Table of Contents
UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
___________________________________________
FORM 10-K
___________________________________________
x
Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934
For the Fiscal Year Ended December 31, 2024
or
o
Transition Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934
For the transition period from to
Commission file number 001-35662
___________________________________________
QUALYS, INC.
(Exact name of registrant as specified in its charter)
___________________________________________
Delaware
77-0534145
(State or other jurisdiction of
incorporation or organization)
(I.R.S. Employer
Identification Number)
919 E. Hillsdale Boulevard, 4th Floor, Foster City, California 94404
(Address of principal executive offices, including zip code)
(650) 801-6100
(Registrant’s telephone number, including area code)
___________________________________________
Securities registered pursuant to section 12(b) of the Act:
Title of each class
Trading Symbol(s)
Name of exchange on which registered
Common stock, $0.001 par value per share
QLYS
NASDAQ Stock Market
Securities registered pursuant to section 12(g) of the Act: None
Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act.
Yes x No o
Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or Section 15(d) of the Act. Yes o No x
Indicate by check mark whether the registrant (1) has filed all reports required to be filed by Section 13 or 15(d) of the Securities Exchange Act of 1934
during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing
requirements for the past 90 days. Yes x No o
Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of
Regulation S-T during the preceding 12 months (or for such shorter period that the registrant was required to submit such files). Yes x No o
Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or an
emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” “smaller reporting company,” and “emerging growth
company” in Rule 12b-2 of the Exchange Act.
Large accelerated filer
x
Accelerated filer
o
Non-accelerated filer
o
Smaller reporting company
o
Emerging growth company
o
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new
or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. o
Indicate by check mark whether the registrant has filed a report on and attestation to its management’s assessment of the effectiveness of its internal control
over financial reporting under Section 404(b) of the Sarbanes-Oxley Act (15 U.S.C. 7262(b)) by the registered public accounting firm that prepared or
issued its audit report. x
If securities are registered pursuant to Section 12(b) of the Act, indicate by check mark whether the financial statements of the registrant included in the
filing reflect the correction of an error to previously issued financial statements. o
Indicate by check mark whether any of those error corrections are restatements that required a recovery analysis of incentive-based compensation received
by any of the registrant’s executive officers during the relevant recovery period pursuant to §240.10D-1(b). o
Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act). Yes o No x
As of June 30, 2024, the aggregate market value of voting shares of common stock held by non-affiliates of the registrant was $3,908 million based on the
last reported sale price of the registrant's common stock on June 30, 2024. Shares of common stock held by each executive officer and director and by each
person who owns 10% or more of the outstanding common stock have been excluded in that such persons may be deemed to be affiliates. This
determination of affiliate status is not necessarily a conclusive determination for other purposes.
The number of shares of the registrant's common stock outstanding as of February 11, 2025 was 36,477,672 shares.
DOCUMENTS INCORPORATED BY REFERENCE
Portions of the registrant's Proxy Statement for its 2025 Annual Meeting of Stockholders are incorporated by reference in Part III of this Annual Report on
Form 10-K where indicated. Such proxy statement will be filed with the Securities and Exchange Commission within 120 days of the registrant's fiscal year
ended December 31, 2024.
Table of Contents
Qualys, Inc.
TABLE OF CONTENTS
Page
Risk Factor Summary
3
Note Regarding Forward-Looking Statements
5
PART I
Item 1.
Business
6
Item 1A.
Risk Factors
15
Item 1B.
Unresolved Staff Comments
36
Item 1C.
Cybersecurity
36
Item 2.
Properties
38
Item 3.
Legal Proceedings
38
Item 4.
Mine Safety Disclosures
38
PART II
Item 5.
Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities
39
Item 6.
[Reserved]
41
Item 7.
Management's Discussion and Analysis of Financial Condition and Results of Operations
42
Item 7A.
Quantitative and Qualitative Disclosures About Market Risk
50
Item 8.
Financial Statements and Supplementary Data
52
Item 9.
Changes in and Disagreements with Accountants on Accounting and Financial Disclosure
87
Item 9A.
Controls and Procedures
87
Item 9B.
Other Information
88
Item 9C.
Disclosure Regarding Foreign Jurisdictions that Prevent Inspections
88
PART III
Item 10.
Directors, Executive Officers and Corporate Governance
89
Item 11.
Executive Compensation
89
Item 12.
Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters
89
Item 13.
Certain Relationships and Related Transactions, and Director Independence
90
Item 14.
Principal Accountant Fees and Services
90
PART IV
Item 15.
Exhibits and Financial Statement Schedules
91
Item 16.
Form 10-K Summary
93
Signatures
94
2
Table of Contents
RISK FACTOR SUMMARY
Our business is subject to significant risks and uncertainties that make an investment in us speculative and risky. Below we summarize what we
believe are the principal risk factors but these risks are not the only ones we face, and you should carefully review and consider the full discussion of our
risk factors in the section titled “Risk Factors,” together with the other information in this Annual Report on Form 10-K. If any of the following risks
actually occurs (or if any of those listed elsewhere in this Annual Report on Form 10-K occur), our business, reputation, financial condition, results of
operations, revenue, and future prospects could be seriously harmed. Additional risks and uncertainties that we are unaware of, or that we currently believe
are not material, may also become important factors that adversely affect our business.
•
Our quarterly and annual operating results may vary from period to period, which could result in our failure to meet expectations with
respect to operating results and cause the trading price of our stock to decline.
•
If we do not successfully anticipate market needs and opportunities or are unable to enhance our solutions and develop new solutions that
meet those needs and opportunities on a timely or cost-effective basis, we may not be able to compete effectively and our business and
financial condition may be harmed.
•
If we fail to continue to effectively scale and adapt our platform to meet the performance and other requirements of our customers, our
operating results and our business would be harmed.
•
If we are unable to renew existing subscriptions for our IT, security and compliance solutions, sell additional subscriptions for our
solutions and attract new customers, our operating results would be harmed.
•
Our current research and development efforts may not produce successful products or enhancements to our platform that result in
significant revenue, cost savings or other benefits in the near future.
•
Our platform, products, website and internal systems may be subject to intentional disruption or other security incidents that could result
in liability and adversely impact our reputation and future sales.
•
Our sales cycle can be long and unpredictable, and our sales efforts require considerable time and expense. As a result, revenues may
vary from period to period, which may cause our operating results to fluctuate and could harm our business.
•
Adverse economic conditions or reduced IT spending may adversely impact our business.
•
Our IT, security and compliance solutions are delivered from 14 shared cloud platforms, and any disruption of service at these facilities
would interrupt or delay our ability to deliver our solutions to our customers which could reduce our revenues and harm our operating
results.
•
We face competition in our markets, and we may lack sufficient financial or other resources to maintain or improve our competitive
position.
•
The sales prices of our solutions are subject to competitive pressures and may decrease, which may reduce our gross profits and adversely
impact our financial results.
•
If our solutions fail to detect vulnerabilities or incorrectly detect vulnerabilities, our brand and reputation could be harmed, which could
have an adverse effect on our business and results of operations.
3
Table of Contents
•
If we are unable to recruit and retain qualified sales personnel, sales of our solutions and the growth of our business would be harmed.
•
We rely on third-party channel partners to generate a substantial amount of our revenues, and if we fail to effectively manage our
distribution channels, our revenues could decline and our growth prospects could suffer.
•
A significant portion of our customers, channel partners and employees are located outside of the United States, which subjects us to a
number of risks associated with conducting international operations, and if we are unable to successfully manage these risks, our business
and operating results could be harmed.
•
Our business and operations have continued to grow since inception, and if we do not appropriately manage any future growth, or are
unable to improve our systems and processes, our operating results may be negatively affected.
•
We depend on the continued services and performance of our senior management and other key employees, the loss of any of whom
could adversely affect our business, operating results and financial condition.
•
If we are unable to hire, retain and motivate qualified personnel, our business may suffer.
•
A portion of our revenues are generated by sales to government entities, which are subject to a number of challenges and risks.
•
Our success in acquiring and integrating other businesses, products or technologies could impact our financial position.
•
Undetected software errors or flaws in our solutions could harm our reputation, decrease market acceptance of our solutions or result in
liability.
•
Our solutions could be used to collect and store personal information of our customers’ employees or customers, and therefore privacy
and other data handling concerns could result in additional cost and liability to us or inhibit sales of our solutions.
•
We use AI/machine learning technologies in our solutions that could result in harm to our business and operating results.
•
Our solutions contain third-party open source software components, and our failure to comply with the terms of the underlying open
source software licenses could restrict our ability to sell our solutions.
•
We use third-party software and data that may be difficult to replace or cause errors or failures of our solutions that could lead to lost
customers or harm to our reputation and our operating results.
•
Failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.
•
Assertions by third parties of infringement or other violations by us of their intellectual property rights could result in significant costs
and harm our business and operating results.
4
Table of Contents
NOTE REGARDING FORWARD-LOOKING STATEMENTS
In addition to historical information, this Annual Report on Form 10-K contains “forward-looking” statements within the meaning of Section 21E of
the Securities Exchange Act of 1934, as amended, or the Exchange Act. Forward-looking statements generally relate to future events or our future financial
or operating performance. In some cases, it is possible to identify forward-looking statements because they contain words such as “anticipates,”
“believes,” “contemplates,” “continue,” “could,” “estimates,” “expects,” “future,” “intends,” “likely,” “may,” “plans,” “potential,” “predicts,”
“projects,” “seek,” “should,” “target,” or “will,” or the negative of these words or other similar terms or expressions that concern our expectations,
strategy, plans or intentions. Forward-looking statements contained in this Annual Report on Form 10-K include, but are not limited to, statements about:
•
our financial performance, including our revenues, costs, expenditures, growth rates, operating expenses and ability to generate positive
cash flow to fund our operations and sustain profitability;
•
anticipated technology trends, such as the use of cloud solutions, and use of artificial intelligence ("AI");
•
our ability to adapt to changing market conditions;
•
economic and financial conditions, including volatility in foreign exchange rates, inflation concerns, high interest rates, recessionary fears,
significant volatility of global markets, reduced spending and extended sales cycles, and geopolitical conflicts;
•
our ability to diversify our sources of revenues, including selling additional solutions to our existing customers and our ability to pursue new
customers;
•
the effects of increased competition in our market;
•
our ability to innovate and enhance our cloud solutions and platform and introduce new solutions;
•
our ability to effectively manage our growth;
•
our anticipated investments in sales and marketing, our infrastructure, new solutions, research and development, and acquisitions;
•
maintaining and enhancing our relationships with channel partners;
•
our ability to maintain, protect and enhance our brand and intellectual property;
•
costs associated with defending intellectual property infringement and other claims;
•
our ability to attract and retain qualified employees and key personnel, including sales and marketing personnel;
•
our ability to successfully enter new markets and manage our international expansion;
•
our expectations, assumptions and conclusions related to our income tax provision, our deferred tax assets and our effective tax rate;
•
our expectations regarding the performance of, and our future trading activity with respect to, the marketable securities we hold;
•
our expectations regarding our share repurchase program; and
•
other factors discussed in this Annual Report on Form 10-K in the sections titled “Risk Factors” and “Management's Discussion and
Analysis of Financial Condition and Results of Operations.”
We have based the forward-looking statements contained in this Annual Report on Form 10-K primarily on our current expectations and projections
about future events and trends that we believe may affect our business, financial condition, results of operations and prospects. The results, events and
circumstances reflected in these forward-looking statements are subject to risks, uncertainties, assumptions, and other factors including those described in
Part I, Item 1A (Risk Factors) of this Annual Report on Form 10-K and those discussed in other documents we file with the U.S. Securities and Exchange
Commission (SEC). Moreover, we operate in a very competitive and rapidly changing environment. New risks and uncertainties emerge from time to time,
and it is not possible for us to predict all risks and uncertainties that could have an impact on the forward-looking statements used herein. We cannot
provide assurance that the results, events, and circumstances reflected in the forward-looking statements will be achieved or occur, and actual results,
events or circumstances could differ materially from those described in the forward-looking statements.
You should not rely on forward-looking statements as predictions of future events. Except as required by law, neither we nor any other person assumes
responsibility for the accuracy and completeness of the forward-looking statements, and we undertake no obligation to update any forward-looking
statements to reflect events or circumstances after the date of such statements.
Qualys, the Qualys logo and other trademarks and service marks of Qualys appearing in this Annual Report on Form 10-K are the property of Qualys.
This Annual Report on Form 10-K also contains trademarks and trade names of other businesses that are the property of their respective holders. We have
omitted the ® and ™ designations, as applicable, for the trademarks used in this Annual Report on Form 10-K.
5
Table of Contents
PART I
Item 1. Business
Overview
We are a leading provider of a cloud-based platform delivering information technology (IT), security and compliance solutions. Our integrated suite
of IT, security and compliance solutions delivered on Qualys' Enterprise TruRisk Platform enables our customers to: 1) identify and manage their internal
and external IT and operational technology (OT) assets across on-premises, endpoints, cloud, containers, and mobile environments; 2) collect and analyze
large amounts of IT security data; 3) discover and prioritize vulnerabilities; 4) quantify cyber risk exposure; 5) recommend and implement remediation
actions; and 6) verify the implementation of such actions. This helps organizations protect their systems and applications from ever-evolving cyber-attacks
and helps achieve compliance with internal policies and external regulations.
Our cloud platform addresses the growing IT, security and compliance complexities and risks that are amplified by the dissolving boundaries
between IT infrastructures and web environments, the rapid adoption of cloud computing, containers and serverless IT models, and the proliferation of
geographically dispersed IT assets. Organizations use our integrated suite of solutions to cost-effectively obtain a unified view of their internal and external
IT and OT asset inventory as well as security and compliance posture across globally-distributed IT infrastructures as our solution offers a single platform
for information technology, information security, application security, endpoint, developer security and cloud teams.
IT infrastructures are more complex and globally-distributed today than ever before, as organizations of all sizes increasingly rely upon a myriad of
interconnected information systems and related assets, such as servers, databases, web applications, routers, switches, desktops, laptops, other physical and
virtual infrastructure, and numerous external networks and cloud services. In this environment, new and evolving digital technologies intended to improve
organizations’ operations can also increase vulnerability to cyber-attacks, which can expose sensitive data, damage IT and physical infrastructures, and
result in serious financial or reputational consequences. In addition, the rapidly increasing amount of data and devices in IT environments makes it more
difficult to identify and remediate vulnerabilities in a timely manner. The predominant approach to IT security has been to implement multiple disparate
security products that can be costly and difficult to deploy, integrate and manage and may not adequately protect organizations. As a result, we believe
there is a large and growing opportunity for comprehensive cloud-based IT, security and compliance solutions that detect, measure, prioritize and remediate
cyber risk delivered in a single platform.
We designed our cloud platform to transform the way organizations secure and protect their IT infrastructures and applications. Our cloud platform
offers an integrated suite of solutions that automates the lifecycle of asset discovery and management, security and compliance assessments, and
remediation for an organization’s IT infrastructure and assets, whether such infrastructure and assets reside inside the organization, on their network
perimeter, on endpoints or in the cloud. Since inception, our solutions have been designed to be delivered through the cloud and to be easily and rapidly
deployed on a global scale, enabling faster implementation and lower total cost of ownership than traditional on-premise enterprise software products. Our
customers, ranging from some of the largest global organizations to small businesses, are served from our globally-distributed cloud platform, enabling us
to rapidly deliver new solutions, enhancements and security updates.
We believe that our cloud platform provides our customers with unique advantages, including:
•
No hardware to buy or manage. There is no infrastructure or software to buy and maintain thus reducing our customers’ operating costs; all
services are accessible in the cloud via web interface. Qualys operates and maintains the platform.
•
Real-time visibility in one place, anytime and anywhere. Our customers can conveniently see their security and compliance posture across
their global IT and OT asset inventory in one browser window, without plugins or a virtual private network (VPN), whenever and wherever
Internet access is available.
•
Easy global scanning. Our customers can easily perform scans on geographically distributed and segmented networks at the perimeter, behind
the firewall, on dynamic cloud environments and on endpoints.
•
Seamless scaling. Our cloud platform is a scalable, comprehensive, and end-to-end solution for the IT, security and compliance needs of our
customers. Our customers can seamlessly add new coverage, users and services after they have deployed our platform.
•
Up to date resources. Qualys has one of the largest knowledge bases of vulnerability signatures in the industry. All security updates are made
in real-time.
•
Data stored securely. Data is securely stored and processed in a multi-tiered architecture of load-balanced servers. Our encrypted databases
are physically and logically secured.
6
Table of Contents
We were founded and incorporated in December 1999 with a vision of transforming the way organizations secure and protect their IT infrastructure
and applications and initially launched our first cloud solution, Vulnerability Management (VM), in 2000. As VM gained acceptance, we introduced
additional solutions to help customers manage increasing IT, security and compliance requirements. Today, the suite of solutions that we offer on our cloud
platform and refer to as the Qualys Cloud Apps help our customers detect, measure, prioritize and remediate cyber risk spanning a range of assets across
on-premises, endpoints, cloud, containers, and mobile environments.
We provide our solutions through a software-as-a-service model, primarily with renewable annual subscriptions. These subscriptions require
customers to pay a fee in order to access each of our cloud solutions. We generally invoice our customers for the entire subscription amount at the start of
the subscription term, and the invoiced amounts are treated as deferred revenues and are recognized ratably over the term of each subscription. We continue
to experience revenue growth from our existing customers as they renew and purchase additional subscriptions, as well as from the addition of new
customers to our cloud platform.
Our cloud platform is currently used by over 10,000 customers worldwide, including a majority of the Forbes Global 100. Our revenues increased to
$607.6 million in 2024 from $554.5 million in 2023 and $489.7 million in 2022.
Our Platform
Our cloud platform consists of a suite of IT security, compliance, web application security, asset management and cloud security solutions, which we
refer to as the Qualys Cloud Apps, that leverage our shared and extensible core services and our highly scalable multi-tenant cloud infrastructure. We also
provide open application program interfaces, or APIs, and other developer tools that allow third parties to embed our technology into their solutions and
build applications on our platform.
Our cloud platform utilizes physical and virtual sensors, and cloud agents that provide our customers with continuous visibility enabling customers
to respond to threats immediately. Customers can extend visibility to all known IT infrastructure using our Out-of-Band Configuration Assessment sensor
for systems that are air-gapped or otherwise difficult to assess.
Our cloud platform automatically gathers and analyzes security and compliance data in a scalable, state-of-the-art backend. The technology
underlying our cloud infrastructure enables us to ingest, process, analyze and store a high volume of sensor data coming from our agents, scanners and
passive analyzers, and correlate information at very high speeds in a distributed manner for millions of devices.
Our cloud platform is delivered to our customers via our 14 global shared cloud platforms, or via our private platform offering, Qualys Private Cloud
Platform (PCP), for customers or partners that want the platform to reside within the customer's shared cloud platform. The PCP is a standalone version of
our multi-layer, multi-tenant services architecture and is a fully integrated turnkey solution, making it more scalable, cost effective and faster to deploy
within a customer's shared cloud platform.
7
Table of Contents
Solutions delivered through our PCP are typically on the same subscription basis as solutions delivered through our shared platform. Our PCP utilizes
hardware and software owned by us and is physically located on the customer's premises. The customer is not permitted to take possession of the software
or access the software code. We also offer our PCP as a subscription-based platform services to the customer using a virtual version of our software. This
virtualized PCP allows us to extend our security and compliance solutions without the complexity and cost associated with deploying traditional enterprise
software.
Qualys Core Services
Our core services enable our customers to detect vulnerabilities, measure and remediate cyber risk through integrated workflows, management and
real-time analysis and reporting inside their organizations, on the perimeter, on endpoints or in the cloud.
Our core services constitute dynamic and customizable dashboards and centrally managed, self-updating integrated Cloud Apps, through a natively
integrated unified platform. Our interactive, dynamic dashboards and cloud platform allow our customers to aggregate and correlate all of their IT, security
and compliance data in one place, drill down into details, and generate reports customized for different audiences. Our cloud platform’s powerful
Elasticsearch clusters enable customers to instantly find detailed data on any asset.
Our core services include:
•
Asset Tagging and Management. Enables customers to easily identify, categorize and manage large numbers of assets in highly dynamic IT
and OT environments and automates the process of inventory management and hierarchical organization of all internal and external assets.
Built on top of this core service is the Qualys GAV framework, which is a global asset inventory service enabling our customers to search for
information on any asset, scaling to millions of assets for customers of all sizes, helping IT and security personnel to search assets and
maintain an up-to-date inventory on a continuous basis.
•
Reporting and Dashboards. A highly configurable reporting engine that provides customers with reports and dashboards based on their roles
and access privileges.
•
Questionnaires and Collaboration. A configurable workflow engine that enables customers to easily build questionnaires and capture existing
business processes and workflows to evaluate controls and gather evidence to validate and document compliance.
•
Remediation and Workflow. An integrated workflow engine that allows customers to automatically generate helpdesk tickets for remediation
to manage compliance exceptions based on customer-defined policies, enabling subsequent review, commentary, tracking and escalation. This
engine automatically distributes remediation tasks to IT administrators upon scan completion, tracks remediation progress and closes open
tickets once patches or other mitigating actions are applied and remediation is verified in subsequent scans.
•
Big Data Correlation and Analytics Engine. Provides Elasticsearch capabilities for indexing, searching and correlating large amounts of
security and compliance data with other security incidents and third-party security intelligence data. Embedded workflows enable customers
to quickly assess risk and access information for remediation, incident analysis and forensic investigations.
•
Alerts and Notifications. Creates email notifications to alert customers of new vulnerabilities, malware infections, scan completion, open
trouble tickets and system updates.
Qualys Cloud Apps
Many organizations have an array of heterogeneous point tools that do not interoperate well and are difficult and costly to maintain and integrate,
making it difficult for Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) to obtain a single, unified view of their
organization’s security and compliance posture. Qualys’ Enterprise TruRisk Platform and its Cloud Apps help organizations escape this tool-fragmentation
dilemma by drastically simplifying their security stacks and regaining unimpeded visibility across their on-premises, endpoints, cloud, container, and
mobile environments.
The Cloud Apps are self-updating, centrally managed and tightly integrated, and cover a broad range of functionality in areas such as asset
management, vulnerability and configuration management, risk remediation, threat detection and response, compliance and cloud security solutions.
We believe that our applications are easy to use and provide our customers with a high level of control because our applications are part of one
platform, share a common user interface, utilize the same scanners and agents, access the same collected data, and leverage the same user permissions.
8
Table of Contents
Our customers can subscribe to one or more of our 20+ Cloud Apps based on their initial needs and expand their subscriptions over time to new
areas within their organization or to additional Qualys solutions to develop a more complete understanding of their respective environment's IT, security
and compliance posture and remediate cybersecurity risk. Many of our customers use multiple Cloud Apps, some of which are noted below:
Asset Management
Cybersecurity Asset Management (CSAM): CSAM is an all-in-one solution that leverages the power of our cloud platform with its multiple native
sensors and CMDB synchronization to continuously inventory known and unknown assets, discover installed applications, and overlay business and risk
context to establish asset criticality. It identifies unauthorized or end-of-life and end-of-service software and the absence of required security tools, and
assesses the health of the attack surface. Further, CSAM enables response options with threat alerts and software removal and delivers regulatory reporting
in support of the Federal Risk and Authorization Management Program (FedRAMP), Payment Card Industry Data Security Standard (PCI-DSS) and other
mandates. CSAM includes External Attack Surface Management (EASM), which allows discovery of internet facing unknown assets.
Vulnerability and Configuration Management
Vulnerability Management, Detection and Response (VMDR): VMDR enables organizations to automatically discover every asset in their
environment, including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets. VMDR
continuously assesses these assets for the latest vulnerabilities and applies the latest threat intel analysis to prioritize actively exploitable vulnerabilities.
VMDR automatically detects the latest superseding patch for the vulnerable asset and easily deploys it for remediation. Finally, VMDR quantifies risk
across vulnerabilities, assets and groups of assets helping organizations proactively reduce cyber risk exposure and track cyber risk reduction over time. By
delivering all this in a single app workflow, VMDR automates the entire process and significantly accelerates an organization’s ability to respond to threats,
thus preventing possible exploitation across on-premises, endpoints, cloud, containers, and mobile environments.
Web Application Scanning (WAS): WAS continuously discovers and catalogs web applications – including new and unknown ones – and detects
vulnerabilities and misconfigurations in web apps and APIs. Scaling to thousands of scans, it conducts incisive, thorough and precise testing of browser-
based web apps, mobile app backends, and Internet of things (IoT) services. WAS' powerful API enables integration with other systems and allows teams to
detect issues within DevOps environments early in the application development process. Bundled malware detection capability with WAS uses
reputational, behavioral, antivirus, and heuristic analyses to identify and alert on malware infecting a user's websites. By Integrating WAS with manual
testing tools and bug bounty solutions, customers can build a comprehensive web application vulnerability testing program.
Risk Remediation
Patch Management (PM): PM provides automated patch deployment capabilities for Windows, Linux, Mac and third party software by correlating
vulnerabilities and the right set of remediation including patches and configuration fixes. It continuously gathers and uploads telemetry about installed
software, open vulnerabilities and missing patches to our cloud platform. The resulting shared visibility of assets and their posture enables IT and security
teams to collaborate using common vulnerability-centric terminology and provides a consistent data set to analyze, prioritize, deploy and verify patches
more efficiently. Patch Management is a component of Qualys' TruRisk Eliminate suite of remediation solutions. TruRusk Eliminate encompasses a broad
range of remediation capabilities for organizations when patches are not yet available or feasible to deploy.
Custom Assessment and Remediation (CAR): CAR enables security architects to create custom scripts in popular scripting languages, user-defined
controls and automation, all seamlessly integrated within existing programs to quickly assess, respond to and remediate threats across global hybrid
environments.
Threat Detection and Response
Multi-Vector Endpoint Detection and Response (EDR): Traditional endpoint detection and response solutions focus only on endpoint activity to
detect attacks. As a result, they lack the full context to analyze attacks accurately. This leads to an incomplete picture and a high rate of false positives and
negatives, requiring organizations to use multiple point solutions and large incident response teams. Our highly scalable platform fills the gaps by bringing
a new multi-vector approach and the unifying power to EDR, providing vital context and comprehensive visibility to the entire attack chain, from
prevention to detection to response. EDR unifies different context vectors like asset discovery, rich normalized software inventory, end-of-life visibility,
vulnerabilities
9
Table of Contents
and exploits, misconfigurations, in-depth endpoint telemetry, and network reachability with a powerful backend to correlate it all for accurate assessment,
detection and response.
Compliance
Policy Compliance (PC): PC performs automated security configuration assessments on IT systems throughout a network, helping to reduce risk and
continuously ensure compliance with internal policies and external regulations. PC leverages out-of-the-box library content to fast-track compliance
assessments using industry-recommended best practices. PC also provides a centralized, interactive console for specifying baseline standards for different
hosts. By automating requirement evaluation against multiple standards for operating systems, network devices, databases and server applications, PC
enables the quick identification of security issues and works to prevent configuration drift. PC works to prioritize and track remediation and exceptions,
while demonstrating a repeatable auditable process for compliance management
File Integrity Monitoring (FIM): FIM logs and centrally tracks file change events on common enterprise operating systems in organizations of all
sizes. FIM provides customers with a simple way to achieve centralized cloud-based visibility of activity resulting from normal patching and administrative
tasks, change control exceptions or violations, or malicious activity - then reports on that system activity as part of compliance mandates. FIM collects the
critical details needed to quickly identify changes and root out activity that violates policy or is potentially malicious. FIM helps customers to comply with
change control policy enforcement and change monitoring requirements.
Cloud Security
Qualys TotalCloud is a Cloud-Native Application Protection Platform (CNAPP), which provides an integrated suite of security capabilities designed
for multi-cloud environments. It provides complete visibility and cyber-risk exposure assessment across cloud assets, enabling continuous discovery and
monitoring of the cloud landscape to identify risks and maintain compliance. With its FlexScan technology, TotalCloud offers comprehensive assessment
features that include no-touch, agentless, API, and snapshot-based scanning, along with agent and network-based scanning for thorough vulnerability
detection. The TruRisk component allows for a unified risk view, correlating vulnerabilities, security controls, and compliance across resources to prioritize
and reduce cyber risks effectively. For real-time defense, TotalCloud's InstaProtect continuously monitors all cloud assets to detect and protect against
evolving and unknown threats. Remediation is streamlined through our QFlow technology, which provides no-code, drag-and-drop workflows for efficient
vulnerability management. TotalCloud provides organizations with an all-encompassing solution, delivering fast, agentless, real-time security and
compliance across a variety of use cases, including Cloud Workload Protection (CWP), Cloud Detection and Response (CDR), Cloud Security Posture
Management (CSPM), Infrastructure as Code (IaC), SaaS Security Posture Management (SSPM), and Kubernetes and Container Security (KCS) to offer
organizations a single unified solution for comprehensively securing their cloud and multi-cloud environments.
Free Services
We also offer organizations of all sizes free security and compliance services based on our cloud platform:
•
Qualys Global AssetView app automatically creates a continuous, real-time inventory of known and unknown assets throughout a user's global
IT footprint across on-premises, endpoints, cloud, containers, and mobile environments. The app also automatically normalizes and categorizes
assets to ensure clean, reliable, and consistent data. In-depth asset details provide fine-grained visibility on the system, services, installed
software, network, and users. It also detects any device that connects to a user's networks, via passive scanning technology. Upon an unknown
device detection, users can install a light-weight Qualys self-updating agent (3MB) to turn the device into a managed device or launch a
vulnerability scan.
•
Qualys Certificate Inventory inventories and assesses all Internet-facing certificates to generate SSL/TLS configuration grades, identifies the
certificate issuer and tracks certificate expirations to help stop expired and expiring certificates from interrupting critical business functions.
Our Growth Strategy
We intend to strengthen our leadership position as a trusted provider of cloud-based IT, security and compliance solutions. The key elements of our
growth strategy are:
•
Continue to innovate and enhance our cloud platform and suite of solutions. We intend to continue to make significant investments in
research and development to extend our cloud platform’s functionality by developing new security solutions and capabilities and further
enhancing our existing suite of solutions.
10
Table of Contents
•
Expand the use of our suite of solutions by our large and diverse customer base. With more than 10,000 customers, across many industries
and geographies, we believe we have a significant opportunity to sell additional solutions to our customers and expand their use of our suite of
solutions. Because our customers typically initially deploy one or two of our solutions in select parts of their IT infrastructures, our existing
customers serve as a strong source of new sales as they expand their scope and increase their subscriptions or choose to adopt additional
solutions from our integrated suite of IT, security and compliance offerings. In this regard, we continue to enhance our sales execution and
marketing functions to increase adoption of our newly developed solutions among our existing customers.
•
Drive new customer growth and broaden our global reach. We are pursuing new customers by targeting key accounts, releasing free IT,
security and compliance services and enhancing both our sales and marketing organization and network of channel partners. We will continue
to seek to make significant investments to encourage organizations to replace their existing security products with our cloud solutions. We
intend to enhance our relationships with key security consulting organizations, leading cloud service providers, managed security service
providers, leading cloud providers and value-added resellers to accelerate the adoption of our cloud platform. We seek to strengthen existing
relationships as well as establish new relationships to increase the distribution and market awareness of our cloud platform and target new
geographic regions. We also plan to partner with such security providers that can host our private cloud offering within their shared cloud
platforms, helping us expand our reach in new markets and new geographies.
•
Selectively pursue technology acquisitions to bolster our capabilities and leadership position. We may explore acquisitions that are
complementary to and can expand the functionality of our cloud platform. We may also seek to acquire development teams to supplement our
own personnel and acquire technology to increase the breadth of our cloud-based IT, security and compliance solutions. In 2022, we acquired
certain intangible assets of Blue Hexagon Inc., enabling us to leverage our cloud platform with deep learning AI and machine learning (ML)
technologies to uncover behavior patterns including active vulnerability exploitation, identification of advanced network threats, and adaptive
risk mitigation across all assets and applications.
Our Customers
We market and sell our solutions to enterprises, government entities and small and medium-sized businesses across a broad range of industries,
including education, financial services, government, healthcare, insurance, manufacturing, media, retail, technology and utilities. As of December 31, 2024,
we had over 10,000 customers worldwide, including a majority of the Forbes Global 100. In each of 2024, 2023 and 2022, no one customer accounted for
more than 10% of our revenues. In 2024, 2023 and 2022, 58%, 60% and 60%, respectively, of our revenues were derived from customers in the United
States based on our customers' billing addresses. We sell our solutions to enterprises and government entities primarily through our field sales force and to
small and medium-sized businesses through our inside sales force. We generate a significant portion of sales through our channel partners, including
managed security service providers, value-added resellers and consulting firms in the United States and internationally.
Sales and Marketing
Sales
We market and sell our IT, security and compliance solutions to customers directly through our sales teams as well as indirectly through our network
of channel partners.
Our global sales force is organized into a field sales team, which focuses on enterprises, generally including organizations with more than 5,000
employees, and an inside sales team, which focuses on small to medium-sized businesses, which generally include organizations with less than 5,000
employees. Both our field and inside sales teams are divided into three geographic regions, the Americas; Europe, Middle East and Africa; and Asia-
Pacific. We also further assign each of our sales teams into groups that focus on adding new customers or managing relationships with existing customers.
Our channel partners maintain relationships with their customers throughout the territories in which they operate and provide their customers with
services and third-party solutions to help meet those customers’ evolving security and compliance requirements. As such, these partners offer our IT,
security and compliance solutions in conjunction with one or more of their own products or services and act as a conduit through which we can connect
with these prospective customers to offer our solutions. Our channel partners include security consulting organizations, leading cloud providers, managed
service providers and resellers.
For sales involving a channel partner, the channel partner engages with the prospective customer directly and involves our sales team as needed to
assist in developing and closing an order. When a channel partner secures a sale, we sell the associated
11
Table of Contents
subscription to the channel partner who in turn resells the subscription to the customer, with the channel partner retaining the margin between the price they
purchase from us and the price they sell to the end user. Once the order is completed, we provide these customers with direct access to our solutions and
other associated back-office applications, enabling us to establish a direct relationship as part of ensuring customer satisfaction with our solutions. At the
end of the subscription term, the channel partner engages with the customer to execute a renewal order, with our sales team providing assistance as
required. In 2024, 2023 and 2022, 46%, 43% and 42%, respectively, of our revenues were generated by channel partners.
Marketing
Our marketing programs include a variety of online marketing, advertising, conferences, events, public relations activities and web-based seminar
campaigns targeted at key decision makers within our prospective customers.
We have a number of marketing initiatives to build awareness and encourage customer adoption of our solutions. We offer free trials and services to
allow prospective customers to experience the quality of our solutions, to learn in detail about the features and functionality of our cloud platform, and to
quantify the potential benefits of our solutions.
Customer Support
Qualys Support delivers 24x7x365 day customer technical support from global centers located in Foster City, California; Raleigh, North Carolina;
and Pune, India. We recruit senior level technical personnel and trained subject matter experts who work closely with engineering and operations personnel
to resolve issues quickly. Our IT, security and compliance solutions can be deployed easily and are designed to be implemented and operated without the
need for significant professional services. We also offer various training programs as part of our subscriptions to all of our customers. In addition, we
leverage the insights drawn from our customers to further improve the functionality of our IT, security and compliance solutions. Our mission is to ensure
customer satisfaction and play a critical role in retaining and expanding our customer base.
Research and Development and Operations
We devote significant resources to maintain, enhance and add new functionality to our cloud platform and the integrated suite of solutions that we
offer. Our development organization consists of agile engineering teams with substantial security expertise in specific areas of our solutions. In addition to
our development teams, we also built a sophisticated research team focused on identifying threats and developing signatures for vulnerabilities and
compliance checks so that we can provide our customers with daily updates and enable them to scan their assets for the latest threats. We conduct our
research and development in the United States, France and India, which gives us access to some of the best research and engineering talent in the world.
Our focus remains to attract engineering talent as we continue to add new solutions and improve existing ones.
Our development team works closely with our customers and partners to gain valuable insights into their environments and gather feedback for
threat research, product development and innovations. We typically release updates to our solutions, including enhancements and new features multiple
times a year, and we measure the quality of our scan results on a frequent basis in an effort to maintain the highest level of scan accuracy.
The modular architecture of our cloud platform enables our engineering teams to simultaneously work on different features, accelerating the delivery
of new functionalities to customers. Our research and development team also works collaboratively with our technical support team to ensure customer
satisfaction and with our sales team to accelerate the adoption of our solutions.
Shared Cloud Platform Agreements
Our shared cloud platform operations are provided by large third-party vendors and are located in the United States, Canada, Switzerland, the
Netherlands, United Arab Emirates, Australia, United Kingdom, Italy, the Kingdom of Saudi Arabia and India. Our shared cloud platform agreements have
varying terms through 2030.
Competition
The expanding capabilities of our IT, security and compliance solutions have enabled us to address a growing array of opportunities in the cloud IT,
security and compliance market. We compete with a large and broad array of established and emerging vulnerability management vendors, compliance
vendors and data security vendors in a highly fragmented and competitive environment.
12
Table of Contents
We compete with large and small public companies, such as CrowdStrike, Palo Alto Networks, Rapid7, and Tenable Holdings, as well as privately
held security providers including Invicti, Tanium, and Wiz. We also seek to replace IT, security and compliance solutions that organizations have developed
internally. As we continue to extend our cloud platform’s functionality by further developing IT, security and compliance solutions, such as Cybersecurity
Asset Management and Patch Management, we expect to face additional competition in these new markets. Our competitors may also attempt to further
expand their presence in the IT, security and compliance market and compete more directly against one or more of our solutions.
We believe that the principal competitive factors affecting our markets include product functionality, breadth of offerings, flexibility of delivery
models, ease of deployment and use, total cost of ownership, scalability and performance, customer support and the extensibility of our platform. We
believe that our suite of solutions generally competes favorably with respect to these factors. However, many of our primary competitors have greater name
recognition, longer operating histories, more established customer relationships, larger marketing budgets and significantly greater resources than we do.
Intellectual Property
We rely on a combination of trade secrets, copyrights, patents and trademarks, as well as contractual protections, to establish and protect our
intellectual property rights and protect our proprietary technology. As of December 31, 2024, we have 42 issued patents, which expire from 2029 to 2042,
several pending U.S. patent applications and an exclusive license to four U.S. patents. The inbound license remains in effect until the licensed patents are
no longer enforceable, unless the applicable license agreement is first terminated by us or terminated by the licensor for a breach of the agreement or if we
undergo certain bankruptcy events. The licenses are currently exclusive and will remain exclusive so long as we make an appropriately-timed written
election and pay an annual fixed royalty for ten years thereafter. These exclusive licenses are subject to the licensor’s reservation of certain rights in the
patents and subject to the U.S. government’s reserved rights in the technology. We have a number of registered and unregistered trademarks. We require our
employees, consultants and other third parties to enter into confidentiality and proprietary rights agreements and control access to software, documentation
and other proprietary information. We view our trade secrets and know-how as a significant component of our intellectual property assets, as we have spent
years designing and developing our cloud platform, which we believe differentiates us from our competitors.
We expect that software and other solutions in our industry may be subject to third-party infringement claims as the number of competitors grows
and the functionality of products in different industry segments overlaps. Any of these third parties might make a claim of infringement against us at any
time.
