QUALYS, INC. (QLYS) Business
This page reproduces the company's own Item 1 Business text from the linked SEC filing. It is filer text, not grepcent analysis, scoring, or investment advice.
Item 1. Business
Overview
We are a leading provider of a cloud-based platform delivering information technology (IT), security and compliance solutions. Our integrated suite of IT, security and compliance solutions delivered on Qualys' Enterprise TruRisk Platform enables our customers to: 1) identify and manage their internal and external IT and operational technology (OT) assets across on-premises, endpoints, cloud, containers, and mobile environments; 2) collect and analyze large amounts of IT security data; 3) discover and prioritize vulnerabilities; 4) quantify cyber risk exposure; 5) recommend and implement remediation actions; and 6) verify the implementation of such actions. This helps organizations protect their systems and applications from ever-evolving cyber-attacks and helps achieve compliance with internal policies and external regulations.
Our cloud platform addresses the growing IT, security and compliance complexities and risks that are amplified by the dissolving boundaries between IT infrastructures and web environments, the rapid adoption of cloud computing, containers and serverless IT models, and the proliferation of geographically dispersed IT assets. Organizations use our integrated suite of solutions to cost-effectively obtain a unified view of their internal and external IT and OT asset inventory as well as security and compliance posture across globally-distributed IT infrastructures as our solution offers a single platform for IT, information security, application security, endpoint, developer security and cloud teams.
IT infrastructures are more complex and globally-distributed today than ever before, as organizations of all sizes increasingly rely upon a myriad of interconnected information systems and related assets, such as servers, databases, web applications, routers, switches, desktops, laptops, other physical and virtual infrastructure, and numerous external networks and cloud services. In this environment, new and evolving digital technologies intended to improve organizations’ operations can also increase vulnerability to cyber-attacks, which can expose sensitive data, damage IT and physical infrastructures, and result in serious financial or reputational consequences. In addition, the rapidly increasing amount of data and devices in IT environments makes it more difficult to identify and remediate vulnerabilities in a timely manner. The predominant approach to IT security has been to implement multiple disparate security products that can be costly and difficult to deploy, integrate and manage and may not adequately protect organizations. As a result, we believe there is a large and growing opportunity for comprehensive cloud-based IT, security and compliance solutions that detect, measure, prioritize and remediate cyber risk delivered in a single platform.
We designed our cloud platform to transform the way organizations secure and protect their IT infrastructures and applications. Our cloud platform offers an integrated suite of solutions that automates the lifecycle of asset discovery and management, security and compliance assessments, and remediation for an organization’s IT infrastructure and assets, whether such infrastructure and assets reside inside the organization, on their network perimeter, on endpoints or in the cloud. Since inception, our solutions have been designed to be delivered through the cloud and to be easily and rapidly deployed on a global scale, enabling faster implementation and lower total cost of ownership than traditional on-premise enterprise software products. Our customers, ranging from some of the largest global organizations to small businesses, are served from our globally-distributed cloud platform, enabling us to rapidly deliver new solutions, enhancements and security updates.
We believe that our cloud platform provides our customers with unique advantages, including:
•No hardware to buy or manage. There is no infrastructure or software to buy and maintain thus reducing our customers’ operating costs; all services are accessible in the cloud via web interface. Qualys operates and maintains the platform.
•Real-time visibility in one place, anytime and anywhere. Our customers can conveniently see their security and compliance posture across their global IT and OT asset inventory in one browser window, without plugins or a virtual private network (VPN), whenever and wherever Internet access is available.
•Easy global scanning. Our customers can easily perform scans on geographically distributed and segmented networks at the perimeter, behind the firewall, on dynamic cloud environments and on endpoints.
•Seamless scaling. Our cloud platform is a scalable, comprehensive, and end-to-end solution for the IT, security and compliance needs of our customers. Our customers can seamlessly add new coverage, users and services after they have deployed our platform.
•Up to date resources. Qualys has one of the largest knowledge bases of vulnerability signatures in the industry. All security updates are made in real-time.
