Scans enterprise IT systems from its own cloud data centers and turns the results into ranked risk scores.
- Depends on: Downstream position (depends on 18 industries, supplies 5)
- Scale: Market cap is above the global median
Qualys scans enterprise IT environments — servers, devices, cloud assets — from its own data centers over persistent encrypted connections, then feeds those raw results into its TruRisk platform, which combines each vulnerability with how critical the affected asset is and with live threat intelligence to produce a single numerical risk score. Because those scores flow directly into customer workflow tools like ServiceNow through pre-built connectors, and because Qualys agents are physically installed across thousands of customer endpoints, switching to a competitor means reconfiguring every downstream remediation workflow and physically replacing software on every device — not just swapping a scanner. That connector dependency is only worth tolerating as long as the risk scores stay accurate, which requires the threat intelligence feeds Qualys ingests from external providers to remain current and correctly formatted; if a provider changes its feed format and breaks the ingestion pipeline, the scores degrade, the prioritisation logic breaks, and the main reason customers absorb the switching cost disappears. Expanding into new regions compounds the pressure, because data residency laws like GDPR require Qualys to build dedicated scanning infrastructure inside each jurisdiction before it can sign a single customer there, so every new compliance boundary demands a capital investment before any revenue can follow.
How does this company make money?
Customers pay an annual subscription fee based on how many assets are under continuous monitoring. The price is tied to the number of IP addresses, web applications, or cloud workloads enrolled in the Qualys Cloud platform. Subscriptions renew each year, so revenue grows as customers add more assets to their monitored estate.
What makes this company hard to replace?
The Vulnerability Management and Policy Compliance modules connect directly into tools like ServiceNow through pre-built connectors. Switching vendors means reconfiguring every one of those workflows from scratch, not just swapping a scanner. On top of that, Multi-Vector Endpoint Detection and Response agents are physically installed on devices across the customer's entire environment, so a migration requires a coordinated rollout across potentially thousands of endpoints.
What limits this company?
Qualys cannot share scanning compute resources across different customers because of security isolation rules, so every new customer network requires its own dedicated processing power. When large enterprise customers all run scans at the same time, the queue backs up — and while a scan is waiting, the vulnerabilities it would have caught remain open.
What does this company depend on?
Qualys relies on Amazon Web Services and Microsoft Azure to host the Qualys Cloud platform. It depends on SSL/TLS certificates to keep scanning connections encrypted. Vulnerability intelligence feeds from security research organizations supply the raw threat data that TruRisk scores are built on. API access to major cloud providers is required to scan cloud workloads. Federal Information Processing Standards certification is needed to serve government customers.
Who depends on this company?
Enterprise IT security teams rely on TruRisk scores to decide which vulnerabilities to patch first. If scanning is delayed or unavailable during an active attack campaign, those teams are left with blind spots at exactly the wrong moment. Cloud DevOps teams use Qualys Container Security to validate the security of Infrastructure as Code before deployment. If that scanning goes down, automated security checks break and teams must review code manually, slowing down every deployment.
How does this company scale?
Once Qualys builds a new vulnerability signature or updates the TruRisk algorithm, that improvement reaches every customer instantly at no additional cost — the engineering work is done once and spreads across the entire customer base. What does not scale cheaply is the scanning infrastructure itself: each new customer network requires its own dedicated compute capacity, and that cost grows in direct proportion to the number of customers and assets being monitored.
What external forces can significantly affect this company?
GDPR and European Union data residency rules require Qualys to build and maintain separate infrastructure inside the EU before it can sign a European customer — each new compliance boundary means a capital investment before revenue can follow. Executive Order 14028 pushes U.S. government agencies toward continuous vulnerability monitoring with specific reporting requirements, which shapes what Qualys must support to compete for federal contracts. Cryptocurrency mining operations compete for the same cloud computing capacity Qualys needs, pushing up the cost of running compute-intensive scanning workloads.
Where is this company structurally vulnerable?
If the external security research organizations that supply Qualys with vulnerability intelligence change their feed formats, the ingestion pipeline that feeds TruRisk breaks. Without accurate, up-to-date inputs, the risk scores become unreliable. Once the scores are unreliable, the ServiceNow connectors and remediation workflows built on top of them stop making sense — and the main reason customers tolerate the cost of staying on the platform disappears.
Structural observations derived from financial data, industry benchmarks, and supply chain position.