misappropriate, reverse engineer or otherwise obtain and use them. The contractual provisionsthat we enter into with employees, consultants, partners, vendors and customers may not prevent unauthorized use or disclosure of our proprietarytechnology or intellectual property rights and may not provide an adequate remedy in the event of unauthorized use or disclosure of our proprietarytechnology or intellectual property rights. Moreover, policing unauthorized use of our technologies, solutions and intellectual property is difficult,expensive and time-consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in theUnited States and where mechanisms for enforcement of intellectual property rights may be weak. We may be unable to determine the extent of anyunauthorized use or infringement of our solutions, technologies or intellectual property rights.28Table of ContentsAs of February 23, 2018, we have eleven issued patents and several pending U.S. patent applications, and may file additional patentapplications in the future. Additionally, we have an exclusive license to four third-party patents. The process of obtaining patent protection isexpensive and time-consuming, and we may not be able to prosecute all necessary or desirable patent applications at a reasonable cost or in atimely manner, if at all. We may choose not to seek patent protection for certain innovations and may choose not to pursue patent protection incertain jurisdictions.Furthermore, it is possible that our patent applications may not result in granted patents, that the scope of our issued patents will be limited ornot provide the coverage originally sought, that our issued patents will not provide us with any competitive advantages, or that our patents and otherintellectual property rights may be challenged by others or invalidated through administrative processes or litigation. In addition, issuance of a patentdoes not guarantee that we have an absolute right to practice the patented invention. As a result, we may not be able to obtain adequate patentprotection or to enforce our issued patents effectively.From time to time, legal action by us may be necessary to enforce our patents and other intellectual property rights, to protect our tradesecrets, to determine the validity and scope of the intellectual property rights of others or to defend against claims of infringement or invalidity. Suchlitigation could result in substantial costs and diversion of resources and could negatively affect our business, operating results and financialcondition. If we are unable to protect our intellectual property rights, we may find ourselves at a competitive disadvantage to others who need notincur the additional expense, time and effort required to create the innovative solutions that have enabled us to be successful to date.Assertions by third parties of infringement or other violations by us of their intellectual property rights could result in significant costsand harm our business and operating results.Patent and other intellectual property disputes are common in our industry. Some companies, including some of our competitors, own largenumbers of patents, copyrights and trademarks, which they may use to assert claims against us. Third parties may in the future assert claims ofinfringement, misappropriation or other violations of intellectual property rights against us. They may also assert such claims against our customersor channel partners whom we typically indemnify against claims that our solutions infringe, misappropriate or otherwise violate the intellectualproperty rights of third parties. As the numbers of products and competitors in our market increase and overlaps occur, claims of infringement,misappropriation and other violations of intellectual property rights may increase. Any claim of infringement, misappropriation or other violation ofintellectual property rights by a third party, even those without merit, could cause us to incur substantial costs defending against the claim and coulddistract our management from our business.The patent portfolios of our most significant competitors are larger than ours. This disparity may increase the risk that they may sue us forpatent infringement and may limit our ability to counterclaim for patent infringement or settle through patent cross-licenses. In addition, futureassertions of patent rights by third parties, and any resulting litigation, may involve patent holding companies or other adverse patent owners whohave no relevant product revenues and against whom our own patents may therefore provide little or no deterrence or protection. There can be noassurance that we will not be found to infringe or otherwise violate any third-party intellectual property rights or to have done so in the past.An adverse outcome of a dispute may require us to:•pay substantial damages, including treble damages, if we are found to have willfully infringed a third party’s patents or copyrights;•cease making, licensing or using solutions that are alleged to infringe or misappropriate the intellectual property of others;•expend additional development resources to attempt to redesign our solutions or otherwise develop non-infringing technology, which maynot be successful;•enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectualproperty rights; and•indemnify our partners and other third parties.29Table of ContentsIn addition, royalty or licensing agreements, if required or desirable, may be unavailable on terms acceptable to us, or at all, and may requiresignificant royalty payments and other expenditures. Some licenses may also be non-exclusive, and therefore our competitors may have access tothe same technology licensed to us. Any of the foregoing events could seriously harm our business, financial condition and results of operations.If we are required to collect sales and use or other taxes on the solutions we sell, we may be subject to liability for past sales and ourfuture sales may decrease.Taxing jurisdictions, including state and local entities, have differing rules and regulations governing sales and use or other taxes, and theserules and regulations are subject to varying interpretations that may change over time. In particular, the applicability of sales taxes to oursubscription services in various jurisdictions is unclear. It is possible that we could face sales tax audits and that our liability for these taxes couldexceed our estimates as tax authorities could still assert that we are obligated to collect additional amounts as taxes from our customers and remitthose taxes to those authorities. We could also be subject to audits with respect to state and international jurisdictions for which we have notaccrued tax liabilities. A successful assertion that we should be collecting additional sales or other taxes on our services in jurisdictions where wehave not historically done so and do not accrue for sales taxes could result in substantial tax liabilities for past sales, discourage customers frompurchasing our solutions or otherwise harm our business and operating results.We depend on the continued services and performance of our senior management and other key employees, the loss of any of whomcould adversely affect our business, operating results and financial condition.Our future performance depends on the continued services and continuing contributions of our senior management, particularly Philippe F.Courtot, our Chairman, President and Chief Executive Officer, and other key employees to execute on our business plan and to identify and pursuenew opportunities and product innovations. We do not maintain key-man insurance for Mr. Courtot or for any other member of our seniormanagement team. From time to time, there may be changes in our senior management team resulting from the termination or departure ofexecutives. Our senior management and key employees are generally employed on an at-will basis, which means that they could terminate theiremployment with us at any time. The loss of the services of our senior management, particularly Mr. Courtot, or other key employees for any reasoncould significantly delay or prevent the achievement of our development and strategic objectives and harm our business, financial condition andresults of operations.If we are unable to hire, retain and motivate qualified personnel, our business may suffer.Our future success depends, in part, on our ability to continue to attract and retain highly skilled personnel. The loss of the services of any ofour key personnel, the inability to attract or retain qualified personnel or delays in hiring required personnel, particularly in engineering and sales,may seriously harm our business, financial condition and results of operations. Any of our employees may terminate their employment at any time.Competition for highly skilled personnel is frequently intense, especially in the San Francisco Bay Area, one of the locations in which we have asubstantial presence and need for highly skilled personnel and we may not be able to compete for these employees.We are required under accounting principles generally accepted in the United States (“U.S. GAAP”) to recognize compensation expense in ouroperating results for employee stock-based compensation under our equity grant programs, which may negatively impact our operating results andmay increase the pressure to limit stock-based compensation that we might otherwise offer to current or potential employees. In addition, to theextent we hire personnel from competitors, we may be subject to allegations that they have been improperly solicited or divulged proprietary or otherconfidential information.Changes in laws or regulations related to the Internet may diminish the demand for our solutions and could have a negative impact onour business.We deliver our solutions through the Internet. Federal, state or foreign government bodies or agencies have in the past adopted, and may inthe future adopt, laws or regulations affecting data privacy and the use of the Internet. In addition, government agencies or private organizationsmay begin to impose taxes, fees or other charges for accessing the Internet or on commerce conducted via the Internet. These laws or chargescould limit the viability of Internet-based solutions such as ours and reduce the demand for our solutions.30Table of ContentsA portion of our revenues are generated by sales to government entities, which are subject to a number of challenges and risks.Government entities have historically been particularly concerned about adopting cloud-based solutions for their operations, including securitysolutions, and increasing sales of subscriptions for our solutions to government entities may be more challenging than selling to commercialorganizations. Selling to government entities can be highly competitive, expensive and time-consuming, often requiring significant upfront time andexpense without any assurance that we will win a sale. We have invested in the creation of a cloud offering certified under the Federal InformationSecurity Management Act, or FISMA, for government usage but we cannot be sure that we will continue to sustain or renew this certification, thatthe government will continue to mandate such certification or that other government agencies or entities will use this cloud offering. Governmentdemand and payment for our solutions may be impacted by public sector budgetary cycles and funding authorizations, with funding reductions ordelays adversely affecting public sector demand for our solutions. Government entities may have contractual or other legal rights to terminatecontracts with our channel partners for convenience or due to a default, and any such termination may adversely impact our future results ofoperations. Governments routinely investigate and audit government contractors’ administrative processes, and any unfavorable audit could result inthe government refusing to continue buying our solutions, a reduction of revenues or fines or civil or criminal liability if the audit uncovers improper orillegal activities. Any such penalties could adversely impact our results of operations in a material way.Governmental export or import controls could subject us to liability if we violate them or limit our ability to compete in foreign markets.Our solutions are subject to U.S. export controls, specifically, the Export Administration Regulations and economic sanctions enforced by theOffice of Foreign Assets Control. We incorporate encryption technology into certain of our solutions. These encryption solutions and the underlyingtechnology may be exported only with the required export authorizations, including by license, a license exception or other appropriate governmentauthorizations. U.S. export controls may require submission of an encryption registration, product classification and/or annual or semi-annualreports. Governmental regulation of encryption technology and regulation of imports or exports of encryption products, or our failure to obtainrequired import or export authorization for our solutions, when applicable, could harm our international sales and adversely affect our revenues.Compliance with applicable regulatory requirements regarding the export of our solutions, including with respect to new releases of our solutions,may create delays in the introduction of our solutions in international markets, prevent our customers with international operations from deployingour solutions throughout their globally-distributed systems or, in some cases, prevent the export of our solutions to some countries altogether. Inaddition, various countries regulate the import of our appliance-based solutions and have enacted laws that could limit our ability to distributesolutions or could limit our customers’ ability to implement our solutions in those countries. Any new export or import restrictions, new legislation orshifting approaches in the enforcement or scope of existing regulations, or in the countries, persons or technologies targeted by such regulations,could result in decreased use of our solutions by existing customers with international operations, declining adoption of our solutions by newcustomers with international operations and decreased revenues. If we fail to comply with export and import regulations, we may be fined or otherpenalties could be imposed, including a denial of certain export privileges.Our success in acquiring and integrating other businesses, products or technologies could impact our financial position.In order to remain competitive, we have in the past and may in the future seek to acquire additional businesses, products, services ortechnologies. The environment for acquisitions in our industry is very competitive and acquisition candidate purchase prices may exceed what wewould prefer to pay. Moreover, achieving the anticipated benefits of future acquisitions will depend in part upon whether we can integrate acquiredoperations, products and technology in a timely and cost-effective manner , and even if we achieve benefits from acquisitions, such acquisitions maystill be viewed negatively by customers, financial markets or investors. The acquisition and integration process is complex, expensive and time-consuming, and may cause an interruption of, or loss of momentum in, product development and sales activities and operations of both companiesand we may incur substantial cost and expense, as well as divert the attention of management. We may issue equity securities which could dilutecurrent stockholders’ ownership, incur debt, assume contingent or other liabilities and expend cash in acquisitions, which could negatively impactour financial position, stockholder equity and stock price. We may not find suitable acquisition candidates, and acquisitions we complete may beunsuccessful. If we consummate a transaction, we may be unable to integrate and manage acquired products and businesses effectively or retainkey personnel. If we are unable to effectively execute acquisitions, our business, financial condition and operating results could be adverselyaffected.31Table of ContentsOur financial results are based in part on our estimates or judgments relating to our critical accounting policies. These estimates orjudgments may prove to be incorrect, which could harm our operating results and result in a decline in our stock price.The preparation of financial statements in conformity with U.S. GAAP requires management to make estimates and assumptions that affect theamounts reported in the consolidated financial statements and accompanying notes. We base our estimates on historical experience and on variousother assumptions that we believe to be reasonable under the circumstances, as provided in the section titled “Part II, Item 7 - Management’sDiscussion and Analysis of Financial Condition and Results of Operations,” the results of which form the basis for making judgments about thecarrying values of assets, liabilities, equity, revenues and expenses that are not readily apparent from other sources. Our operating results may beadversely affected if our assumptions change or if actual circumstances differ from those in our assumptions, which could cause our operatingresults to fall below the expectations of securities analysts and investors, resulting in a decline in our stock price. Significant assumptions andestimates used in preparing our consolidated financial statements include those related to revenue recognition, accounting for income taxes, stock-based compensation, and fair value measurement.Changes in financial accounting standards may cause adverse and unexpected revenue fluctuations and impact our reported results ofoperations.We prepare our financial statements in accordance with U.S. GAAP. These principles are subject to interpretation by the SEC and variousbodies formed to interpret and create appropriate accounting principles. A change in these accounting standards or practices could harm ouroperating results and could have a significant effect on our reporting of transactions and reported results and may even retroactively affectpreviously reported transactions. New accounting pronouncements and varying interpretations of accounting pronouncements have occurred andmay occur in the future. Changes to existing rules or the questioning of current practices may harm our operating results, or require that we makesignificant changes to our systems, processes and controls or the way we conduct our business.We have historically expensed commissions associated with sales of our solutions immediately upon receipt of a subscription order froma customer and generally recognize the revenues associated with such sale over the term of the agreement. Accordingly, our historicaloperating income in any period may not be indicative of our financial health and future performance. With the adoption of AccountingStandards Update ("ASU") 2014-09, Revenue from Contracts with Customers (Topic 606) effective January 1, 2018, we will commencecapitalizing of our commissions but will elect to use the practical expedient in Topic 606 and expense commissions related to contractswith a renewal contract term of one year or less. As a result of the adoption of Topic 606, our future operating results may vary fromperiod to period as our commission expense will not be directly comparable to historical periods.Through December 2017, we have expensed commissions paid to our sales personnel in the quarter in which the related order is received. Incontrast, we have generally recognized the revenues associated with a sale of our solutions ratably over the term of the subscription, which istypically one year. Accordingly, our historical results may have fluctuated based on timing of commission expenses as compared to revenuerecognized. With the adoption of Topic 606, our operating results will also fluctuate and not be comparable to historical periods and continue tofluctuate as we will generally capitalize commissions except for renewal sales that are one year or less. In addition, amortization of expense frompreviously capitalized contracts is expected to increase over time as our opening capitalized commission asset balance upon adoption of Topic 606only includes open contracts as of December 31, 2017. Accordingly, we expect our commission expense to grow in future periods after the initialadoption of Topic 606.We recognize revenues from subscriptions over the term of the relevant service period, and therefore any decreases or increases inbookings are not immediately reflected in our operating results.We recognize revenues from subscriptions over the term of the relevant service period, which is typically one year. As a result, most of ourreported revenues in each quarter are derived from the recognition of deferred revenues relating to subscriptions entered into during previousquarters. Consequently, a shortfall in demand for our solutions in any period may not significantly reduce our revenues for that period, but couldnegatively affect revenues in future periods. Accordingly, the effect of significant downturns in bookings may not be fully reflected in our results ofoperations until future periods. We may be unable to adjust our costs and expenses to compensate for such a potential shortfall in revenues. Oursubscription model also makes it difficult for us to rapidly increase our revenues through additional bookings in any period, as revenues arerecognized ratably over the subscription period.32Table of ContentsChanges in our provision for income taxes or adverse outcomes resulting from examination of our income tax returns could adverselyaffect our operating results. We could be subject to additional taxes.We are subject to income taxes in the United States and various foreign jurisdictions, and our domestic and international tax liabilities aresubject to the allocation of expenses in differing jurisdictions. Our tax rate is affected by changes in the mix of earnings and losses in countries withdiffering statutory tax rates, certain non-deductible expenses arising from the requirement to expense stock options, excess tax benefits from stock-based compensation, and the valuation of deferred tax assets and liabilities, including our ability to utilize our federal and state net operating losses,which were $ 54.4 million as of December 31, 2017 . As a result of the Tax Cuts and Jobs Act (“the 2017 Tax Act”), which was enacted by the U.S.federal government on December 22, 2017, our federal tax rate will decrease in 2018, resulting in our recording of $10.4 million of additional incometax expense in 2017 due to the re-measurement of certain deferred tax assets and liabilities. Accordingly, our operating results have fluctuated andmay not be comparable to historical periods and continue to fluctuate in the future. Increases in our effective tax rate could harm our operatingresults.Additionally, significant judgment is required in evaluating our tax positions and our worldwide provision for taxes. During the ordinary course ofbusiness, there are many activities and transactions for which the ultimate tax determination is uncertain. In addition, our tax obligations andeffective tax rates could be adversely affected by changes in the relevant tax, accounting and other laws, regulations, principles and interpretations,including those relating to income tax nexus, by recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lowerstatutory rates and higher than anticipated earnings in jurisdictions where we have higher statutory rates, by changes in foreign currency exchangerates, or by changes in the valuation of our deferred tax assets and liabilities. We may be audited in various jurisdictions, and such jurisdictions mayassess additional taxes, sales taxes and value-added taxes against us. Although we believe our tax estimates are reasonable, the finaldetermination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a materialadverse effect on our operating results or cash flows in the period or periods for which a determination is made.Uncertainties in the interpretation and application of the 2017 Tax Cuts and Jobs Act could materially affect our tax obligations andeffective tax rate. The 2017 Tax Act significantly affected U.S. tax law by changing how the U.S. imposes income tax on multinational corporations. Given thetiming, scope, and magnitude of the changes enacted by the 2017 Tax Act, along with on-going implementation efforts, guidance, and otherdevelopments from U.S. regulatory and standard-setting bodies, the completion of the accounting for certain tax items included in Note 9 to theConsolidated Financial Statements included in Part II, Item 8, that have been reported as provisional may be subject to material change. Anysignificant changes to our future effective tax rate, including final resolution of provisional amounts relating to effects of the 2017 Tax Act, may resultin a material adverse effect on our business, financial condition, results of operations, or cash flows.Our business is subject to the risks of earthquakes, fire, power outages, floods and other catastrophic events, and to interruption byman-made problems such as terrorism.A significant natural disaster, such as an earthquake, fire or a flood, or a significant power outage could have a material adverse impact on ourbusiness, operating results and financial condition. Our corporate headquarters and a significant portion of our operations are located in the SanFrancisco Bay Area, a region known for seismic activity. In addition, natural disasters could affect our business partners’ ability to perform servicesfor us on a timely basis. In the event we or our business partners are hindered by any of the events discussed above, our ability to provide oursolutions to customers could be delayed, resulting in our missing financial targets, such as revenues and net income, for a particular quarter.Further, if a natural disaster occurs in a region from which we derive a significant portion of our revenues, customers in that region may delay orforego subscriptions of our solutions, which may materially and adversely impact our results of operations for a particular period. In addition, acts ofterrorism could cause disruptions in our business or the business of our business partners, customers or the economy as a whole. All of theaforementioned risks may be exacerbated if the disaster recovery plans for us and our suppliers prove to be inadequate. To the extent that any ofthe above results in delays of customer subscriptions or commercialization of our solutions, our