•Data stored securely. Data is securely stored and processed in a multi-tiered architecture of load-balanced servers. Our encrypted databases are physically and logically secured.
We were founded and incorporated in December 1999 with a vision of transforming the way organizations secure and protect their IT infrastructure and applications and initially launched our first cloud solution, Vulnerability Management (VM), in 2000. As VM gained acceptance, we introduced additional solutions to help customers manage increasing IT, security and compliance requirements. Today, the suite of solutions that we offer on our cloud platform and refer to as the Qualys Cloud Apps help our customers detect, measure, prioritize and remediate cyber risk spanning a range of assets across on-premises, endpoints, cloud, containers, and mobile environments.
We provide our solutions through a software-as-a-service model, primarily with renewable annual subscriptions. These subscriptions require customers to pay a fee in order to access each of our cloud solutions. We generally invoice our customers for the entire subscription amount at the start of the subscription term, and the invoiced amounts are treated as deferred revenues and are recognized ratably over the term of each subscription. We continue to experience revenue growth from our existing customers as they renew and purchase additional subscriptions, as well as from the addition of new customers to our cloud platform.
Our cloud platform is currently used by over 10,000 customers worldwide, including a majority of the Forbes Global 100. Our revenues increased to $669.1 million in 2025 from $607.6 million in 2024 and $554.5 million in 2023.
Our Platform
Our cloud platform consists of a suite of IT security, compliance, web application security, asset management and cloud security solutions, which we refer to as the Qualys Cloud Apps, that leverage our shared and extensible core services and our highly scalable multi-tenant cloud infrastructure. We also provide open application program interfaces, or APIs, and other developer tools that allow third parties to embed our technology into their solutions and build applications on our platform.
Our cloud platform utilizes physical and virtual sensors, and cloud agents that provide our customers with continuous visibility enabling customers to respond to threats immediately. Customers can extend visibility to all known IT infrastructure using our Out-of-Band Configuration Assessment sensor for systems that are air-gapped or otherwise difficult to assess.
Our cloud platform automatically gathers and analyzes security and compliance data in a scalable, state-of-the-art backend. The technology underlying our cloud infrastructure enables us to ingest, process, analyze and store a high volume of sensor data coming from our agents, scanners and passive analyzers, and correlate information at very high speeds in a distributed manner for millions of devices.
Our cloud platform is delivered to our customers via our 15 global shared cloud platforms, or via our private platform offering, Qualys Private Cloud Platform (PCP), for customers or partners that want the platform to reside within the customer's shared cloud platform. The PCP is a standalone version of our multi-layer, multi-tenant services architecture and is a fully integrated turnkey solution, making it more scalable, cost effective and faster to deploy within a customer's shared cloud platform. Solutions delivered through our PCP are typically on the same subscription basis as solutions delivered through our shared platform. Our PCP utilizes hardware and software owned by us and is physically located on the customer's premises. The customer is not permitted to take possession of the software or access the software code. We also offer our PCP as a subscription-based platform service to the customer using a virtual version of our software. This virtualized PCP allows us to extend our security and compliance solutions without the complexity and cost associated with deploying traditional enterprise software.
Qualys Core Services
Our core services enable customers to detect vulnerabilities, measure and remediate cyber risk through integrated workflows, and deliver real-time analysis and reporting across on-premises environments, network perimeters, endpoints, and cloud deployments.
Our core services constitute dynamic and customizable dashboards and centrally managed, self-updating integrated Cloud Apps, through a natively integrated unified platform. Our interactive, dynamic dashboards and cloud platform allow our customers to aggregate and correlate all of their IT, security and compliance data in one place, drill down into details, and generate reports customized for different audiences. Our cloud platform’s powerful Elasticsearch clusters enable customers to instantly find detailed data on any asset.