Human Capital Resources
We take a holistic approach to our human capital management strategy, striving to create a culture where talented people want to come to work,
develop their careers, become leaders, and make a difference for all our stakeholders and communities. Doing the right thing for our people, our
communities and our environment upholds the trust of our customers, partners, employees, and stockholders, enabling us to grow our business profitably
and meet the diverse needs of our constituents. As of December 31, 2024, we had 2,400 full-time employees, including 1,144 in research and development,
474 in sales and marketing, 554 in operations and customer support, and 228 in general and administrative. As of December 31, 2024, approximately 77%
of our employees were located outside of the United States, with 68% of our employees located in India. None of our U.S. employees are covered by
collective bargaining agreements. Employees in certain European countries and Brazil have collective bargaining arrangements at the national level. We
believe our employee relations are good, and we have not experienced any work stoppages.
Compensation and Benefits
Our Competitive Compensation and Benefits Policy. We understand that providing competitive compensation and benefits plays a critical role in
attracting and retaining the best available personnel. That is why we offer robust compensation and benefits to our employees, including competitive base
salaries, variable pay and equity awards, and generous benefits packages. To support the health and wellness of our workforce, Qualys offers premium
health coverage with minimal out-of-pocket contributions for our employees.
Corporate Governance. Qualys maintains a Compensation and Talent Committee of the Board of Directors to oversee our compensation policies,
plans and benefits programs, and overall compensation philosophy. The Committee approves CEO and executive officers’ compensation plans, and
reviews, approves, and administers various employee benefit plans, among other duties. As part of its ongoing review of the performance criteria and
compensation of designated key executives, the Compensation and Talent Committee also meets annually with the CEO, our principal human resources
executive, and any other corporate officers as it deems appropriate.
13
Table of Contents
Supporting our Team and Community
Talent Development and Safety. We take a holistic approach to our social strategy, striving to create a culture where talented people want to come to
work, develop their careers, become leaders, and make a difference for all our stakeholders and communities. We believe every employee makes a
difference, so we empower them in their roles and support them for professional growth. We assist employees in achieving their career goals by helping
them improve their skillsets and transition to increasingly challenging roles.
Diversity and Inclusion. We are proud to be a leader in the promotion and practice of diversity and inclusion. We take pride in our cultural diversity
with offices and employees all over the world. Our objective is to continue to improve our hiring, development, advancement, and retention of diverse
talent and to foster an inclusive environment. In addition to having more than 50% of the executive team from underrepresented communities, we are also
continuing to improve diversity among our growing workforce, with over half of our US-based employees from underrepresented communities.
Qualys searches the globe for top talent in an effort to recruit and hire diverse individuals with a variety of skills, experiences, and backgrounds. Our
company holiday calendar includes events and festivals from many regions and religions, and we include diverse cultural initiatives throughout the year.
Promoting a Healthy Work-life Balance. Qualys aims to maintain a healthy work-life balance and provide resources to support our employees’ mental
and physical well-being. During 2022, our workforce gradually transitioned into a hybrid work schedule, which resulted in a significant portion of our
workforce working either in-person on a part-time basis, or remotely on a permanent basis. During 2024, we continued to offer this hybrid work schedule
to our workforce. Our top priority remains providing support for our employees, partners, and customers.
Community Engagement. We value the communities that support our operations and have several company and employee-led initiatives to support the
communities in which we operate. In 2024, our efforts were centered on advancing education, technology, local communities, and environmental
initiatives. For example, we provided scholarships for women in Science, Technology, Engineering, and Mathematics (STEM), partnered with nonprofit
organizations to provide back-to-school backpacks to underserved youth in our community, and donated to food drives and holiday fundraisers to support
local families in need, among other initiatives. Our employees participated in environmental initiatives such as World Environment Day that encourage
awareness and action for the protection of the environment, in addition to taking part in local clean-up activities across the world.
Training and Development
Employee Training. We require our employees and managers to participate in myriad training programs directed at maintaining a harassment-free,
diverse, and secure workplace. With our diverse employee population, we uphold the rights to work in an environment that promotes equal opportunity and
prohibits discriminatory practices against race, color, national origin, ancestry, medical condition, religious creed (including religious dress and grooming
practices), marital status, registered domestic partner status, sex, sexual orientation, gender identity and expression, genetic characteristics and information,
age, veteran status, or any other protected characteristic. Creating a respectful workplace and preventing harassment to our employees remain our on-going
commitment.
Employee Development. Investing in employees is critical to our success. Qualys employees participate in an onboarding program to integrate new
hires into role-specific functions and company culture. Qualys offers managers and employees various training courses as needed. To support career growth
inside and outside Qualys, we offer free self-paced and instructor-led certified training on core Qualys topics, giving employees and non-employees an
opportunity to achieve certifications and job-related courses free of charge.
To allow for open dialogue between employees and managers, we conduct formal employee reviews each year. Corrective action plans are developed
for employees who may be struggling to meet his or her job responsibilities. Employee performance is considered during compensation reviews. In
addition to formal reviews, our Human Resources team regularly meets with managers to check in with teams and conducts exit interviews globally.
Sustainable Business Operations
Our Sustainable Solutions. Qualys products, delivered via our multi-tenant cloud platform, enable improved environmental sustainability for our
customers. In particular, our cloud-based solutions minimize the number of physical servers our customers
14
Table of Contents
have to deploy within their own environments, reducing energy consumption on their end. Qualys Cloud Apps, delivering rich content and dashboards
visible on any device, also reduce paper and printing costs for our customers.
Our Eco-Friendly Operations. Our environmental, health and safety systems, processes and tools in place across our footprint enable Qualys to meet
or exceed governmental and industry requirements. We strive to consistently improve how we operate our platforms in energy-efficient networks and data
centers as well as pursue sustainability initiatives that reduce energy, waste and materials consumption. We have 14 multi-tenant platforms across the
world, six of which are in collocated facilities. The others are hosted in public cloud environments. Though data centers are inherently energy-intensive,
utilizing collocated facilities allows us to leverage economies of scale for power and cooling. In addition, most of our third-party providers continue to
advance their own sustainability programs to reduce their environmental impact.
Environmental Standards Within Supply Chain. We are committed to advancing supply chain responsibility and strive to enhance transparency and
promote greater accountability in our own operations and with our suppliers. Qualys outsources product manufacturing and recycling to suppliers and
vendors that follow the highest environmental standards in the industry, such as ISO 14001. We also seek to prohibit our suppliers from profiting from the
sale of tantalum, tin, tungsten, and gold (also known as “conflict minerals”) that funds conflict in the Democratic Republic of the Congo (DRC) and
adjoining countries, and we seek to require that our suppliers source these minerals from socially responsible suppliers.
Available Information
Our principal executive offices are located at 919 E. Hillsdale Blvd., 4th Floor, Foster City, California 94404. The telephone number of our principal
executive offices is (650) 801-6100, and our main corporate website is www.qualys.com. Information contained on, or that can be accessed through, our
website, does not constitute part of this Annual Report on Form 10-K and inclusion of our website address in this Annual Report on Form 10-K is an
inactive textual reference only.
We make available our Annual Reports on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and amendments to those
reports filed or furnished pursuant to Section 13(a) or Section 15(d) of the Securities Exchange Act of 1934, as amended, free of charge on our website,
www.qualys.com as soon as reasonably practicable after they are electronically filed with or furnished to the SEC. Additionally, copies of materials filed by
us with the SEC may be accessed at the SEC's website, www.sec.gov.
Item 1A. Risk Factors
An investment in our common stock involves a high degree of risk. You should carefully consider the risks and uncertainties described below, and all other
information contained in this Annual Report on Form 10-K, including our consolidated financial statements and the related notes, before making a
decision to invest in our common stock. Our business, operating results, financial condition, or prospects could be materially and adversely affected by any
of these risks and uncertainties. In that case, the trading price of our common stock could decline, and you might lose all or part of your investment. In
addition, the risks and uncertainties discussed below are not the only ones we face. Our business, operating results, financial performance or prospects
could also be harmed by risks and uncertainties not currently known to us or that we currently do not believe are material.
Risks Related to Our Business and Industry
Our quarterly and annual operating results may vary from period to period, which could result in our failure to meet expectations with respect to
operating results and cause the trading price of our stock to decline.
Our operating results have historically varied from period to period, and we expect that they will continue to do so as a result of a number of factors,
many of which are outside of our control, including:
•
the level of demand for our solutions, from both existing and new customers;
•
the extent to which customers subscribe for additional solutions;
•
changes in customer renewals of our solutions;
•
timing of deals signed within the applicable fiscal period;
•
seasonal buying patterns of our customers;
•
timely invoicing or changes in billing terms of customers;
•
the length of our sales cycle for our products and services;
15
Table of Contents
•
price competition;
•
the timing and success of new product or service introductions by us or our competitors or any other changes in the competitive landscape of our
industry, including consolidation among our competitors;
•
the introduction or adoption of new technologies that compete with our solutions;
•
decisions by potential customers to purchase IT, security and compliance products or services from other vendors;
•
general economic conditions, both domestically and in the foreign markets in which we sell our solutions;
•
changes in foreign currency exchange rates;
•
changes in the growth rate of the IT, security and compliance market;
•
actual or perceived security breaches and incidents, technical difficulties or interruptions with our service;
•
failure of our products and services to operate as designed;
•
publicity regarding security breaches and incidents generally and the level of perceived threats to IT security;
•
the announcement or adoption of new regulations and policy mandates or changes to existing regulations and policy mandates;
•
the amount and timing of operating costs and capital expenditures related to the operations and expansion of our business;
•
pace and cost of hiring employees;
•
expenses associated with our existing and new products and services;
•
the timing of sales commissions relative to the recognition of revenues;
•
insolvency or credit difficulties confronting our customers, affecting their ability to purchase or pay for our solutions;
•
our ability to integrate any products or services that we have acquired or may acquire in the future into our product suite or migrate existing
customers of any companies that we have acquired or may acquire in the future to our products and services;
•
future accounting pronouncements or changes in our accounting policies;
•
our effective tax rate, changes in tax rules, tax effects of infrequent or unusual transactions, and tax audit settlements;
•
the amount and timing of income tax that we recognize resulting from stock-based compensation;
•
the timing of expenses related to the development or acquisition of technologies, services or businesses; and
•
potential goodwill and intangible asset impairment charges associated with acquired businesses.
Further, the interpretation and application of international laws and regulations in many cases is uncertain, and our legal and regulatory obligations in
foreign jurisdictions are subject to frequent and unexpected changes, including the potential for various regulatory or other governmental bodies to enact
new or additional laws or regulations or to issue rulings that invalidate prior laws or regulations.
Each factor above or discussed elsewhere in this Annual Report on Form 10-K or the cumulative effect of some of these factors may result in
fluctuations in our operating results. This variability and unpredictability could result in our failure to meet expectations with respect to operating results, or
those of securities analysts or investors, for a particular period. In addition, a significant percentage of our operating expenses are fixed in nature and based
on forecasted trends in revenues. Accordingly, in the event of shortfalls in revenues, we are generally unable to mitigate the negative impact on margins in
the short term by reducing our operating expenses. If we fail to meet or exceed expectations for our operating results for these or any other reasons, the
trading price of our common stock could fall and we could face costly lawsuits, including securities class action suits.
If we do not successfully anticipate market needs and opportunities or are unable to enhance our solutions and develop new solutions that meet those
needs and opportunities on a timely or cost-effective basis, we may not be able to compete effectively and our business and financial condition may be
harmed.
The IT, security and compliance market is characterized by rapid technological advances, customer price sensitivity, short product and service life
cycles, intense competition, changes in customer requirements, frequent new product introductions and enhancements and evolving industry standards and
regulatory mandates. Any of these factors could create downward pressure on
16
Table of Contents
pricing and gross margins, and could adversely affect our renewal rates, as well as our ability to attract new customers. Our future success will depend on
our ability to enhance existing solutions, introduce new solutions on a timely and cost-effective basis, meet changing customer needs, extend our core
technology into new applications, and anticipate and respond to emerging standards and business models. We must also continually change and improve
our solutions in response to changes in operating systems, application software, computer and communications hardware, networking software, shared
cloud platform infrastructures, programming tools and computer language technology.
We may not be able to anticipate future market needs and opportunities or develop enhancements or new solutions to meet such needs or
opportunities in a timely manner or at all. The market for cloud solutions for IT, security and compliance continues to evolve, and it is uncertain whether
our new solutions will gain market acceptance.
Our solution enhancements or new solutions could fail to attain sufficient market acceptance for many reasons, including:
•
failure to timely meet market demand for product functionality;
•
inability to identify and provide intelligence regarding the attacks or techniques used by cyber-attackers;
•
inability to inter-operate effectively with the database technologies, file systems or web applications of our prospective customers;
•
defects, errors or failures;
•
delays in releasing our enhancements or new solutions;
•
negative publicity about their performance or effectiveness;
•
introduction or anticipated introduction of products by our competitors;
•
poor business conditions, causing customers to delay IT, security and compliance purchases;
•
easing or changing of external regulations related to IT, security and compliance; and
•
reluctance of customers to purchase cloud solutions for IT, security and compliance.
Furthermore, diversifying our solutions and expanding into new IT, security and compliance markets will require significant investment and planning,
require that our research and development and sales and marketing organizations develop expertise in these new markets, bring us more directly into
competition with IT, security compliance providers that may be better established or have greater resources than we do, require additional investment of
time and resources in the development and training of our channel partners and entail significant risk of failure.
If we fail to anticipate market requirements or fail to develop and introduce solution enhancements or new solutions to satisfy those requirements in a
timely manner, such failure could substantially decrease or delay market acceptance and sales of our present and future solutions and cause us to lose
existing customers or fail to gain new customers, which would significantly harm our business, financial condition and results of operations.
If we fail to continue to effectively scale and adapt our platform to meet the performance and other requirements of our customers, our operating
results and our business would be harmed.
Our future growth depends to a significant extent on our ability to continue to meet the expanding needs of our customers as their use of our cloud
platform grows. As these customers gain more experience with our solutions, the number of users and the number of locations where our solutions are
being accessed may expand rapidly in the future. In order to ensure that we meet the performance and other requirements of our customers, we intend to
continue to make significant investments to develop and implement new proprietary and third-party technologies at all levels of our cloud platform. These
technologies, which include databases, applications and server optimizations, and network and hosting strategies, are often complex, new and unproven.
We may not be successful in developing or implementing these technologies. To the extent that we do not effectively scale our platform to maintain
performance as our customers expand their use of our platform, our operating results and our business may be harmed.
If we are unable to renew existing subscriptions for our IT, security and compliance solutions, sell additional subscriptions for our solutions and attract
new customers, our operating results would be harmed.
We offer our cloud platform and integrated suite of solutions pursuant to a software-as-a-service model, and our customers purchase subscriptions
from us that are generally one year in length. Our customers have no obligation to renew their subscriptions
17
Table of Contents
after their subscription period expires, and they may not renew their subscriptions at the same or higher levels or at all. As a result, our ability to grow
depends in part on customers renewing their existing subscriptions and purchasing additional subscriptions and solutions. Our customers may choose not to
renew their subscriptions to our solutions or purchase additional solutions due to a number of factors, including their satisfaction or dissatisfaction with our
solutions, the prices of our solutions, the prices of products or services offered by our competitors, reductions in our customers’ spending levels due to the
macroeconomic environment or other factors. If our customers do not renew their subscriptions to our solutions, renew on less favorable terms, or do not
purchase additional solutions or subscriptions, our revenues may grow more slowly than expected or decline and our operating results would be harmed.
In addition, our future growth depends in part upon increasing our customer base. Our ability to achieve significant growth in revenues in the future
will depend, in large part, upon continually attracting new customers and obtaining subscription renewals to our solutions from those customers. If we fail
to attract new customers, our revenues may grow more slowly than expected and our operating results would be harmed.
Our current research and development efforts may not produce successful products or enhancements to our platform that result in significant revenue,
cost savings or other benefits in the near future.
We must continue to dedicate significant financial and other resources to our research and development efforts if we are to maintain our competitive
position. However, developing products and enhancements to our platform is expensive and time consuming, and there is no assurance that such activities
will result in significant new marketable products or enhancements to our platform, design improvements, cost savings, revenue or other expected benefits.
If we spend significant resources on research and development and are unable to generate an adequate return on our investment, our business and results of
operations may be materially and adversely affected.
Our platform, products, website and internal systems may be subject to intentional disruption or other security incidents that could result in liability
and adversely impact our reputation and future sales.
We and our service providers face threats from a variety of sources, including attacks on our networks and systems from numerous sources, including
but not limited to traditional “hackers,” sophisticated nation-state and nation-state supported actors, other sources of malicious code (such as viruses and
worms), ransomware, social engineering, denial of service attacks, and phishing attempts. We and our service providers could be a target of cyber-attacks
or other malfeasance designed to impede the performance of our solutions, penetrate our network security or the security of our cloud platform, products, or
our internal systems, misappropriate proprietary information, gain access to our customers' systems and data, and/or cause interruptions to our services. We
and our service providers have experienced and may continue to experience security incidents and attacks of varying degrees from time to time. We have
incurred costs to respond to such incidents and may continue to incur costs to support our efforts to enhance our security measures. Additionally, due to
political uncertainty and military actions in parts of Eastern Europe and the Middle East, we and our service providers are vulnerable to heightened risks of
cybersecurity incidents and security and privacy breaches and incidents caused or initiated by nation-state or affiliated actors, including attacks that could
materially disrupt our systems, operations and services, or impact our customers systems, operations, and services.
Our solutions, platforms, and system, and those of our service providers, may be, and have in the past been, subject to security incidents as a result of
technical and non-technical issues, including as a result of intentional or inadvertent acts or omissions by our employees or service providers. With the
increase in personnel working remotely, at least part-time in our case, we and our service providers are at increased risk for security breaches and incidents.
We have taken and intend to continue to take steps to monitor and enhance the security of our solutions, cloud platform, and other relevant systems, IT
infrastructure, networks, and data; however, the unprecedented scale of remote work may require additional personnel and resources, which nevertheless
cannot be guaranteed to fully safeguard our solutions, our cloud platform, or any systems, IT infrastructure networks, or data upon which we rely. Further,
because our operations involve providing IT security solutions to our customers, we may be, and have in the past been, targeted for cyber-attacks and other
security incidents. We also have incorporated AI/machine learning technologies into our technology, and may continue to incorporate additional
AI/machine learning technologies in the future. Our use of such technologies may create additional cybersecurity risks or increase cybersecurity risks,
including risks of technical error, security breaches and incidents. Further, AI/machine learning technologies may be used in connection with certain
cybersecurity attacks, resulting in heightened risks of security breaches and incidents.
A breach in or incident impacting our data security, an attack against our service availability, or any breach, incident, or attack impacting our third-
party service providers, or a technical error or outage, could impact our networks or networks secured by our solutions, creating system disruptions or
slowdowns and exploiting security vulnerabilities of our solutions, and the information stored on our networks or those of our third-party service providers
could be accessed, used, disclosed publicly or to
18
Table of Contents
unauthorized persons, altered, lost, destroyed, or stolen, which could subject us to liability and cause us financial harm. If an actual or perceived disruption
in the availability of our solutions or the breach or other compromise of our security measures or those of our service providers occurs, it could adversely
affect the market perception of our solutions, result in a loss of competitive advantage, have a negative impact on our reputation, or result in the loss of
customers, channel partners and sales, and it may expose us to the loss, unavailability or alteration of information, claims, demands and litigation,
regulatory investigations, actions and other proceedings and possible liability. Any such actual or perceived security breach or incident or disruption could
also divert the efforts of our technical and management personnel. We and our service providers may face difficulties or delays in identifying and
responding to any security breach or incident. We also may incur significant costs and operational consequences of investigating, remediating, eliminating
and putting in place additional tools and devices designed to prevent actual or perceived security incidents, as well as costs to respond to and otherwise
address any breach or incident, including any to comply with any notification obligations resulting from any security incidents. In addition, any such actual
or perceived security breach or incident could impair our ability to operate our business and provide solutions to our customers. If this happens, our
reputation could be harmed, our revenues could decline and our business could suffer.
Although we maintain insurance coverage that may be applicable to certain liabilities in the event of a security breach or other security incident, we
cannot be certain that our insurance coverage will be adequate for liabilities that actually are incurred, that insurance will continue to be available to us on
economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large
claims against us that exceed available insurance coverage or the occurrence of changes in our insurance policies, including premium increases or the
imposition of large deductible or co-insurance requirements, could have a material and adverse effect on our business, including our financial condition,
operating results and reputation.
Our sales cycle can be long and unpredictable, and our sales efforts require considerable time and expense. As a result, revenues may vary from period
to period, which may cause our operating results to fluctuate and could harm our business.
The timing of sales of subscriptions for our solutions can be difficult to forecast because of the length and unpredictability of our sales cycle,
particularly with large transactions and in the current macroeconomic environment. We sell subscriptions to our IT, security and compliance solutions
primarily to IT departments that are managing a growing set of user and compliance demands, which has increased the complexity of customer
requirements to be met and confirmed during the sales cycle and prolonged our sales cycle. Further, the length of time that potential customers devote to
their testing and evaluation, contract negotiation and budgeting processes varies significantly, which has also made our sales cycle long and unpredictable.
The length of the sales cycle for our solutions typically ranges from six to twelve months but can be more than eighteen months. In addition, we might
devote substantial time and effort to a particular unsuccessful sales effort, and as a result we could lose other sales opportunities or incur expenses that are
not offset by an increase in revenues, which could harm our business.
Adverse economic conditions or reduced IT spending may adversely impact our business.
Our business depends to a significant extent on the overall demand for IT and on the economic health of our current and prospective customers.
Economic weakness, customer financial difficulties, change in interest rates, inflationary pressures and potential for a recession, and constrained spending
on IT security, as well as longer sales cycles, which factors we have experienced in 2023 and 2024, have resulted and may in the future result in decreased
revenue and earnings. In addition, continued governmental budgetary challenges in the United States and Europe, inflationary pressures and potential for a
recession, and geopolitical turmoil in many parts of the world, including the ongoing military conflicts in parts of Eastern Europe and the Middle East, and
other disruptions to global and regional economies and markets in many parts of the world, as well as uncertainties related to changes in public policies
such as domestic and international regulations, taxes or international trade agreements, have and may continue to put pressure on global economic
conditions and overall spending on IT security and may further increase inflation, both in the U.S. and globally, which could increase our operating costs in
the future and reduce overall spending on IT security. General economic weakness may also lead to longer collection cycles for payments due from our
customers, an increase in customer bad debt, restructuring initiatives and associated expenses, and impairment of investments. Furthermore, the continued
weakness and uncertainty in worldwide credit markets, including the sovereign debt situation in certain countries in the European Union, may adversely
impact our European operations, as well as our current and potential customers' available budgetary spending, which could lead to delays or reductions in
planned purchases of our solutions.
Uncertainty about future economic conditions also makes it difficult to forecast operating results and to make decisions about future investments.
Future or continued economic weakness for us or our customers, failure of our customers and markets to recover from such weakness, customer financial
difficulties, and reductions in spending on IT security could have a material adverse effect on demand for our platform and consequently on our business,
financial condition and results of operations.
19
Table of Contents
Our IT, security and compliance solutions are delivered from 14 shared cloud platforms, and any disruption of service at these facilities would interrupt
or delay our ability to deliver our solutions to our customers which could reduce our revenues and harm our operating results.
We currently host substantially all of our solutions from third-party shared cloud platforms located in the United States, Canada, Switzerland, the
Netherlands, United Arab Emirates, Australia, United Kingdom, Italy, the Kingdom of Saudi Arabia and India. These facilities are vulnerable to damage or
interruption from earthquakes, hurricanes, floods, fires, cybersecurity attacks, terrorist attacks, employee negligence, power losses, technical errors,
telecommunications failures and similar events. The facilities also could be subject to break-ins, sabotage, intentional acts of vandalism and other
misconduct. The occurrence of a natural disaster, an act of terrorism or misconduct, a decision to close the facilities without adequate notice or other
unanticipated problems could result in interruptions in our services.
Some of our shared cloud platforms are not currently redundant and we may not be able to rapidly move our customers from one shared cloud
platform to another, which may increase delays in the restoration of our service for our customers if an adverse event occurs. We have added shared cloud
platforms to provide additional capacity and to enable disaster recovery. We continue to build out these facilities; however, these additional facilities may
not be operational in the anticipated time-frame and we may incur unplanned expenses.
Additionally, our existing shared cloud platform providers have no obligations to renew their agreements with us on commercially reasonable terms,
or at all. If we are unable to renew our agreements with the facilities providers on commercially reasonable terms or if in the future we add additional
shared cloud platform providers, we may experience costs or downtime in connection with the loss of an existing facility or the transfer to, or addition of,
new facilities.
Any disruptions or other performance problems with our solutions could harm our reputation and business and may damage our customers’
businesses. Interruptions in our service delivery might reduce our revenues, cause us to issue credits to customers, subject us to potential liability and cause
customers to terminate their subscriptions or not renew their subscriptions.
We face competition in our markets, and we may lack sufficient financial or other resources to maintain or improve our competitive position.
We compete with a large range of established and emerging vulnerability management vendors, compliance vendors and data security vendors in a
highly fragmented and competitive environment. We face significant competition for each of our solutions from companies with broad product suites and
greater name recognition and resources than we have, as well as from small companies focused on specialized security solutions.
We compete with large and small public companies, such as CrowdStrike, Palo Alto Networks, Rapid7, and Tenable Holdings, as well as privately
held security providers including Invicti, Tanium, and Wiz. We also seek to replace IT, security and compliance solutions that organizations have developed
internally. As we continue to extend our cloud platform’s functionality by further developing IT, security and compliance solutions, such as Cybersecurity
Asset Management and Patch Management, we expect to face additional competition in these new markets. Our competitors may also attempt to further
expand their presence in the IT, security and compliance market and compete more directly against one or more of our solutions.
We believe that the principal competitive factors affecting our markets include product functionality, breadth of offerings, flexibility of delivery
models, ease of deployment and use, total cost of ownership, scalability and performance, customer support and the extensibility of our platform. Many of
our existing and potential competitors have competitive advantages, including:
•
greater brand name recognition;
•
larger sales and marketing budgets and resources;
•
broader distribution networks and more established relationships with distributors and customers;
•
access to larger customer bases;
•
greater customer support resources;
•
greater resources to make acquisitions;
•
greater resources to develop and introduce products that compete with our solutions;
•
greater resources to meet relevant regulatory requirements; and
20
Table of Contents
•
substantially greater financial, technical and other resources.
As a result, our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies,
standards or customer requirements. With the introduction of new technologies, the evolution of our service and new market entrants, we expect
competition to intensify in the future.
In addition, some of our larger competitors have substantially broader product offerings and can bundle competing products and services with other
software offerings. As a result, customers may choose a bundled product offering from our competitors, even if individual products have more limited
functionality than our solutions. These competitors may also offer their products at a lower price as part of this larger sale, which could increase pricing
pressure on our solutions and cause the average sales price for our solutions to decline. These larger competitors are also often in a better position to
withstand any significant reduction in capital spending and will therefore not be as susceptible to economic downturns.
Furthermore, our current and potential competitors may establish cooperative relationships among themselves or with third parties that may further
enhance their resources and product and services offerings in the markets we address. In addition, current or potential competitors may be acquired by third
parties with greater available resources. As a result of such relationships and acquisitions, our current or potential competitors might be able to adapt more
quickly to new technologies and customer needs, devote greater resources to the promotion or sale of their products and services, initiate or withstand
substantial price competition, take advantage of other opportunities more readily or develop and expand their product and service offerings more quickly
than we do. For all of these reasons, we may not be able to compete successfully against our current or future competitors.
The sales prices of our solutions are subject to competitive pressures and may decrease, which may reduce our gross profits and adversely impact our
financial results.
The sales prices for our solutions may decline for a variety of reasons, including competitive pricing pressures, discounts, a change in our mix of
solutions and subscriptions, anticipation of the introduction of new solutions or subscriptions, or promotional programs. Competition continues to increase
in the market segments in which we participate, and we expect competition to further increase in the future, thereby leading to increased pricing pressures.
Larger competitors with more diverse product and service offerings may reduce the price of products or subscriptions that compete with ours or may bundle
them with other products and subscriptions. Additionally, although we price our products and subscriptions worldwide in U.S. Dollars, Euros, British
Pounds, Canadian Dollars, Japanese Yen, Indian Rupees, Australian Dollars and Singapore Dollar, currency fluctuations in certain countries and regions
may negatively impact actual prices that partners and customers are willing to pay in those countries and regions, or the effective prices we realize in our
reporting currency. We cannot assure you that we will be successful in developing and introducing new offerings with enhanced functionality on a timely
basis, or that our new product and subscription offerings, if introduced, will enable us to maintain our prices and gross profits at levels that will allow us to
maintain positive gross margins and profitability.
If our solutions fail to detect vulnerabilities or incorrectly detect vulnerabilities, our brand and reputation could be harmed, which could have an
adverse effect on our business and results of operations.
If our solutions fail to detect vulnerabilities in our customers’ IT infrastructures, or if our solutions fail to identify and respond to new and
increasingly complex methods of attacks, our business and reputation may suffer. There is no guarantee that our solutions will detect all vulnerabilities.
Additionally, our IT, security and compliance solutions may falsely detect vulnerabilities or threats that do not actually exist. For example, some of our
solutions rely on information on attack sources aggregated from third-party data providers who monitor global malicious activity originating from a variety
of sources, including anonymous proxies, specific IP addresses, botnets and phishing sites. If the information from these data providers is inaccurate, the
potential for false indications of security vulnerabilities increases. These false positives, while typical in the industry, may impair the perceived reliability
or usability of our solutions and may therefore adversely impact market acceptance of our solutions and could result in negative publicity, loss of customers
and sales, increased costs to remedy any incorrect information or problem, or claims by aggrieved parties. Similar issues may be generated by the misuse of
our tools to identify and exploit vulnerabilities.
Further, our solutions sometimes are tested against other security products, and may fail to perform as effectively, or to be perceived as performing as
effectively, as competitive products for any number of reasons, including misconfiguration. To the extent current or potential customers, channel partners,
or others believe there has been an occurrence of an actual or perceived failure of our solutions to detect a vulnerability or otherwise to function as
effectively as competitive products in any particular test, or indicates our solutions do not provide significant value, our business, competitive position, and
reputation could be harmed.
21
Table of Contents
In addition, our solutions do not currently extend to cover all mobile and personal devices that employees may bring into an organization. As such,
our solutions would not identify or address vulnerabilities in all mobile and personal devices, and our customers’ IT infrastructures may be compromised
by attacks that infiltrate their networks through such devices.
An actual or perceived security breach or incident or loss, theft, unavailability or other compromise of the sensitive data of one of our customers,
regardless of whether the breach is attributable to the failure of our solutions, could adversely affect the market’s perception of our security solutions.
If we are unable to recruit and retain qualified sales personnel, sales of our solutions and the growth of our business would be harmed.
We believe that our growth will depend, to a significant extent, on our success in recruiting and retaining a sufficient number of qualified sales
personnel and their ability to, whether directly or indirectly in collaboration with channel partners, obtain new customers, manage our existing customer
base and expand the sales of our newer solutions. We plan to continue to recruit and retain a team of qualified sales personnel and invest in our sales and
marketing activities. Our recent hires and planned hires may not become as productive as quickly as we would like, and we may be unable to hire or retain
sufficient numbers of qualified individuals in the future in the competitive markets where we do business. Competition for highly skilled personnel is
frequently intense and we may not be able to compete for these employees. If we are unable to recruit and retain a sufficient number of productive sales
personnel, sales of our solutions and the growth of our business may be harmed. Additionally, if our efforts do not result in increased revenues, our
operating results could be negatively impacted due to the upfront operating expenses associated with expanding our sales force.
We rely on third-party channel partners to generate a substantial amount of our revenues, and if we fail to effectively manage our distribution
channels, our revenues could decline and our growth prospects could suffer.
Our success significantly depends to a significant extent on establishing and maintaining relationships with a variety of channel partners and we
anticipate that we will continue to depend on these partners in order to grow our business. For the years ended December 31, 2024, 2023 and 2022, we
derived approximately 46%, 43% and 42% of our revenues from sales of subscriptions for our solutions through channel partners, and the percentage of
revenues derived from channel partners may increase in future periods. Our agreements with our channel partners are generally non-exclusive and do not
prohibit them from working with our competitors or offering competing solutions, and many of our channel partners have more established relationships
with our competitors. If our channel partners choose to place greater emphasis on products of their own or those offered by our competitors, do not
effectively market and sell our solutions, or fail to meet the needs of our customers, then our ability to grow our business and sell our solutions may be
adversely affected. In addition, the loss of one or more of our larger channel partners, who may cease marketing our solutions with limited or no notice, and
our possible inability to replace them, could adversely affect our sales. Moreover, our ability to expand our distribution channels depends in part on our
ability to educate our channel partners about our solutions, which can be complex. Our failure to effectively manage our relationship with channel partners,
or any reduction or delay in their sales of our solutions or conflicts between channel sales and our direct sales and marketing activities may harm our results
of operations. Even if we are successful, these relationships may not result in greater customer usage of our solutions or increased revenues.
In addition, the financial health of our channel partners and our continuing relationships with them are important to our success. Some of these
channel partners may be unable to withstand adverse changes in economic conditions, which could result in insolvency and/or the inability of such
distributors to obtain credit to finance purchases of our products and services. In addition, weakness in the end-user market could negatively affect the cash
flows of our channel partners who could, in turn, delay paying their obligations to us, which would increase our credit risk exposure. Our business could be
harmed if the financial condition of some of these channel partners substantially weakened and we were unable to timely secure replacement channel
partners.
A significant portion of our customers, channel partners and employees are located outside of the United States, which subjects us to a number of risks
associated with conducting international operations, and if we are unable to successfully manage these risks, our business and operating results could
be harmed.
We market and sell subscriptions to our solutions throughout the world and have personnel in many parts of the world. In addition, we have sales
offices and research and development facilities outside the United States and we conduct, and expect to continue to conduct, a significant amount of our
business with organizations that are located outside the United States, particularly in Europe and Asia. Therefore, we are subject to risks associated with
having international sales and worldwide operations, including:
•
foreign currency exchange fluctuations;
22
Table of Contents
•
trade and foreign exchange restrictions;
•
economic or political instability in foreign markets;
•
greater difficulty in enforcing contracts, accounts receivable collection and longer collection periods;
•
changes in regulatory requirements;
•
tax laws (including U.S. taxes on foreign subsidiaries);
•
difficulties and costs of staffing and managing foreign operations;
•
the uncertainty and limitation of protection for intellectual property rights in some countries;
•
costs of compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations;
•
costs of complying with U.S. laws and regulations for foreign operations, including the Foreign Corrupt Practices Act, import and export control
laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell our solutions in certain
foreign markets, and the risks and costs of non-compliance;
•
heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact
financial results and result in restatements of, and irregularities in, financial statements;
•
the potential for political unrest, acts of terrorism, hostilities or war;
•
management communication and integration problems resulting from cultural differences and geographic dispersion; and
•
multiple and possibly overlapping tax structures.
Some of our business partners also have international operations and are subject to the risks described above. Even if we are able to successfully
manage the risks of international operations, our business may be adversely affected if our business partners are not able to successfully manage these risks.
Our business, including the sales of subscriptions of our solutions, may be subject to foreign governmental regulations, which vary substantially from
country to country and change from time to time. Failure to comply with these regulations could adversely affect our business. Further, in many foreign
countries it is common for others to engage in business practices that are prohibited by our internal policies and procedures or U.S. regulations applicable
to us. Although we have implemented policies and procedures designed to ensure compliance with these laws and policies, there can be no assurance that
all of our employees, contractors, channel partners and agents have complied or will comply with these laws and policies. Violations of laws or key control
policies by our employees, contractors, channel partners or agents could result in delays in revenue recognition, financial reporting misstatements, fines,
penalties or the prohibition of the importation or exportation of our solutions and could have a material adverse effect on our business and results of
operations. If we are unable to successfully manage the challenges of international operations, our business and operating results could be adversely
affected.
In addition, as of December 31, 2024, approximately 77% of our employees were located outside of the United States, with 68% of our employees
located in India. Accordingly, we are exposed to changes in laws governing our employee relationships in various U.S. and foreign jurisdictions, including
laws and regulations regarding wage and hour requirements, fair labor standards, employee data privacy, unemployment tax rates, workers’ compensation
rates, citizenship requirements and payroll and other taxes which may have a direct impact on our operating costs. We may continue to expand our
international operations and international sales and marketing activities. Expansion in international markets has required, and will continue to require,
significant management attention and resources. We may be unable to scale our infrastructure effectively or as quickly as our competitors in these markets
and our revenues may not increase to offset any increased costs and operating expenses, which would cause our results to suffer.
We are exposed to fluctuations in currency exchange rates, which could negatively affect our financial condition and results of operations.
Our reporting currency is the U.S. dollar and we generate a majority of our revenues in U.S. dollars. However, for the year ended December 31, 2024,
we incurred approximately 29% of our expenses in foreign currencies, primarily the Euro, British Pound, and Indian Rupee, principally with respect to
salaries and related personnel expenses associated with our European and Indian operations. Additionally, for the year ended December 31, 2024,
approximately 25% of our revenues were generated in foreign currencies. Accordingly, changes in exchange rates may have a material adverse effect on
our business, operating results and financial condition. The exchange rate between the U.S. dollar and foreign currencies has fluctuated substantially in
recent
23
Table of Contents
years and may continue to fluctuate substantially in the future. We expect that a majority of our revenues will continue to be generated in U.S. dollars for
the foreseeable future and that a significant portion of our expenses, including personnel costs, as well as capital and operating expenditures, will continue
to be denominated in the Euro, British Pound and Indian Rupee. The result of our operations may be adversely affected by foreign exchange fluctuations.
We use derivative financial instruments to reduce our foreign currency exchange risks. We use foreign currency forward contracts to mitigate the
impact of foreign currency fluctuations of certain non-U.S. dollar denominated net asset positions, to date primarily cash, accounts receivable and operating
lease liabilities (non-designated), as well as to manage foreign currency fluctuation risk related to forecasted transactions (designated). However, we may
not be able to purchase derivative instruments that are adequate to insulate ourselves from foreign currency exchange risks. Additionally, our hedging
activities may contribute to increased losses as a result of volatility in foreign currency markets.
Our business and operations have continued to grow since inception, and if we do not appropriately manage any future growth, or are unable to
improve our systems and processes, our operating results may be negatively affected.
We have continued to grow over the last several years, with revenues increasing from $489.7 million in 2022 to $607.6 million in 2024, and
headcount increasing from 1,823 employees at the beginning of 2022 to 2,400 employees as of December 31, 2024. We rely on information technology
systems to help manage critical functions such as order processing, revenue recognition and financial forecasts. To manage any future growth effectively
we must continue to improve and expand our IT systems, financial infrastructure, and operating and administrative systems and controls, and continue to
manage headcount, capital and processes in an efficient manner. We may not be able to successfully implement improvements to these systems and
processes in a timely or efficient manner.
Our failure to improve our systems and processes, or their failure to operate in the intended manner, may result in our inability to manage the growth
of our business and to accurately forecast our revenues, expenses and earnings, or to prevent certain losses. In addition, as we continue to grow, our
productivity and the quality of our solutions may also be adversely affected if we do not integrate and train our new employees quickly and effectively. Any
future growth would add complexity to our organization and require effective coordination across our organization. Failure to manage any future growth
effectively could result in increased costs, harm our results of operations and lead to investors losing confidence in our internal systems and processes.