business, financial condition and results ofoperations could be adversely affected.If we fail to maintain an effective system of internal control over financial reporting, our ability to produce timely and accurate financialstatements or comply with applicable regulations could be impaired.33Table of ContentsAs a public company, we are subject to the reporting requirements of the Securities Exchange Act of 1934, or the Exchange Act, the Sarbanes-Oxley Act, and the rules and regulations of the NASDAQ Stock Market. To comply with the requirements of being a public company, we may needto undertake various actions, such as implementing additional internal controls and procedures and hiring accounting or internal audit staff.Our internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reportingand the preparation of financial statements in accordance with GAAP. Our current controls and any new controls that we develop may becomeinadequate because of changes in conditions in our business. Any failure to maintain effective controls, or any difficulties encountered in theirimprovement, could harm our operating results or cause us to fail to meet our reporting obligations. Any failure to maintain effective internal controlover financial reporting also could adversely affect the results of periodic management evaluations regarding the effectiveness of our internal controlover financial reporting that we are required to include in our periodic reports we file with the SEC under Section 404 of the Sarbanes-Oxley Act.While we were able to assert in this Annual Report on Form 10-K that our internal control over financial reporting was effective as of December 31,2017 , we cannot predict the outcome of our testing in future periods. If we are unable to assert in any future reporting period that our internal controlover financial reporting is effective (or if our independent registered public accounting firm is unable to express an opinion on the effectiveness ofour internal controls), investors may lose confidence in our operating results and our stock price could decline. In addition, if we are unable tocontinue to meet these requirements, we may not be able to remain listed on the NASDAQ Stock Market.Market volatility may affect our stock price and the value of an investment in our common stock and could subject us to litigation.The trading price of our common stock has been, and may continue to be, subject to significant fluctuations in response to a number of factors,most of which we cannot predict or control, including:•announcements of new solutions, services or technologies, commercial relationships, acquisitions or other events by us or our competitors;•fluctuations in stock market prices and trading volumes of securities of similar companies;•general market conditions and overall fluctuations in U.S. equity markets;•variations in our operating results, or the operating results of our competitors;•changes in our financial guidance or securities analysts’ estimates of our financial performance;•changes in accounting principles;•sales of large blocks of our common stock, including sales by our executive officers, directors and significant stockholders;•additions or departures of any of our key personnel;•announcements related to litigation;•changing legal or regulatory developments in the United States and other countries; and•discussion of us or our stock price by the financial press and in online investor communities.In addition, the stock market in general, and the stocks of technology companies such as ours in particular, have experienced substantial priceand volume volatility that is often seemingly unrelated to the operating performance of particular companies. These broad market fluctuations maycause the trading price of our common stock to decline. In the past, securities class action litigation has often been brought against a company aftera period of volatility in the trading price of its common stock. We may become involved in this type of litigation in the future. Any securities litigationclaims brought against us could result in substantial expenses and the diversion of our management’s attention from our business.34Table of ContentsOur actual operating results may differ significantly from our guidance.From time to time, we have released, and may continue to release, guidance in our quarterly earnings conference calls, quarterly earningsreleases, or otherwise, regarding our future performance that represents our management's estimates as of the date of release. This guidance,which includes forward-looking statements, has been and will be based on projections prepared by our management. These projections are notprepared with a view toward compliance with published guidelines of the American Institute of Certified Public Accountants, and neither ourregistered public accountants nor any other independent expert or outside party compiles or examines the projections. Accordingly, no such personexpresses any opinion or any other form of assurance with respect to the projections.Projections are based upon a number of assumptions and estimates that, while presented with numerical specificity, are inherently subject tosignificant business, economic and competitive uncertainties and contingencies, many of which are beyond our control and are based upon specificassumptions with respect to future business decisions, some of which will change. We intend to state possible outcomes as high and low rangeswhich are intended to provide a sensitivity analysis as variables are changed but are not intended to imply that actual results could not fall outside ofthe suggested ranges. The principal reason that we release guidance is to provide a basis for our management to discuss our business outlook withanalysts and investors. We do not accept any responsibility for any projections or reports published by any such third parties.Guidance is necessarily speculative in nature, and it can be expected that some or all of the assumptions underlying the guidance furnished byus will not materialize or will vary significantly from actual results. Accordingly, our guidance is only an estimate of what management believes isrealizable as of the date of release. Actual results may vary from our guidance and the variations may be material. In light of the foregoing, investorsare urged not to rely upon our guidance in making an investment decision regarding our common stock.Any failure to successfully implement our operating strategy or the occurrence of any of the events or circumstances set forth in this “RiskFactors” section in this Annual Report on Form 10-K could result in the actual operating results being different from our guidance, and thedifferences may be adverse and material.Concentration of ownership among our existing executive officers, directors and holders of 10% or more of our outstanding commonstock may prevent new investors from influencing significant corporate decisions.As of December 31, 2017 , our executive officers, directors and holders of 10% or more of our outstanding common stock beneficially own, inthe aggregate, approximately 14% of our outstanding common stock. As a result, such persons, acting together, have significant ability to control ourmanagement and affairs and substantially all matters submitted to our stockholders for approval, including the election and removal of directors andapproval of any significant transaction. These persons also have significant ability to control our management and business affairs. Thisconcentration of ownership may have the effect of delaying, deferring or preventing a change in control, impeding a merger, consolidation, takeoveror other business combination involving us, or discouraging a potential acquirer from making a tender offer or otherwise attempting to obtain controlof our business, even if such a transaction would benefit other stockholders.Future sales of shares by existing stockholders could cause our stock price to decline.The market price of shares of our common stock could decline as a result of substantial sales of our common stock, particularly sales by ourdirectors, executive officers, employees and significant stockholders, a large number of shares of our common stock becoming available for sale, orthe perception in the market that holders of a large number of shares intend to sell their shares. As of December 31, 2017 , we had approximately38.6 million shares of our common stock outstanding. Certain holders of shares of common stock have rights, subject to some conditions, to requireus to file registration statements covering their shares or to include these shares in registration statements that we may file for ourselves or otherstockholders.In addition, as of December 31, 2017 , there were approximately 1.4 million restricted stock units and options to purchase approximately 4.5million shares of our common stock outstanding. If such options are exercised and restricted stock units are released, these additional shares willbecome available for sale. As of December 31, 2017 , we had an aggregate of 2.2 million shares of our common stock reserved for future issuanceunder our 2012 Equity Incentive Plan, which can be freely sold in the public market upon issuance. If a large number of these shares are sold in thepublic market, the sales could reduce the trading price of our common stock.35Table of ContentsWe cannot guarantee that our recently announced stock repurchase program will be fully consummated or that it will enhancestockholder value, and any stock repurchases we make could affect the price of our common stock.In February 2018, we announced a $100.0 million stock repurchase program. Although our board of directors authorized this stock repurchaseprogram, we are not obligated to repurchase any specific dollar amount or to acquire any specific number of shares. The stock repurchase programcould affect the price of our common stock, increase volatility and diminish our cash reserves. In addition, it may be suspended or terminated at anytime, which may result in a decrease in the price of our common stock.We do not intend to pay dividends on our common stock and therefore any returns will be limited to the value of our stock.We have never declared or paid any cash dividend on our common stock. We currently anticipate that we will retain future earnings for thedevelopment, operation and expansion of our business and do not anticipate declaring or paying any cash dividends for the foreseeable future. Anyreturn to stockholders will therefore be limited to the value of their stock.Anti-takeover provisions in our charter documents and under Delaware law could make an acquisition of us, which may be beneficial toour stockholders, more difficult and may prevent attempts by our stockholders to replace or remove our current management.Our amended and restated certificate of incorporation and amended and restated bylaws contain provisions that may delay or prevent anacquisition of us or a change in our management. These provisions include:•authorizing “blank check” preferred stock, which could be issued by the board without stockholder approval and may contain voting,liquidation, dividend and other rights superior to our common stock, which would increase the number of outstanding shares and couldthwart a takeover attempt;•a classified board of directors whose members can only be dismissed for cause;•the prohibition on actions by written consent of our stockholders;•the limitation on who may call a special meeting of stockholders;•the establishment of advance notice requirements for nominations for election to our board of directors or for proposing matters that can beacted upon at stockholder meetings; and•the requirement of at least two-thirds of the outstanding capital stock to amend any of the foregoing second through fifth provisions.In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General CorporationLaw, which limits the ability of stockholders owning in excess of 15% of our outstanding voting stock to merge or combine with us. Although webelieve these provisions collectively provide for an opportunity to obtain greater value for stockholders by requiring potential acquirers to negotiatewith our board of directors, they would apply even if an offer rejected by our board were considered beneficial by some stockholders. In addition,these provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficultfor stockholders to replace members of our board of directors, which is responsible for appointing the members of our management.Item 1B.Unresolved Staff CommentsNone.36Table of ContentsItem 2.PropertiesOur principal executive offices are located in Foster City, California, where we occupy a 76,922 square-foot facility under a lease expiring onApril 30, 2028. We have additional U.S. offices in Bellevue, Washington and Raleigh, North Carolina. We also lease offices in Courbevoie, France;Moscow, Russia; Munich, Germany; Frankfurt, Germany; Nuremberg, Germany; Pune, India; Dubai, United Arab Emirates; Reading, UnitedKingdom; and Tokyo, Japan. We believe our facilities are adequate for our current needs and for the foreseeable future.We operate principal data centers at third-party facilities in Santa Clara, California; Ashburn, Virginia; Geneva, Switzerland; Pune, India; andAmsterdam, the Netherlands.Item 3.Legal ProceedingsFrom time to time we may become involved in legal proceedings or be subject to claims arising in the ordinary course of our business. We arenot presently a party to any legal proceedings that, if determined adversely to us, would individually or taken together have a material adverse effecton our business, operating results, financial condition or cash flows. Regardless of the outcome, litigation can have an adverse impact on usbecause of defense and settlement costs, diversion of management resources and other factors.Item 4.Mine Safety Disclosures.Not Applicable.37Table of ContentsPART IIItem 5.Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases ofEquity SecuritiesMarket InformationOur common stock is listed on the NASDAQ Stock Market under the trading symbol “QLYS”. The following table sets forth the high and low pershare sales prices for our common stock as reported on the NASDAQ Stock Market for the two most recent fiscal years: Low HighFiscal 2017: Fourth quarter $50.00 $62.35 Third quarter $39.45 $53.55 Second quarter $34.80 $44.35 First quarter $31.80 $38.38Fiscal 2016: Fourth quarter $30.61 $39.67 Third quarter $29.69 $38.32 Second quarter $23.77 $32.65 First quarter $16.96 $32.48Holders of Common EquityAs of January 31, 2018, there were approximately 94 holders of record of our common stock. Because many of our shares of common stockare held by brokers and other institutions on behalf of stockholders, we are unable to estimate the total number of stockholders represented bythese record holders.Dividend PolicyWe have never declared or paid any cash dividends on our capital stock. We currently intend to retain any future earnings to fund businessdevelopment and growth, and do not expect to pay any dividends in the foreseeable future. Any future determination to declare cash dividends willbe made at the discretion of our board of directors, subject to applicable laws, and will depend on a number of factors, including our financialcondition, results of operations, capital requirements, contractual restrictions, general business conditions and other factors that our board ofdirectors may deem relevant.Securities Authorized for Issuance under Equity Compensation PlansThe following table summarizes information about our equity compensation plans as of December 31, 2017 . All outstanding awards relate toour common stock.Plan Category (a) Number of Securities to beIssued UponExercise ofOutstandingOptions, Warrantsand Rights (b) Weighted-AverageExercise Price ofOutstanding Options,Warrants and Rights (c) Number of SecuritiesRemaining Available forFuture Issuance UnderEquity CompensationPlans (ExcludingSecurities Reflected inColumn (a))Equity compensation plans approved bysecurity holders(1) 4,495,891 $25.29 2,208,858Equity compensation plans not approvedby security holders — $— —(1) Equity compensation plans approved by stockholders include the 2000 Equity Incentive Plan, as amended and the 2012 Equity IncentivePlan. Prior to our IPO, we issued securities under our 2000 Equity Incentive Plan, as amended. Following our IPO, we issued securities underour 2012 Equity Incentive Plan.38Table of ContentsStock Price Performance GraphThe following graph shows a comparison from December 31, 2012 through December 31, 2017 of the cumulative total return for an investmentof $100 (and the reinvestment of dividends) in our common stock, the NASDAQ Global Select Market and the NASDAQ Computer. Such returns arebased on historical results and are not intended to suggest future performance.COMPARISON OF CUMULATIVE TOTAL RETURN*Among Qualys, Inc., NASDAQ-Global Select Market Composite Index, and NASDAQ Computer Index Dec 31, 2012 Dec 31, 2013 Dec 31, 2014 Dec 31, 2015 Dec 31, 2016 Dec 31, 2017Qualys, Inc.$100.00 $156.25 $255.24 $223.73 $214.00 $401.28NASDAQ Global Select Market$100.00 $138.00 $156.90 $166.49 $179.13 $230.05NASDAQ Computer$100.00 $131.95 $158.17 $168.05 $188.67 $261.81The information on the above Stock Price Performance Graph shall not be deemed to be “filed” for purposes of Section 18 of the SecuritiesExchange Act of 1934, as amended, or otherwise subject to the liabilities of that section or Sections 11 and 12(a)(2) of the Securities Act of 1933, asamended, and shall not be incorporated by reference into any registration statement or other document filed by us with the Securities and ExchangeCommission, whether made before or after the date of this Annual Report on Form 10-K, regardless of any general incorporation language in suchfiling, except as shall be expressly set forth by specific reference in such filing.Purchases of Equity Securities by the Issuer and Affiliated PurchasersNo shares of our common stock were repurchased during the fourth quarter of 2017 .39Table of ContentsItem 6.Selected Consolidated Financial DataThe following selected consolidated financial data should be read in conjunction with "Item 7. Management’s Discussion and Analysis ofFinancial Condition and Results of Operations” and our consolidated financial statements, related notes and other financial information includedelsewhere in this Annual Report on Form 10-K. Our historical results are not necessarily indicative of the results that may be expected in the future,and the results for the year ended December 31, 2017 are not necessarily indicative of operating results to be expected for any other period. Year Ended December 31, 2017 2016 2015 2014 2013 (in thousands, except per share data)Consolidated Statements of Operations Data: Revenues $230,828 $197,925 $164,284 $133,579 $107,962Income from operations $37,243 $30,107 $24,806 $9,247 $2,309Net income $40,440 $19,224 $15,865 $30,244 $1,541Net income per share attributable to common stockholders: (1) Basic $1.08 $0.55 $0.47 $0.92 $0.05Diluted $1.01 $0.50 $0.42 $0.81 $0.04 As of December 31, 2017 2016 2015 2014 2013 (in thousands)Consolidated Balance Sheet Data: Cash, cash equivalents and short-term investments $288,414 $243,856 $178,966 $127,218 $97,196Long-term investments 67,224 45,725 43,277 39,448 35,608Total assets 537,525 407,004 323,514 260,024 192,603Deferred revenues, current 143,186 114,964 98,025 81,147 67,505Deferred revenues, noncurrent 17,136 15,528 14,564 10,064 8,889Total stockholders’ equity 343,544 258,413 195,566 151,827 103,117 (1) See Notes 1 and 12 to our consolidated financial statements included elsewhere in this Annual Report on Form 10-K for an explanation of the calculation ofour basic and diluted income per share attributable to common stockholders.40Table of ContentsItem 7.Management's Discussion and Analysis of Financial Condition and Results of OperationsYou should read the following discussion in conjunction with the section titled "Selected Consolidated Financial Data" and ourconsolidated financial statements and the related notes included elsewhere in this Annual Report on Form 10-K. In addition to historicalinformation, this discussion contains forward-looking statements that involve risks and uncertainties that could cause our actual results todiffer materially from our expectations, as discussed in "Forward-Looking Statements" in Part I of this Annual Report on Form 10-K. Factorsthat could cause such differences include, but are not limited to, those described in the section titled "Risk Factors" and elsewhere in thisAnnual Report on Form 10-K.OverviewWe are a pioneer and leading provider of a cloud-based platform delivering security and compliance solutions that enable organizations toidentify security risks to their information technology (IT) infrastructures, help protect their IT systems and applications from ever-evolving cyber-attacks and achieve compliance with internal policies and external regulations. Our cloud solutions address the growing security and compliancecomplexities and risks that are amplified by the dissolving boundaries between internal and external IT infrastructures and web environments,the rapid adoption of cloud computing and the proliferation of geographically dispersed IT assets. Our integrated suite of security andcompliance solutions delivered on our Qualys cloud platform enables our customers to identify their IT assets, collect and analyze largeamounts of IT security data, discover and prioritize vulnerabilities, recommend remediation actions and verify the implementation of suchactions. Organizations use our integrated suite of solutions delivered on our Qualys cloud platform to cost-effectively obtain a unified view oftheir security and compliance posture across globally-distributed IT infrastructures as our solution offers a single platform for informationsecurity, application security, endpoint, developer security and cloud teams.We were founded and incorporated in December 1999 with a vision of transforming the way organizations secure and protect their ITinfrastructure and applications and initially launched our first cloud solution, Vulnerability Management (VM), in 2000. As VM gained acceptance,we introduced new solutions to help customers manage increasing IT security and compliance requirements. Today, the suite of solutionsoffered on our cloud platform, which we refer to as the Qualys Cloud Apps, includes: Asset Inventory (AI), CMDB Sync (SYN), VM, ContinuousMonitoring (CM), Cloud Agent Platform (CAP), Threat Protection (TP), Security Configuration Assessment (SCA), Indication ofCompromise (IOC), Policy Compliance (PC), PCI Compliance (PCI), Security Assessment Questionnaire (SAQ), File Integrity Monitoring (FIM),Web Application Scanning (WAS) and Web Application Firewall (WAF). Our VM solutions (including VM, AI, SYN, CM, TP, Cloud Agent for VM,allocated scanner revenue and Qualys Private Cloud Platform) have provided a substantial majority of our revenues to date, representing 75% ,76% and 77% of total revenues in 2017 , 2016 and 2015 , respectively.We provide our solutions through a software-as-a-service model, primarily with renewable annual subscriptions. These subscriptionsrequire customers to pay a fee in order to access our cloud solutions. We invoice our customers for the entire subscription amount at the start ofthe subscription term, and the invoiced amounts are treated as deferred revenues and are recognized ratably over the term of eachsubscription. We continue to experience significant revenue growth from existing customers as they renew and purchase additionalsubscriptions . Revenues from customers existing at or prior to December 31, 2016 grew by $21.5 million to $219.4 million during 2017 .Subscriptions from new customers added in 2017 contributed $11.4 million to the increase in revenues. We expect revenue growth from existingand new customers to continue.We market and sell our solutions to enterprises, government entities and small and medium-sized businesses across a broad range ofindustries, including education, financial services, government, healthcare, insurance, manufacturing, media, retail, technology and utilities. Asof December 31, 2017 , we had over 10,300 customers in more than 130 countries, including a majority of each of the Forbes Global 100 andFortune 100. In 2017 , 2016 and 2015 , approximately 70% , 71% and 70% , respectively, of our revenues were derived from customers in theUnited States. We sell our solutions to enterprises and government entities primarily through our field sales force and to small and medium-sized businesses through our inside sales force. We generate a significant portion of sales through our channel partners, including managedservice providers, value-added resellers and consulting firms in the United States and internationally.We have had continued revenue growth over the past three years. Our revenues increased from $164.3 million in 2015 to $197.9 million in2016 , and reached $230.8 million in 2017 , representing period-over-period increases of $33.6 million and $32.9 million , or 20% and 17% ,respectively. We generated net income of $ 15.9 million in 2015 , $19.2 million in 2016 , and $40.4 million in 2017 .41Table of ContentsKey MetricIn addition to measures of financial performance presented in our consolidated financial statements, we monitor the key metric set forth belowto help us evaluate growth trends, establish budgets, measure the effectiveness of our sales and marketing efforts and assess operationalefficiencies. Year Ended December 31, 2017 2016 2015 (in thousands)Adjusted EBITDA $84,933 $67,966 $56,660Adjusted EBITDAWe monitor Adjusted EBITDA, a non-GAAP financial measure, to analyze our financial results and believe that it is useful to investors, as asupplement to U.S. GAAP measures, in evaluating our ongoing operational performance and enhancing an overall understanding of our pastfinancial performance. We believe that Adjusted EBITDA helps illustrate underlying trends in our business that could otherwise be masked by theeffect of the income or expenses that we exclude in Adjusted EBITDA. Furthermore, we use this measure to establish budgets and operational goalsfor managing our business and evaluating our performance. We also believe that Adjusted EBITDA provides an additional tool for investors to use incomparing our recurring core business operating results over multiple periods with other companies in our industry.Adjusted EBITDA should not be considered in isolation from, or as a substitute for, financial information prepared in accordance with U.S.GAAP. We calculate Adjusted EBITDA as net income before (1) other (income) expense, net, which includes interest income, interest expense andother income and expense, (2) provision for (benefit from) income taxes, (3) depreciation and amortization of property and equipment, (4)amortization of intangible assets, (5) stock-based compensation, (6) non-recurring expenses and (7) acquisition-related expenses that do not reflectongoing costs of operating the business.The following unaudited table presents the reconciliation of net income to Adjusted EBITDA for each of the periods presented. Year Ended December 31, 2017 2016 2015 (in thousands)Net income $40,440 $19,224 $15,865Depreciation and amortization of property and equipment 19,828 16,621 13,974Amortization of intangible assets 808 373 386Interest expense 3 26 6(Benefit from) provision for income taxes (1,062) 11,205 8,655EBITDA 60,017 47,449 38,886Stock-based compensation 26,961 20,149 17,494Other (income) expense, net (2,138) (348) 280Acquisition-related expense (1) 93 — —One-time tax related expense (2) — 716 —Adjusted EBITDA $84,933 $67,966 $56,660Percentage of revenues 37% 34% 34%(1) Adjusted EBITDA for 2017 excludes approximately $0.1 million of compensation expense from the acquisition of NetWatcher.