Our core services include:
•Asset Tagging and Management. Enables customers to easily identify, categorize and manage large numbers of assets in highly dynamic IT and OT environments and automates the process of inventory management and hierarchical organization of all internal and external assets. Built on top of this core service is the Qualys GAV framework, which is a global asset inventory service enabling our customers to search for information on any asset, scaling to millions of assets for customers of all sizes, helping IT and security personnel to search assets and maintain an up-to-date inventory on a continuous basis.
•Reporting and Dashboards. A highly configurable reporting engine that provides customers with reports and dashboards based on their roles and access privileges.
•Questionnaires and Collaboration. A configurable workflow engine that enables customers to easily build questionnaires and capture existing business processes and workflows to evaluate controls and gather evidence to validate and document compliance.
•Remediation and Workflow. An integrated workflow engine that allows customers to automatically generate helpdesk tickets for remediation to manage compliance exceptions based on customer-defined policies, enabling subsequent review, commentary, tracking and escalation. This engine automatically distributes remediation tasks to IT administrators upon scan completion, tracks remediation progress and closes open tickets once patches or other mitigating actions are applied and remediation is verified in subsequent scans.
•Big Data Correlation and Analytics Engine. Provides Elasticsearch capabilities for indexing, searching and correlating large amounts of security and compliance data with other security incidents and third-party security intelligence data. Embedded workflows enable customers to quickly assess risk and access information for remediation, incident analysis and forensic investigations.
•Alerts and Notifications. Creates email notifications to alert customers of new vulnerabilities, malware infections, scan completion, open trouble tickets and system updates.
Qualys Cloud Apps
Many organizations have an array of heterogeneous point tools that do not interoperate well and are difficult and costly to maintain and integrate, making it difficult for Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) to obtain a single, unified view of their organization’s security and compliance posture. Qualys’ Enterprise TruRisk Platform and its Cloud Apps help organizations escape this tool-fragmentation dilemma by drastically simplifying their security stacks and regaining unimpeded visibility across their on-premises, endpoints, cloud, container, and mobile environments.
The Cloud Apps are self-updating, centrally managed and tightly integrated, and cover a broad range of functionality in areas such as asset management, vulnerability and configuration management, risk remediation, threat detection and response, compliance and cloud security solutions. Qualys' TruRisk scoring capabilities are embedded in many of our Cloud Apps, providing our customers with a quantitative metric of risk to help prioritize cybersecurity threats based on a combination of severity, exploitability, asset criticality, threat intelligence, and business context.
We believe that our applications are easy to use and provide our customers with a high level of control because our applications are part of one platform, share a common user interface, utilize the same scanners and agent, access the same collected data, and leverage the same user permissions.
Our customers can subscribe to one or more of our 20+ Cloud Apps based on their initial needs and expand their subscriptions over time to new areas within their organization or to additional Qualys solutions to develop a more complete understanding of their respective environment's IT, security and compliance posture and remediate cybersecurity risk. Many of our customers use multiple Cloud Apps, some of which are noted below:
Asset Management
Cybersecurity Asset Management (CSAM): CSAM is an all-in-one solution that leverages the power of our cloud platform with its multiple native sensors and CMDB synchronization to continuously inventory known and unknown assets, discover installed applications, and overlay business and risk context to establish asset criticality. It identifies unauthorized or end-of-life and end-of-service software and the absence of required security tools, and assesses the health of the attack surface. Further, CSAM enables response options with threat alerts and software removal and delivers regulatory reporting in support of the Federal Risk and Authorization Management Program (FedRAMP), Payment Card Industry Data Security Standard (PCI-DSS) and other mandates. CSAM includes External Attack Surface Management (EASM), which allows discovery of internet facing unknown assets.
Enterprise TruRisk Management (ETM): ETM provides a unified view of cyber risk across an organization’s entire attack surface, including on-premises infrastructure, cloud environments, and applications, through a consolidated inventory of assets. The solution ingests and analyzes security telemetry from Qualys and third-party sensors, applying normalization, deduplication, and correlation of threat signals across more than 25 threat intelligence feeds to enhance risk severity and exploitability assessment. Leveraging the Qualys TruRisk score, ETM incorporates configurable business and risk parameters to quantify cyber risk in financial terms specific to an organization’s risk tolerance, supporting risk-based prioritization and decision-making. ETM further enables automated remediation through policy-based response rules and AI-driven workflows that integrate with Qualys’ TruRisk Eliminate solutions, IT service management platforms, and other third-party systems. These capabilities provide organizations with a vendor-agnostic solution to holistically centralize their response to cyber risk.