We depend on the continued services and performance of our senior management and other key employees, the loss of any of whom could adversely
affect our business, operating results and financial condition.
Our future performance depends to a significant extent on the continued services and continuing contributions of our senior management and other
key employees, to execute on our business plan and to identify and pursue new opportunities and product innovations. We do not maintain key-man
insurance for any member of our senior management team. Our senior management and key employees are generally employed on an at-will basis, which
means that they could terminate their employment with us at any time. From time to time, there may be changes in our senior management team resulting
from the termination or departure of executives. The loss of the services of our senior management or other key employees for any reason could
significantly delay or prevent the achievement of our development and strategic objectives and harm our business, financial condition and results of
operations.
24
Table of Contents
If we are unable to hire, retain and motivate qualified personnel, our business may suffer.
Our future success depends, in part, on our ability to continue to attract and retain highly skilled personnel. The loss of the services of any of our key
personnel, the inability to attract or retain qualified personnel or delays in hiring required personnel, particularly in engineering and sales, may seriously
harm our business, financial condition and results of operations. Any of our employees may terminate their employment at any time. Competition for
highly skilled personnel is frequently intense, especially within our industry, and we may not be able to compete for such personnel.
We are required under accounting principles generally accepted in the United States (U.S. GAAP) to recognize compensation expense in our
operating results for employee stock-based compensation under our equity grant programs, which may negatively impact our operating results and may
increase the pressure to limit stock-based compensation that we might otherwise offer to current or potential employees, thereby potentially harming our
ability to attract or retain highly skilled personnel. In addition, to the extent we hire personnel from competitors, we may be subject to allegations that they
have been improperly solicited or divulged proprietary or other confidential information, which could result in a diversion of management's time and our
resources.
A portion of our revenues are generated by sales to government entities, which are subject to a number of challenges and risks.
Government entities have historically been particularly concerned about adopting cloud-based solutions for their operations, including security
solutions, and increasing sales of subscriptions for our solutions to government entities may be more challenging than selling to commercial organizations.
Selling to government entities can be highly competitive, expensive and time-consuming, often requiring significant upfront time and expense without any
assurance that we will win a sale. We have invested in the creation of a cloud offering certified under the Federal Information Security Management Act for
government usage but we cannot be sure that we will continue to sustain or renew this certification, that the government will continue to mandate such
certification or that other government agencies or entities will use this cloud offering. Government demand and payment for our solutions may be impacted
by public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our solutions.
Government entities may have contractual or other legal rights to terminate contracts with our channel partners for convenience or due to a default, and any
such termination may adversely impact our future results of operations. Governments routinely investigate and audit government contractors’
administrative processes, and any unfavorable audit could result in the government refusing to continue buying our solutions, a reduction of revenues or
fines or civil or criminal liability if the audit uncovers improper or illegal activities. Any such penalties could adversely impact our results of operations in
a material way.
Our success in acquiring and integrating other businesses, products or technologies could impact our financial position.
In order to remain competitive, we have in the past and may in the future seek to acquire additional businesses, products, services or technologies. For
example, we acquired certain assets of Blue Hexagon on October 4, 2022. The environment for acquisitions in our industry is very competitive and
acquisition candidate purchase prices may exceed what we would prefer to pay. Moreover, achieving the anticipated benefits of past and future acquisitions
will depend in part upon whether we can integrate acquired operations, products and technology in a timely and cost-effective manner, and even if we
achieve benefits from acquisitions, such acquisitions may still be viewed negatively by customers, financial markets or investors. The acquisition and
integration process is complex, expensive and time-consuming, and may cause an interruption of, or loss of momentum in, product development and sales
activities and operations of both companies, as well as divert the attention of management, and we may incur substantial cost and expense. We may issue
equity securities which could dilute current stockholders’ ownership, incur debt, assume contingent or other liabilities and expend cash in acquisitions,
which could negatively impact our financial position, stockholder equity and stock price. We may not find suitable acquisition candidates, and acquisitions
we complete may be unsuccessful. If we consummate a transaction, we may be unable to integrate and manage acquired products and businesses
effectively or retain key personnel. If we are unable to effectively execute acquisitions, our business, financial condition and operating results could be
adversely affected.
If our solutions fail to help our customers achieve and maintain compliance with regulations and industry standards, our revenues and operating
results could be harmed.
We generate a portion of our revenues from solutions that help organizations achieve and maintain compliance with regulations and industry
standards. For example, many of our customers subscribe to our IT, security and compliance solutions to help them comply with the security standards
developed and maintained by the Payment Card Industry Security Standards Council, or the PCI Council, which apply to companies that store cardholder
data. Industry organizations like the PCI Council may significantly change their security standards with little or no notice, including changes that could
make their standards more or less
25
Table of Contents
onerous for businesses. Governments may also adopt new laws or regulations, or make changes to existing laws or regulations, which could impact the
demand for or value of our solutions.
If we are unable to adapt our solutions to changing regulatory standards in a timely manner, or if our solutions fail to assist with or expedite our
customers’ compliance initiatives, our customers may lose confidence in our solutions and could switch to products offered by our competitors. In addition,
if regulations and standards related to data security, vulnerability management and other IT, security and compliance requirements are relaxed or the
penalties for non-compliance are changed in a manner that makes them less onerous, our customers may view government and industry regulatory
compliance as less critical to their businesses, and our customers may be less willing to purchase our solutions. In any of these cases, our revenues and
operating results could be harmed.
We rely on software-as-a-service vendors to operate certain functions of our business and any failure of such vendors to provide services to us could
adversely impact our business and operations.
We rely on third-party software-as-a-service vendors to operate certain critical functions of our business, including financial management and human
resource management. If these services become unavailable due to extended outages or interruptions or because they are no longer available on
commercially reasonable terms or prices, our expenses could increase, our ability to manage our finances could be interrupted and our processes for
managing sales of our solutions and supporting our customers could be impaired until equivalent services, if available, are identified, obtained and
integrated, all of which could harm our business.
Incorrect or improper implementation or use of our solutions could result in customer dissatisfaction and harm our business and reputation.
If our customers are unable to implement our solutions successfully, customer perceptions of our platform and solutions may be impaired or our
reputation and brand may suffer. Our customers have in the past inadvertently misused our solutions, which triggered downtime in their internal
infrastructure until the problem was resolved. Additionally, any failure to implement and configure our solutions correctly may result in our solutions
failing to detect vulnerabilities or compliance issues, or otherwise to perform effectively, and may result in disruptions to our customers’ IT environments
and businesses. Any misuse of our solutions, including any failure to implement and configure them appropriately, could result in disruption to our
customers’ businesses, customer dissatisfaction, negative impacts on the perceived reliability or effectiveness of our solutions, and claims and litigation,
and may result in negative press coverage, negative effects on our reputation and competitive position, a loss of sales, customers, and channel partners, and
harm our financial results.
We recognize revenues from subscriptions over the term of the relevant service period, and therefore any decreases or increases in bookings are not
immediately reflected in our operating results.
We recognize revenues from subscriptions over the term of the relevant service period, which is typically one year. As a result, most of our reported
revenues in each quarter are derived from the recognition of deferred revenues relating to subscriptions entered into during previous quarters.
Consequently, a shortfall in demand for our solutions in any period may not significantly reduce our revenues for that period, but could negatively affect
revenues in future periods. Accordingly, the effect of significant downturns in bookings may not be fully reflected in our results of operations until future
periods. We may be unable to adjust our costs and expenses to compensate for such a potential shortfall in revenues. Our subscription model also makes it
difficult for us to rapidly increase our revenues through additional bookings in any period, as revenues are recognized ratably over the subscription period.
26
Table of Contents
If the market for cloud solutions for IT, security and compliance does not evolve as we anticipate, our revenues may not grow and our operating results
would be harmed.
Our success depends to a significant extent on the willingness of organizations to increase their use of cloud solutions for their IT, security and
compliance. Some organizations may be reluctant to use cloud solutions because they have concerns regarding the risks associated with the reliability or
security of the technology delivery model associated with these solutions. If other cloud service providers experience security incidents, loss, unavailability,
or unauthorized processing of customer data, disruptions in service delivery or other problems, the market for cloud solutions as a whole, including our
solutions, may be negatively impacted. Moreover, organizations that have invested substantial personnel and financial resources to integrate on-premise
software into their businesses may be reluctant or unwilling to migrate to a cloud solution. Organizations that use on-premise security products, such as
network firewalls, security information and event management products or data loss prevention solutions, may also believe that these products sufficiently
protect their IT infrastructure and deliver adequate security. Therefore, they may continue spending their IT security budgets on these products and may not
adopt our IT, security and compliance solutions in addition to or as a replacement for such products.
If customers do not recognize the benefits of our cloud solutions over traditional on-premise enterprise software products, and as a result we are
unable to increase sales of subscriptions to our solutions, then our revenues may not grow or may decline, and our operating results would be harmed.
Our business is subject to the risks of earthquakes, fire, power outages, floods and other catastrophic events, and to interruption by man-made
problems such as terrorism.
A significant natural disaster, such as an earthquake, fire or a flood, or a significant power outage could have a material adverse impact on our
business, operating results and financial condition. Our corporate headquarters and a significant portion of our operations are located in the San Francisco
Bay Area, a region known for seismic activity. In addition, natural disasters could affect our business partners’ ability to perform services for us on a timely
basis. In the event we or our business partners are hindered by any of the events discussed above, our ability to provide our solutions to customers could be
delayed, resulting in our missing financial targets, such as revenues and net income, for a particular quarter. Further, if a natural disaster occurs in a region
from which we derive a significant portion of our revenues, customers in that region may delay or forego subscriptions of our solutions, which may
materially and adversely impact our results of operations for a particular period. In addition, war, acts of terrorism, pandemics or other health emergencies,
or responses to these events could cause disruptions in our business or the business of our business partners, customers or the economy as a whole. All of
the aforementioned risks may be exacerbated if the disaster recovery plans for us and our suppliers prove to be inadequate. To the extent that any of the
above results in delays of customer subscriptions or commercialization of our solutions, our business, financial condition and results of operations could be
adversely affected.
Risks Related to Intellectual Property, Legal, Tax and Regulatory Matters
Undetected software errors or flaws in our solutions could harm our reputation, decrease market acceptance of our solutions or result in liability.
Our solutions may contain undetected errors or defects when first introduced or as new versions are released. We have experienced these errors or
defects in the past in connection with new solutions and solution upgrades and we expect that these errors or defects will be found from time to time in the
future in new or enhanced solutions after commercial release of these solutions. Since our customers use our solutions for IT, security and compliance
reasons, any errors, defects, disruptions in service or other performance problems with our solutions, or any other failure of our solutions to detect
vulnerabilities or compliance problems or otherwise to perform effectively, may result in disruptions or damage to the business of our customers, including
security breaches or compliance failures. Additionally, any such issues, or the perception that they have occurred, whether or not relating to any actual or
perceived error or defect in our solutions, could hurt our reputation and competitive position and we may incur significant costs, the attention of key
personnel could be diverted, our customers may delay or withhold payment to us or elect not to renew, we could face a loss of sales, customers, and
channel partners, and other significant problems with our relationships with customers and channel partners may arise. We may also be subject to liability
claims for damages related to actual or perceived errors or defects in our solutions. A material liability claim or other occurrence that harms our reputation
or decreases market acceptance of our solutions may harm our business, competitive and financial position, and operating results.
Although we maintain insurance coverage that may be applicable to certain liabilities in connection with these matters, we cannot be certain that our
insurance coverage will be adequate for liabilities that actually are incurred, that insurance will continue to be available to us on economically reasonable
terms, or at all, or that any insurer will not deny coverage as to any future claim.
27
Table of Contents
The successful assertion of one or more large claims against us that exceed available insurance coverage or the occurrence of changes in our insurance
policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material and adverse effect on our
business, including our financial condition, operating results and reputation.
Our solutions could be used to collect and store personal information of our customers’ employees or customers, and therefore privacy and other data
handling concerns could result in additional cost and liability to us or inhibit sales of our solutions.
We collect certain personal and confidential information of our customers in connection with subscriptions to our solutions. Additionally, the data that
our solutions collect to help secure and protect the IT infrastructure of our customers may include additional personal or confidential information of our
customers’ employees and their customers, and we may collect, store and otherwise process personal or confidential information more generally in
connection with our business and operations. Privacy, data protection, and cybersecurity have become significant issues in the United States and in many
other countries where we offer our solutions. The regulatory framework for privacy issues worldwide is currently evolving and is likely to remain uncertain
for the foreseeable future. Many federal, state and foreign government bodies and agencies have adopted or are considering adopting laws and regulations
regarding the collection, use, disclosure, retention, transfer, and other processing of personal information. In the United States, these include, for example,
rules and regulations promulgated under the authority of the Federal Trade Commission, the Health Insurance Portability and Accountability Act of 1996,
the Gramm-Leach-Bliley Act, state privacy laws, and state breach notification laws. Internationally, virtually every jurisdiction in which we operate has
established its own data security and privacy legal framework with which we or our customers must comply.
These privacy, data protection and information security laws and regulations may result in ever-increasing regulatory and public scrutiny and
escalating levels of enforcement and sanctions. Additionally, new laws and regulations relating to privacy and data protection continue to be proposed and
enacted. For example, the European Union's General Data Protection Regulation (“GDPR”), which took effect in May of 2018, provides for substantial
obligations relating to the handling, storage and other processing of data relating to individuals and administrative fines for violations, which can be up to
the greater of four percent of the previous year’s annual revenue or €20 million. Similarly, the California Consumer Privacy Act (“CCPA”) requires covered
companies to, among other things, provide certain disclosures to California consumers and affords such consumers rights to opt-out of certain sales of
personal information. The CCPA also creates a private right of action for statutory damages for certain breaches of information. Additionally, the California
Privacy Rights Act (“CPRA”), was approved by voters in the November 3, 2020 election. The CPRA modified the CCPA significantly, creating obligations
relating to consumer data beginning on January 1, 2022, with enforcement authorized as of July 1, 2023. In addition, other states have enacted or proposed
legislation that regulates the collection, use, and sale of personal information, including, for example, Washington's My Health, My Data Act and
legislation similar to the CCPA adopted in Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Montana, Tennessee, Oregon, Florida, Delaware, Texas,
Kentucky, New Jersey, New Hampshire, Maryland, Minnesota, Nebraska, and Rhode Island. Aspects of the CCPA, CPRA, and these other new and
evolving state laws, as well their interpretation and enforcement, remain uncertain. The GDPR, CCPA, and other laws and regulations relating to privacy,
data protection, and cybersecurity may be subject to new or changing interpretations by courts, and our interpretation of the law and efforts to comply with
the rules and regulations of the law may be ruled invalid. We cannot predict the impact of the CCPA, CPRA, or other evolving privacy, data protection and
cybersecurity obligations on our business or operations, but they may require us to modify our data processing practices and policies and incur substantial
costs and expenses in an effort to comply.
The privacy, data protection, and cybersecurity laws and regulations we must comply with also are subject to change. For example, the United
Kingdom has enacted a Data Protection Act, and has implemented legislation referred to as the “UK GDPR,” which substantially implement the GDPR in
the United Kingdom following the United Kingdom’s exit from the European Union. This legislation provides for substantial penalties for noncompliance
of up to the greater of £17.5 million or four percent of the previous year’s annual revenues. While the European Union has deemed the United Kingdom an
“adequate country” to which personal data could be exported from the European Economic Area (“EEA”), this decision is required to be renewed after four
years of being in effect and may be modified, revoked, or challenged in the interim, creating uncertainty regarding transfers of personal data to the United
Kingdom from the EEA. It remains unclear how United Kingdom data protection laws or regulations will develop in the medium to longer term and how
data transfers to and from the United Kingdom will be regulated. Additionally, we have self-certified under the EU-U.S. Data Privacy Framework, the
Swiss-U.S. Data Privacy Framework, and the United Kingdom extension to the EU-U.S. Data Privacy Framework, and have adopted certain standard
contractual clauses approved by the European Commission (“SCCs”) as part of our data processing agreements with regard to certain transfers of personal
data from the EEA to the U.S. Both the EU-U.S. Data Privacy Framework and SCCs have, however, been subject to legal challenge. In its July 16, 2020
opinion, the CJEU imposed additional obligations on companies when relying on SCCs to transfer personal data. The European Commission has published
revised SCCs addressing the CJEU concerns on June 4, 2021, that are required to be implemented. The United Kingdom has adopted new standard
contractual clauses (“UK SCCs”), that became effective as of March 21, 2022, and which also are required to be implemented. The EU-U.S. Data Privacy
Framework, Swiss-U.S. Data Privacy
28
Table of Contents
Framework, United Kingdom extension to the EU-U.S. Data Privacy Framework, revised SCCs and UK SCCs, guidance and opinions of regulators, and
other developments relating to cross-border data transfer may require us to implement additional contractual and technical safeguards for any personal data
transferred out of Europe, which may increase compliance costs, lead to increased regulatory scrutiny or liability, and which may adversely impact our
business, financial condition and operating results. We may be unsuccessful in maintaining legitimate means for our transfer and receipt of personal data
from the EEA, United Kingdom, Switzerland, or other jurisdictions. We may experience reluctance or refusal by current or prospective customers in these
or other jurisdictions to use our products, and we and our customers may face a risk of regulatory enforcement actions or other proceedings relating to
personal data transfers to us and by us from the EEA, United Kingdom, and Switzerland. Any such proceedings could result in substantial costs and
diversion of resources, distract management and technical personnel and negatively affect our business, operating results and financial condition. Some
countries also are considering or have passed legislation requiring local storage and processing of data, or similar requirements, which could increase the
cost and complexity of delivering our services.
In addition to laws and regulations, privacy advocacy and industry groups or other private parties may propose new and different standards relating to
privacy, data protection, and cybersecurity that apply, or are alleged to apply, to us. Because the interpretation and application of privacy and data
protection laws, regulations, standards and contractual obligations relating to these matters are uncertain, it is possible that they may be interpreted and
applied in a manner that is, or perceived to be, inconsistent with our data management practices or the features of our solutions. If so, in addition to the
possibility of regulatory investigations and enforcement actions or other proceedings, fines, lawsuits and other claims, other forms of injunctive or
operations-limiting relief, and damage to our reputations and loss of goodwill, we could be required to fundamentally change our business activities and
practices or modify our solutions and may face limitations in our ability to develop new solutions and features, any of which could have an adverse effect
on our business. Any inability to adequately address concerns relating to privacy, data protection, or cybersecurity, even if unfounded, or any actual or
perceived inability to comply with applicable privacy or data protection laws, regulations and privacy standards relating to these matters, could result in
cost and liability to us, damage our reputation, inhibit sales of subscriptions and harm our business.
Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and privacy standards that are applicable to the
businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our solutions. Privacy and data protection concerns,
whether valid or not valid, may inhibit market adoption of our solutions particularly in certain industries and foreign countries.
We use AI/machine learning technologies in our solutions that could result in harm to our business and operating results.
We have incorporated and may continue to incorporate additional AI/machine learning solutions and features into our solutions, and these solutions
and features may become more important to our operations or to our future growth over time. We expect to rely on AI/machine learning solutions and
features to help drive future growth in our business, but there can be no assurance that we will realize the desired or anticipated benefits from AI/machine
learning or at all. We may also fail to properly implement or market our AI/machine learning solutions and features. Our competitors or other third parties
may incorporate AI/machine learning into their products, offerings, and solutions more quickly or more successfully than us, which could impair our ability
to compete effectively and adversely affect our results of operations. Additionally, our offerings based on AI/machine learning may expose us to additional
claims, demands and proceedings by private parties and regulatory authorities and subject us to legal liability as well as brand and reputational harm. The
legal, regulatory, and policy environments around AI/machine learning are evolving rapidly, including the European Union's enactment of its Artificial
Intelligence Act and legislative efforts in various other jurisdictions, and we may become subject to new and evolving legal and other obligations. These
and other developments may require us to make significant changes to our use of AI/machine learning, including by limiting or restricting our use of
AI/machine learning, and which may require us to make significant changes to our policies and practices, which may necessitate expenditure of significant
time, expense, and other resources, AI/machine learning also presents emerging ethical issues that could harm our reputation and business if our use of
AI/machine learning becomes controversial.
Our solutions contain third-party open source software components, and our failure to comply with the terms of the underlying open source software
licenses could restrict our ability to sell our solutions.
Our solutions contain software licensed to us by third-parties under so-called “open source” licenses, including the GNU General Public License, the
GNU Lesser General Public License, the BSD License, the Apache License and others. From time to time, there have been claims against companies that
distribute or use open source software in their products and services, asserting that such open source software infringes the claimants’ intellectual property
rights. We could be subject to suits by parties claiming that what we believe to be licensed open source software infringes their intellectual property rights.
Use and distribution of open source software may entail greater risks than use of third-party commercial software, as open source licensors generally do not
29
Table of Contents
provide warranties or other contractual protections regarding infringement claims or the quality of the code. In addition, certain open source licenses
require that source code for software programs that are subject to the license be made available to the public and that any modifications or derivative works
to such open source software continue to be licensed under the same terms. If we combine our proprietary software with open source software in certain
ways, we could, in some circumstances, be required to release the source code of our proprietary software to the public. Disclosing the source code of our
proprietary software could make it easier for cyber attackers and other third parties to discover vulnerabilities in or to defeat the protections of our
solutions, which could result in our solutions failing to provide our customers with the security they expect from our services. This could harm our business
and reputation. Disclosing our proprietary source code also could allow our competitors to create similar products with lower development effort and time
and ultimately could result in a loss of sales for us. Any of these events could have a material adverse effect on our business, operating results and financial
condition.
Although we monitor our use of open source software in an effort both to comply with the terms of the applicable open source licenses and to avoid
subjecting our solutions to conditions we do not intend, the terms of many open source licenses have not been interpreted by U.S. courts, and there is a risk
that these licenses could be construed in a way that could impose unanticipated conditions or restrictions on our ability to commercialize our solutions. In
this event, we could be required to seek licenses from third parties to continue offering our solutions, to make our proprietary code generally available in
source code form, to re-engineer our solutions or to discontinue the sale of our solutions if re-engineering could not be accomplished on a timely basis, any
of which could adversely affect our business, operating results and financial condition.
We use third-party software and data that may be difficult to replace or cause errors or failures of our solutions that could lead to lost customers or
harm to our reputation and our operating results.
We license third-party software as well as security and compliance data from various third parties to deliver our solutions. In the future, this software
or data may not be available to us on commercially reasonable terms, or at all. Any loss of the right to use any of this software or data could result in delays
in the provisioning of our solutions until equivalent technology or data is either developed by us, or, if available, is identified, obtained and integrated,
which could harm our business. In addition, any errors or defects in or failures of this third-party software or data could result in errors or defects in our
solutions or cause our solutions to fail, which could harm our business and be costly to correct. Many of these providers attempt to impose limitations on
their liability for such errors, defects or failures, and if enforceable, we may have additional liability to our customers or third-party providers that could
harm our reputation and increase our operating costs.
We will need to maintain our relationships with third-party software and data providers, and to obtain software and data from such providers that do
not contain any errors or defects. Any failure to do so could adversely impact our ability to deliver effective solutions to our customers and could harm our
operating results.
Failure to protect our proprietary technology and intellectual property rights could substantially harm our business and operating results.
The success of our business depends in part on our ability to protect and enforce our trade secrets, trademarks, copyrights, patents and other
intellectual property rights. We attempt to protect our intellectual property under copyright, trade secret, patent and trademark laws, and through a
combination of confidentiality procedures, contractual provisions and other methods, all of which offer only limited protection.
We primarily rely on our unpatented proprietary technology and trade secrets. Despite our efforts to protect our proprietary technology and trade
secrets, unauthorized parties may attempt to misappropriate, reverse engineer or otherwise obtain and use them. The contractual provisions that we enter
into with employees, consultants, partners, vendors and customers may not prevent unauthorized use or disclosure of our proprietary technology or
intellectual property rights and may not provide an adequate remedy in the event of unauthorized use or disclosure of our proprietary technology or
intellectual property rights. Moreover, policing unauthorized use of our technologies, solutions and intellectual property is difficult, expensive and time-
consuming, particularly in foreign countries where the laws may not be as protective of intellectual property rights as those in the United States and where
mechanisms for enforcement of intellectual property rights may be weak. We may be unable to determine the extent of any unauthorized use or
infringement of our solutions, technologies or intellectual property rights.
The process of obtaining patent protection is expensive and time-consuming, and we may not be able to prosecute all necessary or desirable patent
applications at a reasonable cost or in a timely manner, if at all. We may choose not to seek patent protection for certain innovations and may choose not to
pursue patent protection in certain jurisdictions.
30
Table of Contents
Furthermore, it is possible that our patent applications may not result in granted patents, that the scope of our issued patents will be limited or not
provide the coverage originally sought, that our issued patents will not provide us with any competitive advantages, or that our patents and other
intellectual property rights may be challenged by others or invalidated through administrative processes or litigation. In addition, issuance of a patent does
not guarantee that we have an absolute right to practice the patented invention. As a result, we may not be able to obtain adequate patent protection or to
enforce our issued patents effectively.
From time to time, legal action by us may be necessary to enforce our patents and other intellectual property rights, to protect our trade secrets, to
determine the validity and scope of the intellectual property rights of others or to defend against claims of infringement or invalidity. Such litigation could
result in substantial costs and diversion of resources and could negatively affect our business, operating results and financial condition. If we are unable to
protect our intellectual property rights, we may find ourselves at a competitive disadvantage to others who need not incur the additional expense, time and
effort required to create the innovative solutions that have enabled us to be successful to date.
Assertions by third parties of infringement or other violations by us of their intellectual property rights could result in significant costs and harm our
business and operating results.
Patent and other intellectual property disputes are common in our industry. Some companies, including some of our competitors, own large numbers
of patents, copyrights and trademarks, which they may use to assert claims against us. Third parties may in the future assert claims of infringement,
misappropriation or other violations of intellectual property rights against us. They may also assert such claims against our customers or channel partners
whom we typically indemnify against claims that our solutions infringe, misappropriate or otherwise violate the intellectual property rights of third parties.
As the numbers of products and competitors in our market increase and overlaps occur, claims of infringement, misappropriation and other violations of
intellectual property rights may increase. Any claim of infringement, misappropriation or other violation of intellectual property rights by a third party,
even those without merit, could cause us to incur substantial costs defending against the claim and could distract our management from our business.
The patent portfolios of our most significant competitors are larger than ours. This disparity may increase the risk that they may sue us for patent
infringement and may limit our ability to counterclaim for patent infringement or settle through patent cross-licenses. In addition, future assertions of patent
rights by third parties, and any resulting litigation, may involve patent holding companies or other adverse patent owners who have no relevant product
revenues and against whom our own patents may therefore provide little or no deterrence or protection. There can be no assurance that we will not be found
to infringe or otherwise violate any third-party intellectual property rights or to have done so in the past.
An adverse outcome of a dispute may require us to:
•
pay substantial damages, including treble damages, if we are found to have willfully infringed a third party’s patents or copyrights;
•
cease making, licensing or using solutions that are alleged to infringe or misappropriate the intellectual property of others;
•
expend additional development resources to attempt to redesign our solutions or otherwise develop non-infringing technology, which may
not be successful;
•
enter into potentially unfavorable royalty or license agreements in order to obtain the right to use necessary technologies or intellectual
property rights; and
•
indemnify our partners and other third parties.
In addition, royalty or licensing agreements, if required or desirable, may be unavailable on terms acceptable to us, or at all, and may require
significant royalty payments and other expenditures. Some licenses may also be non-exclusive, and therefore our competitors may have access to the same
technology licensed to us. Any of the foregoing events could seriously harm our business, financial condition and results of operations.
Governmental export or import controls could subject us to liability if we violate them or limit our ability to compete in foreign markets.
Our solutions are subject to U.S. export controls, specifically, the Export Administration Regulations and economic sanctions enforced by the Office
of Foreign Assets Control. We incorporate encryption technology into certain of our solutions. These encryption solutions and the underlying technology
may be exported only with the required export authorizations, including by
31
Table of Contents
license, a license exception or other appropriate government authorizations. U.S. export controls may require submission of an encryption registration,
product classification and/or annual or semi-annual reports. Governmental regulation of encryption technology and regulation of imports or exports of
encryption products, or our failure to obtain required import or export authorization for our solutions, when applicable, could harm our international sales
and adversely affect our revenues. Compliance with applicable regulatory requirements regarding the export of our solutions, including with respect to new
releases of our solutions, may create delays in the introduction of our solutions in international markets, prevent our customers with international operations
from deploying our solutions throughout their globally-distributed systems or, in some cases, prevent the export of our solutions to some countries
altogether. In addition, various countries regulate the import of our appliance-based solutions and have enacted laws that could limit our ability to distribute
solutions or could limit our customers’ ability to implement our solutions in those countries. Any new export or import restrictions, new legislation or
shifting approaches in the enforcement or scope of existing regulations, or in the countries, persons or technologies targeted by such regulations, could
result in decreased use of our solutions by existing customers with international operations, declining adoption of our solutions by new customers with
international operations and decreased revenues. If we fail to comply with export and import regulations, we may be fined or other penalties could be
imposed, including denial of certain export privileges.
If we are required to collect higher sales and use or other taxes on the solutions we sell, we may be subject to liability for past sales and our future sales
may decrease.
Taxing jurisdictions, including state and local entities, have differing rules and regulations governing sales and use or other taxes, and these rules and
regulations are subject to varying interpretations that may change over time. In particular, the applicability of sales taxes to our subscription services in
various jurisdictions is unclear. It is possible that we could face sales tax audits and that our liability for these taxes could exceed our estimates as tax
authorities could still assert that we are obligated to collect additional amounts as taxes from our customers and remit those taxes to those authorities. We
could also be subject to audits with respect to state and international jurisdictions for which we may not have accrued tax liabilities. A successful assertion
that we should be collecting additional sales or other taxes on our services in jurisdictions where we have not historically done so and do not accrue for
sales taxes could result in substantial tax liabilities for past sales, discourage customers from purchasing our solutions or otherwise harm our business and
operating results.
Changes in our income tax provision or adverse outcomes resulting from examination of our income tax returns could adversely affect our operating
results, in which case we could be subject to additional taxes.
We are subject to income taxes in the United States and various foreign jurisdictions, and our domestic and international tax liabilities are subject to
the allocation of expenses in differing jurisdictions. Our tax rate is affected by changes in the mix of earnings and losses in countries with differing
statutory tax rates, certain non-deductible expenses, excess tax benefits arising from stock-based compensation, other tax benefits and credits, and the
valuation of deferred tax assets and liabilities. Increases in our effective tax rate could harm our operating results.
Additionally, significant judgment is required in evaluating our tax positions and our worldwide tax provisions. During the ordinary course of
business, there are many activities and transactions for which the ultimate tax determination is uncertain. In addition, our tax obligations and effective tax
rates could be adversely affected by changes in the relevant tax, accounting and other laws, regulations, principles and interpretations, including those
relating to income tax nexus, by recognizing tax losses or lower than anticipated earnings in jurisdictions where we have lower statutory rates and higher
than anticipated earnings in jurisdictions where we have higher statutory rates, by changes in foreign currency exchange rates, or by changes in the
valuation of our deferred tax assets and liabilities. The Tax Cuts and Jobs Act of 2017 (or "TCJA") introduced a Base Erosion and Anti-Abuse Tax which
imposes a minimum tax on adjusted income of corporations with average applicable gross receipt of at least $500 million for prior three tax years and that
make certain payments to related foreign persons. While these rules do not impact our results of operations in the current year, they could impact our
financial results in future periods. The TCJA introduced provisions to reduce the deduction rates for foreign income in the US beginning 2026 that may
increase our effective income tax rate in the future. The Organization for Economic Cooperation and Development has issued model rules in connection
with the Base Erosion and Profit Shifting integrated framework that determine multi-jurisdictional taxing rights (Pillar One) and the minimum rate of tax
applicable to certain types of income (Pillar Two). Many countries have enacted legislation to apply the Pillar Two directive for tax years beginning in
January 2024, which generally provides for a minimum effective tax rate of 15% on the income arising in each jurisdiction where the Company operates.
These rules do not impact our current year’s financial results as the Company is below the revenue threshold. If applicable in the future, these rules could
have an impact on our financial results, the extent of which is currently uncertain. We may be audited in various jurisdictions, and such jurisdictions may
assess additional taxes, including sales taxes and value-added taxes against us. Although we believe our tax estimates are reasonable, the final
determination of any tax audits or litigation could be materially different from our historical tax provisions and accruals, which could have a material
adverse effect on our operating results or cash flows in the period or periods for which a determination is made.
32
Table of Contents
Risks Related to Ownership of Our Common Stock
Market volatility may affect our stock price and the value of an investment in our common stock and could subject us to litigation.
The trading price of our common stock has been, and may continue to be, subject to significant fluctuations in response to a number of factors, most
of which we cannot predict or control, including:
•
announcements of new solutions, services or technologies, commercial relationships, acquisitions or other events by us or our competitors;
•
fluctuations in stock market prices and trading volumes of securities of similar companies;
•
general market conditions and overall fluctuations in U.S. equity markets;
•
variations in our operating results, or the operating results of our competitors;
•
changes in our financial guidance or securities analysts’ estimates of our financial performance;
•
changes in accounting principles;
•
sales of large blocks of our common stock, including sales by our executive officers, directors and significant stockholders;
•
additions or departures of any of our key personnel;
•
announcements related to litigation;
•
changing legal or regulatory developments in the United States and other countries; and
•
discussion of us or our stock price by the financial press and in online investor communities.
In addition, the stock market in general, and the stocks of technology companies such as ours in particular, have experienced substantial price and
volume volatility that is often seemingly unrelated to the operating performance of particular companies. These broad market fluctuations may cause the
trading price of our common stock to decline. In the past, securities class action litigation has often been brought against a company after a period of
volatility in the trading price of its common stock. We may become involved in this type of litigation in the future. Any securities litigation claims brought
against us could result in substantial expenses and the diversion of our management’s attention from our business.
Our actual operating results may differ significantly from our guidance.
From time to time, we have released, and may continue to release, guidance in our quarterly earnings conference calls, quarterly earnings releases, or
otherwise, regarding our future performance that represents our management's estimates as of the date of release. This guidance, which includes forward-
looking statements, has been and will be based on projections prepared by our management. These projections are not prepared with a view toward
compliance with published guidelines of the American Institute of Certified Public Accountants, and neither our registered public accountants nor any other
independent expert or outside party compiles or examines the projections. Accordingly, no such person expresses any opinion or any other form of
assurance with respect to the projections.
Projections are based upon a number of assumptions and estimates that, while presented with numerical specificity, are inherently subject to
significant business, economic and competitive uncertainties and contingencies, many of which are beyond our control and are based upon specific
assumptions with respect to future business decisions, some of which will change. We intend to state possible outcomes as high and low ranges which are
intended to provide a sensitivity analysis as variables are changed but are not intended to imply that actual results could not fall outside of the suggested
ranges. The principal reason that we release guidance is to provide a basis for our management to discuss our business outlook with analysts and investors.
We do not accept any responsibility for any projections or reports published by any such third parties.
Guidance is necessarily speculative in nature, and it can be expected that some or all of the assumptions underlying the guidance furnished by us will
not materialize or will vary significantly from actual results. Accordingly, our guidance is only an estimate of what management believes is realizable as of
the date of release. Actual results may vary from our guidance and the variations may be material. In light of the foregoing, investors are urged not to rely
upon our guidance in making an investment decision regarding our common stock.
33
Table of Contents
Any failure to successfully implement our operating strategy or the occurrence of any of the events or circumstances set forth in this “Risk Factors”
section in this Annual Report on Form 10-K could result in our actual operating results being different from our guidance, and the differences may be
adverse and material.
Future sales of shares by existing stockholders could cause our stock price to decline.
The market price of shares of our common stock could decline as a result of substantial sales of our common stock, particularly sales by our directors,
executive officers, employees and significant stockholders, a large number of shares of our common stock becoming available for sale, or the perception in
the market that holders of a large number of shares intend to sell their shares. As of December 31, 2024, we had approximately 36.5 million shares of our
common stock outstanding.
In addition, as of December 31, 2024, there were approximately 1.3 million options and 1.1 million restricted stock units outstanding. If such options
are exercised and restricted stock units are released, these additional shares will become available for sale. As of December 31, 2024, we had an aggregate
of 2.3 million shares of our common stock reserved for future issuance under our Restated 2012 Equity Incentive Plan and 0.4 million shares reserved for
future purchase under our 2021 Employee Stock Purchase Plan, which can be freely sold in the public market upon issuance. If a large number of these
shares are sold in the public market, the sales could reduce the trading price of our common stock.
We cannot guarantee that our share repurchase program will be fully consummated or that it will enhance stockholder value, and any share
repurchases we make could affect the price of our common stock.
On February 12, 2018, we announced that our board of directors had authorized a $100.0 million repurchase program. On each of October 30, 2018,
October 30, 2019, May 7, 2020, February 10, 2021 and February 9, 2023, we announced that our board of directors had authorized an increase of $100.0
million, and on each of November 3, 2021, May 4, 2022 and February 7, 2024, we announced that our board of directors had authorized an increase of
$200.0 million to the share repurchase program. On February 6, 2025 we announced that our board of directors had authorized an increase of $200.0
million to the share repurchase program, resulting in an aggregate authorization of $1.4 billion to date ($1.2 billion as of December 31, 2024). Although our
board of directors authorized the share repurchase program, we are not obligated to repurchase any specific dollar amount or to acquire any specific number
of shares. The share repurchase program could affect the price of our common stock, increase volatility and diminish our cash reserves. In addition, it may
be suspended or terminated at any time, which may result in a decrease in the price of our common stock. Finally, our share repurchases in 2023 and 2024
were subject to the 1% excise tax introduced in the Inflation Reduction Act. The amount of share repurchases subject to the excise tax are reduced by the
fair market value of any shares issued during the taxable year. This provision does not currently have a material impact to our results of operations. During
the year ended December 31, 2024, we repurchased 1.0 million shares of our common stock for approximately $140.3 million. As of December 31, 2024,
approximately $143.4 million remained available for share repurchases pursuant to our share repurchase program (excluding the $200.0 million increase to
our share repurchase program announced on February 6, 2025).
We do not intend to pay dividends on our common stock and therefore any returns will be limited to the value of our stock.
We have never declared or paid any cash dividend on our common stock. We currently anticipate that we will retain future earnings for the
development, operation and expansion of our business and do not anticipate declaring or paying any cash dividends for the foreseeable future. Any return
to stockholders will therefore be limited to the value of their stock.
Anti-takeover provisions in our charter documents and under Delaware law could make an acquisition of us, which may be beneficial to our
stockholders, more difficult and may prevent attempts by our stockholders to replace or remove our current management.
Our amended and restated certificate of incorporation and amended and restated bylaws contain provisions that may delay or prevent an acquisition of
us or a change in our management. These provisions include:
•
authorizing “blank check” preferred stock, which could be issued by our board of directors without stockholder approval and may contain
voting, liquidation, dividend and other rights superior to our common stock, which would increase the number of outstanding shares and
could thwart a takeover attempt;
•
a classified board of directors whose members can only be dismissed for cause;
•
the prohibition on actions by written consent of our stockholders;
•
the limitation on who may call a special meeting of stockholders;
34
Table of Contents
•
the establishment of advance notice requirements for nominations for election to our board of directors or for proposing matters that can be
acted upon at stockholder meetings; and
•
the requirement of at least two-thirds of the outstanding capital stock to amend any of the foregoing second through fifth provisions.