(2) Adjusted EBITDA for 2016 excludes approximately $0.7 million of a non-recurring expense related to the remittance of payroll taxes from fiscal year 2013 through May2016. During this same period, we have not excluded any amounts related to other non-recurring items from Adjusted EBITDA because we have considered such amounts tobe immaterial.42Table of ContentsLimitations of Adjusted EBITDAAdjusted EBITDA, a non-GAAP financial measure, has limitations as an analytical tool, and should not be considered in isolation from or as asubstitute for the measures presented in accordance with U.S. GAAP. Some of these limitations are:•Adjusted EBITDA does not reflect certain cash and non-cash charges that are recurring;•Adjusted EBITDA does not reflect income tax payments that reduce cash available to us;•Adjusted EBITDA excludes depreciation and amortization of property and equipment and, although these are non-cash charges, the assetsbeing depreciated and amortized may have to be replaced in the future; and•Other companies, including companies in our industry, may calculate Adjusted EBITDA differently or not at all, which reduces its usefulnessas a comparative measure.Because of these limitations, Adjusted EBITDA should be considered alongside other financial performance measures, including revenues, netincome, cash flows from operating activities and our financial results presented in accordance with U.S. GAAP.43Table of ContentsKey Components of Results of OperationsRevenuesWe derive revenues from the sale of subscriptions to our security and compliance solutions, which are delivered on our cloud platform.Subscriptions to our solutions allow customers to access our cloud-based security and compliance solutions through a unified, web-based interface.Customers generally enter into one year renewable subscriptions. The subscription fee entitles the customer to an unlimited number of scans for aspecified number of devices or web applications and, if requested by a customer as part of their subscription, a specified number of physical orvirtual scanner appliances. Our physical and virtual scanner appliances are requested by certain customers as part of their subscriptions in order toscan IT infrastructures within their firewalls and do not function without, and are not sold separately from, subscriptions for our solutions. Customersare required to return physical scanner appliances and computer equipment if they do not renew their subscriptions.We typically invoice our customers for the entire subscription amount at the start of the subscription term. Invoiced amounts are reflected onour consolidated balance sheets as accounts receivable or as cash when collected, and as deferred revenues until earned and recognized ratablyover the subscription period. Accordingly, deferred revenues represent the amount billed to customers that has not yet been earned or recognizedas revenues, pursuant to subscriptions entered into in current and prior periods.Cost of RevenuesCost of revenues consists primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and stock-basedcompensation, for employees who operate our data centers and provide support services to our customers. Other expenses include depreciation ofdata center equipment and physical scanner appliances and computer hardware provided to certain customers as part of their subscriptions,expenses related to the use of third-party data centers, amortization of third-party technology licensing fees, amortization of intangibles related toacquisitions, maintenance support, fees paid to contractors who supplement or support our operations center personnel and overhead allocations.We expect to continue to make capital investments to expand and support our data center operations, which will increase the cost of revenues inabsolute dollars.Operating ExpensesResearch and DevelopmentResearch and development expenses consist primarily of personnel expenses, comprised of salaries, benefits, performance-basedcompensation and stock-based compensation, for our research and development teams. Other expenses include third-party contractor fees,amortization of intangibles related to acquisitions and overhead allocations. All research and development costs are expensed as incurred. Weexpect to continue to devote substantial resources to research and development in an effort to continuously improve our existing solutions as well asdevelop new solutions and capabilities and expect that research and development expenses will increase in absolute dollars.Sales and MarketingSales and marketing expenses consist primarily of personnel expenses, comprised of salaries, benefits, sales commissions, performance-based compensation and stock-based compensation for our worldwide sales and marketing teams. Other expenses include marketing andpromotional events, lead-generation marketing programs, public relations, travel, software licenses and overhead allocations. All costs are expensedas incurred, including sales commissions. Sales commissions are expensed in the quarter in which the related order is received and are paid in themonth subsequent to the end of that quarter, which results in increased expenses prior to the recognition of related revenues. Our new salespersonnel are typically not immediately productive, and the resulting increase in sales and marketing expenses we incur when we add newpersonnel may not result in increased revenues if these new sales personnel fail to become productive. The timing of our hiring of sales personnel,or the participation in new marketing events or programs, and the rate at which these generate incremental revenues, may affect our futureoperating results. We expect to continue to significantly invest in additional sales personnel worldwide and also in more marketing programs tosupport new solutions on our platform, which will increase sales and marketing expenses in absolute dollars.44Table of ContentsGeneral and AdministrativeGeneral and administrative expenses consist primarily of personnel expenses, comprised of salaries, benefits, performance-basedcompensation and stock-based compensation, for our executive, finance and accounting, legal and human resources teams, as well as professionalservices, insurance, fees, and software licenses. We expect that general and administrative expenses will increase in absolute dollars, as wecontinue to add personnel and incur professional services to support our growth and compliance with legal requirements.Other Income (Expense), NetOur other income (expense), net consists primarily of interest and investment income from our short-term and long-term investments; foreignexchange gains and losses, the majority of which result from fluctuations between the U.S. dollar and the Euro, British Pound and Indian Rupee;losses on disposal of property and equipment; and impairment of long-lived assets.Provision for Income TaxesWe are subject to federal, state and foreign income taxes for jurisdictions in which we operate, and we use estimates in determining ourprovision for these income taxes and deferred tax assets. Earnings from our non-U.S. activities are subject to income taxes in the local countries atrates which were generally lower than U.S. tax rates during 2017 and may also be subject to U.S. income taxes. Our effective rates differ from theU.S. statutory rate primarily due to foreign income subject to different tax rates than the U.S., research and development tax credits, non-deductiblestock-based compensation expense, excess tax benefits related to stock-based compensation and other adjustments.Income taxes are accounted for under the asset and liability method. Deferred tax assets and liabilities are recognized for the tax impact oftiming differences between the financial statement carrying amounts of existing assets and liabilities and their respective tax bases and operatingloss and tax credit carry-forwards. Deferred tax assets and liabilities are measured using statutory tax rates expected to apply to taxable income inthe years in which those temporary differences are expected to be recovered or settled. The effect on deferred tax assets and liabilities of a changein tax rates is recognized in income in the period when the statutory rate change is enacted into law. During 2017, we recognized an expense of$10.4 million as a result of re-measuring deferred tax assets and liabilities using the reduced U.S. federal tax rate of 21% which decreased from35% due to the enactment of the 2017 Tax Act.We assess the likelihood that deferred tax assets will be realized, and we recognize a valuation allowance if it is more likely than not that someportion of the deferred tax assets will not be recognized. This assessment requires judgment as to the likelihood and amounts of future taxableincome. Our benefit from income taxes in 2017 consists of a tax benefit for excess tax benefits related to stock-based compensation and the recognitionof our U.S. federal and certain state deferred tax assets including federal research credits. The tax benefit was partially offset by the re-measurement of deferred taxes due to the 2017 Tax Act and income taxes for profits generated in foreign jurisdictions by wholly-owned subsidiaries.45Table of ContentsResults of OperationsThe following tables set forth selected consolidated statements of operations data for each of the periods presented. Year Ended December 31, 2017 2016 2015 (in thousands)Consolidated Statements of Operations data: Revenues $230,828 $197,925 $164,284Cost of revenues (1) 51,580 43,128 34,327Gross profit 179,248 154,797 129,957Operating expenses: Research and development (1) 42,816 36,591 30,438Sales and marketing (1) 63,855 58,985 50,397General and administrative (1) 35,334 29,114 24,316Total operating expenses 142,005 124,690 105,151Income from operations 37,243 30,107 24,806Other income (expense), net 2,135 322 (286)Income before income taxes 39,378 30,429 24,520(Benefit from) provision for income taxes (1,062) 11,205 8,655Net income $40,440 $19,224 $15,865(1) Includes stock-based compensation as follows: Year Ended December 31, 2017 2016 2015 (in thousands)Cost of revenues $2,159 $1,858 $1,250Research and development 5,944 5,678 4,936Sales and marketing 4,755 4,870 3,867General and administrative 14,103 7,743 7,441Total stock-based compensation $26,961 $20,149 $17,49446Table of ContentsThe following table sets forth selected consolidated statements of operations data for each of the periods presented as a percentage ofrevenues. Year Ended December 31, 2017 2016 2015Revenues 100 % 100% 100 %Cost of revenues 22 22 21Gross profit 78 78 79Operating expenses: Research and development 19 18 18Sales and marketing 28 30 31General and administrative 15 15 15Total operating expenses 62 63 64Income from operations 16 15 15Other income (expense), net 1 0 0Income before income taxes 17 15 15(Benefit from) provision for income taxes (1) 5 5Net income 18 % 10% 10 %Comparison of Years Ended December 31, 2017 and 2016Revenues Year Ended December 31, Change 2017 2016 $ % (in thousands, except percentages)Revenues $230,828 $197,925 $32,903 17%Revenues increased $32.9 million in 2017 compared to 2016 . Revenues from customers existing at or prior to December 31, 2016 grew by $21.5 million to $219.4 million during 2017 . Subscriptions from new customers added in 2017 contributed $ 11.4 million to the increase in revenues.Of the total increase of $32.9 million , $22.9 million was from customers in the United States and the remaining $10.0 million was from customers inforeign countries. We expect revenue growth from existing and new customers to continue. The growth in revenues reflects the continued demandfor our solutions.Cost of Revenues Year Ended December 31, Change 2017 2016 $ % (in thousands, except percentages)Cost of revenues $51,580 $43,128 $8,452 20%Percentage of revenues 22% 22% Gross profit percentage 78% 78% Cost of revenues increased $8.5 million in 2017 compared to 2016 , primarily due to an increase in personnel expenses of $4.1 million, drivenby the increase in the number of employees to support the continued growth of our business; a $2.8 million increase in depreciation expense relatedto additional computer hardware and software; a $0.5 million increase in amortization expense related to acquired technology resulting from ourbusiness acquisitions; increased data center costs of $0.5 million; and increased consulting services and third-party software license maintenanceexpense of $0.2 million each as our business continues to grow.47Table of ContentsResearch and Development Expenses Year Ended December 31, Change 2017 2016 $ % (in thousands, except percentages)Research and development $42,816 $36,591 $6,225 17%Percentage of revenues 19% 18% Research and development expenses increased $6.2 million in 2017 compared to 2016 , primarily due to an increase in personnel expenses of$5.7 million, driven by additional employees hired to support the growth of our business; and increased related facilities costs and expenses of $1.0million to support our research and development activities. These increases were partially offset by lower consulting services of $0.4 million. Wecontinue to significantly invest in and expand our research and development teams to continuously improve our platform and existing solutions, aswell as develop new solutions and capabilities.Sales and Marketing Expenses Year Ended December 31, Change 2017 2016 $ % (in thousands, except percentages)Sales and marketing $63,855 $58,985 $4,870 8%Percentage of revenues 28% 30% Sales and marketing expenses increased $4.9 million in 2017 compared to 2016 , primarily due to an increase in personnel expenses of $3.8million, driven by the increase in the number of employees to support the growth of our business; and increased marketing expenses of $1.2 million,including lead generation expense.General and Administrative Expenses Year Ended December 31, Change 2017 2016 $ % (in thousands, except percentages)General and administrative $35,334 $29,114 $6,220 21%Percentage of revenues 15% 15% General and administrative expenses increased $6.2 million in 2017 compared to 2016 , primarily driven by an increase in personnel expensesof $7.4 million, principally due to higher executive stock-based compensation and the addition of new employees to support the growth of ourbusiness. The increase was partially offset by lower legal fees of $1.4 million.48Table of ContentsTotal Other Income (Expense), Net Year Ended December 31, Change 2017 2016 $ % (in thousands, except percentages)Total other income (expense), net $2,135 $322 $1,813 563%Percentage of revenues 1% 0 % Total other income (expense), net, increased $1.8 million in 2017 compared to 2016 , primarily due to an increase in interest income as ourcash and investment balances increased year over year.(Benefit from) Provision for Income Taxes Year Ended December 31, Change 2017 2016 $ % (in thousands, except percentages)(Benefit from) provision for income taxes $(1,062) $11,205 $(12,267) (109)%Percentage of revenues (1)% 5% We recorded an income tax benefit of $1.1 million in 2017 as compared to an income tax provision of $11.2 million in 2016 . This was primarilydue to the favorable impact of excess tax benefits from stock-based compensation of $27.1 million due to the adoption of A SU 2016-09 in 2017.This benefit was partially offset by $10.4 million of expense recorded for the re-measuring of deferred tax assets and liabilities due to the decreasein the federal rate from 35% to 21% resulting from the Tax Cuts and Jobs Act, enacted into law on December 22, 2017.Comparison of Years Ended December 31, 2016 and 2015Revenues Year Ended December 31, Change 2016 2015 $ % (in thousands, except percentages)Revenues $197,925 $164,284 $33,641 20%Revenues increased $33.6 million in 2016 compared to 2015 . Revenues from customers existing at or prior to December 31, 2015 grew by$20.4 million to $184.7 million during 2016 . Subscriptions from new customers added in 2016 contributed $ 13.2 million to the increase in revenues.Of the total increase of 33.6 million , $24.4 million was from customers in the United States and the remaining $9.3 million was from customers inforeign countries. The growth in revenues reflects the continued demand for our solutions.49Table of ContentsCost of Revenues Year Ended December 31, Change 2016 2015 $ % (in thousands, except percentages)Cost of revenues $43,128 $34,327 $8,801 26%Percentage of revenues 22% 21% Gross profit percentage 78% 79% Cost of revenues increased $8.8 million in 2016 compared to 2015 , primarily due to an increase in personnel expenses of $2.7 million tosupport the continued growth of our business; a $2.2 million increase in depreciation expenses related to additional computer hardware andsoftware; an increase in third-party software maintenance expense of $2.1 million; increased data center and equipment repair and maintenance of$0.5 million; increased overhead costs of $0.5 million; and increased temporary services of $0.2 million as we continued to grow.Research and Development Expenses Year Ended December 31, Change 2016 2015 $ % (in thousands, except percentages)Research and development $36,591 $30,438 $6,153 20%Percentage of revenues 18% 18% Research and development expenses increased $6.2 million in 2016 compared to 2015 , primarily due to an increase in personnel expenses of$4.9 million, driven by the increase in the number of employees; increased temporary services of $0.5 million; and increased overhead costs of $0.5million we continued to grow. We continue to significantly invest in and expand our research and development teams to continuously improve ourplatform and existing solutions, as well as develop new solutions and capabilities.Sales and Marketing Expenses Year Ended December 31, Change 2016 2015 $ % (in thousands, except percentages)Sales and marketing $58,985 $50,397 $8,588 17%Percentage of revenues 30% 31% Sales and marketing expenses increased $8.6 million in 2016 compared to 2015 , primarily due to an increase in personnel expenses of $5.2million. principally due to the increase in the number of employees; increased marketing expenses of $2.1 million, primarily trade show, leadgeneration and branding expenses; and increased software license and maintenance fees of $0.9 million.50Table of ContentsGeneral and Administrative Expenses Year Ended December 31, Change 2016 2015 $ % (in thousands, except percentages)General and administrative $29,114 $24,316 $4,798 20%Percentage of revenues 15% 15% General and administrative expenses increased $4.8 million in 2016 compared to 2015 , primarily driven by increased legal, accounting,consulting and temporary services of $2.8 million; increased personnel expenses of $2.4 million, primarily due to additional employees to supportthe growth of our business; $0.7 million of a non-recurring expense in 2016 related to the remittance of payroll taxes from fiscal year 2013 throughMay 2016; and a $0.3 million increase in dues and subscriptions. These increases were partially offset by $0.7 million of lower allocated costs forcertain information technology expenses and by lower bad debt expense of $0.7 million.Total Other Income (Expense), Net Year Ended December 31, Change 2016 2015 $ % (in thousands, except percentages)Total other income (expense), net $322 $(286) $608 (213)%Percentage of revenues 0% 0 % Total other income (expense), net increased $0.6 million in 2016 compared to 2015 , primarily due to an increase in investment and interestincome and lower foreign exchange losses.Provision for Income Taxes Year Ended December 31, Change 2016 2015 $ % (in thousands, except percentages)Provision for income taxes $11,205 $8,655 $2,550 29%Percentage of revenues 5% 5% The increase in the provision is primarily due to the significant increase in income before tax of $30.4 million in 2016 compared to $24.5 millionin 2015.51Table of ContentsLiquidity and Capital ResourcesAt December 31, 2017 , our principal source of liquidity was cash, cash equivalents and short-term and long-term investments of $355.6 million, including $7.5 million held outside of the United States by our foreign subsidiaries. We do not anticipate that we will need funds generated fromforeign operations to fund our domestic operations. However, if we repatriate these funds, we could be subject to foreign withholding taxes.We have experienced positive cash flows from operations during the years ended December 31, 2017, 2016 and 2015 , respectively. Webelieve our existing cash, cash equivalents, short-term and long-term investments, and cash from operations will be sufficient to fund our operationsfor at least the next twelve months. We expect to spend approximately $23.0 to $28.0 million through December 31, 2018 for capital expenditures,primarily related to infrastructure to support the anticipated growth in our business. Our future capital requirements will depend on many factors,including our rate of revenue growth, the expansion of our sales and marketing activities, the timing, type and extent of our spending on researchand development efforts, international expansion and investment in data centers. We may also seek to invest in or acquire complementarybusinesses or technologies.Cash FlowsThe following summary of cash flows for the periods indicated has been derived from our consolidated financial statements included elsewherein this report: Year Ended December 31, 2017 2016 2015 (in thousands)Cash provided by operating activities $107,646 $68,110 $65,960Cash used in investing activities (118,195) (96,490) (61,348)Cash provided by financing activities 10,403 23,419 10,582Net (decrease) increase in cash and cash equivalents $(146) $(4,961) $15,194Cash Flows from Operating ActivitiesIn 2017 , cash provided by operating activities of $107.6 million was primarily due to $40.4 million of net income, as adjusted by increases indeferred revenues of $29.8 million , attributable to our continued growth in sales; non-cash items including depreciation and amortization expense of$20.6 million and stock-based compensation expense of $27.0 million; and an increase in other noncurrent liabilities of $7.3 million, primarilyattributable to deferred rent relating to our office facility . These increases were partially offset by an increase in accounts receivable of $18.0 milliondue to the timing of customer payments.In 2016 , cash flows from operating activities of $68.1 million resulted primarily from our net income of approximately $19.2 million , as adjustedby increases in deferred revenues of $17.9 million , attributable to our continued growth in sales; accrued liabilities of $9.7 million; non-cash itemsincluding depreciation and amortization expense of $17.0 million; and stock-based compensation expense of $20.1 million . These increases werepartially offset by the non-cash effect of excess tax benefits from stock based compensation of $8.7 million, an increase in prepaid expenses andother assets of $2.1 million and an increase in accounts receivable of $4.9 million.In 2015 , cash flows from operating activities of $66.0 million resulted primarily from our net income of approximately $15.9 million , asadjusted by an increase in deferred revenues of $21.4 million, attributable to our continued growth; an increase in subscriptions exceeding one year;and non-cash items including depreciation and amortization expense of $14.4 million, stock-based compensation expense of $17.5 million and netutilization of deferred income taxes of $6.6 million. These increases were partially offset by an increase in accounts receivable of $10.2 million.52Table of ContentsCash Flows from Investing ActivitiesIn 2017 , cash used in investing activities of $118.2 million was primarily attributable to net purchases of investments of $67.9 million and netcash paid in connection with our acquisitions of Nevis Networks (India) Private Limited (Nevis) and Defensative, LLC (NetWatcher) of $12.5 million.Additionally, $37.8 million of cash was used for capital expenditures, including the buildout of our new headquarters facility, computer hardware andsoftware for our data centers to support our growth and development, and to purchase physical scanner appliances and computer hardwareprovided to certain customers as part of their subscriptions.In 2016, cash used in investing activities of $96.5 million was primarily attributable to net purchases of investments of $73.2 million, arisingfrom cash provided from operating activities. Additionally, $23.2 million of cash was used for capital expenditures, including computer hardware andsoftware for our data centers to support our growth and development, and to purchase physical scanner appliances and computer hardwareprovided to certain customers as part of their subscriptions.In 2015, cash used in investing activities of $61.3 million was primarily attributable to $20.1 million of cash for capital expenditures, includingcomputer hardware and software for our data centers to support our growth and development, and to purchase physical scanner appliances andcomputer hardware provided to certain customers as part of their subscriptions. Additionally, there were also net purchases of investments of $41.2million, arising from cash provided from operating activities.Cash Flows from Financing ActivitiesIn 2017 , cash provided by financing activities of $10.4 million was primarily attributable to $31.3 million of proceeds from the exercise of stockoptions, offset by employee payroll taxes paid related to net share settlement of equity awards of $20.9 million.In 2016, cash provided by financing activities of $23.4 million was primarily attributable to $15.2 million of proceeds from the exercise of stockoptions and $8.7 million of excess tax benefits from stock based compensation.In 2015, cash provided by financing activities of $10.6 million was primarily attributable to $10.1 million of proceeds from the exercise of stockoptions. 