Vulnerability and Configuration Management
Vulnerability Management, Detection and Response (VMDR): VMDR enables organizations to automatically discover every asset in their environment, including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets. VMDR continuously assesses these assets for the latest vulnerabilities and applies the latest threat intel analysis to prioritize actively exploitable vulnerabilities. VMDR automatically detects the latest superseding patch for the vulnerable asset and easily deploys it for remediation. Finally, VMDR quantifies risk across vulnerabilities, assets and groups of assets helping organizations proactively reduce cyber risk exposure and track cyber risk reduction over time. By delivering all this in a single app workflow, VMDR automates the entire process and significantly accelerates an organization’s ability to respond to threats, thus preventing possible exploitation across on-premises, endpoints, cloud, containers, and mobile environments.
Total Application Security (TotalAppSec, TAS): TAS continuously discovers and catalogs web applications and APIs – including new and unknown ones – and detects vulnerabilities and misconfigurations in web apps and APIs. Scaling to thousands of scans, it conducts incisive, thorough and precise testing of browser-based web apps, mobile app backends, and APIs. TAS' powerful API enables integration with other systems and allows teams to detect issues within DevOps environments early in the application development process. Bundled malware detection capability with TAS uses reputational, behavioral, antivirus, and heuristic analyses to identify and alert on malware infecting a user's websites. By integrating TAS with manual testing tools and bug bounty solutions, customers can build a comprehensive application security testing program.
Risk Remediation
Patch Management (PM): PM provides automated patch deployment capabilities for Windows, Linux, Mac and third party software by correlating vulnerabilities and the right set of remediation including patches and configuration fixes. It continuously gathers and uploads telemetry about installed software, open vulnerabilities and missing patches to our cloud platform. The resulting shared visibility of assets and their posture enables IT and security teams to collaborate using common vulnerability-centric terminology and provides a consistent data set to analyze, prioritize, deploy and verify patches more efficiently. Patch Management is a component of Qualys' TruRisk Eliminate suite of remediation solutions. TruRisk Eliminate encompasses a broad range of remediation capabilities for organizations when patches are not yet available or feasible to deploy.
Custom Assessment and Remediation (CAR): CAR enables security architects to create custom scripts in popular scripting languages, user-defined controls and automation, all seamlessly integrated within existing programs to quickly assess, respond to and remediate threats across global hybrid environments.
Threat Detection and Response
Multi-Vector Endpoint Detection and Response (EDR): Traditional endpoint detection and response solutions focus only on endpoint activity to detect attacks. As a result, they lack the full context to analyze attacks accurately. This leads to an incomplete picture and a high rate of false positives and negatives, requiring organizations to use multiple point solutions and large incident response teams. Our highly scalable platform fills the gaps by bringing a new multi-vector approach and the unifying power to EDR, providing vital context and comprehensive visibility to the entire attack chain, from prevention to detection to response. EDR unifies different context vectors like asset discovery, rich normalized software inventory, end-of-life visibility, vulnerabilities and exploits, misconfigurations, in-depth endpoint telemetry, and network reachability with a powerful backend to correlate it all for accurate assessment, detection and response.
Compliance
Policy Audit (PA): PA automates security configuration assessments across IT systems spanning on-premises, cloud, and hybrid environments. PA provides real-time visibility into compliance status and helps prevent configuration drift by continuously monitoring against multiple standards for operating systems, network devices, databases, and server applications. PA includes a robust library of 900+ pre-built policies, 20,000 controls, and 350 supported technologies, covering over 90 regulations and frameworks such as PCI DSS, HIPAA, SOX, and NIST. With built-in CIS 18 management and actionable remediation guidance, Qualys’ PA solution simplifies compliance by enabling organizations to identify security issues, prioritize fixes, and track exceptions from a single, unified workflow. By leveraging industry-recommended best practices and a repeatable, auditable process, Qualys’ PA empowers organizations to reduce risk, automate compliance assessments, and ensure adherence to both internal policies and external regulations.