In addition, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporation Law,
which limits the ability of stockholders owning in excess of 15% of our outstanding voting stock to merge or combine with us. Although we believe these
provisions collectively provide for an opportunity to obtain greater value for stockholders by requiring potential acquirers to negotiate with our board of
directors, they would apply even if an offer rejected by our board of directors were considered beneficial by some stockholders. In addition, these
provisions may frustrate or prevent any attempts by our stockholders to replace or remove our current management by making it more difficult for
stockholders to replace members of our board of directors, which is responsible for appointing the members of our management.
General Risk Factors
Disruptive technologies could gain wide adoption and supplant our cloud-based IT, security and compliance solutions, thereby weakening our sales
and harming our results of operations.
The introduction of products and services embodying new technologies could render our existing solutions obsolete or less attractive to customers.
Our business could be harmed if new IT, security and compliance technologies are widely adopted. We may not be able to successfully anticipate or adapt
to changing technology or customer requirements on a timely basis, or at all. If we fail to keep up with technological changes or to convince our customers
and potential customers of the value of our solutions even in light of new technologies, our business could be harmed and our revenues may decline.
We may not maintain profitability in the future.
We may not be able to sustain or increase our growth or maintain profitability in the future. We plan to continue to invest in our infrastructure, new
solutions, research and development and sales and marketing, and as a result, we cannot assure you that we will maintain profitability. We may incur losses
in the future for a number of reasons, including without limitation, the other risks and uncertainties described in this Annual Report on Form 10-K.
Additionally, we may encounter unforeseen operating expenses, difficulties, complications, delays and other unknown factors that may result in losses in
future periods. If our revenue growth does not meet our expectations in future periods, our financial performance may be harmed and we may not again
achieve or maintain profitability in the future.
Forecasts of market growth may prove to be inaccurate, and even if the markets in which we compete achieve the forecasted growth, there can be no
assurance that our business will grow at similar rates, or at all.
Growth forecasts relating to the expected growth in the market for IT, security and compliance and other markets are subject to significant uncertainty
and are based on assumptions and estimates which may prove to be inaccurate. Even if these markets experience the forecasted growth, we may not grow
our business at similar rates, or at all. Our growth is subject to many factors, including our success in implementing our business strategy, which is subject
to many risks and uncertainties. Accordingly, forecasts of market growth should not be taken as indicative of our future growth.
Our financial results are based in part on our estimates or judgments relating to our critical accounting policies. These estimates or judgments may
prove to be incorrect, which could harm our operating results and result in a decline in our stock price.
The preparation of financial statements in conformity with U.S. GAAP requires management to make estimates and assumptions that affect the
amounts reported in the consolidated financial statements and accompanying notes. We base our estimates on historical experience and on various other
assumptions that we believe to be reasonable under the circumstances, as provided in the section titled “Part II, Item 7 - Management’s Discussion and
Analysis of Financial Condition and Results of Operations,” the results of which form the basis for making judgments about the carrying values of assets,
liabilities, equity, revenues and expenses that are not readily apparent from other sources. Our operating results may be adversely affected if our
assumptions change or if actual circumstances differ from those in our assumptions, which could cause our operating results to fall below the expectations
of securities analysts and investors, resulting in a decline in our stock price. Significant assumptions and estimates used in preparing our consolidated
financial statements include those related to revenue recognition, accounting for income taxes and stock-based compensation.
35
Table of Contents
Changes in financial accounting standards may cause adverse and unexpected revenue fluctuations and impact our reported results of operations.
We prepare our financial statements in accordance with U.S. GAAP. These principles are subject to interpretation by the SEC and various bodies
formed to interpret and create appropriate accounting principles. A change in these accounting standards or practices could harm our operating results and
could have a significant effect on our reporting of transactions and reported results and may even retroactively affect previously reported transactions. New
accounting pronouncements and varying interpretations of accounting pronouncements have occurred and may occur in the future. Changes to existing
rules or the questioning of current practices may harm our operating results or require that we make significant changes to our systems, processes and
controls or the way we conduct our business.
If we fail to maintain an effective system of internal control over financial reporting, our ability to produce timely and accurate financial statements or
comply with applicable regulations could be impaired.
As a public company, we are subject to the reporting requirements of the Securities Exchange Act of 1934, or the Exchange Act, the Sarbanes-Oxley
Act of 2002, or the Sarbanes-Oxley Act, and the rules and regulations of the NASDAQ Stock Market. To continue to comply with the requirements of
being a public company, we may need to undertake various actions, such as implementing additional internal controls and procedures and hiring additional
accounting or internal audit staff.
Our internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and
the preparation of financial statements in accordance with U.S. GAAP. Our current controls and any new controls that we develop may become inadequate
because of changes in conditions in our business. Any failure to maintain effective controls, or any difficulties encountered in their improvement, could
harm our operating results or cause us to fail to meet our reporting obligations. Any failure to maintain effective internal control over financial reporting
also could adversely affect the results of periodic management evaluations regarding the effectiveness of our internal control over financial reporting that
we are required to include in our periodic reports we file with the SEC under Section 404 of the Sarbanes-Oxley Act. While we are able to assert in our
Annual Report on Form 10-K that our internal control over financial reporting was effective as of December 31, 2024, we cannot predict the outcome of
our testing in future periods. If we are unable to assert in any future reporting period that our internal control over financial reporting is effective (or if our
independent registered public accounting firm is unable to express an opinion on the effectiveness of our internal controls), investors may lose confidence
in our operating results and our stock price could decline. In addition, if we are unable to continue to meet these requirements, we may not be able to
remain listed on the NASDAQ Stock Market.
Item 1B. Unresolved Staff Comments
None.
Item 1C. Cybersecurity
Risk Management and Strategy
We have established an Information Security Management System (“ISMS”) comprised of policies, procedures, and processes for assessing,
identifying, and managing material risks from cybersecurity threats, and have integrated these processes into our overall enterprise risk management
systems and processes. Our ISMS is aligned to generally accepted security standards and is certified by third-party auditors according to ISO/IEC 27001
standards. We routinely assess cybersecurity risks for materiality, including assessing any potential unauthorized occurrence on or conducted through our
information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information
residing therein.
We routinely conduct risk assessments to identify cybersecurity threats and weaknesses, as well as risk assessments of events that could potentially
materially change our business practices and affect our information systems that could be impacted by cybersecurity threats and vulnerabilities. These risk
assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such
risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.
Following these risk assessments, we re-design, implement, and maintain reasonable safeguards to minimize identified risks; reasonably address any
identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. We devote significant resources and designate high-level
personnel, including our Chief Information Security Officer (“CISO”) who reports to our Chief Executive Officer, to manage the risk assessment and
mitigation process.
36
Table of Contents
As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with
human resources, IT, and management. Personnel at all levels and departments are made aware of our cybersecurity policies through periodic trainings.
We have established a Computer Security Incident Response Team (“CSIRT”) that identifies security incidents, characterizes the nature and severity of
incidents, and provides diagnostic and corrective actions when appropriate. The CSIRT is responsible for identifying, managing, and responding to security
incidents against Qualys' infrastructure and corporate IT systems. The security measures the CSIRT employs are consistent with relevant requirements of
the National Institute of Standards and Technology (“NIST”), Federal Risk and Authorization Management Program (“FedRAMP”), International
Organization for Standardization (“ISO”), and Federal Information Security Management Act (“FISMA”). We have also adopted certain guidelines from
NIST and the United States Computer Emergency Readiness Team.
Our Incident Response Program and Plan describes the major phases of an incident management lifecycle which includes the preparation, detection
and analysis, containment, eradication and recovery, and post-incident activity. Qualys' 24x7 Cybersecurity Fusion Center and CSIRT conduct Incident
Response Plan testing and training on a periodic basis through tabletop exercises or simulated attack scenarios. This testing appraises our readiness to
respond to such scenarios and tests the completeness and accuracy of the incident response plan. The Cybersecurity Fusion Center and CSIRT teams drive
these exercises to participants via various cyber security incident scenarios in the form of multiple injects. Exercise participants primarily consist of
members from various Qualys departments such as security operations, IT operations, network operations, and other departments depending on the selected
scenario.
We have also established a Product Security Incident Response Team (“PSIRT”) that identifies, assesses, and responds to security incidents, risks, and
vulnerabilities associated with Qualys’ commercial products. The Qualys PSIRT investigates vulnerabilities and incidents across the entire Qualys product
portfolio. PSIRT coordinates product impact assessments and fixes based on industry standards such as the Common Vulnerabilities and Exposure (“CVE”)
and Common Vulnerability Scoring System (“CVSS”). PSIRT operates in alignment with relevant requirements and industry standards and coordinates its
activities with the CSIRT.
We routinely evaluate the risks posed by third-party providers and engage with those whom fail to comply with our relevant contract requirements, or
when we feel further action is needed to keep our risk levels within approved tolerance levels.
We engage assessors, consultants, auditors, and other third parties in order to obtain external validation for effectiveness and adequacy of our security
posture in compliance with regulatory requirements. These service providers attest to our organization-wide design and implementation of cybersecurity
policies and procedures, and annually monitor such policies and procedures from a safety perspective.
For additional information regarding whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect
our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” in this annual report on
Form 10-K, including the risk factor entitled “Our platform, products, website and internal systems may be subject to intentional disruption or other
security incidents that could result in liability and adversely impact our reputation and future sales.” We have not currently encountered any cybersecurity
threats that have materially impaired our operations or financial standing.
Governance
Our board of directors, with assistance from management, monitors and assesses strategic risk exposure, and our management team is responsible for
the day-to-day management of the material risks we face. Our board of directors administers its cybersecurity risk oversight function directly as a whole, as
well as through the Audit and Risk Committee of our board of directors (“Audit and Risk Committee”).
Our CISO and our Security Steering Committee, which includes members from management across all company functions such as security, IT, human
resources, sales and marketing, engineering, legal, and finance, are primarily responsible for assessing and managing cybersecurity threats. Our CISO is a
cybersecurity industry expert with over two decades of experience in cybersecurity, including work at multi-national technology companies and for a U.S.
state government. He holds several industry certifications including CISSP, OSCP, CCSP, and GCFA and is also a graduate of the Carnegie Mellon
University’s Chief Information Security Officer Executive Program. Our CEO is also a cybersecurity industry expert who has deep insight and over two
decades of experience in cybersecurity, technology and information security.
37
Table of Contents
Our CISO and our Security Steering Committee, along with other senior executives including the CEO and CTO, review and manage our cybersecurity
policies and processes, including those described in “Risk Management and Strategy” above. The processes by which our CISO is informed about and
monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents, include prompt communication from the CSIRT and PSIRT
describing the severity and impact of the incident and status throughout the incident handling lifecycle and routine monitoring of key risk indicators.
Our CISO provides briefings to the Audit and Risk Committee along with our CEO and other members of our senior management team, both on a
quarterly basis via the Qualys Security Steering Committee and as needed, regarding our cybersecurity risks and activities, including, if any, critical and
high impact cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the emerging threat landscape. Our
Audit and Risk Committee provides regular updates to the board of directors on such reports. In addition, our CISO and management team provide periodic
briefings to the board of directors on cybersecurity risks and activities. Management is required to notify the Audit and Risk Committee, and the full Board
in the event of a cyber incident that is confirmed to have a material effect on Qualys, or in the event that Qualys has identified a cyber risk that is likely to
have a high probability of having a material impact on Qualys if not mitigated.
Item 2. Properties
Our principal executive offices are located in Foster City, California, where we occupy a 76,922 square-foot facility under a lease expiring on April 30,
2028. We also have 281,787 square feet of office space in Pune, India under a non-cancellable lease expiring in May 2029. We have an additional U.S.
office in North Carolina and other offices in France, United Arab Emirates and United Kingdom. We believe our facilities are adequate for our current
needs and for the foreseeable future.
We operate shared cloud platforms at third-party facilities in United States, Canada, Switzerland, the Netherlands, United Arab Emirates, Australia,
United Kingdom, Italy, the Kingdom of Saudi Arabia and India. Our shared cloud platform agreements have varying terms through 2030.
Item 3. Legal Proceedings
From time to time we may become involved in legal proceedings or be subject to claims arising in the ordinary course of our business. As of
December 31, 2024, there has not been at least a reasonable possibility that we have incurred a material loss from any ongoing legal proceedings,
individually or taken together. However, litigation is inherently unpredictable and is subject to significant uncertainties, some of which are beyond our
control. Should any of these estimates and assumptions change or prove to have been incorrect, we could incur significant charges related to legal matters
which could have a material impact on its results of operations, financial position and cash flows. For more information, please refer to Note 9 in the
accompanying notes to the consolidated financial statements, which is hereby incorporated by reference.
Item 4. Mine Safety Disclosures
Not Applicable.
38
Table of Contents
PART II
Item 5. Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities
Market Information
Our common stock is listed and traded on the NASDAQ Global Select Market under the symbol “QLYS”.
Holders of Record
As of February 11, 2025, there were approximately 44 holders of record of our common stock. Because many of our shares of common stock are held
by brokers and other institutions on behalf of stockholders, we are unable to estimate the total number of stockholders represented by these record holders.
Dividend Policy
We have never declared or paid any cash dividends on our capital stock. We currently intend to retain any future earnings to fund business
development and growth, and do not expect to pay any dividends in the foreseeable future. Any future determination to declare cash dividends will be made
at the discretion of our board of directors, subject to applicable laws, and will depend on a number of factors, including our financial condition, results of
operations, capital requirements, contractual restrictions, general business conditions and other factors that our board of directors may deem relevant.
Stock Price Performance Graph
The following graph shows a comparison from December 31, 2019 through December 31, 2024 of the cumulative total return for an investment of
$100 (and the reinvestment of dividends) in our common stock, the NASDAQ Global Select Market Composite Index and the NASDAQ Computer Index
and the S&P 500 Index. Such returns are based on historical results and are not intended to suggest future performance.
39
Table of Contents
COMPARISON OF CUMULATIVE TOTAL RETURN*
Among Qualys, Inc., NASDAQ-Global Select Market Composite Index, and NASDAQ Computer Index and S&P 500 Index
* $100 invested on December 31, 2019 in stock or index, including reinvestment of dividends. Fiscal year ending December 31.
December 31,
2019
December 31,
2020
December 31,
2021
December 31,
2022
December 31,
2023
December 31,
2024
Qualys, Inc.
$
100.00 $
146.18 $
164.59 $
134.62 $
235.43 $
168.19
NASDAQ Global Select Market
$
100.00 $
143.04 $
176.11 $
118.67 $
172.13 $
222.62
NASDAQ Computer
$
100.00 $
149.98 $
206.76 $
132.79 $
221.06 $
301.44
S&P 500
$
100.00 $
118.40 $
152.39 $
124.79 $
157.59 $
197.02
The information on the above Stock Price Performance Graph shall not be deemed to be “filed” for purposes of Section 18 of the Securities Exchange
Act of 1934, as amended, or otherwise subject to the liabilities of that section or Sections 11 and 12(a)(2) of the Securities Act of 1933, as amended, and
shall not be incorporated by reference into any registration statement or other document filed by us with the SEC, whether made before or after the date of
this Annual Report on Form 10-K, regardless of any general incorporation language in such filing, except as shall be expressly set forth by specific
reference in such filing.
40
Table of Contents
Purchases of Equity Securities by the Issuer and Affiliated Purchasers
A summary of our repurchases of common stock during the three months ended December 31, 2024 is as follows:
Period
Total Number of
Shares
Purchased
Average Price Paid
per Share
Total Number of
Shares
Purchased as Part
of Publicly
Announced Plan or
Program (1)
Approximate Dollar
Value of
Shares that May Yet
Be
Purchased under
the Plan or
Program
October 1, 2024 - October 31, 2024
145,802 $
123.87
145,802 $
167,659,031
November 1, 2024 - November 30, 2024
74,190 $
144.16
74,190 $
159,964,062
December 1, 2024 - December 31, 2024
91,730 $
147.60
91,730 $
143,424,943 (2)
Total
311,722
311,722
(1) On February 12, 2018, we announced that our board of directors authorized a $100.0 million share repurchase program. On each of October 30, 2018,
October 30, 2019, May 7, 2020, February 10, 2021 and February 9, 2023, we announced that our board of directors had authorized an increase of $100.0
million, and on each of November 3, 2021, May 4, 2022, and February 7, 2024, we announced that our board of directors had authorized an increase of
$200.0 million to the share repurchase program, resulting in an aggregate authorization of $1.2 billion as of December 31, 2024. On February 6, 2025, we
announced that our board of directors authorized an increase of $200.0 million to the share repurchase program, resulting in an aggregate authorization of
$1.4 billion. Shares may be repurchased from time to time on the open market in accordance with Rule 10b-18 of the Exchange Act of 1934. We have
entered into a pre-set trading plan adopted in accordance with Rule 10b5-1 under the Exchange Act to effect repurchases under our share repurchase
program. All share repurchases have been made using cash resources. Our share repurchase program does not have an expiration date.
(2) Does not reflect the $200.0 million increase to our share repurchase program announced on February 6, 2025.
Item 6. [RESERVED]
41
Table of Contents
Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations
You should read the following discussion in conjunction with our consolidated financial statements and the related notes included elsewhere in this
Annual Report on Form 10-K. You should carefully review and consider the information regarding our financial condition and results of operations set
forth under Part II-Item 7 (Management’s Discussion and Analysis of Financial Condition and Results of Operations) in our Annual Report on Form 10-K
for the fiscal year ended December 31, 2023, filed with the SEC on February 22, 2024, for an understanding of our results of operations and liquidity
discussions and analysis comparing fiscal year 2023 to fiscal year 2022, which information is hereby incorporated by reference. In addition to historical
information, this discussion contains forward-looking statements that involve risks and uncertainties that could cause our actual results to differ materially
from our expectations, as discussed in "Forward-Looking Statements" in Part I of this Annual Report on Form 10-K. Factors that could cause such
differences include, but are not limited to, those described in the section titled "Risk Factors" and elsewhere in this Annual Report on Form 10-K.
Overview
We are a leading provider of a cloud-based platform delivering information technology (IT), security and compliance solutions that enable
organizations to identify security risks to their IT infrastructures, help protect their IT systems and applications from ever-evolving cyber-attacks and
achieve compliance with internal policies and external regulations. Our cloud platform addresses the growing security and compliance complexities and
risks that are amplified by the dissolving boundaries between IT infrastructures and web environments, the rapid adoption of cloud computing, containers
and serverless IT models, and the proliferation of geographically dispersed IT assets. Our integrated suite of IT, security and compliance solutions delivered
on Qualys' Enterprise TruRisk Platform enables our customers to identify and manage their IT and operational technology (OT) assets, collect and analyze
large amounts of IT security data, discover and prioritize vulnerabilities, quantify cyber risk exposure, recommend and implement remediation actions and
verify the implementation of such actions. Organizations use our integrated suite of solutions to cost-effectively obtain a unified view of their internal and
external IT and OT asset inventory as well as security and compliance posture across globally-distributed IT infrastructures as our solution offers a single
platform for information technology, information security, application security, endpoint, developer security and cloud teams.
We were founded and incorporated in December 1999 with a vision of transforming the way organizations secure and protect their IT infrastructure
and applications and initially launched our first cloud solution, Vulnerability Management (VM), in 2000. As VM gained acceptance, we introduced
additional solutions to help customers manage increasing IT, security and compliance requirements. Today, the suite of solutions that we offer on our cloud
platform and refer to as the Qualys Cloud Apps help our customers detect, measure, prioritize and remediate cyber risk spanning a range of assets across
on-premises, endpoints, cloud, containers, and mobile environments.
We provide our solutions through a software-as-a-service model, primarily with renewable annual subscriptions. These subscriptions require
customers to pay a fee in order to access each of our cloud solutions. We generally invoice our customers for the entire subscription amount at the start of
the subscription term, and the invoiced amounts are treated as deferred revenues and are recognized ratably over the term of each subscription. We continue
to experience revenue growth from our existing customers as they renew and purchase additional subscriptions, as well as from the addition of new
customers to our cloud platform.
We market and sell our solutions to enterprises, government entities and small and medium-sized businesses across a broad range of industries,
including education, financial services, government, healthcare, insurance, manufacturing, media, retail, technology and utilities. In 2024, 2023 and 2022,
58%, 60% and 60%, respectively, of our revenues were derived from customers in the United States based on our customers' billing addresses. We sell our
solutions to enterprises and government entities primarily through our field sales force and to small and medium-sized businesses through our inside sales
force. We generate a significant portion of sales through our channel partners, including managed security service providers, leading cloud providers,
value-added resellers and consulting firms in the United States and internationally.
Impacts of Current Macroeconomic Environment
The uncertainty surrounding macroeconomic factors in the U.S. and globally characterized by inflationary pressure, high interest rates, significant
volatility of global markets, reduced spending and extended sales cycles, and geopolitical conflicts could have a material adverse effect on our long-term
business and could lead to further economic disruption and expose us to greater risk as our current and potential customers may reduce or eliminate their
overall spending on IT security. We will continue to evaluate the nature and extent of the impact to our business, financial position, results of operations
and cash flows.
42
Table of Contents
Key Components of Results of Operations
Revenues
We derive revenues from the sale of subscriptions to our IT, security and compliance solutions, which are delivered on our cloud platform.
Subscriptions to our solutions allow customers to access our cloud-based IT, security and compliance solutions through a unified, web-based interface.
Customers generally enter into one-year renewable subscriptions. The subscription fee entitles the customer to an unlimited number of scans for a specified
number of devices or web applications and, if requested by a customer as part of their subscription, a specified number of physical or virtual scanner
appliances. Our physical and virtual scanner appliances are requested by certain customers as part of their subscriptions in order to scan IT infrastructures
within their firewalls and do not function without, and are not sold separately from, subscriptions for our solutions. In some cases, we also provide certain
computer equipment used to extend our cloud platform into our customers' private cloud environment. Customers are required to return physical scanner
appliances and computer equipment if they do not renew their subscriptions.
We typically invoice our customers for the entire subscription amount at the start of the subscription term. Invoiced amounts are reflected on our
consolidated balance sheets as accounts receivable or as cash when collected, and as deferred revenues until earned and recognized ratably over the
subscription period. Accordingly, deferred revenues represent the amount billed to customers that has not yet been earned or recognized as revenues,
pursuant to subscriptions entered into in current and prior periods.
Cost of Revenues
Cost of revenues consists primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and stock-based
compensation, for employees who operate our shared cloud platforms and provide support services to our customers. Other expenses include depreciation
of shared cloud platform equipment, physical scanner appliances and computer hardware provided to certain customers as part of their subscriptions,
expenses related to the use of shared cloud platforms, amortization of software and license fees, amortization of intangibles related to acquisitions,
maintenance support, fees paid to contractors who supplement or support our operations center personnel and overhead allocations. We expect to continue
to expand our shared cloud platform infrastructures and invest in our customer support and operations teams to support our customers and operations,
which in turn, is expected to increase the cost of revenues in absolute dollars.
Operating Expenses
Research and Development
Research and development expenses consist primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and
stock-based compensation, for our research and development teams. Other expenses include third-party contractor fees, software and license fees,
amortization of intangibles related to acquisitions and overhead allocations. We expect to continue to devote resources to research and development in an
effort to continuously improve our existing solutions as well as develop new solutions and capabilities, which in turn, is expected to increase the research
and development expenses in absolute dollars.
Sales and Marketing
Sales and marketing expenses consist primarily of personnel expenses, comprised of salaries, benefits, sales commissions, performance-based
compensation and stock-based compensation for our worldwide sales and marketing teams. Other expenses include marketing and promotional events,
lead-generation marketing programs, public relations, travel, software licenses and overhead allocations. Sales commissions related to new business and
upsells are capitalized as an asset. We amortize the capitalized commission cost as a selling expense on a straight-line basis over a period of five years. We
expense sales commissions related to contract renewals as incurred. Our new sales personnel are typically not immediately productive, and the resulting
increase in sales and marketing expenses we incur when we add new personnel may not result in increased revenues if these new sales personnel fail to
become productive. The timing of our hiring of sales personnel, or the participation in new marketing events or programs, and the rate at which these
generate incremental revenues, may affect our future operating results. We expect to continue to invest in sales and marketing teams and also in more
marketing programs to support new solutions on our platform, which in turn, is expected to increase sales and marketing expenses in absolute dollars.
43
Table of Contents
General and Administrative
General and administrative expenses consist primarily of personnel expenses, comprised of salaries, benefits, performance-based compensation and
stock-based compensation for our executive, finance and accounting, IT, legal and human resources teams, as well as professional services, fees, software
licenses and overhead allocations. We expect to continue to invest in our people and incur professional services to support our growth and compliance with
legal and regulatory requirements, which in turn, is expected to increase general and administrative expenses in absolute dollars.
Other Income (Expense), Net
Our other income (expense), net consists primarily of interest and returns from our cash equivalent, short-term and long-term marketable securities,
non-marketable securities gains and losses, and foreign exchange gains and losses.
Income Tax Provision
We are subject to federal, state and foreign income taxes for jurisdictions in which we operate, and we use estimates in determining our income tax
provision and deferred tax assets. Earnings from our non-U.S. activities are subject to income taxes in the local countries at rates which are generally
similar to the U.S. statutory tax rate. We regularly assess the realizability of our net deferred tax assets. As of December 31, 2024, valuation allowances
remain in certain jurisdictions where we believe it is necessary to see positive evidence, such as sustained achievement of sufficient profits, to meet a more
likely than not stance that the valuation allowance should be reversed. The exact timing and amount of the valuation allowance release is subject to change
based on the level of profitability achieved in future periods. Release of the valuation allowance would result in the recognition of deferred tax assets and a
corresponding decrease to income tax expense in the period the release is recorded.
Results of Operations
The following table sets forth selected consolidated statements of operations data for each of the periods presented as a percentage of revenues:
Year Ended December 31,
2024
2023
Revenues
100 %
100 %
Cost of revenues
18
19
Gross profit
82
81
Operating expenses:
Research and development
19
20
Sales and marketing
21
20
General and administrative
11
12
Total operating expenses
51
52
Income from operations
31
29
Total other income, net
4
3
Income before income taxes
35
32
Income tax provision
6
5
Net income
29 %
27 %
44
Table of Contents
Comparison of Years Ended December 31, 2024 and 2023
Revenues
Year Ended
December 31,
Change
2024
2023
$
%
(in thousands, except percentages)
Revenues
$
607,571 $
554,458 $
53,113
10 %
Revenues increased by $53.1 million in 2024 compared to 2023, driven by increased demand for our subscription services by our end customers. Of
the total increase of $53.1 million in revenues, 69% was from customers existing at or prior to December 31, 2023, and the remaining 31% was from new
customers added in 2024. Of the total increase of $53.1 million, 42% was from customers in the United States and the remaining 58% was from customers
in foreign countries. In 2024, 54% of total revenues were direct and 46% of total revenues were through partners. Of the total increase of $53.1 million,
20% was direct and the remaining 80% was from partners.
With our strong market position driving further demand for our solutions, we expect revenue growth from new and existing customers to continue.
Cost of Revenues
Year Ended
December 31,
Change
2024
2023
$
%
(in thousands, except percentages)
Cost of revenues
$
111,482 $
107,485 $
3,997
4 %
Cost of revenues increased by $4.0 million in 2024 compared to 2023, primarily due to an increase in shared cloud platform cost of $6.0 million, an
increase in personnel costs, including stock-based compensation, of $4.6 million, driven by additional employees hired to support the growth of our
business, an increase in license expenses and professional service expenses of $1.2 million, partially offset by a decrease in depreciation and amortization
expense of $7.8 million resulting from certain of our assets becoming fully depreciated or amortized.
Research and Development Expenses
Year Ended
December 31,
Change
2024
2023
$
%
(in thousands, except percentages)
Research and development
$
111,852 $
110,472 $
1,380
1 %
Research and development expenses increased by $1.4 million in 2024 compared to 2023, primarily due to an increase in personnel costs, including
stock-based compensation, of $2.8 million, driven by increased headcount, partially offset by a decrease in depreciation and amortization expense in
property and equipment of $0.8 million, and a decrease in overhead allocation of $0.6 million.
45
Table of Contents
Sales and Marketing Expenses
Year Ended
December 31,
Change
2024
2023
$
%
(in thousands, except percentages)
Sales and marketing
$
128,303 $
111,691 $
16,612
15 %
Sales and marketing expenses increased by $16.6 million in 2024 compared to 2023, primarily due to an increase in personnel costs, including stock-
based compensation, of $12.9 million, driven by increased headcount, an increase in travel and entertainment cost of $1.8 million, an increase in marketing
expenses related to trade shows of $0.7 million, an increase in overhead allocation of $0.7 million, and an increase in subscribed license and software costs
of $0.5 million.
General and Administrative Expenses
Year Ended
December 31,
Change
2024
2023
$
%
(in thousands, except percentages)
General and administrative
$
68,738 $
61,741 $
6,997
11 %
General and administrative expenses increased by $7.0 million in 2024 compared to 2023, primarily due to an increase in personnel costs, including
stock-based compensation, of $6.3 million, driven by increased headcount, annual merit increases and refresh grants to eligible employees and executives,
and an increase in subscribed software costs and other expenses of $0.7 million.
Total other income, net
Year Ended
December 31,
Change
2024
2023
$
%
(in thousands, except percentages)
Total other income, net
$
22,626 $
15,582 $
7,044
45 %
Total other income, net increased by $7.0 million in 2024 compared to 2023, primarily due to an increase in interest income of $8.9 million driven
by an increase in our average daily cash and investment balance, a non-recurring unrealized loss of $0.5 million on a non-marketable equity security
recognized during 2023, partially offset by an increase in foreign currency loss of $2.4 million.
46
Table of Contents
Income tax provision
Year Ended
December 31,
Change
2024
2023
$
%
(in thousands, except percentages)
Income tax provision
$
36,142 $
27,056 $
9,086
34 %
Income tax provision increased by $9.1 million in 2024 compared to 2023, primarily due to the tax effect of an increase in pretax income, increase in
foreign withholding taxes, decrease in excess tax benefit from stock-based compensation compared to prior year, and decrease in other discrete tax
adjustments. The increase in tax expense was partially offset by an increase in foreign derived intangible income benefit, an increase in research and
development tax credits, and the recognition of an income tax benefit related to uncertain tax positions due to statute lapse.
For the year ended December 31, 2024, our income tax provision included a benefit of $2.5 million related to an increase in foreign derived
intangible income benefit and research and development tax credits associated with our U.S. income tax return filed during the year.
Key Operating and Non-GAAP Financial Performance Metrics
In addition to measures of financial performance presented in our consolidated financial statements, we monitor the key metrics set forth below to
help us evaluate growth trends, establish budgets, measure the effectiveness of our sales and marketing efforts and assess operational efficiencies.
Net Dollar Expansion Rate
We evaluate our ability to retain and grow existing customers by assessing our net dollar expansion rate on a last twelve months, or LTM, basis. This
metric is used to appropriately manage resources and customer retention and expansion. We calculate the net dollar expansion rate on a foreign exchange
neutral basis by dividing a numerator by a denominator, each defined as follows:
Denominator: To calculate our net dollar expansion rate as of the end of a reporting period, we first determine the annual recurring revenue, or ARR,
from all active subscriptions as of the last day of the same reporting period in the prior year. This represents recurring payments that we expect to receive in
the next 12-month period from the cohort of customers that existed on the last day of the same reporting period in the prior year.
Numerator: We measure the ARR for that same cohort of customers representing all active subscriptions as of the end of the reporting period, using
the same foreign exchange rate from the prior year.
Our net dollar expansion rates were 103% and 105% for the years ended December 31, 2024 and 2023, respectively.
Adjusted EBITDA
We monitor Adjusted EBITDA, a non-GAAP financial measure, to analyze our financial results and believe that it is useful to investors, as a
supplement to U.S. GAAP measures, in evaluating our ongoing operational performance and enhancing an overall understanding of our past financial
performance. We believe that Adjusted EBITDA helps illustrate underlying trends in our business that could otherwise be masked by the effect of the
income or expenses that we exclude in Adjusted EBITDA. Furthermore, we use this measure to establish budgets and operational goals for managing our
business and evaluating our performance. We also believe that Adjusted EBITDA provides an additional tool for investors to use in comparing our
recurring core business operating results over multiple periods with other companies in our industry.
Adjusted EBITDA should not be considered in isolation from, or as a substitute for, financial information prepared in accordance with U.S. GAAP.
We calculate Adjusted EBITDA as net income before (1) other (income) expense, net, which includes interest income, interest expense and other income
and expense, (2) income tax provision (benefit), (3) depreciation and amortization of property and equipment, (4) amortization of intangible assets, (5)
stock-based compensation and (6) non-recurring expenses that do not reflect ongoing costs of operating the business.
47
Table of Contents
Adjusted EBITDA has limitations as an analytical tool and should not be considered in isolation from or as a substitute for the measures presented in
accordance with U.S. GAAP. Some of these limitations are:
•
Adjusted EBITDA does not reflect certain cash and non-cash charges that are recurring;
•
Adjusted EBITDA does not reflect income tax payments that reduce cash available to us;
•
Adjusted EBITDA excludes depreciation and amortization of property and equipment and amortization of intangible assets, although these are
non-cash charges, the assets being depreciated and amortized may have to be replaced in the future; and
•
Other companies, including companies in our industry, may calculate Adjusted EBITDA differently or not at all, which reduces its usefulness as
a comparative measure.
Because of these limitations, Adjusted EBITDA should be considered alongside other financial performance measures, including revenues, net
income, cash flows from operating activities and our financial results presented in accordance with U.S. GAAP.
The following unaudited table presents the reconciliation of net income to Adjusted EBITDA for the years ended December 31, 2024 and 2023.
Year Ended December 31,
2024
2023
(in thousands)
Net income
$
173,680
$
151,595
Net income as a percentage of revenues
29 %
27 %
Depreciation and amortization of property and equipment
15,610
23,904
Amortization of intangible assets
2,903
3,087
Income tax provision
36,142
27,056
Stock-based compensation
77,133
69,079
Total other income, net
(22,626)
(15,582)
Adjusted EBITDA
$
282,842
$
259,139
Adjusted EBITDA as a percentage of revenues
47 %
47 %
Liquidity and Capital Resources
As of December 31, 2024, our principal source of liquidity was cash, cash equivalents and marketable securities of $575.3 million, including $119.9
million of cash held outside of the United States. The following summary of cash flows for the periods indicated have been derived from our consolidated
financial statements included elsewhere in this report:
Year Ended December 31,
2024
2023
(in thousands)
Net cash provided by operating activities
$
244,094 $
244,605
Net cash used in investing activities
(71,427)
(73,166)
Net cash used in financing activities
(145,650)
(141,493)
Net increase in cash, cash equivalents and restricted cash
$
27,017 $
29,946
Operating Activities
In 2024, we generated $243.9 million of cash from our net income, as adjusted for non-cash items mainly related to stock-based compensation
expense, depreciation and amortization expense and deferred taxes, as compared to $226.4 million in 2023. In addition, we also generated $0.2 million of
cash from working capital change in 2024, of which $11.7 million was related to the
48
Table of Contents
increases in accounts receivable and deferred revenue due to the timing of collections and growth in billings, a $3.2 million increase in payables and
accrued liabilities driven by the timing of payment, partially offset by a $14.7 million increase in prepaid expenses. In 2023, we generated $226.4 million
of cash from our net income, as adjusted for non-cash items mainly related to stock-based compensation expense, depreciation and amortization expense
and deferred taxes. In addition, we also generated $18.2 million of cash from working capital change in 2023, of which $22.7 million was related to the net
increase in deferred revenue and accounts receivable due to the growth in billing and the timing of collections, partially offset by a $1.1 million decrease in
payables and accrued liabilities and a $3.4 million increase in prepaid expenses primarily driven by the timing of payments.
Investing Activities
In 2024, we used $59.1 million of cash for purchases of marketable securities net of sales and maturities, and used $12.3 million of cash in capital
expenditures mainly related to computer equipment to support our growth and development and leasehold improvement for expansion of our office spaces
and shared cloud platform facilities, as compared to the use of $64.4 million of cash for purchases of marketable securities net of sales and maturities, and
the use of $8.8 million of cash in capital expenditures mainly related to computer equipment to support our growth and development in 2023.
Financing Activities
In 2024, we used $139.9 million of cash for share repurchases and $28.4 million of cash in payment of employee withholding taxes upon vesting of
restricted stock units and $1.5 million payment of cash held in escrow as part of the Blue Hexagon acquisition on October 4, 2022, partially offset by $17.3
million of proceeds from employee exercise of stock options and $6.9 million of proceeds from issuance of common stock through our employee stock
purchase plan ("ESPP"), as compared to $170.8 million of cash for share repurchase and $22.3 million of cash in payment of employee withholding taxes
upon vesting of restricted stock units, partially offset by $45.6 million of proceeds from employee exercise of stock options and $6.1 million of proceeds
from issuance of common stock through our ESPP in 2023.
Material Cash Requirements
We believe our existing cash and cash equivalents, marketable securities and our expected cash flow generated from operations will be sufficient to
fund our operations for the next twelve months and beyond. If we repatriate funds from our foreign subsidiaries, we could be subject to foreign withholding
taxes.
Our material cash requirements mainly include the following contractual and other obligations:
•
Our operating lease obligations to make payments under our non-cancelable lease agreements for our facilities and shared cloud platforms.
We had fixed operating lease payment obligations of $59.9 million as of December 31, 2024, with $13.5 million expected to be paid within
the next 12 months.
•
Cash outflow for capital expenditures in 2025 is expected to be in a range of $8.0 million to $13.0 million. Our future capital requirements
will depend on many factors, including our rate of revenue growth, the expansion of our sales and marketing activities, the timing, type and
extent of our spending on research and development efforts, international expansion and investment in shared cloud platforms and cloud
infrastructures. We may also seek to invest in or acquire complementary businesses or technologies.
•
Other non-cancelable purchase obligations related to cloud infrastructures and other service providers totaled $70.5 million, of which $39.2
million is expected to be paid within the next 12 months.
Share Repurchases
We expect to continue to use cash to repurchase shares in 2025 under our share repurchase program authorized by our board of directors on February
5, 2018. As of December 31, 2024, approximately $143.4 million remained available under our share repurchase program. Shares will be repurchased from
time to time in privately negotiated transactions or on the open market in accordance with Rule 10b-18 of the Exchange Act of 1934, including pursuant to
a pre-set trading plan adopted in accordance with Rule 10b5-1 under the Exchange Act. On February 6, 2025, we announced that our board of directors
authorized an additional $200.0 million under the share repurchase program, increasing the total amount of authorized repurchase to $1.4 billion.
Critical Accounting Estimates
The preparation of our consolidated financial statements in accordance with U.S. GAAP requires us to make estimates and assumptions that affect
the reported amounts of assets, liabilities, revenues, expenses and related disclosures. Our significant
49
Table of Contents
accounting policies are described in Note 1 - The Company and Summary of Significant Accounting Policies in the accompanying notes to the
consolidated financial statements included in Part II, Item 8, "Financial Statements and Supplementary Data" of this Annual Report on Form 10-K. On an
ongoing basis, we evaluate our estimates and assumptions based on historical and anticipated results and trends that we believe represent our best estimate
under the circumstances. However, as accounting estimates are subject to inherent uncertainty, our actual results may differ from these estimates under
different assumptions or conditions.
