The number of cyberattacks globally cost companies an estimated $3 trillion in 2015 and this is forecasted to increase to an eye-watering $10.5 trillion by 2025. Therefore it is no surprise that the Cybersecurity industry is forecast to grow at a solid 13.4% compounded annual growth rate [CAGR] and be worth $376 billion by 2029. A key player which will benefit from this growth trend is Qualys (NASDAQ:QLYS) a leading cybersecurity and compliance solutions provider. The company boasts over 66% of the Forbes Global 50 as customers and 46% of the Global 500. Notable customers include Apple, Amazon, Cisco, Netflix, Visa, Mastercard, and many more. Qualys has reported strong financials for the third quarter of 2022, beating both top and bottom-line growth estimates. In this post, I’m going to break down the business model, financials, and valuation for Qualys, let’s dive in.
Business Model Recap
In my previous post on Qualys I covered its business model in great detail, here is a quick recap. Qualys provides a unified cybersecurity and compliance platform. Historically, many companies use multiple single-point solutions for their cybersecurity tech stack, this can be complex to manage and costly. Qualys solves this problem with its consolidated platform that combines over 20 IT, security, and compliance products. This includes applications across five main pillars; Asset Management, I.T Security, Compliance, Cloud/Container Security and Web App Security.
Its most popular platform is the Vulnerability Management Detection and Response [VMDR] solution. This enables users to track their assets, get “preemptive” attack alerts, and even set up automated remediation with a no-code dashboard.
The company’s VMDR is highly rated with 4.4 out of 5 stars, according to Gartner reviews. In addition, the company estimates a $51 billion expanding market opportunity across all its solutions by 2025.
Qualys continues to report strong financial results for the third quarter of 2022. Revenue was $125.56 million which increased by 19.7% year over year and beat analyst estimates by $1.01 million. Year to date (up to Q3,22) revenue was $359 million up 19% year over year.
Top-line growth was driven by the continued adoption of its VMDR product. Notable customer wins include a larger government agency that entered into lucrative seven-figure upsell agreement to expand its number of assets using the VMDR and patch management solution.
A key driving factor in this customer’s decision was the fact that Qualys is the “only” security and compliance stack platform that has FedRAMP authorization and is unified. From my own research, I have discovered other platforms such as CrowdStrike (CRWD) which has FedRAMP authorization, but this platform is mainly for endpoint security and not compliance. The company also expanded its contract with a Fortune 100 company that signed a six-figure upsell agreement. In addition, various Fortune 1000 companies signed new contract agreements. These wins have been part of the company’s strategy to “grow upmarket” which now includes 151 customers who are spending over $500,000 or more in Annual Recurring revenue, up 26% year over year.
Customer penetration for its VMDR platform increased from 32% last year to 45% this year on the back of its surge in popularity. In addition, customers have increased their adoption of its newest Patch Management and Cybersecurity Asset Management product. In the trailing 12 months, both of these applications have grown by over 50% year over year and contributed to 15% of new bookings. Qualys has also increased its average deal size by 18% as the company continues to upsell solutions.
Profitability and Expenses
The company reported earnings per share [EPS] of $0.71 which beat analyst estimates by $0.14 per share. On a Non-GAAP basis, EPS was $0.94 which beat analyst expectations by $0.08. Its operating margin has hovered between 19% and 30%, which is fantastic given the average for the software industry is 23%.
The company also reported solid Adjusted EBITDA of $54.9 million at a 44% margin. The “year to date” figures prior to the third quarter of 2022, indicate a 46% Adjusted EBITDA margin which is higher than the 43% in 2019 and level with 2021 figures.
The company’s main expenses can be divided into three main line items, R&D, S&M and G&A. Research and Development expenses were $25.5 million, up 19.7% year over year. Overall I don’t deem this to be a bad sign given the company must continually innovate to stay ahead in the fast-paced world of cybersecurity. Sales & Marketing expenses were $25 million or ~20% of revenue. This metric increased by a substantial 34% year over year and increased as a portion of revenue from the 17.6% in the prior year. I believe this was mainly driven by new product rollouts and the aggressive growth of its VMDR platform. Over time, I would like to see this metric, reducing as a portion of total revenue as the business scales. General and Administrative expenses were $15.7 million or 12.5% of revenue in Q3,22. This metric increased by an eye-watering 48% year over year from the $10.6 million in the prior year. Again, I would like to see this metric decreasing as a portion of revenue overtime as the company benefits from the operating leverage and improved efficiencies.
The company’s strategy is to invest its cash flow back into the business. In Q3,22, Qualys invested $1.2 million in Capex and utilized $95 million to buy back 684,000 shares which was a positive sign.
Qualys has a solid balance sheet with $385.3 million in cash and short-term investments. In addition to minimal debt of just $39.9 million in total.
Moving forward, management is optimistic given cybersecurity budgets remain “largely unchanged” and look to be “recession-proof” up to now. The company plans to continue to scale its partner program and invest in digital marketing initiatives. For the full year, management is expected revenue in the range of between $488.6 million and $489.6 million, which would represent a 19% growth rate.
In order to value Qualys I have plugged the latest financials into my advanced valuation model. I have forecasted 19% revenue growth for next year and for the next 2 to 5 years. This is based upon an extrapolation of management guidance, although we could see a little more growth in years 2 to 5, as economic conditions are likely to improve by then.
I have capitalized the company’s R&D expenses which has increased its operating income slightly. In addition, I have forecasted the operating margin to increase to 33% over the next 7 years, as the company continues to cross sell its customers solutions.
Given these factors I get a fair value of $130 per share, the stock is trading at $118 per share at the time of writing and thus is ~11% undervalued.
As an extra data point, Qualys trades at a Price to sales ratio = 9.14 which is 16% cheaper than 5-year average. Relative to other cybersecurity companies, Qualys is trading at the low end of valuation multiples.
The cybersecurity industry is extremely competitive with many players in the space from the rapidly growing CrowdStrike (CRWD), which specializes in endpoint security. To SentinelOne (S), Zscaler (ZS), Okta (OKTA) and more. Qualys does offer a unified solution that is fairly unique in the market and could give it an advantage in the short term at least. The high inflation and rising interest rate environment, cannot be ignored. Although this doesn’t seem to be affecting cybersecurity budgets just yet, it is still a factor that may delay spending and cause longer sales cycles.
Qualys is a tremendous cybersecurity technology company that has been growing its revenue and earnings at a consistent rate. The company is poised to benefit from the growth in the cybersecurity industry and vendor tech stack consolidation. The stock is currently undervalued intrinsically and relative to historic multiples so it could be a great long-term investment.