File Integrity Monitoring (FIM): FIM logs and centrally tracks file change events on common enterprise operating systems in organizations of all sizes. FIM provides customers with a simple way to achieve centralized cloud-based visibility of activity resulting from normal patching and administrative tasks, change control exceptions or violations, or malicious activity - then reports on that system activity as part of compliance mandates. FIM collects the critical details needed to quickly identify changes and root out activity that violates policy or is potentially malicious. FIM helps customers to comply with change control policy enforcement and change monitoring requirements.
Cloud Security
TotalCloud (TC): TC is a Cloud-Native Application Protection Platform (CNAPP), which provides an integrated suite of security capabilities designed for multi-cloud environments. It provides complete visibility and cyber-risk exposure assessment across cloud assets, enabling continuous discovery and monitoring of the cloud landscape to identify risks and maintain compliance. With its FlexScan technology, TC offers comprehensive assessment features that include no-touch, agentless, API, and snapshot-based scanning, along with agent and network-based scanning for thorough vulnerability detection. The TruRisk component allows for a unified risk view, correlating vulnerabilities, security controls, and compliance across resources to prioritize and reduce cyber risks effectively. For real-time defense, TC's InstaProtect continuously monitors all cloud assets to detect and protect against evolving and unknown threats. Remediation is streamlined through our QFlow technology, which provides no-code, drag-and-drop workflows for efficient vulnerability management. TC provides organizations with an all-encompassing solution, delivering fast, agentless, real-time security and compliance across a variety of use cases, including Cloud Workload Protection (CWP), Cloud Detection and Response (CDR), Cloud Security Posture Management (CSPM), Infrastructure as Code (IaC), SaaS Security Posture Management (SSPM), Cloud Infrastructure and Entitlement Management (CIEM), and Kubernetes and Container Security (KCS) to offer organizations a single unified solution for comprehensively securing their cloud and hybrid-cloud environments.
Free Services
We also offer organizations of all sizes free security and compliance services based on our cloud platform:
•Qualys Global AssetView app automatically creates a continuous, real-time inventory of known and unknown assets throughout a user's global IT footprint across on-premises, endpoints, cloud, containers, and mobile environments. The app also automatically normalizes and categorizes assets to ensure clean, reliable, and consistent data. In-depth asset details provide fine-grained visibility on the system, services, installed software, network, and users. It also detects any device that connects to a user's networks, via passive scanning technology. Upon an unknown device detection, users can install a light-weight Qualys self-updating agent (3MB) to turn the device into a managed device or launch a vulnerability scan.
•Qualys Certificate Inventory inventories and assesses all Internet-facing certificates to generate SSL/TLS configuration grades, identifies the certificate issuer and tracks certificate expirations to help stop expired and expiring certificates from interrupting critical business functions.
Our Growth Strategy
We intend to strengthen our leadership position as a trusted provider of cloud-based IT, security and compliance solutions. The key elements of our growth strategy are:
•Continue to innovate and enhance our cloud platform and suite of solutions. We intend to continue to make significant investments in research and development to extend our cloud platform’s functionality by developing new security solutions and capabilities and further enhancing our existing suite of solutions.
•Expand the use of our suite of solutions by our large and diverse customer base. With more than 10,000 customers, across many industries and geographies, we believe we have a significant opportunity to sell additional solutions to our customers and expand their use of our suite of solutions. Because our customers typically initially deploy one or two of our solutions in select parts of their IT infrastructures, our existing customers serve as a strong source of new sales as they expand their scope and increase their subscriptions or choose to adopt additional solutions from our integrated suite of IT, security and compliance offerings. In this regard, we continue to enhance our sales execution and marketing functions to increase adoption of our newly developed solutions among our existing customers.