Income Taxes
Significant assumptions, judgments and estimates are involved in determining our provision for (benefit from) income taxes, our deferred tax assets
and liabilities, and any valuation allowance to be recorded against our deferred tax assets. Our judgments, assumptions and estimates relating to the current
provision for income taxes include the geographic mix and amount of income (loss), expectations of future income, our interpretation of current tax laws,
our business, and possible outcomes of current and future audits conducted by foreign and domestic tax authorities. Our judgments also include anticipating
the tax positions we will record in the financial statements before preparing and filing the tax returns. Our estimates and assumptions may differ from the
actual results as reflected in our income tax returns and we record the required adjustments when they are identified or resolved. Changes in our business
and tax laws or our interpretation of those, and developments in current and future tax audits, could significantly impact the amounts provided for income
taxes in our results of operations, financial position, or cash flows.
The assessment of tax effects of our uncertain tax positions in our financial statements involves significant judgment in interpreting complex and
ambiguous tax laws, regulations, and administrative practices, determining the probability of various possible settlement outcomes, evaluating the litigation
process based on tax authority behaviors in similar cases, and estimating the likelihood that another taxing authority could review the respective tax
position. These judgments are inherently challenging and subjective because a taxing authority may change its behavior at any time. We must also
determine when it is reasonably possible that the amount of unrecognized tax benefits will significantly increase or decrease in the 12 months after each
fiscal year-end. We reevaluate our income tax positions on a quarterly basis to consider factors such as changes in facts or circumstances, changes in tax
laws, effectively settled issues under audit, the potential for interest and penalties, and new audit activity. Such a change in recognition or measurement
would result in recognition of a tax benefit or an additional charge to the tax provision that could be material in the future.
Stock-Based Compensation
We recognize the fair value of our employee stock options and restricted stock units, including performance-based restricted stock units, over the
requisite service period. The fair value of each stock option is estimated on date of grant using the Black-Scholes-Merton option pricing model.
Determining the appropriate fair value model and calculating the fair value of employee stock options requires the use of subjective assumptions, including
the expected life of the stock option and stock price volatility. The recognition of expenses for performance based restricted stock units requires us to
estimate the probability that the performance condition will be achieved and the number of awards that will vest are adjusted accordingly at each reporting
period. The assumptions used in calculating the fair value of employee stock options and estimating the probability of achievement of performance metrics
represent management’s best estimates, which require significant judgment and involve inherent uncertainties. If factors change and we use different
assumptions, our stock-based compensation expense could be materially different in the future.
Item 7A. Quantitative and Qualitative Disclosures about Market Risk
We have domestic and international operations and we are exposed to market risks in the ordinary course of our business. These risks primarily
include interest rate, foreign exchange and inflation risks, as well as risks relating to changes in the general economic conditions in the countries where we
conduct business. To reduce certain of these risks, we monitor the financial condition of our large customers and limit credit exposure by collecting
subscription fees in advance.
Foreign Currency Risk
Our results of operations and cash flows have been and will continue to be subject to fluctuations because of changes in foreign currency exchange
rates, particularly changes in exchange rates between the U.S. Dollar and the EUR, GBP, INR and Canadian Dollar ("C$" or "CAD"), the currencies of
countries where we currently have our most significant international operations. We enter into foreign currency forward contracts to reduce our exposure to
foreign currency exchange rate fluctuations related to forecasted subscription revenue, operating expenses and foreign currency denominated assets or
liabilities. As of December 31, 2024, we had designated cash flow hedge forward contracts with notional amounts of €51.4 million, £20.3 million and
Rs.4,381.0 million and non-designated forward contracts with notional amounts of €27.0 million, £8.0 million, Rs.1,252.0
50
Table of Contents
million and C$1.0 million. With our hedging strategy applied, the effect of an immediate 10% adverse change in foreign exchange rates would not be
material to our financial condition, operating results or cash flows.
Interest Rate Sensitivity
We had $575.3 million in cash, cash equivalents and short-term and long-term marketable securities as of December 31, 2024. Our exposure to
market risk for changes in interest rates primarily relates to our cash and cash equivalents and marketable securities. Our cash equivalents and marketable
securities are held in money market funds, fixed-income U.S. Treasury and government agency securities, commercial paper, corporate bonds and asset-
backed securities. The primary objectives of our investment activities are the preservation of principal and support of our liquidity requirements. We do not
invest for trading or speculative purposes. Our marketable securities are subject to market risk due to changes in interest rates, which may affect the interest
income we earn and the fair market value. As of December 31, 2024, a hypothetical 100 basis point increase in interest rate would not result in a material
decrease in the fair value of our marketable securities.
51
Table of Contents
Item 8. Financial Statements and Supplementary Data
Qualys, Inc.
INDEX TO CONSOLIDATED FINANCIAL STATEMENTS
Table of Contents
Page
Reports of Independent Registered Public Accounting Firm (PCAOB ID Number 248)
53
Consolidated Balance Sheets
55
Consolidated Statements of Operations
56
Consolidated Statements of Comprehensive Income
57
Consolidated Statements of Cash Flows
58
Consolidated Statements of Stockholders' Equity
59
Notes to Consolidated Financial Statements
60
52
Table of Contents
REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM
Board of Directors and Stockholders
Qualys, Inc.
Opinion on the financial statements
We have audited the accompanying consolidated balance sheets of Qualys, Inc. (a Delaware corporation) and subsidiaries (the “Company”) as of
December 31, 2024 and 2023, the related consolidated statements of operations, comprehensive income, stockholders’ equity, and cash flows for each of
the three years in the period ended December 31, 2024, and the related notes (collectively referred to as the “consolidated financial statements”). In our
opinion, the consolidated financial statements present fairly, in all material respects, the financial position of the Company as of December 31, 2024 and
2023, and the results of its operations and its cash flows for each of the three years in the period ended December 31, 2024, in conformity with accounting
principles generally accepted in the United States of America.
We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (“PCAOB”), the Company’s
internal control over financial reporting as of December 31, 2024, based on criteria established in the 2013 Internal Control—Integrated Framework issued
by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”), and our report dated February 21, 2025 expressed an unqualified
opinion.
Change in accounting principle
As discussed in Note 1 to the consolidated financial statements, the Company has adopted new accounting guidance in 2024 related to the disclosure of
segment information in accordance with Accounting Standards Update ("ASU") 2023-07, Segment Reporting (Topic 280). The adoption was
retrospectively applied to 2023 and 2022.
Basis for opinion
These consolidated financial statements are the responsibility of the Company’s management. Our responsibility is to express an opinion on the Company’s
consolidated financial statements based on our audits. We are a public accounting firm registered with the PCAOB and are required to be independent with
respect to the Company in accordance with the U.S. federal securities laws and the applicable rules and regulations of the Securities and Exchange
Commission and the PCAOB.
We conducted our audits in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable
assurance about whether the financial statements are free of material misstatement, whether due to error or fraud. Our audits included performing
procedures to assess the risks of material misstatement of the financial statements, whether due to error or fraud, and performing procedures that respond to
those risks. Such procedures included examining, on a test basis, evidence regarding the amounts and disclosures in the financial statements. Our audits
also included evaluating the accounting principles used and significant estimates made by management, as well as evaluating the overall presentation of the
financial statements. We believe that our audits provide a reasonable basis for our opinion.
Critical audit matters
Critical audit matters are matters arising from the current period audit of the financial statements that were communicated or required to be communicated
to the audit committee and that: (1) relate to accounts or disclosures that are material to the financial statements and (2) involved our especially
challenging, subjective, or complex judgments. We determined that there are no critical audit matters.
/s/ GRANT THORNTON LLP
We have served as the Company’s auditor since 2005.
San Francisco, California
February 21, 2025
53
Table of Contents
REPORT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM
Board of Directors and Stockholders
Qualys, Inc.
Opinion on internal control over financial reporting
We have audited the internal control over financial reporting of Qualys, Inc. (a Delaware corporation) and subsidiaries (the “Company”) as of
December 31, 2024, based on criteria established in the 2013 Internal Control—Integrated Framework issued by the Committee of Sponsoring
Organizations of the Treadway Commission (“COSO”). In our opinion, the Company maintained, in all material respects, effective internal control over
financial reporting as of December 31, 2024, based on criteria established in the 2013 Internal Control—Integrated Framework issued by COSO.
We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States) (“PCAOB”), the consolidated
financial statements of the Company as of and for the year ended December 31, 2024, and our report dated February 21, 2025 expressed an unqualified
opinion on those financial statements.
Basis for opinion
The Company’s management is responsible for maintaining effective internal control over financial reporting and for its assessment of the effectiveness of
internal control over financial reporting, included in the accompanying Management’s Annual Report on Internal Control over Financial Reporting. Our
responsibility is to express an opinion on the Company’s internal control over financial reporting based on our audit. We are a public accounting firm
registered with the PCAOB and are required to be independent with respect to the Company in accordance with the U.S. federal securities laws and the
applicable rules and regulations of the Securities and Exchange Commission and the PCAOB.
We conducted our audit in accordance with the standards of the PCAOB. Those standards require that we plan and perform the audit to obtain reasonable
assurance about whether effective internal control over financial reporting was maintained in all material respects. Our audit included obtaining an
understanding of internal control over financial reporting, assessing the risk that a material weakness exists, testing and evaluating the design and operating
effectiveness of internal control based on the assessed risk, and performing such other procedures as we considered necessary in the circumstances. We
believe that our audit provides a reasonable basis for our opinion.
Definition and limitations of internal control over financial reporting
A company’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting
and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company’s internal control
over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly
reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit
preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are
being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding
prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial
statements.
Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of
effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of
compliance with the policies or procedures may deteriorate.
/s/ GRANT THORNTON LLP
San Francisco, California
February 21, 2025
54
Table of Contents
Qualys, Inc.
CONSOLIDATED BALANCE SHEETS
(in thousands, except per share data)
December 31,
2024
2023
Assets
Current assets:
Cash and cash equivalents
$
232,182 $
203,665
Restricted cash
—
1,500
Short-term marketable securities
149,241
221,893
Accounts receivable, net of allowance of $1,064 and $778 as of December 31, 2024 and 2023, respectively
164,551
146,226
Prepaid expenses and other current assets
39,717
26,714
Total current assets
585,691
599,998
Long-term marketable securities
193,887
56,644
Property and equipment, net
30,349
32,599
Operating leases - right of use asset
40,968
22,391
Deferred tax assets, net
81,307
62,761
Intangible assets, net
6,812
9,715
Goodwill
7,447
7,447
Noncurrent restricted cash
1,200
1,200
Other noncurrent assets
25,876
19,863
Total assets
$
973,537 $
812,618
Liabilities and Stockholders’ Equity
Current liabilities:
Accounts payable
$
1,270 $
988
Accrued liabilities
45,942
43,096
Deferred revenues, current
371,457
333,267
Operating lease liabilities, current
9,721
11,857
Total current liabilities
428,390
389,208
Deferred revenues, noncurrent
24,265
31,671
Operating lease liabilities, noncurrent
37,500
16,885
Other noncurrent liabilities
6,266
6,680
Total liabilities
496,421
444,444
Commitments and contingencies (Note 9)
Stockholders’ equity:
Preferred stock: $0.001 par value; 20,000 shares authorized, no shares issued and outstanding as of
December 31, 2024 and 2023
—
—
Common stock: $0.001 par value; 1,000,000 shares authorized, 36,503 and 36,909 shares issued and outstanding
as of December 31, 2024 and 2023, respectively
37
37
Additional paid-in capital
664,879
597,921
Accumulated other comprehensive income (loss)
1,417
(1,704)
Accumulated deficit
(189,217)
(228,080)
Total stockholders’ equity
477,116
368,174
Total liabilities and stockholders’ equity
$
973,537 $
812,618
The accompanying notes are an integral part of these Consolidated Financial Statements.
55
Table of Contents
Qualys, Inc.
CONSOLIDATED STATEMENTS OF OPERATIONS
(in thousands, except per share data)
Year Ended December 31,
2024
2023
2022
Revenues
$
607,571 $
554,458 $
489,723
Cost of revenues
111,482
107,485
102,788
Gross profit
496,089
446,973
386,935
Operating expenses:
Research and development
111,852
110,472
101,186
Sales and marketing
128,303
111,691
97,221
General and administrative
68,738
61,741
57,981
Total operating expenses
308,893
283,904
256,388
Income from operations
187,196
163,069
130,547
Other income (expense), net:
Interest income
25,784
16,905
5,191
Other expense, net
(3,158)
(1,323)
(2,038)
Total other income, net
22,626
15,582
3,153
Income before income taxes
209,822
178,651
133,700
Income tax provision
36,142
27,056
25,708
Net income
$
173,680 $
151,595 $
107,992
Net income per share:
Basic
$
4.72 $
4.11 $
2.81
Diluted
$
4.65 $
4.03 $
2.74
Weighted average shares used in computing net income per share:
Basic
36,799
36,879
38,453
Diluted
37,353
37,602
39,344
The accompanying notes are an integral part of these Consolidated Financial Statements.
56
Table of Contents
Qualys, Inc.
CONSOLIDATED STATEMENTS OF COMPREHENSIVE INCOME
(in thousands)
Year Ended December 31,
2024
2023
2022
Net income
$
173,680 $
151,595 $
107,992
Other comprehensive income (loss), net of tax
Net change in unrealized gains (losses) on available-for-sale debt securities, net of tax
283
2,813
(2,520)
Net change in unrealized gains (losses) on cash flow hedges, net of tax
2,838
(2,570)
(434)
Other comprehensive income (loss), net of tax
3,121
243
(2,954)
Comprehensive income
$
176,801 $
151,838 $
105,038
The accompanying notes are an integral part of these Consolidated Financial Statements.
57
Table of Contents
Qualys, Inc.
CONSOLIDATED STATEMENTS OF CASH FLOWS
(in thousands)
Year Ended December 31,
2024
2023
2022
Cash flow from operating activities:
Net income
$
173,680
$
151,595
$
107,992
Adjustments to reconcile net income to net cash provided by operating activities:
Depreciation and amortization expense
18,513
26,991
34,622
Provision for credit losses
764
547
590
Loss on disposal of property and equipment
—
—
6
Loss on non-marketable securities
—
533
—
Stock-based compensation, net of amounts capitalized
77,133
69,079
53,408
Amortization (accretion) of premiums (discount) on marketable securities, net
(6,735)
(5,712)
833
Deferred income taxes
(19,465)
(16,636)
(20,251)
Changes in operating assets and liabilities:
Accounts receivable
(19,089)
(24,978)
(13,387)
Prepaid expenses and other assets
(14,655)
(3,407)
3,878
Accounts payable
219
(1,578)
2,107
Accrued liabilities and other noncurrent liabilities
2,945
451
3,867
Deferred revenues
30,784
47,720
25,189
Net cash provided by operating activities
244,094
244,605
198,854
Cash flow from investing activities:
Purchases of marketable securities
(368,277)
(306,812)
(178,788)
Sales and maturities of marketable securities
309,184
242,432
347,837
Purchases of property and equipment
(12,334)
(8,786)
(15,361)
Purchases of intangible assets
—
—
(8,620)
Net cash provided by (used in) investing activities
(71,427)
(73,166)
145,068
Cash flow from financing activities:
Repurchase of common stock
(139,875)
(170,800)
(317,344)
Proceeds from exercise of stock options
17,269
45,576
24,483
Payments for taxes related to net share settlement of equity awards
(28,416)
(22,346)
(17,615)
Proceeds from issuance of common stock through employee stock purchase plan
6,872
6,077
4,445
Payment of acquisition-related holdback
(1,500)
—
—
Net cash used in financing activities
(145,650)
(141,493)
(306,031)
Net increase in cash, cash equivalents and restricted cash
27,017
29,946
37,891
Cash, cash equivalents and restricted cash at beginning of period
206,365
176,419
138,528
Cash, cash equivalents and restricted cash at end of period
$
233,382
$
206,365
$
176,419
Supplemental disclosures of cash flow information:
Cash paid for income taxes, net of refunds
$
60,554
$
34,920
$
39,739
Non-cash investing and financing activities
Purchases of intangible assets recorded in accrued liabilities and other noncurrent liabilities
$
—
$
—
$
2,110
Purchases of property and equipment recorded in accounts payable and accrued liabilities
$
843
$
144
$
470
Accrual for repurchase of common stock
$
802
$
—
$
—
The accompanying notes are an integral part of these Consolidated Financial Statements.
58
Table of Contents
Qualys, Inc.
CONSOLIDATED STATEMENTS OF STOCKHOLDERS’ EQUITY
(in thousands)
Common Stock
Additional
Paid-In
Capital
Accumulated
Other
Comprehensive
Income (Loss)
Accumulated
Deficit
Total
Stockholders’
Equity
Shares
Amount
Balances at December 31, 2021
39,112 $
39 $
477,323 $
1,007 $
(41,655) $
436,714
Net income
—
—
—
—
107,992
107,992
Other comprehensive loss, net of tax
—
—
—
(2,954)
—
(2,954)
Issuance of common stock upon exercise of stock options
468
—
24,483
—
—
24,483
Repurchase of common stock
(2,460)
(2)
(29,558)
—
(287,784)
(317,344)
Issuance of common stock upon vesting of restricted stock
units
329
—
—
—
—
—
Taxes related to net share settlement of equity awards
(132)
—
(17,615)
—
—
(17,615)
Issuance of common stock through employee stock
purchase plan
45
—
4,445
—
—
4,445
Stock-based compensation
—
—
53,408
—
—
53,408
Balances at December 31, 2022
37,362
37
512,486
(1,947)
(221,447)
289,129
Net income
—
—
—
—
151,595
151,595
Other comprehensive income, net of tax
—
—
—
243
—
243
Issuance of common stock upon exercise of stock options
582
1
45,575
—
—
45,576
Repurchase of common stock
(1,342)
(1)
(12,990)
—
(158,228)
(171,219)
Issuance of common stock upon vesting of restricted stock
units
414
—
—
—
—
—
Taxes related to net share settlement of equity awards
(167)
—
(22,346)
—
—
(22,346)
Issuance of common stock through employee stock
purchase plan
60
—
6,077
—
—
6,077
Stock-based compensation
—
—
69,119
—
—
69,119
Balances at December 31, 2023
36,909
37
597,921
(1,704)
(228,080)
368,174
Net income
—
—
—
—
173,680
173,680
Other comprehensive income, net of tax
—
—
—
3,121
—
3,121
Issuance of common stock upon exercise of stock options
277
—
17,269
—
—
17,269
Repurchase of common stock
(993)
—
(5,956)
—
(134,817)
(140,773)
Issuance of common stock upon vesting of restricted stock
units
434
—
—
—
—
—
Taxes related to net share settlement of equity awards
(183)
—
(28,416)
—
—
(28,416)
Issuance of common stock through employee stock
purchase plan
59
—
6,872
—
—
6,872
Stock-based compensation
—
—
77,189
—
—
77,189
Balances at December 31, 2024
36,503 $
37 $
664,879 $
1,417 $
(189,217) $
477,116
The accompanying notes are an integral part of these Consolidated Financial Statements.
59
Table of Contents
Qualys, Inc.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS
NOTE 1. The Company and Summary of Significant Accounting Policies
Description of Business
Qualys, Inc. (the “Company”, "we", "us", "our") was incorporated in the state of Delaware on December 30, 1999. The Company is headquartered in
Foster City, California and has wholly-owned subsidiaries throughout the world. The Company is a leading provider of cloud-based IT, security and
compliance solutions that enable organizations to identify security risks to their IT infrastructures, help protect their IT systems and applications from ever-
evolving cyber-attacks and achieve compliance with internal policies and external regulations. The Company’s cloud solutions address the growing security
and compliance complexities and risks that are amplified by the dissolving boundaries between internal and external IT infrastructures and web
environments, the rapid adoption of cloud computing and the proliferation of geographically dispersed IT assets. Organizations can use the Company’s
integrated suite of solutions delivered on Qualys' Enterprise TruRisk Platform to cost-effectively obtain a unified view of their security and compliance
posture across globally-distributed IT infrastructures.
Basis of Presentation
The accompanying consolidated financial statements and footnotes have been prepared in accordance with U.S. GAAP as well as the instructions to
Form 10-K and the rules and regulations of the SEC. In the opinion of management, the accompanying consolidated financial statements reflect all
adjustments, which include only normal recurring adjustments, necessary for the fair presentation of the Company’s consolidated financial position, results
of operations and cash flows for the periods presented. The accompanying consolidated financial statements include the accounts of the Company and its
wholly-owned subsidiaries. All intercompany transactions and balances have been eliminated upon consolidation.
Use of Estimates
The preparation of the consolidated financial statements in conformity with U.S. GAAP requires management to make certain estimates and
assumptions that affect the reported amounts of assets and liabilities and disclosure of assets and liabilities at the date of the consolidated financial
statements and the reported results of operations during the reporting period. The Company’s management regularly assesses these estimates, which
primarily affect revenue recognition, allowance for credit loss, the valuation of goodwill and intangible assets, leases, stock-based compensation and
income tax provision. Actual results could differ from those estimates and such differences may be material to the accompanying consolidated financial
statements.
Concentration of Credit Risk
The Company invests its cash and cash equivalents with major financial institutions. Cash balances with any one institution at times may be in
excess of federally insured limits. Cash equivalents are invested in high-quality investment grade financial instruments and are diversified. The Company
has not experienced any losses in such accounts and believes it is not exposed to any significant credit risk.
Credit risk with respect to accounts receivable is dispersed due to the large number of customers. Collateral is not required for accounts receivable.
As of December 31, 2024 and 2023, no customer or channel partner accounted for more than 10% of the Company's revenues and accounts receivable
balance.
Cash, Cash Equivalents, Restricted cash and Short-Term and Long-Term Marketable Securities
Cash and cash equivalents include cash held in banks, highly liquid money market funds, commercial paper and fixed-income U.S. Treasury and
government agency securities, all with original maturities of three months or less when acquired. The Company’s short-term and long-term marketable
securities consist of fixed-income U.S. Treasury and government agency securities, corporate bonds, asset-backed securities and commercial paper.
Management determines the appropriate classification of the Company's investments at the time of purchase and reevaluates such designation at each
balance sheet date. The Company classifies its marketable securities as either short-term or long-term based on each instrument's underlying remaining
contractual maturity date.
60
Table of Contents
As of December 31, 2024 and 2023, the Company had a restricted cash balance of $1.2 million and $2.7 million, respectively, of which $1.2 million
in the form of a letter of credit issued to the landlord of the Company's California headquarter office lease as security deposit and $1.5 million was related
to cash held in escrow as part of the Blue Hexagon acquisition.
Cash equivalents are stated at cost, which approximates fair market value. Short-term and long-term marketable securities are classified as available-
for-sale debt securities (“AFS debt securities”) and are carried at fair value. Unrealized gains and losses in fair value of the AFS debt securities are reported
in other comprehensive income (loss). When the AFS debt securities are sold, cost is based on the specific identification method, and the realized gains and
losses are included in other income (expense), net in the consolidated statements of operations. AFS debt securities are reviewed quarterly for impairment.
An investment is considered impaired when its fair value is below its amortized cost. Declines in fair value from amortized cost for AFS debt securities that
the company intends to sell or will more likely than not be required to sell before the expected recovery of the amortized cost basis are charged to other
income (expense), net in the period in which the loss occurs. Otherwise, the credit loss component of the impairment is recorded as allowance for credit
losses with an offsetting entry charged to other income (expense), net, while the remaining loss is recognized in other comprehensive income (loss).
Accounts Receivable
Accounts receivable are recorded at the invoiced amount and do not bear interest. The allowance for credit losses is determined on a collective basis
where similar risk characteristics exist and on an individual basis when the Company identifies significant customers or invoices with collectability issues.
The estimate for credit losses considers historical write-offs by aging category, that are adjusted for current conditions and reasonable and supportable
forecasts of future losses. Any change in the assumptions used in analyzing credit losses may result in additional allowances being recognized in the period
in which the change occurs. When the Company ultimately concludes that a receivable is uncollectible, the balance is written off against the allowance for
credit losses. Payments subsequently received on such receivables are recognized in the period received. The allowance for credit losses recognized and
write-offs charged against the allowance were not significant for the years ended December 31, 2024 and 2023. The balance of accounts receivable, net of
allowance for credit losses was $164.6 million, $146.2 million and $121.8 million as of December 31, 2024, December 31, 2023 and December 31, 2022,
respectively.
Non-marketable securities
In 2018, the Company invested $2.5 million in preferred stock of a privately-held company (the “Investee”). The fair value of the investment is not
readily available, and there are no quoted market prices for the investment. The Company elected the measurement alternative to account for the investment
at cost less impairment and will measure the investment at fair value when the Company identifies observable price changes. The investment is assessed for
impairment annually or whenever events or changes in circumstances indicate that the fair value of the investment is less than carrying value. The
investment is included in other noncurrent assets in the consolidated balance sheets. The Company has not received any dividends from the investment.
During the second quarter of 2023, the Company identified an observable price change in the investment and recognized an immaterial unrealized loss in
other income (expense), net of the consolidated statement of operations.
Property and Equipment, net
Property and equipment are stated at cost less accumulated depreciation and amortization. Depreciation is computed using the straight-line method
over the estimated useful lives of the assets, which range from three to five years. Leasehold improvements are amortized on a straight-line basis over the
lesser of the estimated useful life of the asset or the remaining lease term.
The Company purchases physical scanner appliances and other computer equipment that are provided to some customers on a subscription basis.
This equipment is recorded within property and equipment and the depreciation is recorded in cost of revenues over an estimated useful life of three years.
Upon retirement or disposal, the cost of assets and the related accumulated depreciation are removed from the accounts and any resulting gain or loss
is reflected in the consolidated statements of operations. Repairs and maintenance that do not extend the life of an asset are expensed as incurred and major
improvements are capitalized as property and equipment.
Leases
The Company leases certain offices, computer equipment and its shared cloud platform facilities under finance leases and non-cancelable operating
leases. For both operating and finance leases, the Company recognizes a right-of-use asset, which
61
Table of Contents
represents the Company's right to use the underlying asset for the lease term, and a lease liability, which represents the present value of the Company's
obligation to make payments arising over the lease term. Many of the Company's leases include rental escalation clauses, renewal options and/or
termination options that are factored into the Company's determination of lease payments and lease terms when appropriate. The present value of the lease
payments is calculated using the incremental borrowing rate of the underlying leases determined at lease commencement. As most of the Company's leases
do not provide a readily determinable implicit rate, the Company determines an incremental borrowing rate using a portfolio approach based on the rate of
interest that the Company would have to pay to borrow an amount equal to the lease payments on a collateralized basis over a similar term as the leases.
Where the Company is the lessee, the Company elects to account for non-lease components associated with its leases (e.g., common area
maintenance costs) and lease components separately for substantially all of its asset classes, except for shared cloud platforms, for which the Company
elected to combine lease and non-lease components. For leases with a term of one year or less, the Company has elected not to record the right-of-use asset
or liability.
In arrangements where the Company is the lessor, the Company elected to apply the practical expedient to account for lease components (e.g.,
customer premise equipment) and non-lease components (e.g., service revenue) as combined components as revenue under Accounting Standards
Codification ("ASC") 606 Revenue from Contracts with Customers as service revenues are the predominant components in the arrangements.
Impairment of Long-Lived Assets
The Company evaluates its long-lived assets, which consist of property and equipment, and intangible assets subject to amortization, for indicators
of possible impairment when events or changes in circumstances indicate the carrying amount of an asset may not be recoverable. Impairment exists if the
carrying amounts of such assets exceed the estimates of future undiscounted cash flows expected to be generated by such assets. Should an impairment
exist, the impairment loss would be measured based on the excess carrying value of the asset over the asset’s estimated fair value. For the years ended
December 31, 2024, 2023 and 2022, there was no impairment of long-lived assets.
Goodwill and Intangible Assets
Goodwill represents the excess of the purchase price over the fair value of the net tangible and identifiable intangible assets acquired in a business
combination. Goodwill and indefinite-lived intangible assets are not amortized but tested for impairment at least annually or more frequently if certain
circumstances indicate a possible impairment may exist. The goodwill impairment tests are performed at the reporting unit level. The Company’s
operations are organized as one reporting unit.
In testing for a potential impairment of goodwill and the indefinite-lived intangible assets, the Company first performs a qualitative assessment to
determine if it is more likely than not (a more than 50% likelihood) that the fair value of the reporting unit or the indefinite-lived intangible assets is less
than their carrying amount. If the fair value is not considered to be less than the carrying amount, no further evaluation is necessary. Otherwise, the
Company will perform a quantitative test. Goodwill impairment is measured as the amount by which the carrying value of the reporting unit or the
indefinite-lived intangible assets exceeds their fair value. The Company performed the annual assessments on December 1, 2024 and 2023 and concluded
there was no impairment of goodwill or the indefinite-lived intangible assets.
Software Development Costs
Costs related to software developed, acquired or modified for internal use are capitalized and included in other noncurrent assets on the consolidated
balance sheets. Costs incurred during the preliminary planning and evaluation stage of the project and during the post implementation stages of the project
are expensed as incurred. Costs incurred during the application development stage of the project are capitalized. These capitalized costs consist of internal
compensation related costs and external direct costs. Costs related to software developed for internal use are amortized over an estimated useful life of three
years and recorded in cost of revenues. Management evaluates the useful lives of these assets on an annual basis and tests for impairment whenever events
or changes in circumstances occur that could impact the recoverability of these assets. As of December 31, 2024 and 2023, unamortized balances related to
the Company's internally developed software costs are immaterial.
Asset Acquisitions and Business Combinations
The Company applies the provisions of ASC 805 Business Combinations, in accounting for its acquisitions. To determine whether transactions
should be accounted for as asset acquisition or business combination, the Company evaluates whether
62
Table of Contents
substantially all of the fair value of gross assets included in a transaction is concentrated in a single asset (or a group of similar assets), resulting in an asset
acquisition, if not, resulting in a business combination. In an asset acquisition, the cost of acquiring the asset group, including transaction costs, is allocated
to the acquired assets or assumed liabilities based on their relative fair values without giving rise to goodwill. In a business combination, the Company
recognize separately from goodwill the assets acquired and the liabilities assumed at their acquisition date fair values. Goodwill as of the acquisition date is
measured as the excess of consideration transferred over the net of the acquisition date fair values of the assets acquired and the liabilities assumed. While
the Company uses its best estimates and assumptions to accurately value assets acquired and liabilities assumed at the acquisition date as well as any
contingent consideration, where applicable, its estimates are inherently uncertain and subject to refinement. As a result, during the measurement period,
which may be up to one year from the acquisition date, the Company records adjustments to the assets acquired and liabilities assumed with the
corresponding offset to goodwill. Upon the conclusion of the measurement period or final determination of the values of assets acquired or liabilities
assumed, whichever comes first, any subsequent adjustments are recorded to its consolidated statements of operations.
Derivative Financial Instruments
Derivative financial instruments are utilized by the Company to reduce foreign currency exchange risks. The Company uses foreign currency
forward contracts, with maturities of 13 months or less, to mitigate the impact of foreign currency fluctuations of certain non-U.S. dollar denominated net
asset positions, to date primarily cash, accounts receivable and operating lease liabilities, as well as to manage foreign currency fluctuation risk related to
forecasted transactions. Open contracts are recorded within prepaid expenses and other current assets, other noncurrent assets, accrued liabilities or other
noncurrent liabilities in the consolidated balance sheets. Gains and losses resulting from currency exchange rate movements on non-designated forward
contracts are recognized in other income (expense), net. Any gains or losses from derivatives designated as cash flow hedges are first recorded within
accumulated other comprehensive income (“AOCI”) and then reclassified into revenue or operating expenses when the hedged item impacts the
consolidated statements of operations. Cash flows related to these forward contracts are classified in the Company's consolidated statements of cash flows
in the same manner as the underlying hedged transaction within cash flows from operating activities.
Stock-Based Compensation
The Company recognizes the fair value of its stock options, restricted stock units (“RSUs”) and stock purchase rights under the ESPP on a straight-
line basis over the requisite service periods. The fair value of each stock option or stock purchase right is estimated on the date of grant using the Black-
Scholes-Merton option pricing model and the fair value of each RSU is based on the Company's common stock price on the date of grant. Compensation
expenses for performance-based restricted stock units (“PRSUs”) are recorded based on expected achievement of the performance metrics specified in the
grant, which are assessed on a quarterly basis. Forfeitures are estimated on the date of grant and revised if actual or expected forfeiture materially differs
from original estimates.
Revenue Recognition
The Company derives revenues from subscriptions that require customers to pay a fee in order to access the Company’s cloud solutions. Contract
period with customers generally are one year with occasional contracts ranging up to five years. The subscription fee entitles the customer to an unlimited
number of scans for a specified number of networked devices or web applications and, if requested by a customer as part of their subscription, a specified
number of physical or virtual scanner appliances. The Company’s physical and virtual scanner appliances are requested by certain customers as part of their
subscriptions in order to scan IT infrastructures within their firewalls and do not function without, and are not sold separately from, subscriptions for the
Company’s solutions. In some limited cases, the Company also provides certain computer equipment used to extend Qualys' Enterprise TruRisk Platform
into its customers’ private cloud environment. Customers are required to return physical scanner appliances and computer equipment if they do not renew
their subscriptions.
The Company determines revenue recognition through the following steps:
•
Identification of the contract, or contracts, with a customer;
•
Identification of the performance obligations in the contract;
•
Determination of the transaction price;
•
Allocation of the transaction price to the performance obligations in the contract; and
•
Recognition of revenue when, or as, the Company satisfies a performance obligation.
63
Table of Contents
At the inception of a customer contract, the Company makes an assessment as to that customer's ability to pay for the services provided. The
Company assesses collectability based on several factors, including credit worthiness of the customer along with past transaction history. In addition, the
Company performs periodic evaluations of its customers’ financial condition.
Most of the Company’s revenue contracts are subscription based and contain a single performance obligation. The subscription contracts typically do
not offer to the customers any future rights that would constitute material rights. Contract prices are generally composed of fixed consideration for a
specific period of time as the Company in general does not offer refunds, volume rebates, customer loyalty programs or other forms of customer incentive
payments. In limited situations, contract prices are contingent on future events, such as actual usage during the contract terms, which are accounted for as
variable consideration and estimated based on the most likely amount of consideration that the Company is expected to be entitled to. Estimates are
included in the contract price to the extent that it is considered probable that a significant reversal in the amount of cumulative revenue recognized will not
occur when the uncertainty associated with the variable consideration is subsequently resolved. Such estimates are made at contract inception and updated
periodically when additional information becomes available. A cumulative catch-up adjustment is made when there is a change in the estimate of variable
consideration.
As the Company's cloud-based subscription services are delivered to customers electronically and over time, revenue is generally recognized ratably
over the contract terms. When physical equipment is provided to the customers as part of the subscription service contract, the Company applies the
practical expedient allowed under ASC 842 Leases to combine lease and nonlease components as a combined component to be accounted for under ASC
606, as the Company determined that the software subscription is the predominant component of the combined components. Therefore, the Company
recognizes revenue for the physical equipment ratably over the related subscription period.
Contract modifications happen when there is an upsell, where the customers subsequently enter into contract with the Company to purchase
additional product offerings or additional scans for additional devices. Contract modifications related to upsells are accounted for prospectively.
Deferred revenues consist of customer contracts billed or cash received that will be recognized in the future under subscriptions existing at the
balance sheet date. The current portion of deferred revenues represents amounts that are expected to be recognized within one year of the balance sheet
date.
Costs of shipping and handling charges incurred by the Company associated with physical scanner appliances and other computer equipment are
included in cost of revenues. Sales taxes and other taxes collected from customers to be remitted to government authorities are excluded from revenues.
Incremental direct costs of obtaining a contract, which consist of sales commissions primarily for new business and upsells, are deferred and
amortized over the estimated life of the customer relationship if renewals are expected and the renewal commission is not commensurate with the initial
commission. The Company elected the practical expedient to expense commissions on renewals where the specific anticipated contract term amortization
period is one year or less. The Company amortizes the capitalized commission cost as a selling expense on a straight-line basis over a period of five years.
The Company classifies deferred commissions as current or noncurrent based on the timing of when it expects to recognize the expense. The current and
noncurrent portions of deferred commissions are included in prepaid expenses and other current assets and other noncurrent assets, respectively, in its
consolidated balance sheets.
Advertising Expenses
Advertising costs are expensed as incurred and are included in sales and marketing expense in the consolidated statements of operations. The
Company incurred advertising costs of $2.9 million, $3.0 million and $3.3 million for the years ended December 31, 2024, 2023 and 2022, respectively.
Income Taxes
The Company provides for the effect of income taxes in its consolidated financial statements using the asset and liability method which requires the
recognition of deferred tax assets and liabilities for the expected future tax consequences of events that have been included in the consolidated financial
statements. Under this method, deferred tax assets and liabilities are recognized for the future tax consequences attributable to differences between the
financial statement carrying amounts of existing assets and liabilities and their respective tax bases, net operating loss carryovers, and tax credit carry
forwards. The Company regularly reviews its deferred tax assets for recoverability and establishes a valuation allowance if it is more likely than not that
some portion or all of the deferred tax assets will not be realized. To make this assessment, the Company takes into account predictions of the
64
Table of Contents
amount and category of taxable income from various sources and all available positive and negative evidence about these possible sources of taxable
income. The weight given to the potential effect of negative and positive evidence is commensurate with the extent to which the strength of the evidence
can be objectively verified. Deferred tax assets and liabilities are measured using enacted tax rates expected to apply to taxable income in the years in
which those temporary differences are expected to be recovered or settled. The effect on deferred tax assets and liabilities of a change in tax rates is
recognized in the period that includes the enactment date.
Income tax expense or benefit is recognized for the amount of taxes payable or refundable for the current year and for deferred tax assets and
liabilities for the tax consequences of events that have been recognized in an entity’s financial statements or tax returns. The Company must make
significant assumptions, judgments and estimates to determine its current income tax provision (benefit), its deferred tax assets and liabilities, and any
valuation allowance to be recorded against its deferred tax assets. The Company's estimates and assumptions may differ from the actual results as reflected
on its income tax returns and will record the required adjustments when they are identified or resolved.
The Company applies a two-step approach to determining the financial statement recognition and measurement of uncertain tax positions. The
Company only recognizes an income tax expense or benefit with respect to uncertain tax positions in its financial statements that the Company judges is
more likely than not to be sustained solely on its technical merits in a tax audit, including resolution of any related appeals or litigation processes. To make
this judgment, the Company must interpret complex and sometimes ambiguous tax laws, regulations and administrative practices. If an income tax position
meets the more likely than not recognition threshold, then the Company must measure the amount of the tax benefit to be recognized by determining the
largest amount of tax benefit that has a greater than a 50% likelihood of being realized upon effective settlement with a taxing authority that has full
knowledge of all of the relevant facts. It is inherently difficult and subjective to estimate such amounts, as this requires the Company to determine the
probability of various possible settlement outcomes. To determine if a tax position is effectively settled after a tax examination has been completed, the
Company must also estimate the likelihood that another taxing authority could review the respective tax position. The Company must also determine when
it is reasonably possible that the amount of unrecognized tax benefits will significantly increase or decrease in the 12 months after each fiscal year-end.