53Table of ContentsContractual ObligationsOur principal commitments consist of obligations under our outstanding leases for office space, third-party data centers and office equipment.The following table summarizes our contractual cash obligations at December 31, 2017 and the effect such obligations are expected to have on ourliquidity and cash flows in future periods: Payment Due by PeriodContractual Obligations Total Less Than1 Year 1-3Years 3-5Years More than 5Years (in thousands) Operating lease obligations $48,896 $6,893 $11,199 $8,804 $22,000On October 14, 2016, we entered into a lease agreement (included in the table above) for our new headquarters office facility. The leasepayments commence on May 1, 2018 and the lease has a ten-year term through April 2028. The total commitment of $38.6 million is payablemonthly with escalating rental payments throughout the lease term. We took possession of the facility on May 1, 2017, completed construction of thefacility and moved into the facility in November 2017.In connection with this lease, we have provided the landlord with a $1.2 million standby letter of credit (classified as restricted cash) to secureour obligations through the end of the lease term.Operating lease obligations represent our obligations to make payments under the lease agreements for our facilities, data centers, and officeequipment leases. During the year ended December 31, 2017, we made regular payments on our operating lease obligations of $4.4 million.Off-Balance Sheet ArrangementsDuring the periods presented, we did not have, nor do we currently have, any relationships with unconsolidated entities or financialpartnerships, such as entities often referred to as structured finance or special purpose entities.Recent Accounting PronouncementsSee Note 1 to the consolidated financial statements in Part II, Item 8 of this Annual Report on Form10-K for a discussion of recent accountingpronouncements.54Table of ContentsCritical Accounting Policies and EstimatesOur consolidated financial statements are prepared in accordance with U.S. GAAP. The preparation of these financial statements requires usto make estimates and assumptions that affect the reported amounts of assets, liabilities, revenues, expenses and related disclosures. On anongoing basis, we evaluate our estimates and assumptions. Our actual results may differ from these estimates under different assumptions orconditions.We believe that of our significant accounting policies, which are described in the notes to our consolidated financial statements, the followingaccounting policies involve the greatest degree of judgment and complexity and have the greatest potential impact on our consolidated financialstatements. A critical accounting policy is one that is material to the presentation of our consolidated financial statements and requires us to makedifficult, subjective or complex judgments for uncertain matters that could have a material effect on our financial condition and results of operations.Accordingly, these are the policies we believe are the most critical to aid in fully understanding and evaluating our financial condition and results ofoperations. For further information on all of our significant accounting policies, see Note 1 - The Company and Summary of Significant AccountingPolicies in the accompanying notes to the consolidated financial statements included in Part II, Item 8, "Financial Statements and SupplementaryData" of this Annual Report on Form 10-K.Revenue RecognitionWe derive revenues from the sale of subscriptions to our security and compliance solutions, which are delivered on our cloud platform.Subscriptions to our solutions allow customers to access our cloud-based security and compliance solutions through a unified, web-based interface.Customers generally enter into one year renewable subscriptions though some customers do enter into subscriptions with longer terms. Thesubscription fee entitles the customer to an unlimited number of scans for a specified number of devices or web applications and, if requested by acustomer as part of their subscription, a specified number of physical or virtual scanner appliances. Our physical and virtual scanner appliances arerequested by certain customers as part of their subscriptions in order to scan IT infrastructures within their firewalls and do not function without, andare not sold separately from, subscriptions for our solutions. In some limited cases, we also provide certain computer equipment used to extend ourQualys cloud platform into our customers’ private cloud environment. Customers are required to return physical scanner appliances and computerequipment if they do not renew their subscriptions.Subscriptions for unlimited scans and certain limited scan arrangements with firm expiration dates are recognized ratably over the period inwhich the services are performed, generally one year. We recognize revenues for certain other limited scan arrangements, where expiration datescan be extended, on an as-used basis. We recognize the subscription of physical scanner appliances and other computer equipment as revenuesratably over the period of the subscription, which is commensurate with the term of the related subscription. Because the customer’s access to ourcloud solutions are delivered at the same time or within close proximity to the delivery of physical scanner appliances and the terms arecommensurate for these services and equipment, we consider these elements as a single unit of accounting recognized ratably over thesubscription term. Physical equipment (scanners and private cloud platforms) are accounted for as operating leases and revenue is recognized overthe subscription term. Costs of shipping and handling charges associated with physical scanner appliances and other computer equipment areincluded in cost of revenues.Deferred r evenues consist of revenues billed or received that will be recognized in the future under subscriptions existing at the balance sheetdate.Income TaxesWe are subject to income taxes in the United States as well as other tax jurisdictions in which we conduct business. Earnings from our non-U.S. activities are subject to local income tax and may also be subject to U.S. income tax.55Table of ContentsIncome tax expense or benefit is recognized for the amount of taxes payable or refundable for the current year, and for deferred tax assets andliabilities for the tax consequences of events that have been recognized in an entity’s financial statements or tax returns. We must make significantassumptions, judgments and estimates to determine our current provision for (benefit from) income taxes, our deferred tax assets and liabilities, andany valuation allowance to be recorded against our deferred tax assets. Our judgments, assumptions and estimates relating to the current provisionfor (benefit from) income taxes include the geographic mix and amount of income (loss), our interpretation of current tax laws, and possibleoutcomes of current and future audits conducted by foreign and domestic tax authorities. Our judgments also include anticipating the tax positionswe will record in the financial statements before actually preparing and filing the tax returns. Our estimates and assumptions may differ from theactual results as reflected in our income tax returns and we record the required adjustments when they are identified or resolved. Changes in ourbusiness, tax laws or our interpretation of tax laws, and developments in current and future tax audits, could significantly impact the amountsprovided for income taxes in our results of operations, financial position, or cash flows.Deferred tax assets and liabilities are recognized for the estimated future tax consequences attributable to tax benefit carry-forwards and todifferences between the financial statement amounts of assets and liabilities and their respective tax basis. We regularly review our deferred taxassets for recoverability and establish a valuation allowance if it is more likely than not that some portion or all of the deferred tax assets will not berealized. To make this assessment, we take into account predictions of the amount and category of taxable income from various sources and allavailable positive and negative evidence about these possible sources of taxable income. The weight given to the potential effect of negative andpositive evidence is commensurate with the extent to which the strength of the evidence can be objectively verified.Based on the analysis of positive and negative factors noted above, we do not have a valuation allowance against U.S. federal and certainstate deferred tax assets. We believe it is more likely than not that our California deferred tax assets will not be realized because the incomeattributed to California is not expected to be sufficient to recognize these deferred tax assets. Accordingly, we continue to record a valuationallowance as of December 31, 2017 for our California deferred tax assets. If, in the future, we determine that these deferred tax assets are morelikely than not to be realized, a release of all or part, of the related valuation allowance could result in an income tax benefit in the period suchdetermination is made.We recognize an income tax expense or benefit with respect to uncertain tax positions in our financial statements that we judge is more likelythan not to be sustained solely on its technical merits in a tax audit, including resolution of any related appeals or litigation processes. To make thisjudgment, we must interpret complex and sometimes ambiguous tax laws, regulations and administrative practices. If an income tax position meetsthe more likely than not recognition threshold, then we must measure the amount of the tax benefit to be recognized by determining the largestamount of tax benefit that has a greater than a 50% likelihood of being realized upon effective settlement with a taxing authority that has fullknowledge of all of the relevant facts. It is inherently difficult and subjective to estimate such amounts, as this requires us to determine theprobability of various possible settlement outcomes. To determine if a tax position is effectively settled after a tax examination has been completed,we must also estimate the likelihood that another taxing authority could review the respective tax position. We must also determine when it isreasonably possible that the amount of unrecognized tax benefits will significantly increase or decrease in the 12 months after each fiscal year-end.These judgments are difficult because a taxing authority may change its behavior as a result of our disclosures in our financial statements. We mustreevaluate our income tax positions on a quarterly basis to consider factors such as changes in facts or circumstances, changes in tax law,effectively settled issues under audit, the potential for interest and penalties, and new audit activity. Such a change in recognition or measurementwould result in recognition of a tax benefit or an additional charge to the tax provision.On December 22, 2017, the 2017 Tax Act was enacted into law. The new legislation contains several key tax provisions that impact theCompany, including the reduction of the corporate income tax rate from 35% to 21% effective January 1, 2018 and a variety of other changes, suchas a one-time repatriation tax on accumulated foreign earnings (transition tax), acceleration of business asset expensing, and reduction in theamount of executive pay that could qualify as a tax deduction, among others. We have estimated our provision for income taxes in accordance withthe 2017 Tax Act and guidance available as of the date of this filing and as a result have recorded $10.4 million as additional income tax expensedue to the re-measurement of certain deferred tax assets and liabilities as a result in the reduction of the federal tax rate. No amount related to theone-time transition tax on the mandatory deemed repatriation of foreign earnings was recorded due to cumulative foreign losses of our subsidiaries.56Table of ContentsOn December 22, 2017, Staff Accounting Bulletin No. 118 ("SAB 118") was issued to address the application of US GAAP in situations when aregistrant does not have the necessary information available, prepared, or analyzed (including computations) in reasonable detail to complete theaccounting for certain income tax effects of the 2017 Tax Act. In accordance with SAB 118, we have determined that the $10.4 million of thedeferred tax expense recorded in connection with the re-measurement of certain deferred tax assets and liabilities and the zero amount of transitiontax on the mandatory deemed repatriation of foreign earnings were provisional amounts and reasonable estimates at December 31, 2017. Acomprehensive analysis of the newly introduced provisions for Global Intangible Low Tax Income (“GILTI”), for which additional guidance isexpected from the U.S. Internal Revenue Service, is required to finalize the amounts of our deferred tax assets and liabilities, and a detailed analysisof historical foreign earnings and the potential correlative adjustments will be performed to verify the transitional tax does not apply. Subsequentadjustments resulting from the additional work referred to above will be recorded to current tax expense in the quarter of 2018 when the analysis iscomplete.As a result of the adoption of ASU 2016-09 on January 1, 2017, the Company recorded a cumulative effect adjustment to increase retainedearnings by $7.7 million with a corresponding increase to deferred tax assets for the federal and state net operating losses and federal researchcredits attributable to excess tax benefits from stock-based compensation which had not been previously recognized. All excess tax benefits anddeficiencies in the current and future periods will be recognized as income tax expense in the Company’s Consolidated Statement of Operations inthe reporting period in which they occur. This will result in increased volatility in the Company’s effective tax rate. For the year ended December 31,2017, the Company recognized a benefit of $27.1 million related to excess tax benefits.Stock-Based CompensationWe recognize the fair value of our employee stock options and restricted stock units over the requisite service period for those awardsultimately expected to vest. The fair value of each option is estimated on date of grant using the Black-Scholes-Merton option pricing model and thefair value of each restricted stock unit is based on the fair value of our stock on the date of grant. Forfeitures are estimated on the date of grant andrevised if actual or expected forfeiture activity differs materially from original estimates.Determining the appropriate fair value model and calculating the fair value of employee stock options requires the use of highly subjectiveassumptions, including the expected life of the stock option and stock price volatility. The assumptions used in calculating the fair value of employeestock options represent management’s best estimates, but the estimates involve inherent uncertainties and the application of management’sjudgment. As a result, if factors change and we use different assumptions, our stock-based compensation expense could be materially different inthe future.We also record compensation representing the fair value of stock options granted to non-employees. Stock-based non-employeecompensation is recognized over the vesting periods of the options. The value of options granted to non-employees is periodically re-measured asthey vest over a performance period.Fair Value MeasurementFair value is defined as the price that would be received to sell an asset or paid to transfer a liability in an orderly transaction between marketparticipants at the measurement date. For certain of our financial instruments, including cash and certain cash equivalents, accounts receivable,accounts payable, and other current liabilities, the carrying amounts approximate their fair value due to the relatively short maturity of thesebalances.We measure and report certain cash equivalents, investments and derivative foreign currency forward contracts at fair value in accordance withthe provisions of the authoritative accounting guidance that addresses fair value measurements. This guidance establishes a hierarchy for inputsused in measuring fair value that maximizes the use of observable inputs and minimizes the use of unobservable inputs by requiring that the mostobservable inputs be used when available. The hierarchy is broken down into three levels based on the reliability of inputs as follows:Level 1 —Valuations based on quoted prices in active markets for identical assets or liabilities.Level 2 —Valuations based on other than quoted prices in active markets for identical assets and liabilities, quoted prices for identical orsimilar assets or liabilities in inactive markets, or other inputs that are observable or can be corroborated by observable market data for substantiallythe full term of the assets or liabilities.57Table of ContentsLevel 3— Valuations based on inputs that are generally unobservable and typically reflect management’s estimates of assumptions thatmarket participants would use in pricing the asset or liability.Our financial instruments consist of assets measured using Level 1 and 2 inputs. Level 1 assets include a highly liquid money market fund,which is valued using unadjusted quoted prices that are available in an active market for an identical asset. Level 2 assets include fixed-income U.S.government agency securities, commercial paper, corporate bonds, asset-backed securities and derivative financial instruments consisting offoreign currency forward contracts. The securities, bonds and commercial paper are valued using prices from independent pricing services based onquoted prices in active markets for similar instruments or on industry models using data inputs such as interest rates and prices that can be directlyobserved or corroborated in active markets. The foreign currency forward contracts are valued using observable inputs.58Table of ContentsItem 7A.Quantitative and Qualitative Disclosures about Market RiskWe have domestic and international operations and we are exposed to market risks in the ordinary course of our business. These risksprimarily include interest rate, foreign exchange and inflation risks, as well as risks relating to changes in the general economic conditions in thecountries where we conduct business. To reduce certain of these risks, we monitor the financial condition of our large customers and limit creditexposure by collecting subscription fees in advance.Foreign Currency RiskOur results of operations and cash flows have been and will continue to be subject to fluctuations because of changes in foreign currencyexchange rates, particularly changes in exchange rates between the U.S. dollar and the Euro, British Pound, and Indian Rupee, the currencies ofcountries where we currently have our most significant international operations. A portion of our invoicing is denominated in the Euro, British Poundand Japanese Yen. Our expenses in international locations are generally denominated in the currencies of the countries in which our operations arelocated.Derivative financial instruments are utilized by the Company to reduce foreign currency exchange risks. We use foreign currency forwardcontracts to partially mitigate the impact of fluctuations in cash and accounts receivable balances denominated in Euros and British Pounds. We donot use these contracts for speculative or trading purposes, nor are they designated as hedges. These contracts typically have a maturity of onemonth, and we record gains and losses from these instruments in other income (expense), net. The effect of an immediate 10% adverse change inforeign exchange rates would not be material to our financial condition, operating results or cash flows.Interest Rate SensitivityWe have $355.6 million in cash, cash equivalents and short-term and long-term investments at December 31, 2017 . Cash and cashequivalents include cash held in banks, highly liquid money market funds, U.S. government agency securities, and commercial paper. Investmentsconsist of fixed-income U.S. government agency securities, corporate bonds, asset-backed securities and commercial paper. We determine theappropriate balance sheet classification of our investments at the time of purchase and reevaluate such designation at each balance sheet date. Weclassify our investments as either short-term or long-term based on each instrument's underlying contractual maturity date.The primary objectives of our investment activities are the preservation of principal and support of our liquidity requirements. We do not enterinto investments for trading or speculative purposes. Our investments are subject to market risk due to changes in interest rates, which may affectthe interest income we earn and the fair market value. We do not believe that a 10% increase or decrease in interest rates would have a materialimpact on our operating results or cash flows.59Table of ContentsItem 8.Financial Statements and Supplementary DataQualys, Inc.INDEX TO CONSOLIDATED FINANCIAL STATEMENTSTable of Contents PageReports of Independent Registered Public Accounting Firm61Consolidated Balance Sheets63Consolidated Statements of Operations64Consolidated Statements of Comprehensive Income65Consolidated Statements of Cash Flows66Consolidated Statements of Stockholders' Equity67Notes to Consolidated Financial Statements6860Table of ContentsReport of Independent Registered Public Accounting FirmBoard of Directors and ShareholdersQualys, Inc.Opinion on the financial statementsWe have audited the accompanying consolidated balance sheets of Qualys, Inc. (a Delaware corporation) and subsidiaries (the “Company”) as ofDecember 31, 2017 and 2016, the related consolidated statements of operations, comprehensive income, changes in stockholders’ equity, and cashflows for each of the three years in the period ended December 31, 2017, and the related notes and financial statement schedule listed in the indexappearing under Item 15(a)(2) (collectively referred to as the “financial statements”). In our opinion, the financial statements present fairly, in allmaterial respects, the financial position of the Company as of December 31, 2017 and 2016, and the results of its operations and its cash flows foreach of the three years in the period ended December 31, 2017, in conformity with accounting principles generally accepted in the United States ofAmerica.We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (“PCAOB”), theCompany’s internal control over financial reporting as of December 31, 2017, based on criteria established in the 2013 Internal Control-IntegratedFramework issued by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”), and our report dated February 23, 2018expressed unqualified opinion.Basis for opinionThese financial statements are the responsibility of the Company’s management. Our responsibility is to express an opinion on the Company’sfinancial statements based on our audits. We are a public accounting firm registered with the PCAOB and are required to be independent withrespect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and ExchangeCommission and the PCAOB.We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtainreasonable assurance about whether the financial statements are free of material misstatement, whether due to error or fraud. Our audits includedperforming procedures to assess the risks of material misstatement of the financial statements, whether due to error or fraud, and performingprocedures that respond to those risks. Such procedures included examining, on a test basis, evidence supporting the amounts and disclosures inthe financial statements. Our audits also included evaluating the accounting principles used and significant estimates made by management, as wellas evaluating the overall presentation of the financial statements. We believe that our audits provide a reasonable basis for our opinion./s/ GRANT THORNTON LLPWe have served as the Company’s auditor since 2005.San Jose, CaliforniaFebruary 23, 201861Table of ContentsReport of Independent Registered Public Accounting FirmBoard of Directors and ShareholdersQualys, Inc.Opinion on internal control over financial reportingWe have audited the internal control over financial reporting of Qualys, Inc. (a Delaware corporation) and subsidiaries (the “Company”) as ofDecember 31, 2017, based on criteria established in the 2013 Internal Control-Integrated Framework issued by the Committee of SponsoringOrganizations of the Treadway Commission (“COSO”). In our opinion, the Company maintained, in all material respects, effective internal controlover financial reporting as of December 31, 2017, based on criteria established in the 2013 Internal Control-Integrated Framework issued by COSO.We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (“PCAOB”), theconsolidated financial statements of the Company as of and for the year ended December 31, 2017, and our report dated February 23, 2018expressed an unqualified opinion on those financial statements.Basis for opinionThe Company’s management is responsible for maintaining effective internal control over financial reporting and for its assessment of theeffectiveness of internal control over financial reporting, included in the accompanying Management’s Report on Internal Control over FinancialReporting (“Management’s Report”). Our responsibility is to express an opinion on the Company’s internal control over financial reporting based onour audit. We are a public accounting firm registered with the PCAOB and are required to be independent with respect to the Company inaccordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange Commission and thePCAOB. We conducted our audit in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtainreasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our audit includedobtaining an understanding of internal control over financial reporting, assessing the risk that a material weakness exists, testing and evaluating thedesign and operating effectiveness of internal control based on the assessed risk, and performing such other procedures as we considerednecessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.Definition and limitations of internal control over financial reportingA company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financialreporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. Acompany’s internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, inreasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance thattransactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles,and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of thecompany; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of thecompany’s assets that could have a material effect on the financial statements.Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of anyevaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or thatthe degree of compliance with the policies or procedures may deteriorate./s/ GRANT THORNTON LLPSan Jose, CaliforniaFebruary 23, 201862Table of ContentsQualys, Inc.CONSOLIDATED BALANCE SHEETS(in thousands, except share and per share data) December 31, December 31, 2017 2016Assets Current assets: Cash and cash equivalents $86,591 $86,737Short-term investments 201,823 157,119Accounts receivable, net of allowance of $816 and $702 at December 31, 2017 and 2016, respectively 64,412 47,024Prepaid expenses and other current assets 16,524 9,808Total current assets 369,350 300,688Long-term investments 67,224 45,725Property and equipment, net 58,557 39,401Deferred tax assets, net 25,066 16,590Intangible assets, net 12,401 987Goodwill 1,549 317Restricted cash 1,200 1,200Other noncurrent assets 2,178 2,096Total assets $537,525 $407,004Liabilities and Stockholders’ Equity Current liabilities: Accounts payable $1,144 $2,051Accrued liabilities 21,444 13,317Deferred revenues, current 143,186 114,964Total current liabilities 165,774 130,332Deferred revenues, noncurrent 17,136 15,528Other noncurrent liabilities 11,071 2,731Total liabilities 193,981 148,591Commitments and contingencies (Note 6) Stockholders’ equity: Preferred stock: $0.001 par value; 20,000,000 shares authorized, no shares issued and outstanding at December 31,2017 and 2016 — —Common stock, $0.001 par value; 1,000,000,000 shares authorized, 38,598,117 and 35,841,001 shares issued andoutstanding at December 31, 2017 and 2016, respectively 39 36Additional paid-in capital 304,155 266,794Accumulated other comprehensive loss (574) (156)Retained earnings (deficit) 39,924 (8,261)Total stockholders’ equity 343,544 258,413Total liabilities and stockholders’ equity $537,525 $407,004The accompanying notes are an integral part of these Consolidated Financial Statements.63Table of ContentsQualys, Inc.CONSOLIDATED STATEMENTS OF OPERATIONS(in thousands, except per share data) Year Ended December 31, 2017 2016 2015Revenues $230,828 $197,925 $164,284Cost of revenues 51,580 43,128 34,327Gross profit 179,248 154,797 129,957Operating expenses: Research and development 42,816 36,591 30,438Sales and marketing 63,855 58,985 50,397General and administrative 35,334 29,114 24,316Total operating expenses 142,005 124,690 105,151Income from operations 37,243 30,107 24,806Other income (expense), net: Interest expense (3) (26) (6)Interest income 2,674 1,320 570Other expense, net (536) (972) (850)Total other income (expense), net 2,135 322 (286)Income before income taxes 39,378 30,429 24,520(Benefit from) provision for income taxes (1,062) 11,205 8,655Net income $40,440 $19,224 $15,865Net income per share: Basic $1.08 $0.55 $0.47Diluted $1.01 $0.50 $0.42Weighted average shares used in computing net income per share: Basic 37,443 35,247 34,050Diluted 40,071 38,369 38,184The accompanying notes are an integral part of these Consolidated Financial Statements.64Table of ContentsQualys, Inc.CONSOLIDATED STATEMENTS OF COMPREHENSIVE INCOME(in thousands) Year Ended December 31, 2017 2016 2015Net income $40,440 $19,224 $15,865Available-for-sale investments: Change in net unrealized loss on investments, net of tax (462) (57) (202)Less: reclassification adjustment for net realized gain (loss) included in net income, net of tax 44 112 (19)Other comprehensive (loss) income, net of tax (418) 55 (221)Comprehensive income $40,022 $19,279 $15,644The accompanying notes are an integral part of these Consolidated Financial Statements.65Table of ContentsQualys, Inc.CONSOLIDATED STATEMENTS OF CASH FLOWS(in thousands) Year Ended December 31, 2017 2016 2015Cash flows from operating activities: Net income $40,440 $19,224 $15,865Adjustments to reconcile net income to net cash provided by operating activities: Depreciation and amortization expense 20,636 16,994 14,360Bad debt expense 657 199 851Loss on disposal of property and equipment 161 55 5Stock-based compensation 26,961 20,149 17,494Amortization of premiums and accretion of discounts on investments 1,324 1,000 594Excess tax benefits from stock-based compensation — (8,700) (487)Impairment of intangible assets — — 255Deferred income taxes (10,414) (440) 6,564Excess tax benefits included in deferred tax assets 7,696 — —Changes in operating assets and liabilities: Accounts receivable (17,966) (4,898) (10,183)Prepaid expenses and other assets (53) (2,107) (1,011)Restricted cash — (1,200) —Accounts payable (454) (1,220) (3,293)Accrued liabilities 1,485 9,696 3,339Deferred revenues 29,830 17,903 21,378Other noncurrent liabilities 7,343 1,455 229Net cash provided by operating activities 107,646 68,110 65,960Cash flows from investing activities: Purchases of investments (299,891) (222,953) (146,707)Sales and maturities of investments 231,996 149,708 105,509Purchases of property and equipment (37,818) (23,245) (20,051)Business acquisitions (12,482) — —Capitalized software development costs — — (99)Net cash used in investing activities (118,195) (96,490) (61,348)Cash flows from financing activities: Proceeds from exercise of stock options 31,327 15,157 10,095Excess tax benefits from stock-based compensation — 8,700 487Payments for taxes related to net share settlement of equity awards (20,924) (438) —Net cash provided by financing activities 10,403 23,419 10,582Net (decrease) increase in cash and cash equivalents (146) (4,961) 15,194Cash and cash equivalents at beginning of period 86,737 $91,698 76,504Cash and cash equivalents at end of period $86,591 $86,737 $91,698Supplemental disclosures of cash flow information Cash paid for interest expense 3 27 6Cash paid for income taxes, net of refunds 1,584 856 995Non-cash investing and financing activities Business acquisitions recorded in Intangible Assets and Accrued liabilities 1,000 — —Purchases of property and equipment recorded in accounts payable and accrued liabilities 2,765 1,438 —Vesting of early exercised common stock options — — 19The accompanying notes are an integral part of these Consolidated Financial Statements.66Table of ContentsQualys, Inc.CONSOLIDATED STATEMENTS OF STOCKHOLDERS’ EQUITY (in thousands, except share data) Common Stock AdditionalPaid-InCapital AccumulatedOtherComprehensiveIncome (Loss) Retainedearnings(deficit) TotalStockholders’Equity Shares Amount Balances at December 31, 2014 33,594,285 $34 $195,133 $10 $(43,350) $151,827Net income — — — — 15,865 15,865Other comprehensive loss, net of tax — — — (221) — (221)Issuance of common stock upon exercise of stock options 807,846 — 10,095 — — 10,095Issuance of common stock upon vesting of restricted stock units 12,500 — — — — —Vesting of early exercised common stock options — — 19 — — 19Excess tax benefits from stock-based compensation — — 487 — — 487Stock-based compensation — — 17,494 — — 17,494Balances at December 31, 2015 34,414,631 34 223,228 (211) (27,485) 195,566Net income — — — — 19,224 19,224Other comprehensive income, net of tax — — — 55 — 55Issuance of common stock upon exercise of stock options 1,399,157 2 15,155 — — 15,157Issuance of common stock upon vesting of restricted stock units 25,213 — — — — —Issuance of common stock in exchange for services 2,000 — 26 — — 26Excess tax benefits from stock-based compensation — — 8,700 — — 8,700Taxes related to net share settlement of equity awards — — (438) — — (438)Stock-based compensation — — 20,123 — — 20,123Balances at December 31, 2016 35,841,001 36 266,794 (156) (8,261) 258,413Cumulative effect of a change in accounting principle related to stock-based compensation — — — — 7,745 7,745Net income — — — — 40,440 40,440Other comprehensive loss, net of tax — — — (418) — (418)Issuance of common stock upon exercise of stock options 2,997,095 3 31,324 — — 31,327Issuance of common stock upon vesting of restricted stock units 217,111 — — — — —Taxes related to net share settlement of equity awards (457,090) — (20,924) — — (20,924)Stock-based compensation — — 26,961 — — 26,961Balances at December 31, 2017 38,598,117 $39 $304,155 $(574) $39,924 $343,544The accompanying notes are an integral part of these Consolidated Financial Statements.67Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTSNOTE 1.The Company and Summary of Significant Accounting PoliciesDescription of BusinessQualys, Inc. (the “Company”, "we", "us", "our") was incorporated in the state of Delaware on December 30, 1999. The Company isheadquartered in Foster City, California and has majority-owned subsidiaries throughout the world. The Company is a pioneer and leading providerof cloud-based security and compliance solutions that enable organizations to identify security risks to their IT infrastructures, help protect their ITsystems and applications from ever-evolving cyber-attacks and achieve compliance with internal policies and external regulations. The Company’scloud solutions address the growing security and compliance complexities and risks that are amplified by the dissolving boundaries between internaland external IT infrastructures and web environments, the rapid adoption of cloud computing and the proliferation of geographically dispersed ITassets. Organizations can use the Company’s integrated suite of solutions delivered on its Qualys cloud platform to cost-effectively obtain a unifiedview of their security and compliance posture across globally-distributed IT infrastructures.Basis of PresentationThe accompanying consolidated financial statements and footnotes have been prepared by the Company in accordance with accountingprinciples generally accepted in the United States (“U.S. GAAP”) as well as the instructions to Form 10-K and the rules and regulations of the U.S.Securities and Exchange Commission ("SEC"). In the opinion of management, the accompanying consolidated financial statements include alladjustments necessary for the fair presentation of the Company’s consolidated financial position, results of operations and cash flows for the periodspresented. The accompanying consolidated financial statements include the accounts of the Company and its majority-owned subsidiaries. Allsignificant intercompany transactions and balances have been eliminated upon consolidation.ReclassificationThe Company reclassified certain information technology expenses across the functions that benefit from their support. In 2016, the Companyreclassified $3.0 million out of general and administrative expenses. Of this amount the Company reclassified $0.7 million to cost of revenues, $1.3million to research and development and $1.0 million to sales and marketing. In 2015, the Company reclassified $2.3 million out of general andadministrative expenses. Of this amount the Company reclassified $0.5 million to cost of revenues, $1.0 million to research and development and$0.8 million to sales and marketing. Use of EstimatesThe preparation of the consolidated financial statements in conformity with U.S. GAAP requires management to make certain estimates andassumptions that affect the reported amounts of assets and liabilities and disclosure of assets and liabilities at the date of the consolidated financialstatements and the reported results of operations during the reporting period. The Company’s management regularly assesses these estimates,which primarily affect revenue recognition, the valuation of accounts receivable, goodwill and intangible assets, stock-based compensation and theprovision for income taxes. Actual results could differ from those estimates and such differences may be material to the accompanying consolidatedfinancial statements.Concentration of Credit RiskThe Company invests its cash and cash equivalents with major financial institutions. Cash balances with any one institution at times may be inexcess of federally insured limits. Cash equivalents are invested in high-quality investment grade financial instruments and are diversified. TheCompany has not experienced any losses in such accounts and believes it is not exposed to any significant credit risk.Credit risk with respect to accounts receivable is dispersed due to the large number of customers. Collateral is not required for accountsreceivable. The Company maintains an allowance for potential credit losses based upon the expected collectability of accounts receivable. TheCompany writes off its receivables once collection efforts are unsuccessful. As of December 31, 2017 and 2016 , no customer or channel partneraccounted for more than 10% of the Company's revenues and accounts receivable balance.68Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)Cash, Cash Equivalents, Short-Term and Long-Term InvestmentsCash and cash equivalents include cash held in banks, highly liquid money market funds, commercial paper, and fixed-income U.S.government agency securities, all with original maturities of three months or less when acquired. The Company’s investments consist of fixed-income U.S. government agency securities, corporate bonds, asset-backed securities and commercial paper. Management determines theappropriate classification of the Company's investments at the time of purchase and reevaluates such designation at each balance sheet date.The Company classifies its investments as either short-term or long-term based on each instrument's underlying contractual maturity date.Cash equivalents are stated at cost, which approximates fair market value. Short-term and long-term investments are classified as available-for-sale and are carried at fair value. Unrealized gains and losses in fair value are reported in other comprehensive income (loss). When theavailable-for-sale securities are sold, cost is based on the specific identification method, and the realized gains and losses are included in otherincome (expense) in the consolidated statements of operations. Short-term and long-term investments are reviewed quarterly for impairment that isdeemed to be other-than-temporary. An investment is considered other-than-temporarily impaired when its fair value is below its amortized cost and(1) there is an intent to sell the security, (2) it is “more likely than not” that the security will be sold before recovery of its amortized cost basis or(3) the present value of expected cash flows from the investment is not expected to recover the entire amortized cost basis. Declines in value thatare considered to be other-than-temporary and adjustments to amortized cost for the amortization of premiums and the accretion of discounts arerecorded in other income (expense). Interest and dividends are recorded in interest income as earned.Accounts ReceivableAccounts receivable are recorded at the invoiced amount and do not bear interest. The allowance for doubtful accounts represents theCompany’s best estimate of the amount of probable credit losses and is determined based on a review of existing accounts receivable by agingcategory to identify significant customers or invoices with collectability issues. For those invoices not specifically reviewed, the reserve is calculatedbased on the age of the receivable and historical write-offs.Any change in the assumptions used in analyzing a specific account receivable may result in an additional provision for doubtful accountsbeing recognized in the period in which the change occurs. When the Company ultimately concludes that a receivable is uncollectible, the balance iswritten off against the allowance for doubtful accounts. Payments subsequently received on such receivables are credited back to the allowance fordoubtful accounts.Property and Equipment, netProperty and equipment are stated at cost less accumulated depreciation and amortization. Depreciation is computed using the straight-linemethod over the estimated useful lives of the assets, which range from three to five years. Leasehold improvements are amortized on a straight-linebasis over the lesser of the estimated useful life of the asset or the lease term.The Company purchases physical scanner appliances and other computer equipment that are provided to customers on a subscription basis.This equipment is recorded within property and equipment on the accompanying consolidated balance sheet, and the depreciation is recorded tocost of revenues over an estimated useful life of three years.Upon retirement or disposal, the cost of assets and the related accumulated depreciation are removed from the accounts and any resultinggain or loss is reflected in the consolidated statements of operations. Repairs and maintenance that do not extend the life of an asset are expensedas incurred and major improvements are capitalized as property and equipment.69Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)LeasesOn certain of our operating lease agreements, the Company may receive rent free periods or escalating rent payments over the terms of theleases. The Company recognizes rent expense under these agreements on a straight-line basis over the term of the lease, starting when theCompany takes possession of the property from the landlord. The Company records the difference between the recognized rent expense and theamounts payable under the lease as a short-term or long-term deferred rent liability. When the Company receives tenant allowances upon enteringinto certain leases, the Company records the allowances as an offset to short-term or long-term deferred rent liability and amortizes them using thestraight-line method as a reduction to rent expense over the term of the lease.Impairment of Long-Lived AssetsThe Company evaluates its long-lived assets, which consist of property and equipment, and intangible assets subject to amortization, forindicators of possible impairment when events or changes in circumstances indicate the carrying amount of an asset may not be recoverable.Impairment exists if the carrying amounts of such assets exceed the estimates of future undiscounted cash flows expected to be generated by suchassets. Should an impairment exist, the impairment loss would be measured based on the excess carrying value of the asset over the asset’sestimated fair value. In each of 2017, 2016 and 2015, the Company had no impairment of long-lived assets.Goodwill and Intangible AssetsGoodwill represents the excess of the purchase price over the fair value of the net tangible and identifiable intangible assets acquired in abusiness combination and is not subject to amortization. Goodwill and other intangible assets with indefinite lives are not amortized, but tested forimpairment annually or if certain circumstances indicate a possible impairment may exist. These tests are performed at the reporting unit level. TheCompany’s operations are organized as one reporting unit.In testing for a potential impairment of goodwill, the Company first performs a qualitative assessment of its reporting unit to determine if it ismore likely than not (a more than 50% likelihood) that the fair value of the reporting unit is less than its carrying amount. If the fair value is notconsidered to be less than the carrying amount, no further evaluation is necessary. The Company performed the annual qualitative assessment forthe year ended December 31, 2017 and concluded there was no potential impairment of goodwill.In testing for a potential impairment of intangible assets with indefinite lives that are not subject to amortization, the Company first performs aqualitative assessment to determine if it is more likely than not (a more than 50% likelihood) that the fair value of the indefinite-lived intangible assetsis less than the carrying amount. If the fair value is not considered to be less than the carrying amount, no further evaluation is necessary. TheCompany performed the annual qualitative assessment in 2017 and concluded that as of December 31, 2017 , there was no potential impairment ofthe indefinite-lived intangible assets.If the qualitative assessment indicates there is more than a 50% likelihood that the fair value is less than the carrying amount of the reportingunit or the intangible asset, the Company would perform a two-step test. In the first step, the carrying value of the reporting unit or intangible asset iscompared to its estimated fair value. If the estimated fair value is less than the carrying value, then potential impairment exists. In the second step,for goodwill, the Company calculates the amount of any impairment by determining the implied fair value of goodwill using a hypothetical purchaseprice allocation, similar to that which would be applied if it were an acquisition and the purchase price was equivalent to fair value as calculated inthe first step. Impairment is equivalent to any excess of goodwill carrying value over its implied fair value. For indefinite-lived intangible assets, theCompany performs the currently prescribed quantitative impairment test by comparing the fair value of the indefinite-lived intangible asset with itscarrying value. In 2015, the Company determined there was an impairment of certain indefinite-lived intangible assets and recorded a write-off of$0.3 million recorded in other expense, net.Certain other intangible assets acquired are amortized over their estimated useful lives and tested for impairment if certain circumstancesindicate an impairment may exist. The Company’s intangible assets are comprised primarily of existing technology, patent license, and non-competition agreements and are amortized over periods ranging from three to fourteen years on a straight-line basis. As of December 31, 2017 , theCompany has not written down any of these intangible assets as a result of impairment.70Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)Software Development CostsThe Company capitalizes qualifying software costs developed for internal use. These costs include internal costs, such as payroll and benefitsof those employees directly associated with the development of the software, and other consulting expenses. Total capitalized development costsand the related accumulated amortization were $0.4 million each at both December 31, 2017 and 2016.Business CombinationsWe apply the provisions of ASC 805, Business Combinations, in accounting for our acquisitions. It requires us to recognize separately fromgoodwill the assets acquired and the liabilities assumed at their acquisition date fair values. Goodwill as of the acquisition date is measured as theexcess of consideration transferred over the net of the acquisition date fair values of the assets acquired and the liabilities assumed. While we useour best estimates and assumptions to accurately value assets acquired and liabilities assumed at the acquisition date as well as any contingentconsideration, where applicable, our estimates are inherently uncertain and subject to refinement. As a result, during the measurement period,which may be up to one year from the acquisition date, we record adjustments to the assets acquired and liabilities assumed with the correspondingoffset to goodwill. Upon the conclusion of the measurement period or final determination of the values of assets acquired or liabilities assumed,whichever comes first, any subsequent adjustments are recorded to our consolidated statements of operations.Derivative Financial InstrumentsDerivative financial instruments are utilized by the Company to reduce foreign currency exchange risks. The Company uses foreign currencyforward contracts to mitigate the impact of foreign currency fluctuations of certain non-U.S. dollar denominated asset positions, primarily cash andaccounts receivable. These contracts are recorded within prepaid expenses and other current assets in the consolidated balance sheets. Gains andlosses resulting from currency exchange rate movements on these forward contracts are recognized in other income (expense) in the accompanyingconsolidated statements of operations in the period in which the exchange rates change and offset the foreign currency gains and losses on theunderlying exposure being hedged. The Company does not enter into derivative financial instruments for trading or speculative purposes.At December 31, 2017 , the Company had two outstanding forward contracts with notional amounts of 7.0 million Euros and 4.8 million BritishPounds , respectively, both with the expiry date of January 31, 2018 . At December 31, 2016 , the Company had two outstanding forward contractswith notional amounts of 7.6 million Euros and 4.6 million British Pounds , which expired on February 2, 2017 . These forward contracts wereentered into as of December 29, 2017 and December 30, 2016 , respectively, and had a fair value of $0 at both December 31, 2017 and 2016 .These derivatives did not meet the criteria to be designated as hedges. These instruments were valued using Level 2 inputs.The following summarizes the gains (losses) recognized from forward contracts and other foreign currency transactions: Year Ended December 31, 2017 2016 2015 Net (loss) gain from forward contracts $(1,665) $554 $608Other foreign currency transaction gains (losses) 1,310 (1,324) (1,052)Total foreign exchange loss, net $(355) $(770) $(444)Stock-Based CompensationThe Company recognizes the fair value of its employee stock options and restricted stock units (RSUs) over the requisite service period forthose awards ultimately expected to vest. The fair value of each option is estimated on date of grant using the Black-Scholes-Merton option pricingmodel and the fair value of each restricted stock unit is based on the fair value of the Company's stock on the date of grant. Forfeitures areestimated on the date of grant and revised if actual or expected forfeiture activity differs materially from original estimates.71Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)Option grants to non-employees are accounted for at the fair value of the equity instrument issued, as calculated using the Black-Scholes-Merton option-pricing model and the expense is recognized over the vesting periods of the options. The value of options granted to non-employeesis re-measured as they vest over a performance period.Revenue RecognitionThe Company derives revenues from subscriptions that require customers to pay a fee in order to access the Company’s cloud solutions.Customers generally enter into one year renewable subscriptions though some customers do enter into subscriptions with longer terms. Thesubscription fee entitles the customer to an unlimited number of scans for a specified number of networked devices or web applications and, ifrequested by a customer as part of their subscription, a specified number of physical or virtual scanner appliances. The Company’s physical andvirtual scanner appliances are requested by certain customers as part of their subscriptions in order to scan IT infrastructures within their firewallsand do not function without, and are not sold separately from, subscriptions for the Company’s solutions. In some limited cases, the Company alsoprovides certain computer equipment used to extend its Qualys cloud platform into its customers’ private cloud environment. Customers are requiredto return physical scanner appliances and computer equipment if they do not renew their subscriptions.The Company recognizes revenues when all of the following conditions are met:•There is persuasive evidence of an arrangement.