•Drive new customer growth and broaden our global reach. We are pursuing new customers by targeting key accounts, releasing free IT, security and compliance services and enhancing both our sales and marketing organization and network of channel partners. We will continue to seek to make significant investments to encourage organizations to replace their existing security products with our cloud solutions. We intend to enhance our relationships with key security consulting organizations, leading cloud service providers, managed security service providers, leading cloud providers and value-added resellers to accelerate the adoption of our cloud platform. We seek to strengthen existing relationships as well as establish new relationships to increase the distribution and market awareness of our cloud platform and target new geographic regions. We also plan to partner with such security providers that can host our private cloud offering within their shared cloud platforms, helping us expand our reach in new markets and new geographies.
•Selectively pursue technology acquisitions to bolster our capabilities and leadership position. We may explore acquisitions that are complementary to and can expand the functionality of our cloud platform. We may also seek to acquire development teams to supplement our own personnel and acquire technology to increase the breadth of our cloud-based IT, security and compliance solutions, deep learning AI, and machine learning (ML) technologies to uncover behavior patterns including active vulnerability exploitation, identification of advanced network threats, and adaptive risk mitigation across all assets and applications.
Our Customers
We market and sell our solutions to enterprises, government entities and small and medium-sized businesses across a broad range of industries, including education, financial services, government, healthcare, insurance, manufacturing, media, retail, technology and utilities. As of December 31, 2025, we had over 10,000 customers worldwide, including a majority of the Forbes Global 100. In each of 2025, 2024 and 2023, no one customer accounted for more than 10% of our revenues. In 2025, 2024 and 2023, 56%, 58% and 60%, respectively, of our revenues were derived from customers in the United States based on our customers' billing addresses. We sell our solutions to enterprises and government entities primarily through our field sales force and to small and medium-sized businesses through our inside sales force. We generate a significant portion of sales through our channel partners, including managed security service providers, value-added resellers and consulting firms in the United States and internationally.
Sales and Marketing
Sales
We market and sell our IT, security and compliance solutions to customers directly through our sales teams as well as indirectly through our network of channel partners.
Our global sales force is organized into a field sales team, which focuses on enterprises, generally including organizations with more than 5,000 employees, and an inside sales team, which focuses on small to medium-sized businesses, which generally include organizations with less than 5,000 employees. Both our field and inside sales teams are divided into three geographic regions, the Americas; Europe, Middle East and Africa; and Asia-Pacific. We also further assign each of our sales teams into groups that focus on adding new customers or managing relationships with existing customers.
Our channel partners maintain relationships with their customers throughout the territories in which they operate and provide their customers with services and third-party solutions to help meet those customers’ evolving security and compliance requirements. As such, these partners offer our IT, security and compliance solutions in conjunction with one or more of their own products or services and act as a conduit through which we can connect with these prospective customers to offer our solutions. Our channel partners include security consulting organizations, leading cloud providers, managed service providers and resellers.
For sales involving a channel partner, the channel partner engages with the prospective customer directly and involves our sales team as needed to assist in developing and closing an order. When a channel partner secures a sale, we sell the associated subscription to the channel partner who in turn resells the subscription to the customer, with the channel partner retaining the margin between the price they purchase from us and the price they sell to the end user. Once the order is completed, we provide these customers with direct access to our solutions and other associated back-office applications, enabling us to establish a direct relationship as part of ensuring customer satisfaction with our solutions. At the end of the subscription term, the channel partner engages with the customer to execute a renewal order, with our sales team providing assistance as required. In 2025, 2024 and 2023, 49%, 46% and 43%, respectively, of our revenues were generated by channel partners.
Marketing
Our marketing programs include a variety of online marketing, advertising, conferences, events, public relations activities and web-based seminar campaigns targeted at key decision makers within our prospective customers.