These judgments are difficult because a taxing authority may change its behavior as a result of the Company's disclosures in its financial statements. The
Company must reevaluate its income tax positions on a quarterly basis to consider factors such as changes in facts or circumstances, changes in tax law,
effectively settled issues under audit, and new audit activity. Such a change in recognition or measurement would result in recognition of a tax benefit or an
additional charge to the tax provision. The Company's policy is to recognize interest and penalties related to unrecognized tax benefits as a component of
the provision for income taxes.
Comprehensive Income (Loss)
Other comprehensive income (loss) consists of unrealized gains (losses) on marketable securities, net of tax, and derivative financial instruments
designated as cash flow hedges, net of tax, which are not included in the Company’s net income. Total comprehensive income includes net income and
other comprehensive income (loss) and is included in the consolidated statements of comprehensive income.
Foreign Currency Transactions
The Company’s operations are conducted in various countries around the world and the financial statements of its foreign subsidiaries are reported in
the U.S. dollar as their respective functional currency. Monetary assets and liabilities denominated in foreign currencies have been re-measured into U.S.
dollars using the exchange rates in effect at the balance sheet date, and income and expenses are re-measured at average exchange rates during the period.
Foreign currency re-measurement gains and losses and foreign currency transaction gains and losses are recognized in other income (expense), net.
Net Income Per Share
Basic net income per share is computed by dividing net income by the weighted-average number of shares outstanding during the period. Diluted net
income per share is computed by dividing net income by the weighted-average number of shares outstanding plus potentially dilutive shares outstanding
during the period. The potentially dilutive shares are computed by applying the treasury stock method to the Company's stock options, RSUs and the stock
purchase rights under the ESPP. Any potential shares that would be anti-dilutive are excluded from the computation of diluted net income per share.
65
Table of Contents
Recently Adopted Accounting Pronouncements
In November 2023, the Financial Accounting Standards Board ("FASB") issued ASU 2023-07 - Segment Reporting (Topic 280): Improvements to
Reportable Segment Disclosures, requiring enhanced segment disclosures. The ASU requires disclosure of significant segment expenses regularly provided
to the chief operating decision maker ("CODM") included within segment operating profit or loss. Additionally, the ASU requires a description of how the
CODM utilizes segment operating profit or loss to assess segment performance. The requirements of the ASU are effective for annual periods beginning
after December 15, 2023, and interim periods within fiscal years beginning after December 15, 2024. The Company's annual reporting requirements will be
effective for fiscal 2024 and interim reporting requirements will be effective beginning with the first quarter of fiscal 2025. Retrospective application is
required for all periods presented. The Company adopted this ASU during fiscal year 2024. See Note 13, "Segment and Geographic Area Information" for
the additional required disclosures.
Recently Issued Accounting Pronouncements Not Yet Adopted
In December 2023, the FASB issued ASU 2023-09 - Income Taxes (Topic 740): Improvements to Income Tax Disclosures, requiring improvements to
income tax disclosures. The new ASU requires disclosure of disaggregated information about the effective tax rate and income taxes paid. The
requirements of the ASU are effective for annual periods beginning after December 15, 2024 and are to be applied on a prospective basis. The Company's
annual reporting requirements will be effective for fiscal year 2025. Companies can choose to early adopt and apply the guidance retrospectively. The
Company is in the process of analyzing the impact of the ASU on related disclosures.
In November 2024, the FASB issued ASU 2024-03 - Income Statement—Reporting Comprehensive Income—Expense Disaggregation Disclosures
(Subtopic 220-40): Disaggregation of Income Statement Expenses, requiring more detailed information about the types of expenses included in certain
expense captions presented on the consolidated statements of operations. Additionally, this amendment requires the disclosure of a qualitative description
of the amounts remaining in relevant expense captions that are not separately disaggregated quantitatively and the disclosure of the total amount of selling
expenses. The requirements of the ASU are effective for annual periods beginning after December 15, 2026, and for interim periods within fiscal years
beginning after December 15, 2027 and are to be applied on a retrospective or prospective basis, with early adoption permitted. The Company's annual
reporting requirements will be effective for fiscal year 2027. The Company is in the process of analyzing the impact of the ASU on related disclosures.
The Company does not believe any other new accounting pronouncements issued by the FASB that have not become effective will have a material
impact on its consolidated financial statements.
NOTE 2. Fair Value of Financial Instruments
Fair value is defined as the price that would be received to sell an asset or paid to transfer a liability in an orderly transaction between market
participants at the measurement date. For certain of the Company’s financial instruments, including certain cash equivalents, accounts receivable, accounts
payable and accrued liabilities, the carrying amounts approximate their fair values due to the relatively short maturity of these balances.
The Company measures and reports certain cash equivalents, marketable securities, derivative foreign currency forward contracts at fair value in
accordance with the provisions of the authoritative accounting guidance that addresses fair value measurements. This guidance establishes a hierarchy for
inputs used in measuring fair value that maximizes the use of observable inputs and minimizes the use of unobservable inputs by requiring that the most
observable inputs be used when available. The hierarchy is broken down into three levels based on the reliability of inputs as follows:
Level 1 - Valuations based on quoted prices in active markets for identical assets or liabilities.
Level 2 - Valuations based on other than quoted prices in active markets for identical assets and liabilities, including quoted prices for identical assets
or liabilities in less active or inactive markets, quoted prices for similar assets or liabilities in active markets, or inputs other than quoted prices that are
observable for substantially the full term of the assets or liabilities.
Level 3 - Valuations based on inputs that are generally unobservable and typically reflect management’s estimates of assumptions that market
participants would use in pricing the asset or liability.
The Company's financial instruments consist of assets and liabilities measured using Level 1 and 2 inputs. Level 1 assets include a highly liquid
money market fund, which is valued using unadjusted quoted prices that are available in an active market
66
Table of Contents
for an identical asset. Level 2 assets include fixed-income U.S. Treasury and government agency securities, commercial paper, corporate bonds, asset-
backed securities, and derivative financial instruments consisting of foreign currency forward contracts. The securities, bonds and commercial paper are
valued using prices from independent pricing services based on quoted prices of identical instruments in less active or inactive markets, quoted prices of
similar instruments in active markets, or industry models using data inputs such as interest rates and prices that can be directly observed or corroborated in
active markets. The foreign currency forward contracts are valued using observable inputs, such as quotations on forward foreign exchange points and
foreign interest rates.
The following table sets forth by level within the fair value hierarchy the fair value of the Company's financial assets and liabilities measured at fair
value on a recurring basis:
December 31, 2024
Level 1
Level 2
Fair Value
(in thousands)
Money market funds
$
404 $
— $
404
Commercial paper
—
6,443
6,443
U.S. Treasury and government agencies
—
233,279
233,279
Corporate bonds
—
131,812
131,812
Asset-backed securities
—
7,520
7,520
Foreign currency forward contracts
—
2,575
2,575
Total assets
$
404 $
381,629 $
382,033
Foreign currency forward contracts
$
— $
1,339 $
1,339
Total liabilities
$
— $
1,339 $
1,339
December 31, 2023
Level 1
Level 2
Fair Value
(in thousands)
Money market funds
$
87 $
— $
87
Commercial paper
—
54,279
54,279
U.S. Treasury and government agencies
—
208,536
208,536
Corporate bonds
—
56,465
56,465
Asset-backed securities
—
13,881
13,881
Foreign currency forward contracts
—
111
111
Total assets
$
87 $
333,272 $
333,359
Foreign currency forward contracts
$
— $
1,986 $
1,986
Total liabilities
$
— $
1,986 $
1,986
There were no transfers between Level 1, Level 2 and Level 3 categories during the years ended December 31, 2024 and 2023.
67
Table of Contents
Cash equivalent and investments
The Company's cash equivalents and marketable securities consist of the following:
December 31, 2024
Amortized Cost
Unrealized Gains
Unrealized
Losses
Fair Value
(in thousands)
Cash equivalents: (1)
Money market funds
$
404 $
— $
— $
404
Commercial paper
1,983
—
—
1,983
U.S. Treasury and government agencies
33,939
4
—
33,943
Total
36,326
4
—
36,330
Short-term marketable securities:
Commercial paper
4,459
3
(2)
4,460
Corporate bonds
47,155
107
(3)
47,259
U.S. Treasury and government agencies
97,338
207
(23)
97,522
Total
148,952
317
(28)
149,241
Long-term marketable securities:
Corporate bonds
84,414
310
(171)
84,553
Asset-backed securities
7,426
94
—
7,520
U.S. Treasury and government agencies
101,834
178
(198)
101,814
Total
193,674
582
(369)
193,887
Total
$
378,952 $
903 $
(397) $
379,458
(1)Excludes cash of $195.9 million.
December 31, 2023
Amortized Cost
Unrealized Gains
Unrealized
Losses
Fair Value
(in thousands)
Cash equivalents: (1)
Money market funds
$
87 $
— $
— $
87
U.S. Treasury and government agencies
54,620
4
—
54,624
Total
54,707
4
—
54,711
Short-term marketable securities:
Commercial paper
54,254
32
(7)
54,279
Corporate bonds
23,013
1
(149)
22,865
U.S. Treasury and government agencies
144,901
52
(204)
144,749
Total
222,168
85
(360)
221,893
Long-term marketable securities:
Corporate bonds
33,337
285
(22)
33,600
Asset-backed securities
13,785
102
(6)
13,881
U.S. Treasury and government agencies
9,116
49
(2)
9,163
Total
56,238
436
(30)
56,644
Total
$
333,113 $
525 $
(390) $
333,248
(1)Excludes cash of $149.0 million.
68
Table of Contents
The following table summarizes the gross unrealized losses and fair value of the Company's marketable securities that were in an unrealized loss
position aggregated by length of time:
December 31, 2024
Less than 12 months
12 months or longer
Total
Fair Value
Gross Unrealized
Losses
Fair Value
Gross Unrealized
Losses
Fair Value
Gross Unrealized
Losses
(in thousands)
Commercial paper
$
4,464 $
(2) $
— $
— $
4,464 $
(2)
Corporate bonds
27,154
(171)
672
(3)
27,826
(174)
U.S. Treasury and government
agencies
64,517
(221)
—
—
64,517
(221)
Total
$
96,135 $
(394) $
672 $
(3) $
96,807 $
(397)
December 31, 2023
Less than 12 months
12 months or longer
Total
Fair Value
Gross Unrealized
Losses
Fair Value
Gross Unrealized
Losses
Fair Value
Gross Unrealized
Losses
(in thousands)
Commercial paper
$
24,838 $
(7) $
— $
— $
24,838 $
(7)
Asset-backed securities
—
—
1,485
(6)
1,485
(6)
Corporate bonds
—
—
20,717
(171)
20,717
(171)
U.S. Treasury and government
agencies
43,373
(18)
18,172
(188)
61,545
(206)
Total
$
68,211 $
(25) $
40,374 $
(365) $
108,585 $
(390)
The Company considered the extent to which any unrealized losses on its marketable securities were driven by credit risk and other factors,
including market risk, and if it is more-likely-than-not that the Company would have to sell the security before the recovery of the amortized cost basis. At
December 31, 2024 and 2023, the unrealized losses related to its marketable securities were due to rising market interest rates compared to when the
investments were initiated. The Company does not believe the unrealized losses represent credit risk, and the Company does not intend to sell any of the
securities in an unrealized loss position and it is not likely that the Company would be required to sell these securities before recovery of their amortized
cost basis, which may be at maturity. Thus, no credit loss was recognized for the Company's marketable securities for the years ended December 31, 2024
and 2023.
The following summarizes the fair value of marketable securities by contractual maturity:
December 31, 2024
Amortized Cost
Fair Value
(in thousands)
Due within One Year
$
185,278 $
185,571
Due after One Year through Five
186,247
186,367
Asset-backed securities
7,427
7,520
Total
$
378,952 $
379,458
69
Table of Contents
Derivative Financial Instruments
Designated cash flow hedges
The Company enters into foreign currency forward contracts to reduce the risk of variability in future cash flow due to foreign currency exchange
rate fluctuation from certain forecasted subscription revenue orders billed in GBP and EUR and operating expenses incurred in INR, which are designated
as cash flow hedges. Hedge effectiveness is assessed at inception and at each reporting period utilizing regression analysis. Unrealized foreign exchange
gains or losses related to those designated cash flow hedge contracts are recorded in accumulated other comprehensive income ("AOCI") and will be
reclassified into revenues or operating expenses, respectively, in the same periods when the hedged transactions are recognized in earnings.
As of December 31, 2024, the Company had designated cash flow hedge forward contracts with notional amounts of €51.4 million, £20.3 million
and Rs.4,381.0 million. As of December 31, 2023, the Company had designated cash flow hedge forward contracts with notional amounts of €48.5 million,
£14.6 million and Rs.4,042.0 million.
As of December 31, 2024, the amount of net unrealized gains of $1.6 million before tax on the foreign currency forward contracts for GBP and EUR
reported in AOCI is expected to be reclassified into revenue within the next 12 months. As of December 31, 2024, the amount of net unrealized loss of $1.2
million before tax on the foreign currency forward contracts for INR reported in AOCI is expected to be reclassified into operating expenses within the next
12 months.
Non-designated forward contracts
The Company also uses foreign currency forward contracts to hedge certain foreign currency denominated assets or liabilities, which are not
designated as cash flow hedges. Unrealized foreign exchange gain or losses related to the non-designated forward contracts are recorded in other income
(expenses), net and offset the foreign exchange gain or loss on the underlying net monetary assets or liabilities.
As of December 31, 2024, the Company had non-designated forward contracts with notional amounts of €27.0 million, £8.0 million, Rs.1,252.0
million, and C$1.0 million. As of December 31, 2023, the Company had non-designated forward contracts with notional amounts of €19.2 million, £6.0
million, Rs.440.0 million, and C$1.0 million.
The following summarizes the fair value of derivative financial instruments as of December 31, 2024 and 2023:
December 31,
2024
2023
(in thousands)
Assets
Foreign currency forward contracts designated as cash flow hedge
$
2,495 $
63
Foreign currency forward contracts not designated as hedging instruments
80
48
Total
$
2,575 $
111
Liabilities
Foreign currency forward contracts designated as cash flow hedge
$
1,315 $
1,502
Foreign currency forward contracts not designated as hedging instruments
24
484
Total
$
1,339 $
1,986
The Company presents its derivative assets and derivative liabilities at gross fair values in the consolidated balance sheets. However, under the
master netting agreements with the respective counterparties of the foreign exchange contracts, subject to applicable requirements, the Company is allowed
to net settle transactions of the same currency with a single net amount payable by one party to the other. The potential offset to both assets and liabilities
under the right of set-off associated with the Company's foreign currency exchange contracts are immaterial as of December 31, 2024 and 2023. The
derivatives held by the Company are not subject to any credit contingent features negotiated with its counterparties. The Company is not required to pledge
nor is entitled to receive cash collateral related to the above contracts. The counterparties to these derivatives are large, global financial
70
Table of Contents
institutions that the Company believes are creditworthy, and therefore, it does not consider the risk of counterparty nonperformance to be material.
The following summarizes the gains (losses) recognized from forward contracts and other foreign currency transactions in other income (expense),
net in the consolidated statements of operations:
Year Ended December 31,
2024
2023
2022
(in thousands)
Net gains (losses) from non-designated forward contracts
$
1,445 $
(198) $
5,093
Other foreign currency transactions gains (losses)
(4,637)
(499)
(6,864)
Total foreign exchange gains (losses), net
$
(3,192) $
(697) $
(1,771)
NOTE 3. Accumulated Other Comprehensive Income (Loss)
The components and changes in accumulated other comprehensive income (loss) were as follows:
Available-for-
Sale Debt
Securities
Cash Flow
Hedges
Total
(in thousands)
Balances at December 31, 2021
$
(185) $
1,192 $
1,007
Change in unrealized gains (losses) during the period
(2,462)
581
(1,881)
Amount reclassified into income during the period
—
(1,147)
(1,147)
Tax effect
(58)
132
74
Net change during the period
(2,520)
(434)
(2,954)
Balances at December 31, 2022
(2,705)
758
(1,947)
Change in unrealized gains (losses) during the period
2,858
(1,362)
1,496
Amount reclassified into income during the period
(16)
(1,957)
(1,973)
Tax effect
(29)
749
720
Net change during the period
2,813
(2,570)
243
Balances at December 31, 2023
108
(1,812)
(1,704)
Change in unrealized gains (losses) during the period
370
2,414
2,784
Amount reclassified into income during the period
—
1,256
1,256
Tax effect
(87)
(832)
(919)
Net change during the period
283
2,838
3,121
Balances at December 31, 2024
$
391 $
1,026 $
1,417
71
Table of Contents
The effects on income before income taxes of amounts reclassified from AOCI to the consolidated statements of operations were as follows:
Year Ended December 31,
2024
2023
2022
(in thousands)
Reclassification of AOCI - Available-for-sale debt securities
Other income (expense), net
$
— $
16 $
—
Reclassification of AOCI - Cash flow hedges
Revenues
$
(1,145) $
3,077 $
1,897
Cost of revenues
(26)
(258)
(169)
Research and development
(70)
(712)
(478)
Sales and marketing
(7)
(44)
(30)
General and administrative
(8)
(106)
(73)
Total
$
(1,256) $
1,957 $
1,147
NOTE 4. Property and Equipment, Net
Property and equipment, net, which includes assets under finance leases, consists of the following:
December 31,
2024
2023
(in thousands)
Computer equipment
$
187,281 $
179,002
Computer software
26,229
26,133
Leasehold improvements
23,429
20,924
Scanner appliances
18,978
18,369
Furniture, fixtures and equipment
5,204
6,699
Total property and equipment
261,121
251,127
Less: accumulated depreciation and amortization
(230,772)
(218,528)
Property and equipment, net
$
30,349 $
32,599
As of December 31, 2024 and 2023, physical scanner appliances and other computer equipment that are or will be subject to leases by customers had
a net carrying value of $11.2 million and $10.1 million, respectively, including assets that had not been placed in service of $7.4 million and $6.4 million,
respectively.
Depreciation and amortization expenses relating to property and equipment were $15.6 million, $23.9 million and $28.2 million for the years ended
December 31, 2024, 2023 and 2022, respectively, which were mainly recorded in cost of revenues in the consolidated statements of operations.
NOTE 5. Revenue from Contracts with Customers
The Company records deferred revenue when cash payments are received or due in advance of its performance obligations offset by revenue
recognized in the period. Revenues of $332.3 million and $292.2 million were recognized during the years ended December 31, 2024 and December 31,
2023, respectively, which amounts were included in the deferred revenue balances of $364.9 million and $317.2 million as of December 31, 2023 and
December 31, 2022, respectively
72
Table of Contents
The Company's payment terms vary by the type and location of its customers. The term between invoicing and when payment is due is not
significant. In certain circumstances, based on the credit quality of the customer, the Company requires payment before the products or services are
delivered to the customer.
The following table sets forth the expected revenue from all remaining performance obligations as of December 31, 2024:
(in thousands)
2025
$
243,415
2026
136,689
2027
52,240
2028
1,776
2029
522
2030 and thereafter
3
Total
$
434,645
Revenues allocated to remaining performance obligations represents the transaction price of noncancelable orders for which service has not been
performed, which include deferred revenue and the amounts that will be invoiced and recognized as revenues in future periods from open contracts and
excludes unexercised renewals. The Company applied the short-term contract exemption to exclude the remaining performance obligations that are part of
a contract that has an original expected duration of one year or less.
From time to time, the Company enters into contracts with customers that extend beyond one year, with certain of its customers electing to pay for
more than one year of services upon contract execution. The Company concluded that these contracts did not contain a financing component.
Revenues by sales channel are as follows:
Year Ended December 31,
2024
2023
2022
(in thousands)
Direct
$
325,428 $
314,988 $
285,382
Partner
282,143
239,470
204,341
Total
$
607,571 $
554,458 $
489,723
The Company utilizes partners to enable and accelerate the adoption of its cloud platform by increasing its distribution capabilities and market
awareness of its cloud platform as well as by targeting geographic regions outside the reach of its direct sales force. The Company's channel partners
maintain relationships with their customers throughout the territories in which they operate and provide their customers with services and third-party
solutions to help meet those customers’ evolving security and compliance requirements. As such, these partners may offer the Company's IT security and
compliance solutions in conjunction with one or more of their own products or services and act as a conduit through which the Company can connect with
these prospective customers to offer its solutions. For sales involving a channel partner, the channel partner engages with the prospective customer directly
and involves the Company's sales team as needed to assist in developing and closing an order. When a channel partner secures a sale, the Company sells the
associated subscription to the channel partner who in turn resells the subscription to the customer. Sales to channel partners are made at a discount and
revenues are recorded at this discounted price over the subscription terms. The Company does not have any influence or specific knowledge of its partners'
selling terms with their customers. See Note 13, "Segment and Geographic Area Information" for disaggregation of revenue by geographic area.
73
Table of Contents
Deferred costs to obtain contracts are as follows:
December 31,
2024
2023
(in thousands)
Current
$
7,289 $
5,858
Noncurrent
$
15,301 $
11,844
For the years ended December 31, 2024, 2023 and 2022, the Company recognized $7.2 million, $6.0 million and $5.0 million, respectively, of
amortization expense relating to deferred costs to obtain contracts in sales and marketing expense in the consolidated statements of operations. During the
same periods, there was no impairment loss related to the deferred costs to obtain contracts.
NOTE 6. Acquisitions
On October 4, 2022, the Company acquired certain assets of Blue Hexagon Inc., a privately held company incorporated in Delaware, for $10.0
million in cash, of which $8.5 million was paid on the acquisition date and the remaining $1.5 million was deferred and paid in March 2024. In addition,
the Company assumed $1.4 million deferred revenue. Blue Hexagon's AI/ML-driven network detection enables the Company to leverage its cloud platform
with AI/machine learning to uncover behavior patterns including active vulnerability exploitation, identification of advanced network threats, and adaptive
risk mitigation across all assets and application. The Company accounted for this transaction as an asset acquisition, as substantially all of the fair value is
concentrated in developed technology acquired. The Company incurred $0.6 million transaction costs which is included as the cost of acquiring the
intangible assets. The Company recognized intangible assets of $11.5 million for developed technology and $0.4 million for assembled workforce, which
will be amortized over five years and two years, respectively.
On August 19, 2021, the Company acquired certain developed technology intangible assets of TotalCloud, a privately held company incorporated in
India, for a total cash consideration of $1.2 million, of which $1.1 million was paid on the acquisition date and the remaining $0.1 million was deferred and
paid in August 2022. TotalCloud's technology strengthens the Company's cloud security solution by allowing customers to build user-defined workflows
for custom policies and execute them on-demand for simplified security and compliance. The acquired intangible assets will be amortized over five years.
There were no changes in the carrying amount of goodwill for the years ended December 31, 2024 and 2023.
NOTE 7. Intangible Assets, Net
Intangible assets consist primarily of developed technology and patent licenses acquired from business or asset acquisitions. Acquired intangibles
are amortized on a straight-line basis over the respective estimated useful lives of the assets.
The carrying values of intangible assets are as follows:
December 31, 2024
(in thousands)
Weighted
Average Life
(Years)
Cost
Accumulated
Amortization
Net Book Value
Developed technology
4.6 $
40,141 $
(33,369) $
6,772
Patent licenses
14.0
1,387
(1,387)
—
Assembled workforce
2.0
359
(359)
—
Total intangibles subject to amortization
$
41,887 $
(35,115) $
6,772
Intangible assets not subject to amortization
40
Total intangible assets, net
$
6,812
74
Table of Contents
December 31, 2023
(in thousands)
Weighted
Average Life
(Years)
Cost
Accumulated
Amortization
Net Book Value
Developed technology
4.6 $
40,141 $
(30,667) $
9,474
Patent licenses
14.0
1,387
(1,322)
65
Assembled workforce
2.0
359
(223)
136
Total intangibles subject to amortization
$
41,887 $
(32,212)
9,675
Intangible assets not subject to amortization
40
Total intangible assets, net
$
9,715
Intangible assets amortization expenses were $2.9 million, $3.1 million and $5.7 million for the years ended December 31, 2024, 2023 and 2022,
respectively, which were recorded in the consolidated statements of operations.
As of December 31, 2024, the Company expects amortization expense in future periods to be as follows:
(in thousands)
2025
$
2,557
2026
2,477
2027
1,738
Total expected future amortization expense
$
6,772
NOTE 8. Leases
The Company leases certain offices, computer equipment and its shared cloud platform facilities under non-cancelable operating leases for varying
periods through 2030. While under the Company's lease agreements the Company has options to extend its certain leases, the Company has not included
renewal options in determining the lease terms for calculating its lease liabilities, as these options are not reasonably certain of being exercised. Lease
expense was $16.6 million, $16.1 million and $14.9 million for the years ended December 31, 2024, 2023 and 2022, respectively.
Supplemental cash flow information related to operating leases was as follows:
Year Ended December 31,
2024
2023
2022
(in thousands)
Cash payments included in the measurement of lease liabilities
$
14,720 $
14,984 $
15,751
Lease liabilities arising from obtaining right-of-use assets
$
30,639 $
121 $
8,669
The weighted average remaining lease term and the weighted average discount rate of the Company's operating leases were as follows:
December 31,
2024
2023
Weighted average remaining lease term (years)
4.2
3.1
Weighted average discount rate
7.4 %
5.2 %
75
Table of Contents
Maturities of the Company's operating lease liabilities as of December 31, 2024 are as follows:
(in thousands)
2025
$
12,875
2026
12,845
2027
12,831
2028
9,588
2029
5,879
2030 and thereafter
1,840
Total minimum lease payments
55,858
Less: interest
(8,637)
Present value of net minimum lease payments
47,221
Less: lease liabilities, current
(9,721)
Lease liabilities, noncurrent
$
37,500
The operating lease payments in the table above exclude approximately $4.1 million of legally binding minimum lease payments for a lease signed
during the year ended December 31, 2024 that has yet to commence.
NOTE 9. Commitment and Contingencies
Purchase Obligation
The Company has entered into agreements to purchase goods and services in the ordinary course of business. As of December 31, 2024, these
remaining purchase commitments for future periods are as follows:
(in thousands)
2025
$
25,050
2026
24,748
2027
6,607
Total purchase commitments
$
56,405
Indemnifications
The Company from time to time enters into certain types of contracts that contingently require it to indemnify various parties against claims from
third parties. These contracts primarily relate to (i) the Company's bylaws, under which it must indemnify directors and executive officers, and may
indemnify other officers and employees, for liabilities arising out of their relationship, (ii) contracts under which the Company must indemnify directors
and certain officers for liabilities arising out of their relationship, and (iii) contracts under which the Company may be required to indemnify customers or
resellers from certain liabilities arising from potential infringement of intellectual property rights, as well as potential damages caused by limited product
defects. To date, the Company has not incurred and has not recorded any liability in connection with such indemnifications.
The Company maintains director and officer insurance, which may cover certain liabilities arising from its obligation to indemnify its directors.
Legal Proceedings
From time to time the Company may become involved in legal proceedings or be subject to claims arising in the ordinary course of the Company's
business. The Company records a provision for a liability when it is both probable that a liability has been incurred and the amount can be reasonably
estimated. Legal expenses related to such matters are expensed as incurred. The Company provides disclosure if it is reasonably possible that a loss has
been incurred and a range of loss or possible loss can be reasonably estimated. Significant judgment is required to determine both probability and the
estimated amount. The Company
76
Table of Contents
reviews these provisions at least quarterly and adjust these provisions to reflect the impact of negotiations, settlements, rulings, advice of legal counsel, and
updated information.
As of December 31, 2024, there has not been at least a reasonable possibility that the Company has incurred a material loss from any ongoing legal
proceedings, individually or taken together. However, litigation is inherently unpredictable and is subject to significant uncertainties, some of which are
beyond the Company's control. Should any of these estimates and assumptions change or prove to have been incorrect, the Company could incur significant
charges related to legal matters which could have a material impact on its results of operations, financial position and cash flows.
NOTE 10. Stockholders' Equity and Stock-based Compensation
Preferred Stock
Effective October 3, 2012, the Company is authorized to issue 20.0 million shares of undesignated preferred stock with a par value of $0.001 per
share. Each series of preferred stock will have such rights and preferences including dividend rights, dividend rate, conversion rights, voting rights, rights
and terms of redemption (including sinking fund provisions), redemption price, and liquidation preferences as determined by the board of directors. As of
December 31, 2024, and 2023, there were no issued or outstanding shares of preferred stock.
Common Stock
Equity Incentive Plans
Restated 2012 Equity Incentive Plan
The 2012 Equity Incentive Plan (“Previous 2012 Plan”) was adopted and approved in September 2012 and became effective on September 26, 2012.
Under the Previous 2012 Plan, the Company is authorized to grant to eligible participant’s incentive stock options ("ISOs"), nonstatutory stock options
("NSOs"), stock appreciation rights (“SARs”), restricted stock awards, restricted stock units ("RSUs"), performance units and performance shares. The
number of shares of common stock available for issuance under the Previous 2012 Plan is subject to an annual increase on January 1 of each year by an
amount equal to the least of 3,050 thousand shares, 5% of the outstanding shares of stock as of the last day of the immediately preceding fiscal year or an
amount determined by the board of directors.
On June 8, 2022 ("Effective Date"), the Company's stockholders approved the Amended and Restated 2012 Equity Incentive Plan (the "Restated
2012 Plan"). Under the Restated 2012 Plan, the Company is authorized to grant to eligible participants ISOs, NSOs, restricted stock, RSUs, SARs,
performance units and performance shares. Pursuant to the relevant plan provisions, 3,072 thousand shares were available for grant under the Restated 2012
Plan on the Effective Date. In addition, any outstanding awards or options granted under the Previous 2012 Equity Incentive Plan will be added back to the
shares available for grant under the Restated 2012 Plan if they expire unexercised or are otherwise forfeited after the Effective Date. Any remaining shares
of 9,689 thousand available for grant under the Previous 2012 Plan as of the Effective Date were no longer available for future grants under the Restated
2012 Plan.
On June 12, 2024, the Company's stockholders approved an amendment and restatement to the Restated 2012 Plan to increase the number of shares
of the Company's common stock reserved for issuance by 1,092 thousand shares.
As of December 31, 2024, 2,326 thousand shares are available for future grants.
Options may be granted with an exercise price that is at least equal to the fair market value of the Company's stock at the date of grant and are
exercisable when vested. Options and RSU's granted generally vest over a period of up to four years. ISOs may only be granted to employees and any
subsidiary corporations' employees. All other awards may be granted to employees, directors and consultants and subsidiary corporations' employees and
consultants. Options, SARs, RSUs, performance units and performance awards may be granted with vesting terms as determined by the board of directors
and expire no more than ten years after the date of grant or earlier if employment or service is terminated.
77
Table of Contents
2021 Employee Stock Purchase Plan
On June 9, 2021, the Company’s stockholders approved the 2021 ESPP. A total of 600 thousand shares were authorized for issuance to eligible
participating employees upon adoption of the ESPP. The ESPP provides for consecutive 6-month offering periods beginning on or about August 16 and
February 16 of each year. Eligible employees who elect to participate can contribute from 1% to 15% of their eligible compensation through payroll
withholding. During any offering period, contribution rates cannot be changed. However, eligible employees may withdraw from the current offering
period. Any contributions made prior to each purchase date in the case of withdrawal or termination of employment will be refunded. On each purchase
date, eligible participating employees will purchase the shares at a price per share equal to 85% of the lesser of (i) the fair market value of the Company's
stock on the first trading day of the offering period or (ii) the fair market value of the Company's stock on the purchase date (i.e., the last trading day of the
offering period).
During the year ended December 31, 2024, 59 thousand shares were issued in connection with the purchase of common stock by participating
employees. As of December 31, 2024, 435 thousand shares were available for future purchase.
Stock Options
The weighted-average grant date fair value of the Company’s stock options granted for the years ended December 31, 2024, 2023 and 2022 was
$56.37, $49.08 and $50.32, respectively, using the Black-Scholes-Merton option-pricing model based on the following assumptions:
Year Ended December 31,
2024
2023
2022
Expected term (in years)
3.7 to 3.7
3.8 to 3.9
4.3 to 4.4
Volatility
38% to 42%
42% to 43%
40% to 43%
Risk-free interest rate
4.1% to 4.7%
3.7% to 4.9%
1.7% to 4.2%
Dividend yield
—
—
—
The expected term of the options is based on evaluations of historical and expected future employee exercise behavior. The risk-free interest rate is
based on the U.S. Treasury rates at the date of grant with maturity dates equal to the expected term at the grant date. The volatility was estimated using the
historical volatility derived from the Company's common stock. The Company has not historically declared any dividends and does not expect to in the
future.
A summary of the Company’s stock option activity is as follows:
Outstanding
Options
Weighted
Average Exercise
Price
Weighted
Average
Remaining
Contractual Life
Aggregate
Intrinsic Value
(in thousands)
(Years)
(in thousands)
Balance as of December 31, 2023
1,447 $
97.98
6.5 $
142,302
Granted
245 $
153.34
Exercised
(277) $
62.37
Canceled
(101) $
133.69
Balance as of December 31, 2024
1,314 $
113.07
6.6 $
40,141
Vested and expected to vest as of December 31, 2024
1,189 $
110.11
6.4 $
39,198
Exercisable as of December 31, 2024
770 $
94.77
5.2 $
35,614
The total intrinsic value of options exercised for the years ended December 31, 2024, 2023 and 2022 was $24.0 million, $41.7 million and $39.8
million, respectively. Intrinsic value of an option is the difference between the fair value of the Company’s common stock at the time of exercise and the
exercise price paid.
78
Table of Contents
Restricted Stock Units
A summary of the Company’s RSU activity, inclusive of PRSU activity, is as follows:
Outstanding
RSUs
Weighted
Average Grant
Date
Fair Value Per
Share
(in thousands)
Balance as of December 31, 2023
1,074 (1) $
133.60
Granted
669 (2) $
144.37
Vested
(434) (3) $
129.02
Forfeited
(223) (4) $
140.12
Balance as of December 31, 2024
1,086 (5) $
140.72
Outstanding and expected to vest as of December 31, 2024
859
$
138.46
(1)Included 139 thousand PRSUs granted to certain executive officers in 2023, 2022 and 2021.
(2)Included 156 thousand PRSUs granted to certain executive officers in 2024
(3)Included 64 thousand PRSUs granted to certain executive officers in 2023, 2022 and 2021.
(4)Included 70 thousand PRSUs granted to certain executive officers in 2023, 2022 and 2021.
(5)Included 161 thousand PRSUs granted to certain executive officers in 2024, 2023, 2022 and 2021.
The aggregate fair value of RSUs vested for the years ended December 31, 2024, 2023 and 2022 was $56.2 million, $55.7 million and $43.9 million,
respectively.
The Company, at times, grants PRSU under the Plans, to its executive officers and certain other members of its senior leadership team. These PRSUs
include both service-based and performance-based vesting conditions. During the fourth quarter each year, the Company’s board of directors (the “Board”)
or the Compensation and Talent Committee (“CTC”) approves the target value for the PRSUs. The target PRSUs are scheduled to vest in three equal annual
installments over a three-year period, beginning the year after approval. The performance-based vesting condition is satisfied upon the achievement of
certain Company annual performance metrics, including revenue growth and adjusted EBITDA margin, which are approved annually by the Board or the
CTC. Each annual installments at 200% of the annual target will be considered granted when the performance metrics for the corresponding performance
year is determined and approved. The actual number of the PRSUs earned and eligible to vest ranges from 0% to 200% of the annual target, based on the
weighted-average achievement of such Company annual performance metrics set for the corresponding annual performance period. Up to 100% of the first
and second installment will vest and be released upon completion of the respective performance period following the certification by the Audit and Risk
Committee (“ARC”), with cumulative achievement over 100%, if any, to be vested and released at the end of the third year performance period, along with
the third installment, following the certification by the ARC. Under the Plan, any unvested PRSU award may be accelerated in part or in full upon the
occurrence of certain events, such as death or disability, or a change in control, as defined in the grant agreement.
79
Table of Contents
Employee Stock Purchase Plan
The weighted-average grant date fair value of the Company’s ESPP for the year ended December 31, 2024 and 2023 was $35.67, $34.50 and $39.14
respectively, using the Black-Scholes-Merton option-pricing model based on the following assumptions:
Year Ended December 31,
2024
2023
2022
Expected term (in years)
0.5
0.5
0.5
Volatility
32.6% to 32.7%
30.0% to 43.8%
41.1% to 50.1%
Risk-free interest rate
5.0% to 5.3%
5.0% to 5.5%
0.7% to 3.1%
Dividend yield
—
—
—
The expected term of the ESPP represents the six-month offering period. The risk-free interest rate is based on the U.S. Treasury rates at the date of
grant with maturity dates equal to the expected term at the grant date. The volatility was estimated using the historical volatility derived from the
Company's common stock. The Company has not historically declared any dividends and does not expect to in the future.
Stock-based Compensation
The following table shows a summary of the stock-based compensation expenses included in the consolidated statements of operations for the years
ended December 31, 2024, 2023 and 2022:
Year Ended December 31,
2024
2023
2022
(in thousands)
Cost of revenues
$
8,129 $
7,300 $
5,305
Research and development
21,188
21,091
14,585
Sales and marketing
14,690
12,234
9,837
General and administrative
33,126
28,454
23,681
Total stock-based compensation, net of amounts capitalized (1)
$
77,133 $
69,079 $
53,408
(1)Total stock-based compensation expense capitalized was de minimis during the year ended December 31, 2024.
Of the total stock-based compensation expense in the table above, the Company recognized stock-based compensation expenses related to all PRSUs
of $12.4 million, $7.4 million and $3.9 million for the years ended December 31, 2024, 2023 and 2022, respectively.
The income tax benefit related to the stock-based compensation expenses was $11.6 million, $11.0 million and $8.3 million for the years ended
December 31, 2024, 2023 and 2022, respectively. The tax benefit realized from stock-based compensation vested or exercised was $5.2 million, $5.9
million, and $7.0 million for the years ended December 31, 2024, 2023 and 2022, respectively. As of December 31, 2024, the Company had unrecognized
stock-based compensation expenses of $19.7 million, $94.1 million, $1.4 million, and $0.3 million related to options, RSUs, performance-based RSUs, and
ESPP, respectively, which are expected to be recognized over weighted-average periods of 2.3 years, 2.9 years, 0.3 years, and 0.1 years, respectively.
80
Table of Contents
Share Repurchase Program
The Company's share repurchase program was authorized by the board of directors as follows:
Announcement Date
Authorized
Dollar Value
(in millions)
February 12, 2018
$
100.0
October 30, 2018
100.0
October 30, 2019
100.0
May 7, 2020
100.0
February 10, 2021
100.0
November 3, 2021
200.0
May 4, 2022
200.0
February 9, 2023
100.0
February 7, 2024
200.0
Total as of December 31, 2024
$
1,200.0
(1) Does not reflect the $200.0 million increase to the share repurchase program announced on February 6, 2025.
Shares may be repurchased from time to time on the open market in accordance with Rule 10b-18 of the Exchange Act of 1934, including pursuant
to a pre-set trading plan adopted in accordance with Rule 10b5-1 under the Exchange Act. All share repurchases have been made using cash resources.