•The service has been provided to the customer.•The collection of the fees is reasonably assured.•The amount of fees to be paid by the customer is fixed or determinable.Subscriptions are recognized ratably over the subscription period. The Company recognizes revenues from subscriptions that include physicalscanner appliances and other computer equipment ratably over the period of the subscription. Physical equipment (scanners and private cloudplatforms) are accounted for as operating leases and revenue is recognized over the subscription term.The Company recognizes revenues for certain limited scan arrangements, for which expiration dates can be extended, on an as-used basis.Deferred revenues consist of revenues billed or received that will be recognized in the future under subscriptions existing at the balance sheetdate. The current portion of deferred revenues represents amounts that are expected to be recognized within one year of the balance sheet date.Costs of shipping and handling charges incurred by the Company associated with physical scanner appliances and other computer equipmentare included in cost of revenues.Sales taxes and other taxes collected from customers to be remitted to government authorities are excluded from revenues.Advertising ExpensesAdvertising costs are expensed as incurred and include costs of advertising, trade show costs and promotional materials. The Companyincurred advertising costs of $8.6 million , $7.7 million and $6.1 million for 2017 , 2016 and 2015 , respectively.Income TaxesThe Company provides for the effect of income taxes in its consolidated financial statements using the asset and liability method whichrequires the recognition of deferred tax assets and liabilities for the expected future tax consequences of events that have been included in theconsolidated financial statements. Under this method, deferred tax assets and liabilities are recognized for the future tax consequences attributableto differences between the financial statement carrying amounts of existing assets and liabilities and their respective tax bases, net operating losscarryovers, and tax credit carry forwards. Deferred tax assets and liabilities are measured using enacted tax rates72Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)expected to apply to taxable income in the years in which those temporary differences are expected to be recovered or settled. The effect ondeferred tax assets and liabilities of a change in tax rates is recognized in the period that includes the enactment date. As a result of the 2017 TaxAct the Company re-measured certain deferred tax assets and liabilities as of December 31, 2017 and recorded $10.4 million of deferred taxexpense during 2017 as detailed in Note 9, “Income Taxes”.Income tax expense or benefit is recognized for the amount of taxes payable or refundable for the current year, and for deferred tax assets andliabilities for the tax consequences of events that have been recognized in an entity’s financial statements or tax returns. The Company must makesignificant assumptions, judgments and estimates to determine its current provision (benefit) for income taxes, its deferred tax assets and liabilities,and any valuation allowance to be recorded against its deferred tax assets. The Company's judgments, assumptions and estimates relating to thecurrent provision (benefit) for income taxes include the geographic mix and amount of income (loss), its interpretation of current tax laws, andpossible outcomes of current and future audits conducted by foreign and domestic tax authorities. The Company's judgments also includeanticipating the tax positions the Company will record in the consolidated financial statements before actually preparing and filing the tax returns.The Company's estimates and assumptions may differ from the actual results as reflected in its income tax returns and the Company records therequired adjustments when they are identified or resolved. Changes in the Company's business, tax laws or the Company's interpretation of taxlaws, and developments in current and future tax audits, could significantly impact the amounts provided for income taxes in the Company's resultsof operations, financial position, or cash flows.Deferred tax assets and liabilities are recognized for the estimated future tax consequences attributable to tax benefit carry-forwards and todifferences between the financial statement amounts of assets and liabilities and their respective tax basis. The Company regularly reviews itsdeferred tax assets for recoverability and establishes a valuation allowance if it is more likely than not that some portion or all of the deferred taxassets will not be realized. To make this assessment, the Company takes into account predictions of the amount and category of taxable incomefrom various sources and all available positive and negative evidence about these possible sources of taxable income. The weight given to thepotential effect of negative and positive evidence is commensurate with the extent to which the strength of the evidence can be objectively verified.The Company applies a two-step approach to determining the financial statement recognition and measurement of uncertain tax positions. TheCompany only recognizes an income tax expense or benefit with respect to uncertain tax positions in its financial statements that the Companyjudges is more likely than not to be sustained solely on its technical merits in a tax audit, including resolution of any related appeals or litigationprocesses. To make this judgment, the Company must interpret complex and sometimes ambiguous tax laws, regulations and administrativepractices. If an income tax position meets the more likely than not recognition threshold, then the Company must measure the amount of the taxbenefit to be recognized by determining the largest amount of tax benefit that has a greater than a 50% likelihood of being realized upon effectivesettlement with a taxing authority that has full knowledge of all of the relevant facts. It is inherently difficult and subjective to estimate such amounts,as this requires the Company to determine the probability of various possible settlement outcomes. To determine if a tax position is effectivelysettled after a tax examination has been completed, the Company must also estimate the likelihood that another taxing authority could review therespective tax position. The Company must also determine when it is reasonably possible that the amount of unrecognized tax benefits willsignificantly increase or decrease in the 12 months after each fiscal year-end. These judgments are difficult because a taxing authority may changeits behavior as a result of the Company's disclosures in its financial statements. The Company must reevaluate its income tax positions on aquarterly basis to consider factors such as changes in facts or circumstances, changes in tax law, effectively settled issues under audit, and newaudit activity. Such a change in recognition or measurement would result in recognition of a tax benefit or an additional charge to the tax provision.The Company's policy is to recognize interest and penalties related to unrecognized tax benefits as a component of the provision for income taxes.Comprehensive Income (Loss)Other comprehensive income (loss) consists of unrealized gains (losses) on available-for-sale investments, net of tax, which are not included inthe Company’s net income. Total comprehensive income includes net income and other comprehensive income (loss) and is included in theconsolidated statements of comprehensive income.73Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)Foreign Currency TransactionsThe Company’s operations are conducted in various countries around the world and the financial statements of its foreign subsidiaries arereported in the U.S. dollar as their respective functional currency. Monetary assets and liabilities denominated in foreign currencies have been re-measured into U.S. dollars using the exchange rates in effect at the balance sheet date, and income and expenses are re-measured at averageexchange rates during the period. Foreign currency re-measurement gains and losses and foreign currency transaction gains and losses arerecognized in other income (expense), net. The Company recorded total foreign currency transaction losses of $0.4 million , $0.8 million and $0.4million during 2017 , 2016 and 2015 , respectively.Fair Value MeasurementsFair value is defined as the price that would be received to sell an asset or paid to transfer a liability in an orderly transaction between marketparticipants at the measurement date. For certain of the Company’s financial instruments, including certain cash equivalents, accounts receivable,accounts payable, and other current liabilities, the carrying amounts approximate their fair value due to the relatively short maturity of thesebalances.The Company measures and reports certain cash equivalents, investments and derivative foreign currency forward contracts at fair value inaccordance with the provisions of the authoritative accounting guidance that addresses fair value measurements. This guidance establishes ahierarchy for inputs used in measuring fair value that maximizes the use of observable inputs and minimizes the use of unobservable inputs byrequiring that the most observable inputs be used when available. The hierarchy is broken down into three levels based on the reliability of inputs asfollows:Level 1 —Valuations based on quoted prices in active markets for identical assets or liabilities.Level 2 —Valuations based on other than quoted prices in active markets for identical assets and liabilities, quoted prices for identical orsimilar assets or liabilities in inactive markets, or other inputs that are observable or can be corroborated by observable market data for substantiallythe full term of the assets or liabilities.Level 3— Valuations based on inputs that are generally unobservable and typically reflect management’s estimates of assumptions thatmarket participants would use in pricing the asset or liability.The Company's financial instruments consist of assets measured using Level 1 and 2 inputs. Level 1 assets include a highly liquid moneymarket fund, which is valued using unadjusted quoted prices that are available in an active market for an identical asset. Level 2 assets includefixed-income U.S. government agency securities, commercial paper, corporate bonds, asset-backed securities and derivative financial instrumentsconsisting of foreign currency forward contracts. The securities, bonds and commercial paper are valued using prices from independent pricingservices based on quoted prices in active markets for similar instruments or on industry models using data inputs such as interest rates and pricesthat can be directly observed or corroborated in active markets. The foreign currency forward contracts are valued using observable inputs , such asquotations on forward foreign exchange points and foreign interest rates . See Note 2 for more information regarding the fair value measurement ofthe Company's financial instruments.Net Income Per ShareBasic net income per share is computed by dividing net income by the weighted-average number of common shares outstanding during theperiod. All participating securities are excluded from basic weighted average common shares outstanding. In computing diluted net income pershare, undistributed earnings are reallocated to reflect the potential impact of dilutive securities. Diluted net income per share is computed bydividing net income by the weighted-average number of shares of common stock outstanding during the period, adjusted for the effects of potentiallydilutive common shares, which are comprised of outstanding stock options . The dilutive potential common shares are computed using the treasurystock method or the as-if converted method, as applicable. The effects of outstanding stock options are excluded from the computation of diluted netincome per common share in periods in which the effect would be antidilutive.74Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)Recently Adopted Accounting PronouncementsIn March 2016, the Financial Accounting Standards Board (“FASB”) issued Accounting Standards Update (“ASU”) No. 2016-09, Compensation- Stock Compensation (Topic 718): Improvements to Employee Share-Based Payment Accounting. ASU 2016-09 intended to simplify and improvevarious aspects related to how employee-share based payment transactions are accounted for and presented in the financial statements, requiringexcess tax benefits and deficiencies to be recognized as a component of income tax expense rather than equity. The inclusion of excess taxbenefits and deficiencies as a component of income tax expense will increase volatility within our provision for income taxes as the amount ofexcess tax benefits or deficiencies from stock-based compensation awards depends on our stock price at the date the awards vest. This guidancealso requires excess tax benefits to be presented as an operating activity on the statement of cash flows and allows an entity to make an accountingpolicy election to either estimate expected forfeitures or to account for them as they occur. The Company adopted this ASU in its first quarter of2017 and elected to apply this adoption prospectively, recording an increase to retained earnings of $7.7 million with a corresponding increase todeferred tax assets for federal and state net operating losses and federal research credits. Additionally, the income tax consequences in the currentyear include a tax deduction benefit of $27.1 million and increased current and deferred tax benefits for federal research credits. The Company hasprospectively adjusted its consolidated statements of cash flows. The Company has made the accounting policy election to continue to estimateforfeitures expected to occur to determine the amount of stock-based compensation expense to record each period. See Note 9, "Income Taxes",for additional impact on the Company's consolidated financial statements.Recently Issued Accounting Pronouncements Not Yet AdoptedIn May 2014, the FASB issued ASU 2014-09, Revenue from Contracts with Customers (Topic 606), which amends the existing accountingstandards for revenue recognition. ASU 2014-09 is based on principles that govern the recognition of revenue at an amount an entity expects to beentitled when products or services are transferred to customers. Subsequently, the FASB has issued the following standards related to ASU 2014-09: ASU 2016-08, Revenue from Contracts with Customers (Topic 606): Principal versus Agent Considerations; ASU 2016-10, Revenue fromContracts with Customers (Topic 606): Identifying Performance Obligations and Licensing; ASU 2016-12, Revenue from Contracts with Customers(Topic 606): Narrow-Scope Improvements and Practical Expedients and ASU 2016-20, Technical Corrections and Improvements to Topic 606,Revenue from Contracts with Customers. We must adopt ASU 2016-08, ASU 2016-10, ASU 2016-12 and ASU 2016-20 with ASU 2014-09(collectively, the “new revenue standards”) on January 1, 2018. The Company has considered the impact of the standards' requirements and we donot expect that the adoption will have a material impact on the amount or timing of revenue recognized but will impact the Company's consolidatedfinancial statements with respect to the capitalization and amortization of incremental costs of obtaining a contract, primarily sales commissions.Under the Company’s current accounting policy, sales commissions are expensed as incurred. The new revenue standards require the capitalizationof all incremental costs that the Company incurs to obtain a contract with a customer that it would not have incurred if the contract had not beenobtained, provided the Company expects to recover the costs. Under the new revenue standards, the Company will amortize these costs over aperiod of benefit, as estimated by management, which may extend beyond the contract term. The Company will elect to use the practical expedientin Accounting Standards Codification ("ASC") 340-40- 25-4 and expense commissions related to contract renewals with a renewal contract term ofone year or less. The Company will adopt the new revenue standards as of January 1, 2018, using the modified retrospective transition methodapplied to those contracts which are not completed as of that date. For sales commissions that are capitalized, the Company expects to record anestimated net cumulative-effect adjustment to retained earnings of $2.7 million associated with the capitalization of sales commissions related tocontracts in progress as of January 1, 2018. In addition, we expect to amortize sales commissions over five years, representing the period which ourgoods and services are being transferred to our customers.In January 2016, the FASB issued ASU 2016-01, Financial Instruments - Overall (Subtopic 825-10): Recognition and Measurement ofFinancial Assets and Financial Liabilities, which will impact certain aspects of recognition, measurement, presentation and disclosure of financialinstruments. The ASU will impact the accounting for equity investments, financial liabilities under the fair value option, and the presentation anddisclosure requirements for financial instruments. This ASU is effective for public business entities in fiscal years beginning after December 15,2017, and interim periods within those fiscal years. The adoption of this ASU is not expected to have a material impact on the Company'sconsolidated financial statements.75Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)In February 2016, the FASB issued ASU 2016-02, Leases (Topic 842), which requires lessees to recognize all leases, including operatingleases, on the balance sheet as a lease asset or lease liability, unless the lease is a short-term lease. ASU 2016-02 also requires additionaldisclosures regarding leasing arrangements. ASU 2016-02 is effective for us beginning in the first quarter of fiscal 2019 and early adoption ispermitted. Pursuant to the leasing criteria, most of our leased space and equipment leases will be required to be accounted for as capitalized assetson the balance sheet with an offsetting financing obligations. In the statement of operations, what was formerly rent expense will be bifurcated intodepreciation and interest expense. The Company is currently evaluating the impact and expects the ASU will have a material impact on itsconsolidated financial statements.In August 2016, the FASB issued ASU 2016-15, Classification of Certain Cash Receipts and Cash Payments (a consensus of the EmergingIssues Task Force), to provide guidance on the presentation of certain cash receipts and cash payments in the statement of cash flows in order toreduce diversity in existing practice. This ASU is effective for public business entities in fiscal years beginning after December 15, 2017, and interimperiods within those fiscal years. The adoption of this ASU is not expected to have a material impact on the Company's consolidated financialstatements.In November 2016, the FASB issued ASU 2016-18, Statement of Cash Flows (Topic 230): Restricted Cash. The update provides guidance onthe presentation of restricted cash or restricted cash equivalents in the statement of cash flows. The Company will adopt ASU 2016-18retrospectively in the first quarter of fiscal 2018. Restricted cash at both December 31, 2017 and 2016 was $1.2 million .In January 2017, the FASB issued ASU 2017-01, Business Combinations (Topic 805): Clarifying the Definition of a Business, which revises thedefinition of a business and provides new guidance in evaluating when a set of transferred assets and activities is a business. This ASU is effectivefor public business entities in fiscal years, and interim periods within those fiscal years, beginning after December 15, 2017 on a prospectivebasis. The adoption of this ASU is not expected to have a material impact on the Company's consolidated financial statements.In January 2017, the FASB issued ASU 2017-04, Simplifying the Test for Goodwill Impairment (Topic 350). This standard eliminates Step 2from the goodwill impairment test, instead requiring an entity to recognize a goodwill impairment charge for the amount by which the goodwillcarrying amount exceeds the reporting unit’s fair value. This ASU is effective for interim and annual goodwill impairment tests in fiscal yearsbeginning after December 15, 2019 with early adoption permitted. This ASU must be applied on a prospective basis. The adoption of this ASU is notexpected to have a material impact on the Company's consolidated financial statements.76Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)NOTE 2.Fair Value of Financial InstrumentsThe Company's cash and cash equivalents, short-term investments, and long-term investments consist of the following: December 31, 2017 Amortized Cost Unrealized Gains Unrealized Losses Fair Value (in thousands)Cash and cash equivalents: Cash $86,500 $— $— $86,500Money market funds 91 — — 91Total 86,591 — — 86,591Short-term investments: Commercial paper 12,623 — (3) 12,620Corporate bonds 38,425 1 (64) 38,362U.S. government agencies 151,058 — (217) 150,841Total 202,106 1 (284) 201,823Long-term investments: Asset-backed securities 4,998 — (12) 4,986U.S. government agencies 24,269 — (54) 24,215Corporate bonds 38,198 — (175) 38,023Total 67,465 — (241) 67,224Total $356,162 $1 $(525) $355,638 December 31, 2016 Amortized Cost Unrealized Gains Unrealized Losses Fair Value (in thousands)Cash and cash equivalents: Cash $72,673 $— $— $72,673Money market funds 473 — — 473Commercial paper 13,591 — — 13,591Total 86,737 — — 86,737Short-term investments: Commercial paper 14,782 5 — 14,787Corporate bonds 13,490 — (11) 13,479Asset-backed securities 1,235 — — 1,235U.S. government agencies 127,660 — (42) 127,618Total 157,167 5 (53) 157,119Long-term investments: Asset-backed securities 5,091 2 — 5,093U.S. government agencies 29,501 — (71) 29,430Corporate bonds 11,243 — (41) 11,202Total 45,835 2 (112) 45,725Total $289,739 $7 $(165) $289,58177Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)The following table sets forth by level within the fair value hierarchy the fair value of the Company's available-for-sale securities measured on arecurring basis, excluding cash and money market funds: December 31, 2017 Level 1 Level 2 Level 3 Fair Value (in thousands)Commercial paper $— $12,620 $— $12,620U.S. government agencies — 175,056 — 175,056Corporate bonds — 76,385 — 76,385Asset-backed securities — 4,986 — 4,986Total $— $269,047 $— $269,047 December 31, 2016 Level 1 Level 2 Level 3 Fair Value (in thousands)Commercial paper $— $28,378 $— $28,378U.S. government agencies — 157,048 — 157,048Corporate bonds — 24,681 — 24,681Asset-backed securities — 6,328 — 6,328Total $— $216,435 $— $216,435The following summarizes the fair value of securities classified as available-for-sale by contractual maturity: December 31, 2017 Mature within OneYear After One Yearthrough TwoYears Over Two Years Fair Value (in thousands)Commercial paper $12,620 $— $— $12,620U.S. government agencies 150,841 22,033 2,182 175,056Corporate bonds 38,362 22,717 15,306 76,385Asset-backed securities 4,702 284 — 4,986Total $206,525 $45,034 $17,488 $269,047At December 31, 2017 and 2016 , derivative financial instruments, consisting of foreign currency forward contracts, were valued at $0 as thecontracts were entered into on the last day of the respective reporting periods. These instruments were valued using Level 2 inputs.There were no transfers between Level 1, Level 2 or Level 3 of the fair value hierarchy, as determined at the end of each reporting period.78Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)NOTE 3.Property and Equipment, NetProperty and equipment consists of the following: December 31, December 31, 2017 2016 (in thousands)Computer equipment $77,883 $57,295Computer software 20,447 19,716Furniture, fixtures and equipment 5,075 3,425Scanner appliances 14,325 14,776Leasehold improvements 16,067 3,694Total property and equipment 133,797 98,906Less: accumulated depreciation and amortization (75,240) (59,505)Property and equipment, net $58,557 $39,401Physical scanner appliances and other computer equipment that are or will be subject to leases by customers have a net carrying value of $6.8million and $8.3 million at December 31, 2017 and 2016, respectively, including assets that have not been placed in service of $0.9 million and $1.3million , respectively. Other fixed assets not placed in service at December 31, 2017 and 2016 were $9.6 million and $3.6 million , respectively.Depreciation and amortization expense relating to property and equipment was $19.9 million , $16.6 million and $13.9 million for 2017 , 2016 and2015 , respectively.On November 20, 2017, the Company moved its headquarters office from Redwood City, California to Foster City, California. Due to the move,the Company incurred a loss of disposal of $0.2 million from abandoning the Redwood City office facilities. The gross amount of abandoned costswas $2.4 million with accumulated depreciation of $2.2 million and a net book value of $0.2 million . The loss was recognized in operating expenses.79Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)NOTE 4.Business CombinationsIn 2017, the Company purchased certain assets of Nevis Networks (India) Private Limited (“Nevis”) and Defensative, LLC (NetWatcher). TheNevis acquisition accelerates the Company's development of network security solutions for detection and awareness of external intrusions tocomputer networks. The NetWatcher acquisition expands the Company's threat protection and management capabilities and adds new offerings tomanaged security service providers. Total purchase consideration related to the Company’s business combinations was $5.8 million in cash forNevis, and $7.7 million for NetWatcher of which $1.0 million is payable in the future subject to terms and conditions of the purchase agreement.Total cash paid in the business combinations completed during 2017 was $12.5 million . Pro forma financial information for these acquisitions havenot been presented because they are not material to our consolidated financial statements, either individually or in aggregate.In connection with the NetWatcher acquisition, certain founders of NetWatcher will receive future payments with continued employment attheir one year and two year anniversaries with the Company. These future payments are being recorded as employee compensation expenseratably over the two-year period.The Company accounted for the acquisition of certain assets of Nevis and Netwatcher as business combinations. The allocation of theconsideration for business combinations completed in year of 2017 is summarized as follows (in thousands): Acquiree Purchase Consideration Net Tangible Assets Acquired/(liabilities assumed) Purchased IntangibleAssets GoodwillNevis $5,753 $14 $5,156 $583NetWatcher 7,729 80 7,000 649Total $13,482 $94 $12,156 $1,232 Purchased intangible assets represent the estimated fair value of purchased technology from our acquisitions of Nevis and NetWatcher. Theexcess of purchase consideration over the fair value of net tangible and identifiable intangible assets acquired was recorded as goodwill. Goodwillgenerated from these acquisitions was primarily related to the acquired workforce, expected improvements in technology performance andadditional product functionality. The fair values assigned to tangible assets acquired and identifiable intangible assets are based on management'sestimates and assumptions.The intangible assets have an estimated useful life of 5 years. Goodwill is deductible for tax purposes over 15 years.80Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)NOTE 5.Goodwill and Intangible Assets, NetIntangible assets consist primarily of developed technology and patent licenses in business combinations. Acquired intangibles are amortizedon a straight-line basis over the respective estimated useful lives of the assets.The carrying values of intangible assets are as follows (in thousands): December 31, 2017 Weighted AverageLives WeightedRemainingAverage Lives Cost AccumulatedAmortization Net Book ValueDeveloped technology5 years 5 years $14,067 $(2,371) $11,696Patent licenses14 years 7 years 1,388 (723) 665Total intangibles subject to amortization $15,455 $(3,094) 12,361Intangible assets not subject to amortization 40Total intangible assets, net $12,401 December 31, 2016 Weighted AverageLives WeightedRemainingAverage Lives Cost AccumulatedAmortization Net Book ValueDeveloped technology7 years 1 year $1,910 $(1,728) $182Patent licenses14 years 8 years 1,388 (623) 765Total intangibles subject to amortization $3,298 $(2,351) 947Intangible assets not subject to amortization 40Total intangible assets, net $987Intangible assets amortization expense was $0.7 million and $0.4 million for 2017 and 2016 , respectively. As of December 31, 2017 , the Company expects amortization expense in future periods to be as follows (in thousands):2018$2,53120192,53120202,53120212,53120222,0712023 and thereafter166Total expected future amortization expense$12,361Goodwill, which is not subject to amortization, totaled $1.5 million and $0.3 million as of December 31, 2017 and 2016 , respectively.81Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)NOTE 6.Commitments and ContingenciesLeasesThe Company leases certain computer equipment and its corporate office and data center facilities under non-cancelable operating leases forvarying periods through 2028.The following are the minimum annual lease payments due under operating leases at December 31, 2017 (in thousands):2018 $6,8932019 5,7842020 5,4152021 4,6632022 4,1412023 and thereafter 22,000Total minimum lease payments $48,896Rent expense was $9.6 million , $7.1 million and $6.6 million for 2017 , 2016 and 2015 , respectively. Although certain of the operating leaseagreements provide for rent free periods or escalating rent payments over the terms of the leases, rent expense under these agreements isrecognized on a straight-line basis over the term of the lease, starting when the Company takes possession of the property from the landlord. As ofDecember 31, 2017 and 2016 , the Company has accrued $9.5 million and $0.4 million of deferred rent related to these agreements, which isreflected in accrued liabilities and other noncurrent liabilities in the accompanying consolidated balance sheets.On October 14, 2016, the Company entered into a lease agreement (included in the table above) for its new headquarters office facility. Thelease payments commence on May 1, 2018 and the lease has a ten -year term through April 2028. The total commitment of $38.6 million is payablemonthly with escalating rental payments throughout the lease term. The Company took possession of the facility on May 1, 2017, completedconstruction of the facility and moved into the facility in November 2017.In connection with this lease, the Company has provided the landlord with a $1.2 million standby letter of credit to secure the Company’sobligations through the end of the lease term, which was classified as restricted cash in the accompanying consolidated balance sheets.IndemnificationsThe Company from time to time enters into certain types of contracts that contingently require it to indemnify various parties against claimsfrom third parties. These contracts primarily relate to (i) the Company's by-laws, under which it must indemnify directors and executive officers, andmay indemnify other officers and employees, for liabilities arising out of their relationship, (ii) contracts under which the Company must indemnifydirectors and certain officers for liabilities arising out of their relationship, and (iii) contracts under which the Company may be required to indemnifycustomers or resellers from certain liabilities arising from potential infringement of intellectual property rights, as well as potential damages causedby limited product defects. To date, the Company has not incurred and has not recorded any liability in connection with such indemnifications.The Company maintains director and officer insurance, which may cover certain liabilities arising from its obligation to indemnify its directors.ContingenciesFrom time to time, the Company may have certain contingent liabilities that arise in the ordinary course of its business activities. The Companyaccrues a liability for such matters when it is probable a loss has been incurred and such loss can be reasonably estimated. As of December 31,2017 and 2016, the Company has not recorded and is not aware of any material liabilities for contingencies.82Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)NOTE 7.Stockholders' Equity and Stock-based CompensationCommon StockThe Company had reserved shares of common stock for future issuance as of December 31, 2017 as follows:Options and RSUs outstanding under equity incentive plans 2000 Equity Incentive Plan 691,5892012 Equity Incentive Plan 5,214,890Shares available for future grants under an equity incentive plan 2012 Equity Incentive Plan 2,208,858Total shares reserved for future issuance 8,115,337Preferred StockEffective October 3, 2012, the Company is authorized to issue 20,000,000 shares of undesignated preferred stock with a par value of $0.001per share. Each series of preferred stock will have such rights and preferences including dividend rights, dividend rate, conversion rights, votingrights, rights and terms of redemption (including sinking fund provisions), redemption price, and liquidation preferences as determined by the Board.As of December 31, 2017 and 2016 , there are no issued or outstanding shares of preferred stock.Stock Options2012 Equity Incentive PlanThe 2012 Equity Incentive Plan (the 2012 Plan) was adopted and approved in September 2012 and became effective on September 26, 2012.Under the 2012 Plan, the Company is authorized to grant to eligible participant's incentive stock options (ISOs), non-statutory stock options (NSOs),stock appreciation rights (SARs), restricted stock awards (RSAs), restricted stock units (RSUs), performance units and performance sharesequivalent to up to 9,861,234 shares of common stock as of December 31, 2017 . The number of shares of common stock available for issuanceunder the 2012 Plan includes an annual increase on January 1 of each year by an amount equal to the least of 3,050,000 shares; 5% of theoutstanding shares of stock as of the last day of the immediately preceding fiscal year; or an amount determined by the board of directors. Optionsmay be granted with an exercise price that is at least equal to the fair market value of the Company's stock at the date of grant and are exercisablewhen vested. Options granted generally vest over a period of up to four years, with a maximum term of ten years. ISOs may only be granted toemployees and any subsidiary corporations' employees. All other awards may be granted to employees, directors and consultants and subsidiarycorporations' employees and consultants. Options, SARs, RSAs, RSUs, performance units and performance awards may be granted with vestingterms as determined by the board of directors and expire no more than ten years after the date of grant or earlier if employment or service isterminated. As of December 31, 2017 , 2,208,858 shares were available for grant under the 2012 Plan.2000 Equity Incentive PlanUnder the 2000 Equity Incentive Plan (the 2000 Plan), the Company was authorized to grant to eligible participants either ISOs or NSOs. TheISOs were granted at a price per share not less than the fair market value at the date of grant. The NSOs were granted at a price per share not lessthan 85% of the fair market value at the date of grant. Options granted generally vest over a period of up to four years, with a maximum term of tenyears. The 2000 Plan was terminated in connection with the closing of the IPO, and accordingly, no shares are currently available for issuanceunder the 2000 Plan. The 2000 Plan continues to govern outstanding awards granted thereunder.Options granted under the 2000 Plan were immediately exercisable, and unvested shares are subject to repurchase by the Company. Upontermination of employment of an option holder, the Company has the right to repurchase at the original purchase price any issued but unvestedcommon shares. The amounts paid for shares purchased under an early exercise of stock options and subject to repurchase by the Company arenot reported as a83Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)component of stockholders ’ equity (deficit) until those shares vest. The amounts received in exchange for these shares are recorded as an accruedliability in the accompanying consolidated balance sheets and will be reclassified to common stock and additional paid-in capital as the shares vest.Stock-based CompensationStock-based compensation included in the consolidated statements of operations is as follows: Year Ended December 31, 2017 2016 2015 (in thousands)Cost of revenues $2,159 $1,858 $1,250Research and development 5,944 5,678 4,936Sales and marketing 4,755 4,870 3,867General and administrative 14,103 7,743 7,441Total stock-based employee compensation $26,961 $20,149 $17,494Stock-based compensation cost is recognized on a straight-line basis over the service period. Forfeitures are estimated at the time of grant andrevised, if necessary, in subsequent periods if actual forfeitures materially differ from those estimates.As of December 31, 2017 , the Company had $16.5 million of total unrecognized employee compensation cost related to unvested options thatit expects to recognize over a weighted-average period of 2.4 years.The fair value of each option granted to employees is estimated on the date of grant using the Black-Scholes-Merton option-pricing modelbased on the following assumptions: Year Ended December 31, 2017 2016 2015Expected term (in years) 5.1 to 5.5 5.0 to 5.9 4.9 to 5.9Volatility 47% to 49% 45% to 49% 45% to 48%Risk-free interest rate 1.8% to 2.0% 1.1% to 1.3% 1.3% to 1.7%Dividend yield — — —The expected term of the options is based on evaluations of historical and expected future employee exercise behavior. The risk-free interestrate is based on the U.S. Treasury rates at the date of grant with maturity dates approximately equal to the expected term at the grant date. Volatilityis based on a combination of the historical volatility of the Company and of several public entities that are similar to the Company. The Companybases volatility on this combination because it does not have sufficient historical transactions in its own shares on which to solely base expectedvolatility. Beginning in the third quarter of 2017, the volatility was estimated using the historical volatility derived from the Company's common stock.The Company has not historically declared any dividends and does not expect to in the future.Non-Employee Stock-based CompensationThe Company records compensation representing the fair value of stock options granted to non-employees. Stock-based non-employeecompensation was $0.9 million , $0.7 million and $0.6 million for 2017 , 2016 and 2015 , respectively. Non-employee stock-based compensation isrecognized over the vesting periods of the options. The value of options granted to non-employees is re-measured as they vest over a performanceperiod.Stock Option Plan ActivityA summary of the Company’s stock option activity is as follows:84Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued) OutstandingShares WeightedAverageExercisePrice WeightedAverageRemainingContractualLife (Years) AggregateIntrinsicValue (in thousands)Balance as of December 31, 2014 7,605,407 $12.93 6.5 $188,743Granted 1,526,450 $39.50 Exercised (807,846) $12.50 Canceled (744,953) $27.67 Balance as of December 31, 2015 7,579,058 $16.88 5.9 $131,345Granted 2,120,633 $26.64 Exercised (1,399,157) $10.83 Canceled (772,854) $31.57 Balance as of December 31, 2016 7,527,680 $19.25 6.0 $101,717Granted 408,225 $40.82 Exercised (2,997,095) $11.05 Canceled (442,919) $33.29 Balance as of December 31, 2017 4,495,891 $25.29 6.6 $153,129Vested and expected to vest—December 31, 2017 4,242,256 $24.75 6.6 $146,791Exercisable—December 31, 2017 3,002,205 $21.90 5.8 $112,447The following table summarizes the outstanding and vested stock options at December 31, 2017 : Outstanding ExercisableExercise Price Number of Shares Weighted Average Exercise Price Per Share Weighted Average Remaining Contractual Life (Years) Number of Shares Weighted Average Exercise Price Per Share$2.60 - $4.40 471,051 $3.76 2.1 471,051 $3.76$4.80 - $13.60 458,565 $10.50 4.8 458,565 $10.50$16.68 - $25.17 605,184 $22.46 6.6 445,629 $21.59$25.56 - $25.56 969,674 $25.56 8.3 394,095 $25.56$26.58 - $26.86 478,043 $26.86 6.1 477,613 $26.86$30.58 - $31.67 456,331 $30.87 7.2 350,657 $30.66$34.97 - $37.28 559,687 $36.62 7.9 266,436 $36.81$38.40 - $40.89 369,970 $39.57 7.7 100,054 $40.72$52.14 - $52.14 57,886 $52.14 6.7 38,105 $52.14$52.60 - $52.60 69,500 $52.60 9.8 — $— 4,495,891 $25.29 6.6 3,002,205 $21.90The weighted-average grant date fair value of the Company’s stock options granted during 2017 , 2016 and 2015 was $18.03 , $11.12 and$16.51 , respectively. The aggregate grant date fair value of the Company’s stock options granted during 2017 , 2016 and 2015 was $7.4 million ,$23.6 million and $25.2 million , respectively.The intrinsic value of options exercised was $92.1 million , $25.0 million and $22.7 million during 2017 , 2016 and 2015 , respectively. Intrinsicvalue of an option is the difference between the fair value of the Company’s common stock at the time of exercise and the exercise price paid.85Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)Restricted StockThe terms and conditions of RSUs and RSAs, including vesting criteria and timing are set by the board of directors. The cost of RSUs andRSAs is determined using the fair value of the Company’s common stock on the date of the grant. Compensation cost is recognized on a straight-line basis over the requisite service period of each grant adjusted for estimated forfeitures.A summary of the Company’s RSUs and RSAs activity is as follows: Number ofShares Weighted-Average GrantDate Fair Value PerShareBalance as of December 31, 2015 47,500 $37.28Granted 681,350 $28.52Vested (39,998) $27.49Cancelled (101,519) $31.12Balance as of December 31, 2016 587,333 $28.85Granted 1,326,849 $42.69Vested (368,367) $33.52Cancelled (135,227) $32.04Balance as of December 31, 2017 1,410,588 $40.34Expected to vest as of December 31, 2017 1,239,124 $39.87As of December 31, 2017 , the Company had $44.6 million of unrecognized compensation cost related to unvested awards that it expects torecognize over a weighted-average period of 2.9 years.401(k) PlanThe Company’s 401(k) Plan (the “401(k) Plan”) was established in 2000 to provide retirement and incidental benefits for its employees. Asallowed under section 401(k) of the Internal Revenue Code, the 401(k) Plan provides tax-deferred salary deductions for eligible employees.Contributions to the 401(k) Plan are limited to a maximum amount as set periodically by the Internal Revenue Service. During the years endedDecember 31, 2017 and 2016, the Company made contributions to the 401(k) Plan of $1.1 million and $0.6 million , respectively. During the yearended December 31, 2015, the Company made no contribution to the 401(k) Plan.86Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)NOTE 8.Other Expense, NetOther expense, net consists of the following: Year Ended December 31, 2017 2016 2015 (in thousands)Foreign exchange losses $(355) $(770) $(444)Other expense (181) (202) (406)Other expense, net $(536) $(972) $(850)87Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)NOTE 9.Income TaxesThe Company’s geographical breakdown of income before income taxes is as follows: Year Ended December 31, 2017 2016 2015 (in thousands)Domestic $34,914 $28,982 $22,540Foreign 4,464 1,447 1,980Income before income taxes $39,378 $30,429 $24,520The provision for (benefit from) income taxes consists of the following: Year Ended December 31, 2017 2016 2015 (in thousands)Current Federal $22 $8,334 $115State 23 1,125 1,041Foreign 1,471 963 693Total current provision 1,516 10,422 1,849Deferred Federal (1,650) 611 7,115State (996) 126 (247)Foreign 68 46 (62)Total deferred (benefit) provision (2,578) 783 6,806Total (benefit from) provision for income taxes $(1,062) $11,205 $8,655The reconciliation of the statutory federal income tax rate to the Company’s effective tax rate is as follows: Year Ended December 31, 2017 2016 2015Federal statutory rate 35.0 % 35.0 % 35.0 %State taxes (2.1) 2.1 2.2Stock-based compensation (58.1) 2.4 0.5Foreign source income (0.2) 0.9 0.6Change in valuation allowance 2.8 1.3 1.3Federal rate adjustment (due to 2017 Tax Act) 26.4 — —Federal and state research and development credit (5.3) (3.6) (3.9)Other (1.2) (1.3) (0.4)(Benefit from) provision for income taxes (2.7)% 36.8 % 35.3 %On December 22, 2017, the Tax Cuts and Jobs Act (the “2017 Tax Act”) was enacted into law. The new legislation contains several key taxprovisions that impact the Company, including the reduction of the corporate income tax rate from 35% to 21% effective January 1, 2018. The newlegislation also includes a variety of other changes, such as a one-time repatriation tax on accumulated foreign earnings (transition tax), accelerationof business asset expensing, and reduction in the amount of executive pay that could qualify as a tax deduction, among others. We have estimatedour provision for income taxes in accordance with the 2017 Tax Act and guidance available as of the date of this filing and as a result have recorded$10.4 million as additional income tax expense due to the re-measurement of certain88Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)deferred tax assets and liabilities as a result of the reduction of the federal tax rate. No deferred taxes were recorded for the newly introducedprovisions for Global Intangible Low Tax Income ("GILTI"), and no amount related to the one-time transition tax on the mandatory deemedrepatriation of foreign earnings was recorded due to cumulative foreign losses of our subsidiaries.On December 22, 2017, Staff Accounting Bulletin No. 118 ("SAB 118") was issued to address the application of US GAAP in situations when aregistrant does not have the necessary information available, prepared, or analyzed (including computations) in reasonable detail to complete theaccounting for certain income tax effects of the 2017 Tax Act. In accordance with SAB 118, we have determined that the $10.4 million of thedeferred tax expense recorded in connection with the re-measurement of certain deferred tax assets and liabilities and the $0 amount of transitiontax on the mandatory deemed repatriation of foreign earnings were provisional amounts and reasonable estimates at December 31, 2017. Acomprehensive analysis of GILTI, for which additional guidance is expected from the U.S. Internal Revenue Service, is required to finalize theamounts of our deferred tax assets and liabilities and a detailed analysis of historical foreign earnings and the potential correlative adjustments willbe performed to verify the transitional tax does not apply. Subsequent adjustments resulting from the additional analysis to be completed will berecorded to current tax expense in the quarter of 2018 when the analysis is complete.The 2017 Tax Act includes a mandatory one-time tax on accumulated earnings of foreign subsidiaries, and as a result, all previouslyunremitted earnings are no longer subject to U.S. tax after 2017. Depending on the jurisdiction, distributions of earnings could be subject towithholding taxes at rates applicable to the distributing jurisdiction. As the Company intends to continue to reinvest the earnings of foreignsubsidiaries indefinitely, no U.S. income taxes or foreign withholding taxes have been provided on undistributed earnings earned by our foreignsubsidiaries. The Company’s share of undistributed earnings of foreign subsidiaries that could be subject to foreign withholding taxes was $9.0million and $5.7 million as of December 31, 2017 and 2016, respectively. Determination of the amount of unrecognized deferred tax liability fortemporary differences related to investments in these non-U.S. subsidiaries that are essentially permanent in duration is not practicable.As a result of the adoption of ASU 2016-09 on January 1, 2017 we recorded a cumulative effect adjustment to increase retained earnings by $7.7 million with a corresponding increase to deferred tax assets for the federal and state net operating losses and federal research creditsattributable to excess tax benefits from stock-based compensation which had not been previously recognized. All excess tax benefits anddeficiencies in the current and future periods will be recognized as income tax expense in our Consolidated Statement of Operations in the reportingperiod in which they occur. This will result in increased volatility in our effective tax rate. For the year ended December 31, 2017, we recognized abenefit of $27.1 million related to the excess tax benefits.Deferred Income TaxesDeferred income taxes reflect the tax effects of temporary differences between the carrying amounts of assets and liabilities for financialreporting purposes and the amounts used for income tax purposes. The components of the Company’s deferred tax assets and liabilities are asfollows: 89Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued) December 31, 2017 2016 (in thousands)Deferred tax assets Net operating loss carryforwards $8,947 $1,472Research and development credit carryforwards 11,493 3,334Foreign tax credit carryforwards 1,149 —Accrued liabilities 470 681Deferred revenues 3,416 5,018Deferred rent 558 74Intangible assets 409 409Stock-based compensation 7,135 12,513Other 638 1,225Gross deferred tax assets 34,215 24,726Valuation allowance (5,773) (3,688)Net deferred tax assets 28,442 21,038Deferred tax liabilities Fixed assets (3,372) (4,448)Intangible assets (4) —Total deferred tax liabilities (3,376) (4,448)Net deferred tax assets $25,066 $16,590Realization of deferred tax assets is dependent upon future earnings, if any, and the timing and amount of such assets are uncertain. TheCompany believes it is more likely than not that its California deferred tax assets will not be realized because the income attributed to California isnot expected to be sufficient to recognize these deferred tax assets. Accordingly, the Company continues to record the valuation allowance of $5.8million as of December 31, 2017 for its California deferred tax assets. During the year ended December 31, 2017, the valuation allowance hadincreased by $2.1 million to $5.8 million .At December 31, 2017, the Company had federal and state net operating loss carryforwards of approximately $39.1 million and $15.3 million ,respectively, available to reduce federal and state taxable income. Federal net operating losses begin to expire in 2021 , and state net operatinglosses expire from 2029 to 2037 . Utilization of the Company’s net operating loss carryforwards may be subject to an annual limitation due to theownership change limitations provided by the Internal