The following segment is taken from this funding letter.
Qualys (NASDAQ: QLYS): Cybersecurity leader with renewed focus on product development and growing sales capability
Summary of the thesis
- Portfolio of cyber defense-critical cybersecurity software well positioned to take advantage of an increasingly open-architecture computer network.
- Acceleration of revenue growth through the deployment of new products combined with increased investment in sales and marketing.
- Overall, the cybersecurity industry benefits from an increased threat environment.
- Multiple expansion in line with peers as revenue growth accelerates. Multiple support for private equity appetite if revenue growth does not pick up.
QLYS was founded in 1999 and provides vulnerability management software to SMBs and enterprises. Vulnerability management software provides a continuous view of security and compliance across all enterprise assets, including on-premises, endpoints, cloud, and mobile devices. The easiest way to think of QLYS’ original VM solution is that it provided a dashboard that monitored all potential threats on a network and helped IT departments prioritize the highest risk vulnerabilities.
QLYS was a pioneer in the industry as they were one of the first companies to offer a cloud-based software-as-a-service (SAAS) solution, as opposed to traditional licensing offerings that were proliferating at the time. . Although QLYS’ VM software has always provided a state-of-the-art dashboard to monitor weaknesses, it has provided limited functionality to address these vulnerabilities. Most recently, QLYS increased the functionality of its software with the deployment of detection and response capabilities (VMDR) and extended detection and response capabilities (XDR) in late 2021.
Overview of the cybersecurity industry
The cybersecurity space has been marked by a customer preference for point solution expertise as opposed to a win-win solution. This market structure is driven by the complex nature of the assets that need to be protected, the dynamic nature of security threats, and the critical nature of cybersecurity, which leads to a customer preference for quality over cost. Historically, cybersecurity was best served by firewalls, which provided a fence around assets physically located on a network.
Firewalls are becoming increasingly obsolete in the world of cybersecurity as the network perimeter has effectively disappeared due to the increasing adoption of SaaS solutions and new connected devices connecting to the network from multiple new terminals. This trend has only accelerated following COVID. As more devices and software tools connect from outside the traditional firewall perimeter, the importance of security monitoring tools such as VM, VMDR and XDR has increased.
In many ways, vulnerability management is the foundation of cybersecurity because it provides the dashboard to monitor all potential security breaches. QLYS software can provide critical data on assets exposed to specific threats and can increasingly help IT departments prioritize and remediate these vulnerabilities.
Acceleration of revenue growth
Understanding QLYS’ history is important to gaining confidence in QLYS’ ability to sustain revenue growth in the future. QLYS was almost perfectly positioned at the start of this decade to take advantage of both the software market’s transition from licensing to SaaS solutions as well as the trend in cybersecurity away from firewalls, with devices outgrowing increasingly a physical perimeter. Considering the large TAM, industry tailwinds and a market-leading product, QLYS was able to grow revenue at a CAGR of +20% from 2012 to 2018.
Even more impressively, QLYS was able to achieve this growth with limited investments in R&D or its sales force. R&D as a percentage of revenue fell from 22% in 2012 to 16% in 2018, while S&M fell from 40% in 2012 to 22% in 2018. As a result, QLYS operates with one of the highest EBITDA margins high in the sector, at 45%. QLYS’ ability to post such consistent revenue growth despite underinvestment in product development and sales is proof of the strong competitive positioning of QLYS’ software and the critical nature of the product.
However, QLYS’ focus on profitability eventually caught up with the company as revenue growth slowed to 15% in 2019 and 13% in 2020. Over time, the cybersecurity market has become more competitive. QLYS saw increased competition from its 2 main competitors as Tenable (TENB) made the transition to a SaaS solution and Rapid7 (RPD) used the IPO proceeds to aggressively pursue growth .
Additionally, customers began to expect a more comprehensive security offering beyond just vulnerability management as this solution matured. It was no longer enough to provide only a dashboard of potential vulnerabilities, customers now expected products that detected, prioritized and responded to these threats.
QLYS’ VM product continued to be well positioned in the market, it just needed to be enhanced with detection and response (VMDR) capabilities. QLYS also recognized the need to offer Expanded Detection and Response (XDR), which ingests data from all QLYS endpoints to provide better analytics for network threat prevention. QLYS started reinvesting in R&D in 2019 and R&D as a percentage of sales increased from 16% in 2018 to 18% in 2022.
QLYS’ VMDR solution was deployed in early 2020 and the XDR solution was introduced in late 2021. With the addition of new products to the portfolio, QLYS planned to invest heavily in growing its sales force in 2020. However, COVID delayed this investment, but the company remains focused on growing its sales force in 2021 and 2022.
With product development completed and increased investment in the sales force, QLYS revenue growth accelerated from +13% in 2020 to +18% in 2022. QLYS is expected to be able to sustain at least a mid-teen growth rate as a broader product portfolio. enables cross-selling to existing customers and investment in sales and marketing supports the acquisition of new customers.
QLYS also maintains a net cash balance and continues to generate strong free cash flow given industry leading margins and minimal CAPEX. Historically, management has not been aggressive with capital deployment, but there are signs that this is changing. QLYS’ new CEO made its first acquisition in Q3 2021 and said he intends to make more targeted acquisitions in the future. Inorganic growth can serve as an additional tool to accelerate revenue growth, as the business can acquire businesses with additional functionality that can be sold on top of the core VMDR solution.
I expect QLYS to grow FCF at a low teenage rate over the next 5 years as revenue growth is partially offset by margin compression due to the investments discussed above. Given QLYS’ healthy cash balance and strong free cash flow generation, FCF per share growth could exceed this rate if management uses cash for share acquisitions or buybacks (the buyback also provides a good safety net for equities in case of market weakness).
I believe QLYS should trade at a 10% premium to the market given its competitive positioning and attractive growth prospects. Based on these assumptions, QLYS is expected to compound investor capital at a CAGR of +14% over the next 5 years.
To the extent that my growth expectations at QLYS are overstated, a healthy private equity appetite for software assets with strong cash flow could be another way for shareholders to benefit. The acquisition of Proofpoint by Thoma Bravo in April 2021 provides a near-perfect mix for QLYS and the potential private equity supply. PFPT provides email security software and, like QLYS, has seen its stock price lag the broader tech sector as revenue growth slowed and its multiple narrowed as the market viewed email security as a mature industry.
Assuming similar multiples for QLYS implies a private equity offering that could represent a 70% upside. I do not expect QLYS to pursue a private equity transaction in the near term as I believe management is confident in accelerating revenue growth through new products and sales force investments . However, the appetite for private equity offers good downside protection.
Summary of investments
QLYS is selling a competitively advantageous cybersecurity offering that can continue to maintain its market leadership given the company’s renewed emphasis on R&D. Combined with growing investment in the company’s sales force, revenue growth is expected to remain in the 1950s bracket. Additionally, the company’s cybersecurity end market is expected to see continued strong growth as businesses are prioritizing cybersecurity spending in an increasingly hostile threat environment.
FCF is expected to grow at a CAGR of +12% over the next 5 years, with accelerating revenue growth being offset by investments in sales and marketing. A fortress balance sheet with a large cash balance provides an option for mergers and acquisitions and/or share buybacks to increase FCF/share at an even faster rate. Unlike many other software companies that trade based on earnings multiples, QLYS has valuation support based on public and private market free cash flow multiples. To the extent that revenue growth does not materialize as expected, an active private equity appetite for software assets could be an attractive exit for shareholders.
Editor’s note: The summary bullet points for this article were chosen by the Seeking Alpha editors.