Repurchased shares are retired and reclassified as authorized and unissued shares of common stock. On retirement of the repurchased shares, common
stock is reduced by an amount equal to the number of shares being retired multiplied by the par value. The excess amount that is retired over its par value is
first allocated as a reduction to additional paid-in capital based on the original cost of additional paid-in capital per share of identified issuances. The
remaining amount is allocated to accumulated deficit.
On February 6, 2025, the Company announced that its board of directors authorized an additional $200.0 million under the share repurchase
program, increasing the total amount of authorized repurchase to $1.4 billion.
For the years ended December 31, 2024, 2023 and 2022, the Company repurchased 1.0 million shares, 1.3 million shares and 2.5 million shares of
its common stock for $140.3 million, $170.8 million and $317.3 million, respectively. As of December 31, 2024, $143.4 million remained available for
share repurchases pursuant to the Company's share repurchase program.
Excise tax on stock repurchases net of issue was immaterial to the Company's financial results and cash flows for the years ended December 31, 2024
and 2023 and the Company's financial position as of December 31, 2024 and 2023.
NOTE 11. Employee Benefits Plan
The Company’s 401(k) Plan was established in 2000 to provide retirement and incidental benefits for its employees. As allowed under section
401(k) of the Internal Revenue Code, the 401(k) Plan provides tax-deferred salary deductions for eligible employees. Contributions to the 401(k) Plan are
limited to a maximum amount as set periodically by the Internal Revenue Service. For the years ended December 31, 2024, 2023 and 2022, the Company
made contributions to the 401(k) Plan of $4.4 million, $4.1 million and $3.5 million, respectively.
The Company contributes to a Provident Fund Plan for its employees in India, which is a defined contribution plan set up in accordance with local
labor and tax laws. Gratuity is also paid by the Company to eligible employees in India in accordance with Payment of Gratuity Act, 1972. For the years
ended December 31, 2024, 2023 and 2022, the Company contributed $3.2 million, $2.3 million and $2.0 million, respectively, to those plans.
(1)
81
Table of Contents
NOTE 12. Income Taxes
The Company’s geographical breakdown of income before income taxes is as follows:
Year Ended December 31,
2024
2023
2022
(in thousands)
Domestic
$
192,394 $
164,958 $
122,013
Foreign
17,428
13,693
11,687
Income before income taxes
$
209,822 $
178,651 $
133,700
Income tax provision consists of the following:
Year Ended December 31,
2024
2023
2022
(in thousands)
Current
Federal
$
39,989 $
32,405 $
35,286
State
5,885
6,061
6,269
Foreign
9,837
5,218
4,606
Current income tax provision
55,711
43,684
46,161
Deferred
Federal
(18,470)
(13,584)
(17,097)
State
(599)
(2,009)
(3,055)
Foreign
(500)
(1,035)
(301)
Deferred income tax benefit
(19,569)
(16,628)
(20,453)
Income tax provision
$
36,142 $
27,056 $
25,708
The reconciliation of the statutory federal income tax rate to the Company’s effective tax rate is as follows:
Year Ended December 31,
2024
2023
2022
Federal statutory rate
21.0 %
21.0 %
21.0 %
State taxes
2.3
2.6
2.3
Stock-based compensation
2.8
2.7
3.4
Excess tax benefits related to stock-based compensation
(2.2)
(2.9)
(5.2)
Foreign source income
2.1
0.3
3.8
Change in valuation allowance
—
0.1
0.3
Foreign-derived intangible income deduction
(4.8)
(4.4)
(4.9)
Federal and state research and development credit
(2.0)
(1.4)
(1.3)
Accrual to return adjustments and Other
(0.6)
(2.9)
(0.2)
Uncertain tax positions
(1.4)
—
—
Income tax provision
17.2 %
15.1 %
19.2 %
82
Table of Contents
Deferred Income Taxes
Deferred income taxes reflect the tax effects of temporary differences between the carrying amounts of assets and liabilities for financial reporting
purposes and the amounts used for income tax purposes. The components of the Company’s deferred tax assets and liabilities are as follows:
December 31,
2024
2023
(in thousands)
Deferred tax assets
Research and development credit carryforwards
$
11,636 $
11,502
Fixed assets
1,430
581
Accrued liabilities
4,243
3,020
Deferred revenues
4,787
3,381
Operating lease liabilities
9,504
7,722
Intangible assets
3,502
3,549
Stock-based compensation
3,659
4,263
Capitalized research and development
67,259
47,793
Other
1,026
2,999
Gross deferred tax assets
107,046
84,810
Valuation allowance
(12,454)
(12,375)
Total deferred tax assets
94,592
72,435
Deferred tax liabilities
Operating leases - right of use asset
(7,919)
(5,999)
Deferred commissions
(5,366)
(3,675)
Total deferred tax liabilities
(13,285)
(9,674)
Net deferred tax assets
$
81,307 $
62,761
The realization of deferred tax assets is dependent upon the generation of sufficient taxable income of the appropriate character in future periods.
The Company regularly assesses the ability to realize its deferred tax assets and establishes a valuation allowance if it is more-likely than-not that some
portion, or all, of the deferred tax assets will not be realized. The Company weighs all available positive and negative evidence, including its earnings
history and results of recent operations, scheduled reversals of deferred tax liabilities, projected future taxable income, and tax planning strategies. Due to
the weight of objectively verifiable negative evidence, it is more-likely-than-not that its California deferred tax assets will not be realized as of
December 31, 2024. Additionally, due to a lack of sufficient future income of the appropriate character, certain U.S. federal and state deferred tax assets are
not more-likely-than-not to be realized. Accordingly, the Company has recorded a valuation allowance of $12.5 million and $12.4 million against such
deferred tax assets as of December 31, 2024 and 2023, respectively. The increase in valuation allowance was mainly associated with the California research
and development credits generated during the year ended December 31, 2024.
As of December 31, 2024 and 2023, the Company had $18.4 million and $17.0 million, respectively, of California research and development credit
carryforwards. California research and development credits are carried forward indefinitely. As of December 31, 2024 and 2023, the Company had foreign
tax credit carryforwards of zero and $1.0 million, respectively.
83
Table of Contents
The following table summarizes the activity related to the Company’s unrecognized tax benefits:
Year Ended December 31,
2024
2023
2022
(in thousands)
Unrecognized tax benefits beginning balance
$
11,898 $
10,542 $
9,676
Gross increase for tax positions of prior years
1,283
262
89
Gross decrease for tax positions of prior years
—
—
—
Gross increase for tax positions of current year
2,048
1,127
777
Lapse of statute of limitations
(3,121)
(33)
—
Total unrecognized tax benefits
$
12,108 $
11,898 $
10,542
The unrecognized tax benefits, if recognized, would impact the income tax provision by $5.3 million, $6.1 million and $5.3 million as of
December 31, 2024, 2023 and 2022, respectively. The remaining amount would result in the recognition of a corresponding deferred tax asset that is then
offset by a full valuation allowance. As of December 31, 2024, the Company does not believe that its estimates, as otherwise provided for, on such tax
positions will significantly increase within the next twelve months. It is reasonably possible that the Company may recognize approximately $1.9 million of
its unrecognized tax benefits within the next twelve months if the statutes lapse in certain jurisdictions without an examination. The Company has elected
to include interest and penalties as a component of income tax expense. The amounts were not material for the years ended December 31, 2024, 2023 and
2022.
The Company files income tax returns in the United States, including various state jurisdictions. The Company’s subsidiaries file tax returns in India
and various other foreign jurisdictions. The tax years 2001 through 2023 still remain open to examination by certain major taxing jurisdictions in which the
Company is subject to tax. The Company is also currently subject to tax audits in various jurisdictions. The Company believes that an adequate provision
has been made for any adjustments that may result from tax examinations. However, the outcome of tax audits cannot be predicted with certainty. If any
issues addressed in the Company's tax audits are resolved in a manner inconsistent with its expectations, the Company could be required to adjust its
income tax provision in the period such resolution occurs.
As of December 31, 2024, the Company has undistributed earnings in certain foreign subsidiaries that the Company has indefinitely reinvested
outside the United States. Due to U.S. tax rules related to taxation of foreign earnings, the unrecorded deferred tax liability is immaterial. The Company
may be required to pay additional foreign withholding taxes if the Company repatriates those earnings in the future.
NOTE 13. Segment and Geographic Area Information
Under ASC 280 Segment Reporting, operating segments are defined as components of an entity about which separate financial information is
evaluated regularly by the chief operating decision maker in deciding how to allocate resources and in assessing performance. The Company operates in
one operating segment and has only one reportable segment. The Company’s chief operating decision maker is the Chief Executive Officer, who makes
operating decisions, assesses performance and allocates resources on a consolidated basis. All of the Company’s principal operations and decision-making
functions are located in the United States.
The key measure of segment profit or loss that the CODM uses to allocate resources and in assessing performance is the Company’s consolidated net
income, as reported on the Consolidated Statements of Operations. The CODM uses net income to monitor actual results against budgeted and prior period
operating results for the purpose of evaluating operational efficiency, and to evaluate income generated from the assets in making strategic decisions on
organizational resource allocation, as well as to benchmark segment performance against industry competitors.
The CODM manages the business using consolidated expense information. The following table sets forth the Company's reported segment revenue,
segment profit or loss, and significant segment expenses:
84
Table of Contents
Year Ended December 31,
2024
2023
2022
(in thousands)
Revenues
$
607,571 $
554,458 $
489,723
Less: Significant segment expenses
Cost of revenues (exclusive of stock-based compensation and amortization of intangible
assets)
100,516
97,198
92,136
Research and development (exclusive of stock-based compensation and amortization of
intangible assets)
90,598
89,281
86,262
Sales and marketing (exclusive of stock-based compensation)
113,613
99,457
87,384
General and administrative (exclusive of stock-based compensation)
35,612
33,287
34,300
Add: Other segment items (1)
(3,158)
(1,323)
(2,038)
Less: Stock-based compensation
77,133
69,079
53,408
Less: Amortization of intangible assets
2,903
3,087
5,686
Add: Interest income
25,784
16,905
5,191
Less: Income tax provision
36,142
27,056
25,708
Consolidated net income
$
173,680 $
151,595 $
107,992
(1)Other segment items included in Segment net income includes interest expense, realized and unrealized gain/loss on foreign exchange
transactions, and unrealized loss on non-marketable securities.
Revenue by geographic area, based on the customer's billing address, is as follows:
Year Ended December 31,
2024
2023
2022
(in thousands)
United States
$
354,584 $
332,315 $
292,291
Foreign
252,987
222,143
197,432
Total revenues
$
607,571 $
554,458 $
489,723
The measure of segment assets is reported on the balance sheet as total consolidated assets. Long-lived assets, which consist of Property and
equipment, net and Operating leases - right of use asset, by geographic area, are as follows:
December 31,
2024
2023
(in thousands)
United States
$
47,916 $
42,622
India
21,076
9,952
Rest of world
2,325
2,416
Total Long-lived Assets
$
71,317 $
54,990
85
Table of Contents
NOTE 14. Net Income Per Share
The computations for basic and diluted net income per share are as follows:
Year Ended December 31,
2024
2023
2022
(in thousands, except per share data)
Numerator:
Net income
$
173,680 $
151,595 $
107,992
Denominator:
Basic weighted average shares
36,799
36,879
38,453
Effect of potentially dilutive shares:
Stock options
343
482
672
Restricted stock units
206
237
216
Employee stock purchase plan
5
4
3
Diluted weighted average shares
37,353
37,602
39,344
Net income per share:
Basic
$
4.72 $
4.11 $
2.81
Diluted
$
4.65 $
4.03 $
2.74
Potentially dilutive shares not included in the calculation of diluted net income per share because doing so would be anti-dilutive are as follows:
Year Ended December 31,
2024
2023
2022
(in thousands)
Stock options
635
763
686
Restricted stock units
97
140
90
Employee stock purchase plan
—
7
5
Total anti-dilutive shares
732
910
781
86
Table of Contents
Item 9. Changes In and Disagreements with Accountants on Accounting and Financial Disclosure
None.
Item 9A. Controls and Procedures
Evaluation of Disclosure Controls and Procedures
Our management, with the participation of our Chief Executive Officer and Chief Financial Officer, evaluated the effectiveness of our disclosure
controls and procedures as of December 31, 2024. The term “disclosure controls and procedures,” as defined in Rules 13a-15(e) and 15d-15(e) under the
Exchange Act, means controls and other procedures of a company that are designed to ensure that information required to be disclosed by a company in the
reports that it files or submits under the Exchange Act is recorded, processed, summarized and reported, within the time periods specified in the Securities
and Exchange Commission’s rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure
that information required to be disclosed by a company in the reports that it files or submits under the Exchange Act is accumulated and communicated to
the company’s management, including its principal executive and principal financial officers, as appropriate to allow timely decisions regarding required
disclosure. Management recognizes that any controls and procedures, no matter how well designed and operated, can provide only reasonable assurance of
achieving their objectives and management necessarily applies its judgment in evaluating the cost-benefit relationship of possible controls and procedures.
Based on the evaluation of our disclosure controls and procedures as of December 31, 2024, our Chief Executive Officer and Chief Financial Officer
concluded that, as of such date, our disclosure controls and procedures were effective at the reasonable assurance level.
Management's Annual Report on Internal Control over Financial Reporting
Our management is responsible for establishing and maintaining adequate internal control over financial reporting, as such term is defined in Rules
13a-15(f) and 15d-15(f) of the Exchange Act. Our internal control over financial reporting is a process designed to provide reasonable assurance regarding
the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with U.S. GAAP. Our internal control
over financial reporting includes those policies and procedures that: (i) pertain to the maintenance of records that in reasonable detail accurately and fairly
reflect the transactions and dispositions of our assets, (ii) provide reasonable assurance that transactions are recorded as necessary to permit preparation of
financial statements in accordance with U.S. GAAP, and that our receipts and expenditures are being made only in accordance with authorizations of our
management and directors, and (iii) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition
of our assets that could have a material effect on our financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any
evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree
of compliance with the policies or procedures may deteriorate.
Under the supervision and with the participation of our management, including our Chief Executive Officer and Chief Financial Officer, we
conducted an evaluation of the effectiveness of our internal control over financial reporting as of December 31, 2024 based on the criteria established in the
2013 Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission, or COSO. Based on our
evaluation under the criteria set forth in the 2013 Internal Control - Integrated Framework issued by the COSO, our management concluded our internal
control over financial reporting was effective as of December 31, 2024.
The effectiveness of the Company's internal control over financial reporting as of December 31, 2024 has been audited by Grant Thornton LLP, an
independent registered public accounting firm, as stated in its report, which is included in Item 8 of this Annual Report on Form 10-K.
Changes in Internal Control over Financial Reporting
There was no change in our internal control over financial reporting identified in connection with the evaluation required by Rule 13a-15(d) and
15d-15(d) of the Exchange Act that occurred during the fourth quarter ended December 31, 2024 that has materially affected, or is reasonably likely to
materially affect, our internal control over financial reporting.
87
Table of Contents
Item 9B. Other Information
Securities Trading Plans of Directors and Executive Officers
During the three months ended December 31, 2024, no director or officer, as defined in Rule 16a-1(f), adopted or terminated a “Rule 10b5-1 trading
arrangement” or a “non-Rule 10b5-1 trading arrangement,” each as defined in Regulation S-K Item 408.
Item 9C. Disclosure Regarding Foreign Jurisdictions that Prevent Inspections
Not applicable.
88
Table of Contents
PART III
Item 10. Directors, Executive Officers and Corporate Governance
Executive Officers and Directors
Except as set forth below, the information required by this item is incorporated by reference to our Proxy Statement for our 2025 Annual Meeting of
Stockholders to be filed with the SEC within 120 days after the end of the fiscal year ended December 31, 2024.
Codes of Business Conduct and Ethics
Our Board of Directors has adopted a code of business conduct and ethics that applies to all of our employees, officers and directors, including our
Chief Executive Officer, Chief Financial Officer and other executive and senior financial officers. The code of business conduct and ethics is available on
our website at www.qualys.com. We expect that, to the extent required by law, any amendments to the code, or any waivers of its requirements, will be
disclosed on our website. We intend to disclose any waiver to the provisions of the code of business conduct and ethics that applies specifically to directors
or executive officers by filing such information on a Current Report on Form 8-K with the SEC, to the extent such filing is required by the NASDAQ Stock
Market's listing requirements; otherwise, we will disclose such waiver by posting such information on our website.
Item 11. Executive Compensation
The information required by this item is incorporated by reference to our Proxy Statement for our 2025 Annual Meeting of Stockholders to be filed
with the SEC within 120 days after the end of the fiscal year ended December 31, 2024.
Item 12. Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters
The information required by this item with respect to Item 403 of Regulation S-K regarding security ownership of certain beneficial owners and
management is incorporated by reference to our Proxy Statement for our 2025 Annual Meeting of Stockholders to be filed with the SEC within 120 days
after the end of the fiscal year ended December 31, 2024.
Securities Authorized for Issuance under Equity Compensation Plans
The following table summarizes information about our equity compensation plans as of December 31, 2024. All outstanding awards relate to our
common stock.
Plan Category
(a) Number of
Securities to be
Issued Upon
Exercise of
Outstanding
Options, Warrants
and
Rights
(b) Weighted-
Average Exercise
Price of
Outstanding
Options, Warrants
and Rights
(c) Number of
Securities
Remaining
Available for
Future Issuance
Under Equity
Compensation
Plans (Excluding
Securities Reflected
in Column (a))
(in thousands)
(in thousands)
Equity compensation plans approved by security holders
2,400 (2)
$
113.07 (3)
2,761 (4)
Equity compensation plans not approved by security holders
—
$
—
—
(1)Includes our Amended and Restated 2012 Equity Incentive Plan (Restated 2012 Plan) and 2021 Employee Stock Purchase Plan (ESPP).
(2)Consists of 1,086 thousand restricted stock units and 1,314 thousand shares underlying stock options.
(3)The weighted average exercise price is calculated based solely on outstanding stock options.
(1)
89
Table of Contents
(4)Consists of 2,326 thousand shares reserved for issuance under our Amended and Restated 2012 Plan and 435 thousand shares reserved for issuance
under our ESPP.
Item 13. Certain Relationships and Related Transactions, and Director Independence
The information required by this item is incorporated by reference to our Proxy Statement for our 2025 Annual Meeting of Stockholders to be filed
with the SEC within 120 days after the end of the fiscal year ended December 31, 2024.
Item 14. Principal Accountant Fees and Services
The information required by this item is incorporated by reference to our Proxy Statement for our 2025 Annual Meeting of Stockholders to be filed
with the SEC within 120 days after the end of the fiscal year ended December 31, 2024.
90
Table of Contents
PART IV
Item 15. Exhibits and Financial Statement Schedules
(a)(1) Financial Statements - The financial statements filed as part of this Annual Report on Form 10-K are listed on the Index to Consolidated
Financial Statements in Item 8.
(a)(2) Financial Statement Schedules - All financial statement schedules have been omitted since the required information is not applicable or has
been included in the consolidated financial statements and accompanying notes included in this Form 10-K.
(b) Exhibits
Incorporated by Reference
Exhibit
Number
Description
Filed
Herewith
Form
File No.
Exhibit
No.
Filing Date
3.1
Amended and Restated Certificate of Incorporation of
Qualys, Inc.
S-1/A
333-182027
3.3
September 12, 2012
3.2
Amended and Restated Bylaws of Qualys, Inc.
8-K
001-35662
3.1
November 2, 2022
4.1
Form of common stock certificate.
S-1/A
333-182027
4.1
September 12, 2012
4.2
Description of Registrant’s securities
10-K
001-35662
4.2
February 21, 2020
10.1*
2000 Equity Incentive Plan, as amended, and the form of
stock option agreement thereunder.
S-1
333-182027
10.1
June 8, 2012
10.2*
Qualys, Inc. 2012 Equity Incentive Plan, as amended and
restated
8-K
001-35662
10.1
June 13, 2024
10.3*
Qualys, Inc. 2021 Employee Stock Purchase Plan
8-K
001-35662
10.1
June 11, 2021
10.4*
Offer Letter, between Qualys, Inc. and Sumedh S. Thakar,
dated January 20, 2003.
S-1
333-182027
10.5
June 8, 2012
10.5*
Offer Letter, between Qualys, Inc. and Joo Mi Kim, dated
May 21, 2020.
8-K
001-35662
10.1
May 26, 2020
10.6*
Offer Letter, between Qualys, Inc. and Bruce K. Posey,
dated May 8, 2012.
S-1
333-182027
10.9
June 8, 2012
10.7*
Form of Stock Option Agreement under the 2012 Equity
Incentive Plan, as amended and restated
10-Q
001-35662
10.2
August 6, 2024
10.8*
Form of Restricted Stock Unit Agreement under the 2012
Equity Incentive Plan, as amended and restated
10-Q
001-35662
10.3
August 6, 2024
10.9*
Form of Performance-Based Restricted Stock Unit
Agreement for Executives under the 2012 Equity
Incentive Plan, dated October 28, 2021
10-K
001-35662
10.8
February 22, 2022
91
Table of Contents
Incorporated by Reference
Exhibit
Number
Description
Filed
Herewith
Form
File No.
Exhibit
No.
Filing Date
10.10*
Form of director and executive officer indemnification
agreement.
S-1/A
333-182027
10.10
August 10, 2012
10.11*
Qualys, Inc. Executive Performance Bonus Plan.
Schedule
14A,
Appendix
A
001-35662
N/A
April 25, 2016
10.12*#
Qualys, Inc. 2024 Corporate Bonus Plan.
X
10.13*
Qualys, Inc. Non-Employee Director Compensation
Program, as amended on October 30, 2024.
X
10.14
Lease Agreement, between Qualys, Inc. and Hudson
Metro Center, LLC, dated October 14, 2016.
8-K
001-35662
10.1
October 19, 2016
19.1
Qualys Inc. Insider Trading Policy, effective as of
February 24, 2023
X
21.1
List of subsidiaries of Qualys, Inc.
X
23.1
Consent of Grant Thornton LLP, independent registered
public accounting firm.
X
24.1
Power of Attorney (incorporated by reference to the
signature page of this Annual Report on Form 10-K)
X
31.1
Certification of Chief Executive Officer pursuant to Rule
13a-14(a) or Rule 15d-14(a) of the Securities Exchange
Act of 1934, as adopted pursuant to Section 302 of The
Sarbanes-Oxley Act of 2002.
X
31.2
Certification of Chief Financial Officer pursuant to Rule
13a-14(a) or Rule 15d-14(a) of the Securities Exchange
Act of 1934, as adopted pursuant to Section 302 of The
Sarbanes-Oxley Act of 2002.
X
32.1
Certification of Chief Executive Officer pursuant to Rule
13a-14(b) or Rule 15d-14(b) of the Securities Exchange
Act of 1934 and 18 U.S.C. Section 1350 as adopted
pursuant to Section 906 of The Sarbanes-Oxley Act of
2002.
X
92
Table of Contents
Incorporated by Reference
Exhibit
Number
Description
Filed
Herewith
Form
File No.
Exhibit
No.
Filing Date
32.2
Certification of Chief Financial Officer pursuant to Rule
13a-14(b) or Rule 15d-14(b) of the Securities Exchange
Act of 1934 and 18 U.S.C. Section 1350 as adopted
pursuant to Section 906 of The Sarbanes-Oxley Act of
2002.
X
97.1
Qualys Inc. Compensation Recovery Policy, as adopted
on October 26, 2023
10-K
001-35662
97.1
February 22, 2024
101.INS
Inline XBRL Instance Document - the instance document
does not appear in the Interactive Data File because its
XBRL tags are embedded within the Inline XBRL
document.
X
101.SCH
Inline XBRL Taxonomy Extension Schema Document.
X
101.CAL
Inline XBRL Taxonomy Extension Calculation Linkbase
Document.
X
101.DEF
Inline XBRL Taxonomy Extension Definition Linkbase.
X
101.LAB
Inline XBRL Taxonomy Extension Labels Linkbase
Document.
X
101.PRE
Inline XBRL Taxonomy Extension Presentation Linkbase
Document.
X
104
Cover Page Interactive Data File - formatted in Inline
XBRL and included as Exhibit 101.
X
* Indicates a management contract or compensatory plan or
arrangement.
# Portions of the exhibit, marked by brackets, have been
omitted because the omitted information (i) is not material
and (ii) would likely cause competitive harm if publicly
disclosed.
Item 16. Form 10-K Summary
None.
93
Table of Contents
SIGNATURES
Pursuant to the requirements of Section 13 or 15(d) of the Securities Exchange Act of 1934, the registrant has duly caused this Annual Report on Form 10-
K to be signed on its behalf by the undersigned, thereunto duly authorized, in the City of Foster City, State of California on February 21, 2025.
QUALYS, INC.
By:
/s/ SUMEDH S. THAKAR
Sumedh S. Thakar
President and Chief Executive Officer
(principal executive officer)
94
Table of Contents
POWER OF ATTORNEY
KNOW ALL PERSONS BY THESE PRESENTS, that each person whose signature appears below constitutes and appoints Sumedh S. Thakar and Joo Mi
Kim, jointly and severally, his or her attorney-in-fact, with the power of substitution, for him or her in any and all capacities, to sign any amendments to
this Annual Report on Form 10-K and to file the same, with exhibits thereto and other documents in connection therewith, with the Securities and
Exchange Commission, hereby ratifying and confirming all that each of said attorneys-in-fact, or his or her substitute or substitutes, may do or cause to be
done by virtue hereof.
Pursuant to the requirements of the Securities Exchange Act of 1934, this Annual Report on Form 10-K has been signed below by the following persons on
behalf of the Registrant and in the capacities and on the dates indicated.
Signature
Title
Date
/s/ SUMEDH S. THAKAR
Director, President and Chief Executive Officer (principal executive officer)
February 21, 2025
Sumedh S. Thakar
/s/ JOO MI KIM
Chief Financial Officer (principal financial officer and principal accounting officer)
February 21, 2025
Joo Mi Kim
/s/ JEFFREY P. HANK
Chair of the Board of Directors
February 21, 2025
Jeffrey P. Hank
/s/ THOMAS P. BERQUIST
Director
February 21, 2025
Thomas P. Berquist
/s/ WENDY M. PFEIFFER
Director
February 21, 2025
Wendy M. Pfeiffer
/s/ KRISTI M. ROGERS
Director
February 21, 2025
Kristi M. Rogers
/s/ JOHN A. ZANGARDI
Director
February 21, 2025
John A. Zangardi
95
Exhibit 10.12
[***] Certain information in this document has been excluded because it both (i) is not material and (ii) would likely cause competitive harm to
the registrant if publicly disclosed.
2024 CORPORATE BONUS PLAN
1. Purpose. The purpose of this 2024 Corporate Bonus Plan (the “Plan”) is to motivate and encourage the employees of Qualys (the “Company”)
to achieve its stated goals and to assist the Company in attracting, motivating and retaining employees on a competitive basis.
2. Eligibility
(a) An officer or employee of the Company is designated as a participant in the Plan ("Participant") and shall be eligible to participate in the Plan
if the employee is a regular full-time or regular part-time employee (working greater than 20 hours a week) and the employee is not already participating in
a separate Compensation Plan or MBO plan.
(b) New Hires. New employees hired in the first or second month of a quarter will be eligible to participate in the Plan for that quarter, such
participation will be prorated based on the number of working days employed in the quarter.
(c) Termination of Employment. To be eligible for the bonus, the employee must be employed as of the last working day of the quarter.
(d) Absence during Performance Period. If a Participant is absent for a period of more than one-half of the working days in a quarter, for any
reason, the Participant’s bonus payment will be prorated based on the number of working days the Participant actually worked compared to the total
number of working days during that quarter.
3. Bonus Criteria
(a) Bonus Period. The Bonus Plan is effective from January 1, 2024 through December 31, 2024. Each calendar quarter is a separate bonus
period.
(b) Bonus Level. A Participant’s level of participation in the Plan is set based on the corporate bonus level as of the last working day of that
quarter as well as their location and applicable variable plan during the Bonus Period as determined by the Human Resources Department. This will be
applied to the Participant’s base salary to determine the bonus amount.
Effective 1/1/2024
(c) Objective Criteria: The Plan payments will be based on ASV (as defined below), Revenue (as defined below) and Non-GAAP EPS (as
defined below).
(1) ASV. The stated goal is the growth in company-wide bookings as represented by Annual Subscription Value (“ASV”) for the current
quarter over the same quarter of the prior year. ASV is the sum of one year’s worth of subscribed revenues to Qualys for all new, renewal and
upsell subscriptions contracted by customers and channel partners in each quarter. ASV is determined by policies and practices administered by
the Controller and the final quarterly ASV amount is approved by the CFO.
(2) Revenue. The stated goal is the growth in company-wide revenue (as determined in accordance with GAAP and set forth in the
Company’s quarterly and annual financial statements) for the current quarter over the same quarter of the prior year.
(3) Non-GAAP EPS. The stated goal is Non-GAAP earnings per diluted share. Non-GAAP EPS is GAAP net income excluding effects
of stock-based compensation expense, amortization of intangible assets from acquisitions, non-recurring items, and certain tax effects divided by
weighted average shares (diluted) for the applicable quarter.
(d) Payout Calculation. A Participant’s bonus amount will be equal to the aggregate for each of the applicable objective goals as follows: the
payment percentage described below multiplied by the weighted percentage for the applicable goal. ASV Growth, Revenue Growth and Non-GAAP EPS
shall be the 3 goals and shall be equally weighted.
(1) ASV. The payout percentage scales based upon achievement of ASV. [***]
(2) Revenue. The payout percentage scales based upon achievement of Revenue. [***]
(3) Non-GAAP EPS. The payout percentage scales based upon achievement of Non-GAAP EPS. [***]
(e) Bonus Payments. Bonus payments to Participants under this Plan will be made with the first payroll of the second month following the end of
the quarter. Bonus payments are “gross” amounts, meaning that they constitute the full amount and that there will be no other increases (for example, to
cover income taxes). The company will deduct from any payment under the Plan the amount of all applicable income and employment taxes, and any other
amounts required by law to be withheld or deducted from such payment, and any voluntary deductions applicable. None of the payments will be “benefits
bearing” (i.e., the bonus amounts will not be used for purposes of determining any other company-provided benefits or compensation).
Administration. This Plan shall be administered by the Company’s CFO (except with respect to Participants who are the Company’s executive officers, in
which case the Compensation and Talent Committee of the Board of Directors will serve as the administrator), who may make and apply such rules deemed
desirable or necessary to administer the Plan in the best interests of the Company. All questions of interpretation or application of the Plan may be
addressed in writing to the CFO (or as applicable, the Compensation and Talent Committee), who shall review each inquiry in good faith, and each such
determination shall be final and binding. With the approval of the Compensation and Talent Committee, the results with respect to determination of ASV,
Revenue, and Non-GAAP EPS will be adjusted to remove the effects of charges for restructurings, discontinued operations, extraordinary items and all
items of gain, loss or expense determined to be extraordinary or unusual in nature or related to the disposal of a segment of a business or related to a change
in accounting principle, asset write-downs, litigation, claims, judgments or settlements, the effect of changes in tax law or other such laws or provisions
affecting reported results, accruals for reorganization and restructuring programs.
Effective 1/1/2024
Exhibit 10.13
Qualys, Inc.
Non-Employee Director Compensation Program
(as amended on October 30, 2024)
Our Compensation and Talent Committee is responsible for reviewing and making recommendations with respect to the compensation
of our non-employee directors. The committee’s practice is to engage a compensation consultant every year to conduct a full review and
competitive analysis (using the same peer group used to analyze executive compensation) of our non-employee directors’ compensation in
order to ensure that our directors’ compensation is in line with peer companies competing for director talent. Our current non-employee
director compensation program was reviewed and approved in 2024 in connection with input from Compensia, Inc. (“Compensia”), an
independent compensation consultant.
Equity Compensation
Upon joining our board of directors, each newly elected non-employee director will be granted an award of restricted stock units with an
intended “value” (based on the average of the closing prices of our common stock for the 30 trading days ending one week before the
applicable grant date) of $420,000 (the “Initial Award”), which may be different from the award’s actual grant date fair value. An Initial Award
will vest in three equal annual installments on each of the first three anniversaries of the first day of the month following the month that the
director joins our board of directors, subject to continued service to us through each vesting date.
On the date of each annual meeting of stockholders, each non-employee director who has served on our board of directors for at least
six months prior to such date will be granted an award of restricted stock units with an intended “value” (based on the average of the closing
prices of our common stock for the 30 trading days ending one week before the applicable grant date) of $250,000 (the “Annual Award”),
which may be different from the award’s actual grant date fair value. Annual Awards will vest on the earlier of the first anniversary of its grant
date or the day before the next annual meeting of stockholders, subject to continued service to us through the applicable vesting date.
Notwithstanding the vesting schedules described above, the vesting of each Initial Award and each Annual Award will accelerate in full
upon a “change in control” (as defined in our 2012 Equity Incentive Plan) of Qualys.
Cash Compensation
Our non-employee director compensation program provides that each year, each non-employee director will receive a cash retainer of
$35,000 for serving on our board of directors (the “Annual Retainer”). In addition to the Annual Retainer, the non-employee Chair of the
Board is entitled to an additional cash retainer of $50,000. The chairpersons and members of our board’s three standing committees are
entitled to the following cash retainers each year:
Board Committee
Chairperson
Retainer
Member
Retainer
Audit and Risk Committee
$
20,000
$10,000
Compensation and Talent Committee
15,000
7,500
Nominating and ESG Committee
10,000
5,000
Each non-employee director who serves as a committee chair will receive only the additional annual cash fee as the chair of the
committee, and not the additional annual fee as a member of the committee. All retainers in cash are paid in four equal installments on a
quarterly basis at the end of the applicable quarter, provided that the individual served as a non-employee director in the applicable capacity
during the full quarter. If a director did not serve in the applicable capacity for the full quarter, retainers are pro-rated, unless otherwise
approved by the board of directors.
Exhibit 19.1
QUALYS, INC.
________________
INSIDER TRADING POLICY
and
Guidelines with Respect to Certain Transactions in Securities
________________
Effective as of February 24, 2023
TABLE OF CONTENTS
Page
INTRODUCTION
1
Legal prohibitions on insider trading
1
Detection and prosecution of insider trading
1
Penalties for violation of insider trading laws and this Policy
1
Reporting violations
2
Personal responsibility
2
PERSONS AND TRANSACTIONS COVERED BY THIS POLICY
3
Persons covered by this Policy
3
Types of transactions covered by this Policy
3
Responsibilities regarding the nonpublic information of other companies
3
Applicability of this Policy after your departure
3
No exceptions based on personal circumstances
3
MATERIAL NONPUBLIC INFORMATION
4
“Material” information
4
“Nonpublic” information
5
POLICIES REGARDING MATERIAL NONPUBLIC INFORMATION
6
Confidentiality of nonpublic information
6
No trading on material nonpublic information
6
No disclosing material nonpublic information for the benefit of others
6
Obligation to disclose material nonpublic information to the Company
7
Responding to outside inquiries for information
7
TRADING BLACKOUT PERIODS
8
Quarterly blackout periods
8
Special blackout periods
8
Regulation BTR blackouts
8
No “safe harbors”
9
PRE-CLEARANCE OF TRADES
10
ADDITIONAL RESTRICTIONS AND GUIDANCE
11
Short sales
11
Derivative securities and hedging transactions
11
Using Company securities as collateral for loans
11
Holding Company securities in margin accounts
12
Placing open orders with brokers
12
LIMITED EXCEPTIONS
13
Transactions pursuant to a trading plan that complies with SEC rules
13
Receipt and vesting of stock options, restricted stock and stock appreciation rights
13
Exercise of stock options for cash; net share withholding
14
Purchases from the employee stock purchase plan
14
Stock splits, stock dividends and similar transactions
14
TABLE OF CONTENTS
(Continued)
Page
Certain Transfers by Will and for Tax Planning Purposes
14
Other exceptions
14
COMPLIANCE WITH SECTION 16 OF THE SECURITIES EXCHANGE ACT
15
Obligations under Section 16
15
Notification requirements to facilitate Section 16 reporting
15
Personal responsibility
15
ADDITIONAL INFORMATION
16
Delivery of Policy
16
Protected Activity Not Prohibited
16
Amendments
16
Qualys, Inc. – Insider Trading Policy
- ii -
INTRODUCTION
Qualys, Inc. (together with its subsidiaries, the “Company”) forbids the unauthorized disclosure of any nonpublic information
acquired in the course of your service with the Company and the misuse of material nonpublic information in securities trading. Any
such actions will be deemed violations of this Insider Trading Policy (the “Policy”). In furtherance of the Policy’s goals, the Company
will not transact in its own securities except in compliance with securities laws.
Legal prohibitions on insider trading
The antifraud provisions of U.S. federal securities laws prohibit directors, officers, employees and other individuals who possess
material nonpublic information from trading on the basis of that information. Transactions will be considered “on the basis of”
material nonpublic information if the person engaged in the transaction was aware of the material nonpublic information at the time of
the transaction. It is not a defense that the person did not “use” the information for purposes of the transaction.
Disclosing material nonpublic information directly or indirectly to others who then trade based on that information or making
recommendations or expressing opinions as to transactions in securities while aware of material nonpublic information (which is
sometime referred to as “tipping”) is also illegal. Both the person who provides the information, recommendation or opinion and the
person who trades based on it may be liable.
These illegal activities are commonly referred to as “insider trading”. State securities laws and securities laws of other
jurisdictions also impose restrictions on insider trading.
In addition, a company, as well as individual directors, officers and other supervisory personnel, may be subject to liability as
“controlling persons” for failure to take appropriate steps to prevent insider trading by those under their supervision, influence or
control. The Insider Trading and Securities Fraud Enforcement Act of 1988, for example, mandates that “[e]very person who, directly
or indirectly, controls any person liable [for insider trading] shall also be liable jointly and severally with and to the same extent as
such controlled person…unless the controlling person acted in good faith and did not directly or indirectly induce the act or acts
constituting the violation or cause of action.”
Detection and prosecution of insider trading
The U.S. Securities and Exchange Commission (the “SEC”), the Financial Industry Regulatory Authority (“FINRA”) and The
Nasdaq Stock Market use sophisticated electronic surveillance techniques to investigate and detect insider trading, and the SEC and
the U.S. Department of Justice pursue insider trading violations vigorously. Cases involving trading through foreign accounts, trading
by family members and friends and trading involving only a small number of shares have been successfully prosecuted.
Penalties for violation of insider trading laws and this Policy
Civil and criminal penalties. As of the effective date of this Policy, potential penalties for insider trading violations under U.S. federal
securities laws include:
•
damages in a private lawsuit;
•
disgorging any profits made or losses avoided;
•
imprisonment for up to 20 years;
Qualys, Inc. – Insider Trading Policy
- 1 -
•
criminal fines of up to $5 million for individuals and $25 million for entities;
•
civil fines of up to three times the profit gained or loss avoided;
•
a bar against serving as an officer or director of a public company; and
•
an injunction against future violations.
Civil and criminal penalties also apply to tipping. The SEC has imposed large penalties in tipping cases even when the disclosing
person did not trade or gain any benefit from another person’s trading.