Revenue Code and similar state provisions. Such an annual limitation could result in theexpiration of the net operating loss carryforwards before utilization. As of December 31, 2017, the Company had $8.7 million of federal and $8.7million of state research and development credit carryforwards. Federal research and development credits expire in the years 2022 to 2037 . Stateresearch and development credits do not expire. As of December 31, 2017, the Company had foreign tax credit carryforwards of $1.1 million whichexpire in the years 2024 to 2027 .The evaluation of an unrecognized tax position is a two-step process. The first step requires the Company to determine whether it is more likelythan not that a tax position will be sustained upon examination based on the technical merits of the position. The second step requires the Companyto recognize in the financial statement each tax position that meets the more likely than not criteria, measured at the amount of benefit that has agreater than fifty percent likelihood of being realized.A reconciliation of the Company’s unrecognized tax benefits is as follows:90Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued) Year Ended December 31, 2017 2016 2015 (in thousands)Unrecognized tax benefits beginning balance $4,071 $3,506 $3,330Gross increase for tax positions of prior years 66 2 20Gross decrease for tax positions of prior years — (15) (171)Gross increase for tax positions of current year 1,101 659 418Lapse of statute of limitations (126) (81) (91)Total unrecognized tax benefits $5,112 $4,071 $3,506The unrecognized tax benefits, if recognized, would impact the income tax provision by $2.8 million , $2.4 million and $2.1 million as ofDecember 31, 2017 , 2016 and 2015 , respectively. The Company has elected to include interest and penalties as a component of income tax expense. The amounts were not material for 2017 ,2016 and 2015 .The Company files income tax returns in the United States, including various state jurisdictions. The Company’s subsidiaries file tax returns invarious foreign jurisdictions. The tax years 2012 to 2017 remain open to examination by the major taxing jurisdictions in which the Company issubject to tax, with the exception of France which remains open to examination for the 2013 through 2017 tax years only. As of December 31, 2017 ,the Company was not under examination by the Internal Revenue Service or any foreign or state tax jurisdiction.A retroactive and permanent reinstatement of the federal research and development tax credit was signed into law on December 18, 2015 inaccordance with the Protecting Americans from Tax Hikes Act of 2015. The Company recorded a 2017 federal research and development credit of$1.3 million , net of reserves, in the fourth quarter of 2017 . The California research and development credit estimated for 2017 , net of reserves, is$1.3 million .91Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)NOTE 10.Segment Information and Information about Geographic AreaThe Company operates in one segment. The Company’s chief operating decision maker is the Chairman, President and Chief ExecutiveOfficer, who makes operating decisions, assesses performance and allocates resources on a consolidated basis. All of the Company’s principaloperations and decision-making functions are located in the United States. Revenues by geographic area, based on the location of the customer,are as follows: Year Ended December 31, 2017 2016 2015 (in thousands)United States $162,681 $139,743 $115,384Foreign 68,147 58,182 48,900Total revenues $230,828 $197,925 $164,284Property and equipment, net, by geographic area, are as follows: December 31, 2017 2016 (in thousands)United States $50,785 $30,733Foreign 7,772 8,668Total property and equipment, net $58,557 $39,40192Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)NOTE 11.Net Income Per ShareThe computations for basic and diluted net income per share are as follows: Year Ended December 31, 2017 2016 2015 (in thousands, except per share data)Numerator: Net income - basic and diluted $40,440 $19,224 $15,865 Denominator: Weighted-average shares used in computing net income per share - basic 37,443 35,247 34,050Effect of potentially dilutive securities: Common stock options 2,262 3,052 4,134RSUs 366 70 —Weighted-average shares used in computing net income per share - diluted 40,071 38,369 38,184Net income per share: Basic $1.08 $0.55 $0.47Diluted $1.01 $0.50 $0.42Potentially dilutive securities not included in the calculation of diluted net income per share because doing so would be antidilutive are as follows: Year Ended December 31, 2017 2016 2015 (in thousands)Common stock options 742 3,241 1,582RSUs 71 24 —93Qualys, Inc.NOTES TO CONSOLIDATED FINANCIAL STATEMENTS (Continued)NOTE 12.Selected Quarterly Financial Information (Unaudited)The following table shows a summary of the Company's quarterly financial information for each of the quarters in the two-year period endedDecember 31, 2017 : Three Months Ended Mar. 31,2016 Jun. 30,2016 Sep. 30,2016 Dec 31, 2016 Mar. 31,2017 Jun. 30,2017 Sep. 30, 2017 Dec. 31,2017 (unaudited) (in thousands, except per share data)Revenues$46,248 $48,466 $50,987 $52,224 $53,121 $55,302 $59,490 $62,915Income from operations7,597 5,712 7,987 8,811 7,656 9,009 10,849 9,729Other income (expense), net168 40 230 (116) 453 360 671 652Income before income taxes7,765 5,752 8,217 8,695 8,109 9,369 11,520 10,381Net income4,783 3,538 4,996 5,907 21,930 7,202 8,452 2,857Net income per share: Basic$0.14 $0.10 $0.14 $0.17 $0.60 $0.19 $0.22 $0.07Diluted$0.13 $0.09 $0.13 $0.15 $0.56 $0.18 $0.21 $0.0794Table of ContentsItem 9.Changes In and Disagreements with Accountants on Accounting and Financial DisclosureNone.Item 9A.Controls and ProceduresEvaluation of Disclosure Controls and ProceduresOur management, with the participation of our Chief Executive Officer and our Chief Financial Officer, evaluated the effectiveness of ourdisclosure controls and procedures as of December 31, 2017 . The term “disclosure controls and procedures,” as defined in Rules 13a-15(e) and15d-15(e) under the Exchange Act, means controls and other procedures of a company that are designed to ensure that information required to bedisclosed by a company in the reports that it files or submits under the Exchange Act is recorded, processed, summarized and reported, within thetime periods specified in the Securities and Exchange Commission’s rules and forms. Disclosure controls and procedures include, without limitation,controls and procedures designed to ensure that information required to be disclosed by a company in the reports that it files or submits under theExchange Act is accumulated and communicated to the company’s management, including its principal executive and principal financial officers, asappropriate to allow timely decisions regarding required disclosure. Management recognizes that any controls and procedures, no matter how welldesigned and operated, can provide only reasonable assurance of achieving their objectives and management necessarily applies its judgment inevaluating the cost-benefit relationship of possible controls and procedures. Based on the evaluation of our disclosure controls and procedures as ofDecember 31, 2017 , our Chief Executive Officer and Chief Financial Officer concluded that, as of such date, our disclosure controls and procedureswere effective at the reasonable assurance level.Management's Annual Report on Internal Control over Financial ReportingOur management is responsible for establishing and maintaining adequate internal control over financial reporting, as such term is defined inRules 13a-15(f) and 15d-15(f) of the Exchange Act. Our internal control over financial reporting is a process designed to provide reasonableassurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance withU.S. generally accepted accounting principles, or GAAP. Our internal control over financial reporting includes those policies and procedures that:(i) pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of our assets,(ii) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance withGAAP, and that our receipts and expenditures are being made only in accordance with authorizations of our management and directors, and(iii) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of our assets that couldhave a material effect on our financial statements.Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of anyevaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or thatthe degree of compliance with the policies or procedures may deteriorate.Under the supervision and with the participation of our management, including our Chief Executive Officer and Chief Financial Officer, we conductedan evaluation of the effectiveness of our internal control over financial reporting as of December 31, 2017 based on the criteria established in the2013 Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission, or COSO. Basedon our evaluation under the criteria set forth in the 2013 Internal Control - Integrated Framework issued by the COSO, our management concludedour internal control over financial reporting was effective as of December 31, 2017 .The effectiveness of the Company's internal control over financial reporting as of December 31, 2017 has been audited by Grant Thornton LLP,an independent registered public accounting firm, as stated in its report, which is included in Item 8 of this Annual Report on Form 10-K.95Table of ContentsChanges in Internal Control over Financial ReportingThere was no change in our internal control over financial reporting identified in connection with the evaluation required by Rule 13a-15(d) and15d-15(d) of the Exchange Act that occurred during the fourth quarter ended December 31, 2017 that has materially affected, or is reasonably likelyto materially affect, our internal control over financial reporting.Item 9B.Other InformationNone.96Table of ContentsPART IIIItem 10.Directors, Executive Officers and Corporate GovernanceExecutive Officers and DirectorsExcept as set forth below, the information required by this item is incorporated by reference to our Proxy Statement for our 2018 AnnualMeeting of Stockholders to be filed with the SEC within 120 days after the end of the fiscal year ended December 31, 2017 .Codes of Business Conduct and EthicsOur board of directors has adopted a code of business conduct and ethics that applies to all of our employees, officers and directors, includingour Chief Executive Officer, Chief Financial Officer and other executive and senior financial officers. The code of business conduct and ethics isavailable on our website. We expect that, to the extent required by law, any amendments to the code, or any waivers of its requirements, will bedisclosed on our website. We intend to disclose any waiver to the provisions of the code of business conduct and ethics that applies specifically todirectors or executive officers by filing such information on a Current Report on Form 8-K with the SEC, to the extent such filing is required by theNASDAQ Stock Market ' s listing requirements; otherwise, we will disclose such waiver by posting such information on our website.Item 11.Executive CompensationThe information required by this item is incorporated by reference to our Proxy Statement for our 2018 Annual Meeting of Stockholders to befiled with the SEC within 120 days after the end of the fiscal year ended December 31, 2017 .Item 12.Security Ownership of Certain Beneficial Owners and Management and Related StockholderMattersSecurity Ownership of Certain Beneficial Owners and ManagementThe information required by this item with respect to Item 403 of Regulation S-K regarding security ownership of certain beneficial owners andmanagement is incorporated by reference to our Proxy Statement for our 2018 Annual Meeting of Stockholders to be filed with the SEC within120 days after the end of the fiscal year ended December 31, 2017 . For the information required by this item with respect to Item 201(d) ofRegulation S-K regarding securities authorized for issuance under equity compensation plans, see “Item 5: Market for Registrant’s Common Equity,Related Stockholder Matters and Issuer Purchases of Equity Securities—Securities Authorized for Issuance under Equity Compensation Plans.”Item 13.Certain Relationships and Related Transactions, and Director IndependenceThe information required by this item is incorporated by reference to our Proxy Statement for our 2018 Annual Meeting of Stockholders to befiled with the SEC within 120 days after the end of the fiscal year ended December 31, 2017 .Item 14.Principal Accounting Fees and ServicesThe information required by this item is incorporated by reference to our Proxy Statement for our 2018 Annual Meeting of Stockholders to befiled with the SEC within 120 days after the end of the fiscal year ended December 31, 2017 .97Table of ContentsPART IVItem 15.Exhibits and Financial Statement Schedules(a)(1) Financial Statements - The financial statements filed as part of this Annual Report on Form 10-K are listed on the Index to ConsolidatedFinancial Statements in Item 8.(a)(2) Financial Statement SchedulesSCHEDULE IISUPPLEMENTARY CONSOLIDATED FINANCIAL STATEMENT SCHEDULEVALUATION AND QUALIFYING ACCOUNTS(in thousands) Additions Balance at Beginningof Year Charged to Costs andExpenses Deductions and Other(1) Balance at End ofYearAllowance for Doubtful Accounts Year Ended December 31, 2017 $702 $657 $(543)$816Year Ended December 31, 2016 $769 $199 $(266)$702Year Ended December 31, 2015 $590 $851 $(672)$769(1) Primarily represents write-offs of uncollectible accounts, net of recoveries.All other schedules have been omitted because they are not required, not applicable, or the required information is otherwise included.(b) Exhibits Incorporated by ReferenceExhibit DescriptionFiledHerewithFormFile No.Exhibit No.Filing DateNumber 3.1 Amended and Restated Certificate of Incorporation of Qualys,Inc. S-1/A333-1820273.3September 12, 2012 3.2 Amended and Restated Bylaws of Qualys, Inc. S-1/A333-1820273.5September 12, 2012 4.1 Form of common stock certificate. S-1/A333-1820274.1September 12, 2012 10.1* 2000 Equity Incentive Plan, as amended, and the form of stockoption agreement thereunder. S-1333-18202710.1June 8, 2012 10.2* 2012 Equity Incentive Plan and forms of agreementsthereunder. S-1/A333-18202710.2September 12, 2012 10.3* Offer Letter, between Qualys, Inc. and Philippe F. Courtot,dated December 7, 2000. S-1333-18202710.3June 8, 2012 10.4* Offer Letter, between Qualys, Inc. and Amer S. Deeba, datedSeptember 4, 2001. S-1333-18202710.4June 8, 2012 10.5* Offer Letter, between Qualys, Inc. and Sumedh S. Thakar,dated January 20, 2003. S-1333-18202710.5June 8, 2012 10.6* Offer Letter, between Qualys, Inc. and Melissa B. Fisher, datedApril 15, 2016 . 8-K001-3566210.1May 2, 2016 10.7* Offer Letter, between Qualys, Inc. and Bruce K. Posey, datedMay 8, 2012. S-1333-18202710.9June 8, 2012 10.8* Form of director and executive officer indemnificationagreement. S-1/A333-18202710.10August 10, 2012 10.9 Lease Agreement, between Qualys, Inc. and Hudson MetroCenter, LLC, dated October 14, 2016. 8-K001-3566210.1October 19, 2016 10.10* Qualys, Inc. Executive Performance Bonus Plan. Schedule 14A,Appendix A001-35662N/AApril 25, 2016 10.11*† Qualys, Inc. 2016 Corporate Bonus Plan, as amended. 10-Q135,662,00010.3August 4, 2016 10.12 Master Services Agreement, between Qualys, Inc. and SavvisCommunications Corporation, dated June 22, 2010. S-1/A333-18202710.14September 12, 2012 10.13† Master Agreement, between Qualys, Inc. and InterouteCommunications Limited, dated March 31, 2008. S-1/A333-18202710.15September 12, 2012 10.14† Manufacturing Services Agreement, between Qualys, Inc. andSynnex Corporation, dated March 1, 2011. S-1/A333-18202710.16September 12, 2012 21.1 List of subsidiaries of Qualys, Inc.X 23.1 Consent of Grant Thornton LLP, independent registered publicaccounting firm.X 31.1 Certification of Chief Executive Officer pursuant to Rule 13a-14(a) or Rule 15d-14(a) of the Securities Exchange Act of 1934,as adopted pursuant to Section 302 of The Sarbanes-Oxley Actof 2002.X 31.2 Certification of Chief Financial Officer pursuant to Rule 13a-14(a) or Rule 15d-14(a) of the Securities Exchange Act of 1934,as adopted pursuant to Section 302 of The Sarbanes-Oxley Actof 2002.X 32.1 Certification of Chief Executive Officer pursuant to Rule 13a-14(b) or Rule 15d-14(b) of the Securities Exchange Act of 1934and 18 U.S.C. Section 1350 as adopted pursuant to Section906 of The Sarbanes-Oxley Act of 2002.X 32.2 Certification of Chief Financial Officer pursuant to Rule 13a-14(b) or Rule 15d-14(b) of the Securities Exchange Act of 1934and 18 U.S.C. Section 1350 as adopted pursuant to Section906 of The Sarbanes-Oxley Act of 2002.X 101.INS XBRL Instance DocumentX 101.SCH XBRL Taxonomy Extension Schema DocumentX 101.CAL XBRL Taxonomy Extension Calculation Linkbase DocumentX 101.DEF XBRL Taxonomy Extension Definition LinkbaseX 101.LAB XBRL Taxonomy Extension Labels Linkbase DocumentX 101.PRE XBRL Taxonomy Extension Presentation Linkbase DocumentX *Indicates a management contract or compensatory plan orarrangement. †Portions of this exhibit have been omitted due to adetermination by the Securities and Exchange Commission thatthese portions should be granted confidential treatment. 98Table of ContentsSIGNATURESPursuant to the requirements of Section 13 or 15(d) of the Securities Exchange Act of 1934, the registrant has duly caused this Annual Reporton Form 10-K to be signed on its behalf by the undersigned, thereunto duly authorized , in the City of Foster City, State of California on February 23,2018 . QUALYS, INC.By:/s/ PHILIPPE F. COURTOT Philippe F. Courtot Chairman, President and Chief Executive Officer (principal executive officer)Pursuant to the requirements of the Securities Exchange Act of 1934, this report has been signed below by the following persons on behalf ofthe Registrant and in the capacities indicated:Signature TitleDate /s/ PHILIPPE F. COURTOT Chairman, President and Chief Executive Officer(principal executive officer)February 23, 2018Philippe F. Courtot /s/ MELISSA B. FISHER Chief Financial Officer (principal financial andaccounting officer)February 23, 2018Melissa B. Fisher /s/ SANDRA E. BERGERON DirectorFebruary 23, 2018Sandra E. Bergeron /s/ DONALD R. DIXON DirectorFebruary 23, 2018Donald R. Dixon /s/ JEFFREY P. HANK DirectorFebruary 23, 2018Jeffrey P. Hank /s/ TODD P. HEADLEY DirectorFebruary 23, 2018Todd P. Headley /s/ GENERAL PETER PACE DirectorFebruary 23, 2018General Peter Pace /s/ KRISTI M. ROGERS DirectorFebruary 23, 2018Kristi M. Rogers 99Exhibit 21.1List of subsidiaries of Qualys, Inc.Name of Subsidiary Jurisdiction of IncorporationQualys International, Inc. United StatesQualys Brazil Desenvolvimento de Produtos e Consultoria de Tecnologias deSeguranca LTDA. BrazilQualys Canada, Ltd. CanadaQualys Technologies, S.A. FranceQualys GmbH GermanyQualys Hong Kong Limited Hong KongQualys Security TechServices Private Ltd. IndiaQualys Japan K.K. JapanQualys Singapore Pte. Ltd. SingaporeQualys Middle East FZE United Arab EmiratesQualys Ltd. United KingdomQualys Australia Pty Ltd. AustraliaQualys Switzerland Sarl SwitzerlandQualys Colombia S.A.S. ColombiaQualys South Africa Proprietary Limited South AfricaQualys Netherlands B.V. The NetherlandsExhibit 23.1CONSENT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRMWe have issued our reports dated February 23, 2018, with respect to the consolidated financial statements, schedule, and internal control overfinancial reporting included in the Annual report of Qualys, Inc. on Form 10-K for the year ended December 31, 2017. We consent to theincorporation by reference of said reports in the Registration Statements of Qualys, Inc. on Forms S-8 (File Nos. 333-184394, 333-193576,333-202587, 333-209735, and 333-216232)./s/ GRANT THORNTON LLPSan Jose, CaliforniaFebruary 23, 2018Exhibit 31.1CERTIFICATION OF CHIEF EXECUTIVE OFFICERPURSUANT TO RULE 13a-14(a) OR RULE 15d-14(a)OF THE SECURITIES EXCHANGE ACT OF 1934I, Philippe F. Courtot, certify that:1.I have reviewed this annual report on Form 10-K of Qualys, Inc.;2.Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to makethe statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period coveredby this report;3.Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respectsthe financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report;4.The registrant's other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined inExchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and15d-15(f)) for the registrant and have:(a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under oursupervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us byothers within those entities, particularly during the period in which this report is being prepared;(b) Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under oursupervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statementsfor external purposes in accordance with generally accepted accounting principles;(c) Evaluated the effectiveness of the registrant's disclosure controls and procedures and presented in this report our conclusions about theeffectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation;and(d) Disclosed in this report any change in the registrant's internal control over financial reporting that occurred during the registrant's mostrecent fiscal quarter (the registrant's fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonablylikely to materially affect, the registrant's internal control over financial reporting; and5.The registrant's other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, tothe registrant's auditors and the audit committee of the registrant's board of directors (or persons performing the equivalent functions):(a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which arereasonably likely to adversely affect the registrant's ability to record, process, summarize and report financial information; and(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internalcontrol over financial reporting.Date:February 23, 2018 By:/s/ PHILIPPE F. COURTOT Philippe F. Courtot Chairman, President and Chief Executive OfficerQualys, Inc. Exhibit 31.2CERTIFICATION OF CHIEF FINANCIAL OFFICERPURSUANT TO RULE 13a-14(a) OR RULE 15d-14(a)OF THE SECURITIES EXCHANGE ACT OF 1934I, Melissa B. Fisher, certify that:1.I have reviewed this annual report on Form 10-K of Qualys, Inc.;2.Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to makethe statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period coveredby this report;3.Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respectsthe financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report;4.The registrant's other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined inExchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and15d-15(f)) for the registrant and have:(a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under oursupervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us byothers within those entities, particularly during the period in which this report is being prepared;(b) Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under oursupervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statementsfor external purposes in accordance with generally accepted accounting principles;(c) Evaluated the effectiveness of the registrant's disclosure controls and procedures and presented in this report our conclusions about theeffectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation;and(d) Disclosed in this report any change in the registrant's internal control over financial reporting that occurred during the registrant's mostrecent fiscal quarter (the registrant's fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonablylikely to materially affect, the registrant's internal control over financial reporting; and5.The registrant's other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, tothe registrant's auditors and the audit committee of the registrant's board of directors (or persons performing the equivalent functions):(a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which arereasonably likely to adversely affect the registrant's ability to record, process, summarize and report financial information; and(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internalcontrol over financial reporting.Date:February 23, 2018 By:/s/ MELISSA B. FISHER Melissa B. Fisher Chief Financial OfficerQualys, Inc.Exhibit 32.1CERTIFICATION OF CHIEF EXECUTIVE OFFICERPURSUANT TO RULE 13a-14(b) OR RULE 15d-14(b)OF THE SECURITIES EXCHANGE ACT OF 1934 AND 18 U.S.C. SECTION 1350In connection with the Annual Report of Qualys, Inc. (the “Company”) on Form 10-K for the year ended December 31, 2017 , as filed with theSecurities and Exchange Commission on the date hereof (the “Report”), I, Philippe F. Courtot, Chairman, President and Chief Executive Officer ofthe Company, certify, pursuant to 18 U.S.C. § 1350, as adopted pursuant to § 906 of the Sarbanes-Oxley Act of 2002, that, to the best of myknowledge: (1) The Report fully complies with the requirements of Section 13(a) or 15(d) of the Securities Exchange Act of 1934; and (2) The information contained in the Report fairly presents, in all material respects, the financial condition and results of operations of theCompany.Date:February 23, 2018 By:/s/ PHILIPPE F. COURTOT Philippe F. Courtot Chairman, President and Chief Executive OfficerQualys, Inc. Exhibit 32.2CERTIFICATION OF CHIEF FINANCIAL OFFICERPURSUANT TO RULE 13a-14(b) OR RULE 15d-14(b)OF THE SECURITIES EXCHANGE ACT OF 1934 AND 18 U.S.C. SECTION 1350In connection with the Annual Report of Qualys, Inc. (the “Company”) on Form 10-K for the year ended December 31, 2017 , as filed with theSecurities and Exchange Commission on the date hereof (the “Report”), I, Melissa B. Fisher, Chief Financial Officer of the Company, certify,pursuant to 18 U.S.C. § 1350, as adopted pursuant to § 906 of the Sarbanes-Oxley Act of 2002, that, to the best of my knowledge: (1) The Report fully complies with the requirements of Section 13(a) or 15(d) of the Securities Exchange Act of 1934; and (2) The information contained in the Report fairly presents, in all material respects, the financial condition and results of operations of theCompany.Date:February 23, 2018 By:/s/ MELISSA B. FISHER Melissa B. Fisher Chief Financial OfficerQualys, Inc.
Continue reading text version or see original annual report in PDF format above