Controlling person liability. U.S. Securities laws mandates that “[e]very person who, directly or indirectly, controls any person
liable [for insider trading] shall also be liable jointly and severally with and to the same extent as such controlled person…unless the
controlling person acted in good faith and did not directly or indirectly induce the act or acts constituting the violation or cause of
action.” As of the effective date of this Policy, the penalty for “controlling person” liability is a civil fine of up to the greater of $2.5
million or three times the profit gained or loss avoided as a result of the insider trading violations, as well as potential criminal fines
and imprisonment.
Company disciplinary actions. If the Company has a reasonable basis to conclude that you have failed to comply with this Policy,
you may be subject to disciplinary action by the Company, up to and including termination of your employment, regardless of whether
or not your failure to comply with this Policy results in a violation of law. It is not necessary for the Company to wait for the filing or
conclusion of any civil or criminal action against an alleged violator before taking disciplinary action. In addition, the Company may
give stop transfer and other instructions to the Company’s transfer agent to enforce compliance with this Policy.
Reporting violations
It is your responsibility to help enforce this Policy. The General Counsel and Legal Department are generally responsible for the
administration of this Policy. You should be alert to possible violations and promptly report violations or suspected violations of this
Policy to the General Counsel at 650-801-6252, 919 East Hillsdale Boulevard, Foster City, CA 94404, ATTENTION: General
Counsel, or bposey@qualys.com. If the General Counsel is implicated in your report, then you should report such possible violations
or suspected violations in accordance with the Company’s Whistleblower Policy. If your situation requires that your identity be kept
secret, your anonymity will be preserved to the greatest extent reasonably possible, or otherwise permitted by law. If you wish to
remain anonymous, send a letter addressed to the General Counsel at 919 East Hillsdale Boulevard, Foster City, CA 94404,
ATTENTION: General Counsel or the Audit Committee of the Board of Directors at 919 East Hillsdale Boulevard, Foster City, CA
94404, ATTENTION: Audit Committee, or contact the Qualys Confidential and Anonymous Financial Concern Hotline at
QLYS@openboard.info or 866-528-2457. If you make an anonymous report, please provide as much detail as possible, including any
evidence that you believe may be relevant to the issue.
Personal responsibility
The ultimate responsibility for complying with this Policy and applicable laws and regulations rests with you. You should use your
best judgment at all times and consult with your legal and financial advisors, as needed. We advise you to seek assistance if you have
any questions at all. The rules relating to insider trading can be complex, and a violation of insider trading laws can carry severe
consequences.
Qualys, Inc. – Insider Trading Policy
- 2 -
PERSONS AND TRANSACTIONS COVERED BY THIS POLICY
Persons covered by this Policy
This Policy applies to all directors, officers, employees and advisors (such as consultants and contractors) of the Company.
References in this Policy to “you” (as well as general references to directors, officers, employees and advisors of the Company) should
also be understood to include members of your immediate family, persons with whom you share a household, persons that are your
economic dependents and any other individuals or entities whose transactions in securities you influence, direct or control (including,
for example, a venture or other investment fund, if you influence, direct or control transactions by the fund). You are responsible for
making sure that these other individuals and entities comply with this Policy.
Types of transactions covered by this Policy
Except as discussed in the section entitled “Limited Exceptions”, this Policy applies to all transactions involving the securities of
the Company or the securities of other companies as to which you possess material nonpublic information obtained in the course of
your service with the Company. This Policy therefore applies to purchases, sales, gifts and other transfers of common stock, options,
warrants, preferred stock, debt securities (such as debentures, bonds and notes) and other securities. This Policy also applies to any
arrangements that affect economic exposure to changes in the prices of these securities. These arrangements may include, among other
things, transactions in derivative securities (such as exchange-traded put or call options), hedging transactions, short sales and certain
decisions with respect to participation in benefit plans. This Policy further applies to any distribution to holders of interests in an entity
if the entity is subject to this Policy. This Policy also applies to any offers with respect to the transactions discussed above. You should
note that there are no exceptions from insider trading laws or this Policy based on the size of the transaction.
Responsibilities regarding the nonpublic information of other companies
This Policy prohibits the unauthorized disclosure or other misuse of any nonpublic information of other companies, such as the
Company’s distributors, vendors, customers, collaborators, suppliers and competitors. This Policy also prohibits insider trading and
tipping based on the material nonpublic information of other companies.
Applicability of this Policy after your departure
You are expected to comply with this Policy until such time as you are no longer affiliated with the Company and you no longer
possess any material nonpublic information subject to this Policy. In addition, if you are subject to a trading blackout under this Policy
at the time you cease to be affiliated with the Company, you are expected to abide by the applicable trading restrictions until at least
the end of the relevant blackout period.
No exceptions based on personal circumstances
There may be instances where you suffer financial harm or other hardship or are otherwise required to forego a planned transaction
because of the restrictions imposed by this Policy. Personal financial emergency or other personal circumstances are not mitigating
factors under securities laws and will not excuse a failure to comply with this Policy.
Qualys, Inc. – Insider Trading Policy
- 3 -
MATERIAL NONPUBLIC INFORMATION
“Material” information
Information should be regarded as material if there is a substantial likelihood that a reasonable investor would consider it
important in deciding whether to buy, hold or sell securities or would view the information as significantly altering the total mix of
information in the marketplace about the issuer of the security. In general, any information that could reasonably be expected to affect
the market price of a security is likely to be material. Either positive or negative information may be material.
It is not possible to define all categories of “material” information. However, some examples of information that would often be
regarded as material include information with respect to:
•
Financial results, financial condition, earnings pre-announcements, guidance, projections or forecasts, particularly if
inconsistent with the expectations of the investment community;
•
Restatements of financial results, or material impairments, write-offs or restructurings;
•
Changes in independent auditors, or notification that the Company may no longer rely on an audit report;
•
Business plans or budgets;
•
Creation of significant financial obligations, or any significant default under or acceleration of any financial
obligation;
•
Impending bankruptcy or financial liquidity problems;
•
Significant developments involving business relationships, including execution, modification or termination of
significant agreements or orders with customers, suppliers, distributors, manufacturers or other business partners;
•
Product introductions, modifications, defects or recalls or significant pricing changes or other product announcements
of a significant nature;
•
Significant developments in research and development or relating to intellectual property;
•
Significant legal or regulatory developments, whether actual or threatened;
•
Major events involving the Company’s securities, including calls of securities for redemption, adoption of stock
repurchase programs, option repricings, stock splits, changes in dividend policies, public or private securities
offerings, modification to the rights of security holders or notice of delisting;
•
Significant corporate events, such as a pending or proposed merger, joint venture or tender offer, a significant
investment, the acquisition or disposition of a significant business or asset or a change in control of the company; and
•
Major personnel changes, such as changes in senior management or lay-offs.
If you have any questions as to whether information should be considered “material”, you should consult with the General
Counsel. In general, it is advisable to resolve any close questions as to the materiality of any information by assuming that the
information is material.
Qualys, Inc. – Insider Trading Policy
- 4 -
“Nonpublic” information
Information is considered nonpublic if the information has not been broadly disseminated to the public for a sufficient period to be
reflected in the price of the security. As a general rule, information should be considered nonpublic until at least two full trading days
have elapsed after the information is broadly distributed to the public in a press release, a public filing with the SEC, a pre-announced
public webcast or another broad, non-exclusionary form of public communication. However, depending upon the form of the
announcement and the nature of the information, it is possible that information may not be fully absorbed by the marketplace until a
later time. Any questions as to whether information is nonpublic should be directed to the General Counsel.
The term “trading day” means a day on which national stock exchanges and the National Association of Securities Dealers, Inc.
Automated Quotation System are open for trading. A “full” trading day has elapsed when, after the public disclosure, trading in the
relevant security has opened and then closed.
Qualys, Inc. – Insider Trading Policy
- 5 -
POLICIES REGARDING MATERIAL NONPUBLIC INFORMATION
Confidentiality of nonpublic information
The unauthorized use or disclosure of nonpublic information relating to the Company or other companies is prohibited. All
nonpublic information you acquire in the course of your service with the Company may only be used for legitimate Company business
purposes. In addition, nonpublic information of others should be handled in accordance with the terms of any relevant nondisclosure
agreements, and the use of any such nonpublic information should be limited to the purpose for which it was disclosed.
You must use all reasonable efforts to safeguard nonpublic information in the Company’s possession. You may not disclose
nonpublic information about the Company or any other company, unless required by law, or unless (i) disclosure is required for
legitimate Company business purposes, (ii) you are authorized to disclose the information and (iii) appropriate steps have been taken to
prevent misuse of that information (including entering an appropriate nondisclosure agreement that restricts the disclosure and use of
the information, if applicable). This restriction also applies to internal communications within the Company and to communications
with advisors of the Company. In cases where disclosing nonpublic information to third parties is required, you should coordinate with
the Legal Department.
All directors, officers, employees and advisors of the Company are required to sign and comply with an At Will Employment,
Confidential Information, Invention Assignment, and Arbitration Agreement.
No trading on material nonpublic information
Except as discussed in the section entitled “Limited Exceptions”, you may not, directly or indirectly through others, engage in
any transaction involving the Company’s securities while aware of material nonpublic information relating to the Company. It is not an
excuse that you did not “use” the information in your transaction.
Similarly, you may not engage in transactions involving the securities of any other company if you are aware of material nonpublic
information about that company (except to the extent the transactions are analogous to those presented in the section entitled “Limited
Exceptions”). For example, you may be involved in a proposed transaction involving a prospective business relationship or transaction
with another company. If information about that transaction constitutes material nonpublic information for that other company, you
would be prohibited from engaging in transactions involving the securities of that other company (as well as transactions involving
Company securities, if that information is material to the Company). It is important to note that “materiality” is different for different
companies. Information that is not material to the Company may be material to another company. You should note that the Company’s
Code of Business Conduct and Ethics prohibits you from acquiring financial investments in other companies if your ownership would
constitute a conflict of interests.
No disclosing material nonpublic information for the benefit of others
You may not disclose material nonpublic information concerning the Company or any other company to friends, family members
or any other person or entity not authorized to receive such information where such person or entity may benefit by trading on the
basis of such information. In addition, you may not make recommendations or express opinions on the basis of material nonpublic
information as to trading in the securities of companies to which such information relates. You are prohibited from engaging in these
actions whether or not you derive any profit or personal benefit from doing so.
Qualys, Inc. – Insider Trading Policy
- 6 -
Obligation to disclose material nonpublic information to the Company
You may not enter into any transaction, including those discussed in the section entitled “Limited Exceptions”, unless you have
disclosed any material nonpublic information that you become aware of in the course of your service with the Company, and that
senior management is not aware of, to the General Counsel. If you are a member of senior management, the information must be
disclosed to the Chief Executive Officer, and if you are the Chief Executive Officer or a director, you must disclose the information to
the board of directors, before any transaction is permissible.
Responding to outside inquiries for information
In the event you receive an inquiry from someone outside of the Company, such as a stock analyst, for information, you should
refer the inquiry to the Chief Financial Officer. The Company is required under Regulation FD (Fair Disclosure) of the U.S. federal
securities laws to avoid the selective disclosure of material nonpublic information. In general, the regulation provides that when a
public company discloses material nonpublic information, it must provide broad, non-exclusionary access to the information.
Violations of this regulation can subject the company to SEC enforcement actions, which may result in injunctions and severe
monetary penalties. The Company has established procedures for releasing material information in a manner that is designed to
achieve broad public dissemination of the information immediately upon its release in compliance with applicable law. Please consult
the Company’s External Communications Policy for more details.
Qualys, Inc. – Insider Trading Policy
- 7 -
TRADING BLACKOUT PERIODS
To limit the likelihood of trading at times when there is a significant risk of insider trading exposure, the Company has instituted
quarterly trading blackout periods and may institute special trading blackout periods from time to time. In addition, to comply with
applicable legal requirements, the Company may also institute blackout periods that prevent directors and officers from trading in
Company securities at a time when employees are prevented from trading Company securities in the Company’s 401(k) plan.
It is important to note that whether or not you are subject to blackout periods, you remain subject to the prohibitions on trading on
the basis of material nonpublic information and any other applicable restrictions in this Policy.
Quarterly blackout periods
Except as discussed in the section entitled “Limited Exceptions”, directors, executive officers and other employees and advisors
identified by the Company must refrain from conducting transactions involving the Company’s securities during quarterly blackout
periods. Even if you are not specifically identified as being subject to quarterly blackout periods, you should exercise caution when
engaging in transactions during quarterly blackout periods because of the heightened risk of insider trading exposure.
Quarterly blackout periods begin at the end of the last trading day of the second month of each fiscal quarter and end at the start of
the second full trading day following the date of public disclosure of the financial results for that fiscal quarter. This period is a
particularly sensitive time for transactions involving the Company’s securities from the perspective of compliance with applicable
securities laws due to the fact that, during this period, individuals may often possess or have access to material nonpublic information
relevant to the expected financial results for the quarter.
Individuals subject to quarterly blackout periods are listed on a schedule maintained by the General Counsel. From time to time,
the Company may identify other persons who should be subject to quarterly blackout periods, and the General Counsel may update
and revise the schedule as appropriate.
Special blackout periods
From time to time, the Company may also prohibit directors, officers, employees and advisors from engaging in transactions
involving the Company’s securities when, in the judgment of the General Counsel, a trading blackout is warranted. The Company will
generally impose special blackout periods when there are material developments known to the Company that have not yet been
disclosed to the public. For example, the Company may impose a special blackout period in anticipation of announcing interim
earnings guidance or a significant transaction or business development. However, special blackout periods may be declared for any
reason.
The Company will notify those persons subject a special blackout period. Each person who has been so identified and notified by
the Company may not engage in any transaction involving the Company’s securities until instructed otherwise by the General Counsel,
and should not disclose to others the fact of such suspension of trading.
Regulation BTR blackouts
Directors and executive officers may also be subject to trading blackouts pursuant to Regulation Blackout Trading Restriction, or
Regulation BTR, under U.S. federal securities laws. In general, Regulation BTR prohibits any director or executive officer from
engaging in certain transactions
Qualys, Inc. – Insider Trading Policy
- 8 -
involving Company securities during periods when 401(k) plan participants are prevented from purchasing, selling or otherwise
acquiring or transferring an interest in certain securities held in individual account plans. Any profits realized from a transaction that
violates Regulation BTR are recoverable by the Company, regardless of the intentions of the director or officer effecting the
transaction. In addition, individuals who engage in such transactions are subject to sanction by the SEC as well as potential criminal
liability. The Company has provided, or will provide, separate memoranda and other appropriate materials to its directors and
executive officers regarding compliance with Regulation BTR.
The Company will notify directors and officers if they are subject to a blackout trading restriction under Regulation BTR. Failure
to comply with an applicable trading blackout in accordance with Regulation BTR is a violation of law and this Policy.
No “safe harbors”
There are no unconditional “safe harbors” for trades made at particular times, and all persons subject to this Policy should exercise
good judgment at all times. Even when a quarterly blackout period is not in effect, you may be prohibited from engaging in
transactions involving the Company’s securities because you possess material nonpublic information, are subject to a special blackout
period or are otherwise restricted under this Policy.
Qualys, Inc. – Insider Trading Policy
- 9 -
PRE-CLEARANCE OF TRADES
Except as discussed in the section entitled “Limited Exceptions”, directors and executive officers should refrain from engaging in
any transaction involving the Company’s securities without first obtaining pre-clearance of the transaction from the General Counsel.
In addition, the Company has determined that certain other employees and advisors of the Company that may have regular or special
access to material nonpublic information should refrain from engaging in any transaction involving the Company’s securities without
first obtaining pre-clearance of the transaction from the General Counsel. The General Counsel may not engage in a transaction
involving the Company’s securities unless the Chief Financial Officer has pre-cleared the transaction. Individuals subject to pre-
clearance requirements are listed on a schedule maintained by the General Counsel. From time to time, the Company may identify
other persons who should be subject to the pre-clearance requirements set forth above, and the General Counsel may update and revise
the schedule as appropriate.
These pre-clearance procedures are intended to decrease insider trading risks associated with transactions by individuals with
regular or special access to material nonpublic information. In addition, requiring pre-clearance of transactions by directors and
officers facilitates compliance with Rule 144 resale restrictions under the Securities Act, the liability and reporting provisions of
Section 16 under the Exchange Act and Regulation BTR. Pre-clearance of a trade, however, is not a defense to a claim of insider
trading and does not excuse you from otherwise complying with insider trading laws or this Policy.
The General Counsel and Chief Financial Officer are under no obligation to approve a transaction submitted for pre-clearance, and
may determine not to permit the transaction.
Qualys, Inc. – Insider Trading Policy
- 10 -
ADDITIONAL RESTRICTIONS AND GUIDANCE
This section addresses certain types of transactions that may expose you and the Company to significant risks. You should
understand that, even though a transaction may not be expressly prohibited by this section, you are responsible for ensuring that the
transaction otherwise complies with other provisions in this Policy that may apply to the transaction, such as the general prohibition
against insider trading as well as pre-clearance procedures and blackout periods, to the extent applicable.
Short sales
Short sales (i.e., the sale of a security that must be borrowed to make delivery) and “selling short against the box” (i.e., a sale with
a delayed delivery) with respect to Company securities are prohibited under this Policy. Short sales may signal to the market possible
bad news about the Company or a general lack of confidence in the Company’s prospects, and an expectation that the value of the
Company’s securities will decline. In addition, short sales are effectively a bet against the Company’s success and may reduce the
seller’s incentive to improve the Company’s performance. Short sales may also create a suspicion that the seller is engaged in insider
trading.
Derivative securities and hedging transactions
If you are required to comply with Section 16 of the Securities Exchange Act or the blackout periods or pre-clearance
requirements under this Policy, you are prohibited from engaging in transactions in publicly-traded options, such as puts and calls, and
other derivative securities with respect to the Company’s securities. This prohibition extends to any hedging or similar transaction
designed to decrease the risks associated with holding Company securities. Stock options, stock appreciation rights and other securities
issued pursuant to Company benefit plans or other compensatory arrangements with the Company are not subject to this prohibition.
Even if you are not prohibited from engaging in derivatives transactions, you should exercise caution when doing so. Transactions
in derivative securities may reflect a short-term and speculative interest in the Company’s securities and may create the appearance of
impropriety, even where a transaction does not involve trading on inside information. Trading in derivatives may also focus attention
on short-term performance at the expense of the Company’s long-term objectives. In addition, the application of securities laws to
derivatives transactions can be complex, and persons engaging in derivatives transactions run an increased risk of violating securities
laws if not careful.
Using Company securities as collateral for loans
If you are required to comply with Section 16 of the Securities Exchange Act or the blackout periods or pre-clearance
requirements under this Policy, you may not pledge Company securities as collateral for loans. If you default on the loan, the lender
may sell the pledged securities as collateral in a foreclosure sale. The sale, even though not initiated at your request, is still considered
a sale for your benefit and, if made at a time when you are aware of material nonpublic information or otherwise are not permitted to
trade in Company securities, may result in inadvertent insider trading violations, Section 16 and Reg. BTR violations (for officers and
directors), violations of this Policy and unfavorable publicity for you and the Company. For these same reasons, even if you are not
prohibited from pledging Company securities as collateral for loans, you should exercise caution when doing so.
Qualys, Inc. – Insider Trading Policy
- 11 -
Holding Company securities in margin accounts
If you are required to comply with Section 16 of the Securities Exchange Act or the blackout periods or pre-clearance
requirements under this Policy, you may not hold Company securities in margin accounts. Under typical margin arrangements, if you
fail to meet a margin call, the broker may be entitled to sell securities held in the margin account without your consent. The sale, even
though not initiated at your request, is still considered a sale for your benefit and, if made at a time when you are aware of material
nonpublic information or are otherwise not permitted to trade, may result in inadvertent insider trading violations, Section 16 and Reg.
BTR violations (for officers and directors), violations of this Policy and unfavorable publicity for you and the Company. For these
same reasons, even if you are not prohibited from holding Company securities in margin accounts, you should exercise caution when
doing so.
Placing open orders with brokers
Except in accordance with an approved trading plan (as discussed below), you should exercise caution when placing open orders,
such as limit orders or stop orders, with brokers, particularly where the order is likely to remain outstanding for an extended period of
time. Open orders may result in the execution of a trade at a time when you are aware of material nonpublic information or otherwise
are not permitted to trade in Company securities, which may result in inadvertent insider trading violations, Section 16 and Reg. BTR
violations (for officers and directors), violations of this Policy and unfavorable publicity for you and the Company. If you are subject
to blackout periods or pre-clearance requirements, you should so inform any broker with whom you place any open order at the time it
is placed.
Qualys, Inc. – Insider Trading Policy
- 12 -
LIMITED EXCEPTIONS
The following are certain limited exceptions to the restrictions imposed by the Company under this Policy. Please be aware that
even if a transaction is subject to an exception to this Policy, you will need to separately assess whether the transaction complies with
applicable law. For example, even if a transaction is indicated as exempt from this Policy, you may need to comply with the “short-
swing” trading restrictions under Section 16 of the Exchange Act, to the extent applicable. You are responsible for complying with
applicable law at all times.
Transactions pursuant to a trading plan that complies with SEC rules
The SEC has enacted rules that provide an affirmative defense against alleged violations of U.S. federal insider trading laws for
transactions pursuant to trading plans that meet certain requirements. In general, these rules, as set forth in Rule 10b5-1 under the
Securities Exchange Act, provide for an affirmative defense if you enter into a contract, provide instructions or adopt a written plan for
trading securities when you are not aware of material nonpublic information. The contract, instructions or plan must (i) specify the
amount, price and date of the transaction, (ii) specify an objective method for determining the amount, price and date of the transaction
and/or (iii) place any subsequent discretion for determining the amount, price and date of the transaction in another person who is not,
at the time of the transaction, aware of material nonpublic information.
Transactions made pursuant to a written trading plan that (i) complies with the affirmative defense set forth in Rule 10b5-1 and (ii)
is approved by the General Counsel, are not subject to the restrictions in this Policy against trades made while aware of material
nonpublic information or to the pre-clearance procedures or blackout periods established under this Policy. In approving a trading plan,
the General Counsel may, in furtherance of the objectives expressed in this Policy, impose criteria in addition to those set forth in Rule
10b5-1. You should therefore confer with the General Counsel prior to entering into any trading plan.
The SEC rules regarding trading plans are complex and must be complied with completely to be effective. The description
provided above is only a summary, and the Company strongly advises that you consult with your legal advisor if you intend to adopt a
trading plan. While trading plans are subject to review and approval by the Company, the individual adopting the trading plan is
ultimately responsible for compliance with Rule 10b5-1 and ensuring that the trading plan complies with this Policy.
Trading plans must (1) be submitted to the General Counsel for approval, and (2) comply with the requirements set forth in the
policy entitled “Requirements for Trading Plans” as established by the Company and as may be updated from time to time. If the
General Counsel is the requester, then the Chief Financial Officer must approve the written 10b5-1 trading plan. The Company may
publicly disclose information regarding trading plans that you may enter.
Receipt and vesting of stock options, restricted stock and stock appreciation rights
The trading restrictions under this Policy do not apply to the acceptance or purchase of stock options, restricted stock or stock
appreciation rights issued or offered by the Company. The trading restrictions under this Policy also do not apply to the vesting,
cancellation or forfeiture of stock options, restricted stock or stock appreciation rights in accordance with applicable plans and
agreements.
Qualys, Inc. – Insider Trading Policy
- 13 -
Exercise of stock options for cash; net share withholding
The trading restrictions under this Policy do not apply to the exercise of stock options, where the purchase price of such stock
options is paid in cash or in a stock-for-stock exercise, and there is no other associated market activity. Likewise, the trading
restrictions under this Policy do not apply to net share withholding to cover tax obligations in connection with an option exercise or an
RSU vesting event, (x) as required by either the Board of Directors (or a committee thereof) or the award agreement governing such
equity award or (y) as you elect, if permitted by the Company, so long as that election is irrevocable and made in writing at a time
when a trading blackout is not in place and you are not in possession of material nonpublic information. However, the trading
restrictions under this Policy do apply to (i) the sale of any securities issued upon the exercise of a stock option or upon an RSU
vesting event, (ii) a cashless exercise of a stock option through a broker, since this involves selling a portion of the underlying shares to
cover the costs of exercise, and (iii) any other market sale for the purpose of generating the cash needed to pay the exercise price of an
option.
Purchases from the employee stock purchase plan
The trading restrictions in this Policy do not apply to elections with respect to participation in any employee stock purchase plan of
the Company or to purchases of securities under any such plan. However, the trading restrictions do apply to any subsequent sales of
any such securities.
Stock splits, stock dividends and similar transactions
The trading restrictions under this Policy do not apply to a change in the number of securities held as a result of a stock split or
stock dividend applying equally to all securities of a class, or similar transactions.
Certain Transfers by Will and for Tax Planning Purposes
The trading restrictions in this Policy do not apply to transfers by will or the laws of descent or distribution and, provided that prior
written notice is provided to the General Counsel, distributions or transfers (such as certain tax planning or estate planning transfers)
that effect only a change in the form of beneficial interest without changing your pecuniary interest in the Company’s securities.
Other exceptions
Any other exception from this Policy must be approved by the General Counsel, in consultation with the Board of Directors or an
independent committee of the Board of Directors.
Qualys, Inc. – Insider Trading Policy
- 14 -
COMPLIANCE WITH SECTION 16 OF THE SECURITIES EXCHANGE ACT
Obligations under Section 16
Section 16 of the Securities Exchange Act of 1934, and the related rules and regulations, set forth
(i) reporting obligations, (ii) limitations on “short-swing” transactions and (iii) limitations on short sales and other transactions
applicable to directors, officers, large shareholders and certain other persons. The Company has provided, or will provide, memoranda
and other materials addressing these matters.
The Company has determined those persons who are required to comply with Section 16 of the Securities Exchange Act of 1934,
and the related rules and regulations, because of their positions with the Company. The General Counsel maintains a Section 16
schedule and may amend it from time to time as appropriate to reflect the election of new officers or directors, any change in the
responsibilities of officers or other employees and any promotions, demotions, resignations or departures. Section 16 persons are
informed of their status as such.
Notification requirements to facilitate Section 16 reporting
To facilitate timely reporting of transactions pursuant to Section 16 requirements, each person subject to Section 16 reporting
requirements must provide, or must ensure that his or her broker provides, the Company with detailed information (e.g., trade date,
number of shares, exact price, etc.) regarding his or her transactions involving the Company’s securities, including gifts, transfers,
pledges and transactions pursuant to a trading plan, both prior to (to confirm compliance with pre-clearance procedures, if applicable)
and promptly following execution.
Personal responsibility
The obligation to file Section 16 reports, and to otherwise comply with Section 16, is personal. The Company is not responsible
for the failure to comply with Section 16 requirements.
Qualys, Inc. – Insider Trading Policy
- 15 -
ADDITIONAL INFORMATION
Delivery of Policy
This Policy will be delivered to all directors, officers, employees and advisors of the Company when they commence service with
the Company. In addition, this Policy (or a summary of this Policy) will be circulated periodically. Each director, officer, employee and
agent of the Company is required to acknowledge that he or she understands, and agrees to comply with, this Policy.
Protected Activity Not Prohibited
Nothing in this Policy, or any related guidelines or other documents or information provided in connection with this Policy, shall in
any way limit or prohibit you from engaging in any of the protected activities set forth in the Company’s Whistleblower Policy, as
amended from time to time.
Amendments
We are committed to continuously reviewing and updating our policies and procedures. The Company therefore reserves the right
to amend, alter or terminate this Policy at any time and for any reason, subject to applicable law. Unless otherwise permitted by this
Policy, any amendments must be approved by the Board of Directors. A current copy of the Company’s policies regarding insider
trading may be obtained by contacting the General Counsel.
* * *
Nothing in this Insider Trading Policy creates or implies an employment contract or term of employment. Employment at the
Company is employment at-will. Employment at-will may be terminated with or without cause and with or without notice at any time
by the employee or the Company. Nothing in this Insider Trading Policy shall limit the right to terminate employment at-will. No
employee of the Company has any authority to enter into any agreement for employment for a specified period of time or to make any
agreement or representation contrary to the Company’s policy of employment at-will. Only the Chief Executive Officer of the Company
has the authority to make any such agreement, which must be in writing.
The policies in this Insider Trading Policy do not constitute a complete list of Company policies or a complete list of the types of
conduct that can result in discipline, up to and including discharge.
Qualys, Inc. – Insider Trading Policy
- 16 -
QUALYS, INC.
REQUIREMENTS FOR TRADING PLANS
(Effective as of February 24, 2023)
For transactions under a trading plan to be exempt from (i) the prohibitions in the company’s insider trading policy with respect to
transactions made while aware of material nonpublic information and (ii) the pre-clearance procedures and blackout periods established
under the insider trading policy, the trading plan must comply with the affirmative defense set forth in Exchange Act Rule 10b5-1 and must
meet the following requirements:
1.
The trading plan must be in writing and signed by the person adopting the trading plan.
2.
The trading plan must be adopted at a time when:
•
the person adopting the trading plan is not aware of any material nonpublic information; and
•
there is no quarterly, special or other trading blackout in effect with respect to the person adopting the plan.
3.
The trading plan must be entered in good faith and not as part of a plan or scheme to evade the prohibitions of Rule 10b5-1, and
the person adopting the trading plan must act in good faith with respect to the trading plan.
4.
The trading plan must include representations that, on the date of adoption of the trading plan, the person adopting the trading
plan:
•
is not aware of material nonpublic information about the securities or the company; and
•
is adopting the trading plan in good faith and not as part of a plan or scheme to evade the prohibitions of Rule 10b5-1.
5.
The person adopting the trading plan may not have entered into or altered a corresponding or hedging transaction or position with
respect to the securities subject to the trading plan and must agree not to enter into any such transaction while the trading plan is in
effect.
6.
The first trade under the trading plan may not occur until the expiration of a cooling-off period consisting of the later of (a) 90
calendar days after the adoption of the trading plan and (b) two business days after the filing by the company of its financial results
in a Form 10-Q or Form 10-K for the completed fiscal quarter in which the trading plan was adopted (but, in any event, this
required cooling-off period is subject to a maximum of 120 days after adoption of the trading plan).
7.
The trading plan must have a minimum term of one year (starting from the date of adoption of the trading plan).
8.
All transactions during the term of the trading plan (except for the other “Limited Exceptions” identified in the company’s insider
trading policy) must be conducted through the trading plan. In addition, the person adopting the trading plan may not have an
outstanding (and may not subsequently enter into any additional) trading plan except as permitted by Rule 10b5-1.
9.
Any modification or change to the amount, price or timing of transactions under the trading plan is deemed the termination of the
trading plan, and the adoption of a new trading plan (a “Modification”). Therefore, a Modification is subject to the same
conditions as a new trading plan as set forth in Sections 1 through 8 herein.
10. Within the one year period preceding the adoption or a Modification of a trading plan, a person may not have otherwise modified
or adopted or had a Modification to a plan more than once.
11. A person may adopt a trading plan designed to cover a single trade only once in any consecutive 12- month period except as
permitted by Rule 10b5-1.
12. If the person that adopted the trading plan terminates the plan prior to its stated duration, he or she may not trade in the company’s
securities until after the expiration of 30 calendar days following termination, subject to and in accordance with the company’s
insider trading policy. Termination of the existing trading plan prior to its scheduled termination date may impact the timing of the
first trade or the availability of the affirmative defense for a new trading plan; therefore, persons adopting a new trading plan are
advised to exercise caution and consult with the General Counsel prior to the early termination of an existing trading plan.
13. The company must be promptly notified of any Modification or termination of the trading plan, including any suspension of
trading under the trading plan.
14. The company must have authority to require the suspension or cancellation of the trading plan at any time.
15. If the trading plan grants discretion to a stockbroker or other person with respect to the execution of trades under the trading plan:
•
trades made under the trading plan must be executed by someone other than the stockbroker or other person that executes
trades in other securities for the person adopting the trading plan;
•
the person adopting the trading plan may not confer with the person administering the trading plan regarding the company
or its securities; and
•
the person administering the trading plan must provide prompt notice to the company of the execution of a transaction
pursuant to the plan.
16. All transactions under the trading plan must be in accordance with applicable law.
17. The trading plan (including any Modification) must meet such other requirements as the Legal Department may determine.
18. Any trading plans adopted or modified prior to February 27, 2023 (the “Effective Date”) are permitted to continue in place until all
trades are executed thereunder or they expire by their terms (“Grandfathered Plans”). If the person undertakes a Modification of a
Grandfathered Plan on or after the Effective Date, then the Modification must meet all of the requirements set forth herein.
Qualys, Inc. – Requirements for Trading Plans
- 2 -
Exhibit 21.1
List of subsidiaries of Qualys, Inc.*
Name of Subsidiary
Jurisdiction of Incorporation or
Organization
Qualys International, Inc.
Delaware
Blue Jay Acquisition Sub, Inc.
Delaware
Qualys Brazil Desenvolvimento de Produtos e Consultoria de Tecnologias de Seguranca LTDA.
Brazil
Qualys Canada, Ltd.
Canada
Qualys Technologies, S.A.
France
Qualys Italy S.R.L.
Italy
Qualys GmbH
Germany
Qualys Hong Kong Limited
Hong Kong
Qualys Security TechServices Private Ltd.
India
Qualys Japan K.K.
Japan
Qualys Singapore Pte. Ltd.
Singapore
Qualys Middle East FZE
United Arab Emirates
Qualys Ltd.
United Kingdom
Qualys Australia Pty Ltd.
Australia
Qualys Switzerland Sarl
Switzerland
Qualys Colombia S.A.S.
Colombia
Qualys South Africa Proprietary Limited
South Africa
Qualys Netherlands B.V.
The Netherlands
* Inclusion on the list above is not an admission that any of the above entities, individually or in the aggregate, constitutes a significant subsidiary within
the meaning of Rule 1-02(w) of Regulation S-X and Item 601(b)(21)(ii) of Regulation S-K.
Exhibit 23.1
CONSENT OF INDEPENDENT REGISTERED PUBLIC ACCOUNTING FIRM
We have issued our reports dated February 21, 2025, with respect to the consolidated financial statements and internal control over financial reporting
included in the Annual Report of Qualys, Inc. on Form 10-K for the year ended December 31, 2024. We consent to the incorporation by reference of said
reports in the Registration Statements of Qualys, Inc. on Forms S-8 (File Nos. 333-184394, 333-193576, 333-202587, 333-209735, 333-216232, 333-
223192, 333-229908, 333-236576, 333-253373, 333-257657, 333-262912 and 333-281316).
/s/ GRANT THORNTON LLP
San Francisco, California
February 21, 2025
Exhibit 31.1
CERTIFICATION OF CHIEF EXECUTIVE OFFICER
PURSUANT TO RULE 13a-14(a) OR RULE 15d-14(a)
OF THE SECURITIES EXCHANGE ACT OF 1934
I, Sumedh S. Thakar, certify that:
1.
I have reviewed this annual report on Form 10-K of Qualys, Inc.;
2.
Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the
statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this
report;
3.
Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the
financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report;
4.
The registrant’s other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in
Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-
15(f)) for the registrant and have:
(a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to
ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those
entities, particularly during the period in which this report is being prepared;
(b) Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our
supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for
external purposes in accordance with generally accepted accounting principles;
(c) Evaluated the effectiveness of the registrant’s disclosure controls and procedures and presented in this report our conclusions about the
effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
(d) Disclosed in this report any change in the registrant’s internal control over financial reporting that occurred during the registrant’s most recent
fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to
materially affect, the registrant’s internal control over financial reporting; and
5.
The registrant's other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the
registrant's auditors and the audit committee of the registrant's board of directors (or persons performing the equivalent functions):
(a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably
likely to adversely affect the registrant's ability to record, process, summarize and report financial information; and
(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal control
over financial reporting.
Date:
February 21, 2025
By:
/s/ SUMEDH S. THAKAR
Sumedh S. Thakar
President and Chief Executive Officer
(principal executive officer)
Qualys, Inc.
Exhibit 31.2
CERTIFICATION OF CHIEF FINANCIAL OFFICER
PURSUANT TO RULE 13a-14(a) OR RULE 15d-14(a)
OF THE SECURITIES EXCHANGE ACT OF 1934
I, Joo Mi Kim, certify that:
1.
I have reviewed this annual report on Form 10-K of Qualys, Inc.;
2.
Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the
statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this
report;
3.
Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the
financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report;
4.
The registrant's other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in
Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-
15(f)) for the registrant and have:
(a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to
ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those
entities, particularly during the period in which this report is being prepared;
(b) Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our
supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for
external purposes in accordance with generally accepted accounting principles;
(c) Evaluated the effectiveness of the registrant’s disclosure controls and procedures and presented in this report our conclusions about the
effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
(d) Disclosed in this report any change in the registrant’s internal control over financial reporting that occurred during the registrant’s most recent
fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to
materially affect, the registrant’s internal control over financial reporting; and
5.
The registrant's other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the
registrant's auditors and the audit committee of the registrant's board of directors (or persons performing the equivalent functions):
(a) All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably
likely to adversely affect the registrant's ability to record, process, summarize and report financial information; and
(b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal control
over financial reporting.
Date:
February 21, 2025
By:
/s/ JOO MI KIM
Joo Mi Kim
Chief Financial Officer
(principal financial and accounting officer)
Qualys, Inc.
Exhibit 32.1
CERTIFICATION OF CHIEF EXECUTIVE OFFICER
PURSUANT TO RULE 13a-14(b) OR RULE 15d-14(b)
OF THE SECURITIES EXCHANGE ACT OF 1934 AND 18 U.S.C. SECTION 1350
In connection with the Annual Report of Qualys, Inc. (the “Company”) on Form 10-K for the year ended December 31, 2024, as filed with the Securities
and Exchange Commission on the date hereof (the “Report”), I, Sumedh S. Thakar, Chief Executive Officer of the Company, certify, pursuant to 18 U.S.C.
§ 1350, as adopted pursuant to § 906 of the Sarbanes-Oxley Act of 2002, that, to the best of my knowledge:
(1) The Report fully complies with the requirements of Section 13(a) or 15(d) of the Securities Exchange Act of 1934; and
(2) The information contained in the Report fairly presents, in all material respects, the financial condition and results of operations of the
Company.
Date:
February 21, 2025
By:
/s/ SUMEDH S. THAKAR
Sumedh S. Thakar
President and Chief Executive Officer
(principal executive officer)
Qualys, Inc.
Exhibit 32.2
CERTIFICATION OF CHIEF FINANCIAL OFFICER
PURSUANT TO RULE 13a-14(b) OR RULE 15d-14(b)
OF THE SECURITIES EXCHANGE ACT OF 1934 AND 18 U.S.C. SECTION 1350
In connection with the Annual Report of Qualys, Inc. (the “Company”) on Form 10-K for the year ended December 31, 2024, as filed with the Securities
and Exchange Commission on the date hereof (the “Report”), I, Joo Mi Kim, Chief Financial Officer of the Company, certify, pursuant to 18 U.S.C. §
1350, as adopted pursuant to § 906 of the Sarbanes-Oxley Act of 2002, that, to the best of my knowledge:
(1) The Report fully complies with the requirements of Section 13(a) or 15(d) of the Securities Exchange Act of 1934; and
(2) The information contained in the Report fairly presents, in all material respects, the financial condition and results of operations of the
Company.
Date:
February 21, 2025
By:
/s/ JOO MI KIM
Joo Mi Kim
Chief Financial Officer
(principal financial and accounting officer)
Qualys, Inc.