We have a number of marketing initiatives to build awareness and encourage customer adoption of our solutions. We offer free trials and services to allow prospective customers to experience the quality of our solutions, to learn in detail about the features and functionality of our cloud platform, and to quantify the potential benefits of our solutions.
Customer Support
Qualys Support delivers 24x7x365 day customer technical support from global centers located in Foster City, California; Raleigh, North Carolina; and Pune, India. We recruit senior level technical personnel and trained subject matter experts who work closely with engineering and operations personnel to resolve issues quickly. Our IT, security and compliance solutions can be deployed easily and are designed to be implemented and operated without the need for significant professional services. We also offer various training programs as part of our subscriptions to all of our customers. In addition, we leverage the insights drawn from our customers to further improve the functionality of our IT, security and compliance solutions. Our mission is to ensure customer satisfaction and play a critical role in retaining and expanding our customer base.
Research and Development and Operations
We devote significant resources to maintain, enhance and add new functionality to our cloud platform and the integrated suite of solutions that we offer. Our development organization consists of agile engineering teams with substantial security expertise in specific areas of our solutions. In addition to our development teams, we also built a sophisticated research team focused on identifying threats and developing signatures for vulnerabilities and compliance checks so that we can provide our customers with daily updates and enable them to scan their assets for the latest threats. We conduct our research and development in the United States, France and India, which gives us access to some of the best research and engineering talent in the world. Our focus remains to attract engineering talent as we continue to add new solutions and improve existing ones.
Our development team works closely with our customers and partners to gain valuable insights into their environments and gather feedback for threat research, product development and innovations. We typically release updates to our solutions, including enhancements and new features multiple times a year, and we measure the quality of our scan results on a frequent basis in an effort to maintain the highest level of scan accuracy.
The modular architecture of our cloud platform enables our engineering teams to simultaneously work on different features, accelerating the delivery of new functionalities to customers. Our research and development team also works collaboratively with our technical support team to ensure customer satisfaction and with our sales team to accelerate the adoption of our solutions.
Shared Cloud Platform Agreements
Our shared cloud platform operations are provided by large third-party vendors and are located in the United States, Canada, Switzerland, the Netherlands, United Arab Emirates, Australia, United Kingdom, Italy, the Kingdom of Saudi Arabia and India. Our shared cloud platform agreements have varying terms through 2030.
Competition
The expanding capabilities of our IT, security and compliance solutions have enabled us to address a growing array of opportunities in the cloud IT, security and compliance market. We compete with a large and broad array of established and emerging vulnerability management vendors, compliance vendors and data security vendors in a highly fragmented and competitive environment.
We compete with large and small public companies, such as CrowdStrike, Palo Alto Networks, Rapid7, and Tenable Holdings, as well as privately held security providers including Invicti, Tanium, and Wiz (which has announced a pending acquisition by Google). We also seek to replace IT, security and compliance solutions that organizations have developed internally. As we continue to extend our cloud platform’s functionality by further developing IT, security and compliance solutions, such as Cybersecurity Asset Management, Patch Management, and Enterprise TruRisk Management, we expect to face additional competition in these new markets. Our competitors may also attempt to further expand their presence in the IT, security and compliance market and compete more directly against one or more of our solutions.
We believe that the principal competitive factors affecting our markets include product functionality, breadth of offerings, flexibility of delivery models, ease of deployment and use, total cost of ownership, scalability and performance, customer support and the extensibility of our platform. We believe that our suite of solutions generally competes favorably with respect to these factors. However, many of our primary competitors have greater name recognition, longer operating histories, more established customer relationships, larger marketing budgets and significantly greater resources than we do.
Intellectual Property
We rely on a combination of trade secrets, copyrights, patents and trademarks, as well as contractual protections, to establish and protect our intellectual property rights and protect our proprietary technology. As of December 31, 2025, we have 52 issued patents, which expire from 2029 to 2044, several pending U.S. patent applications and an exclusive license to four U.S. patents. The inbound license remains in effect until the licensed patents are no longer enforceable, unless the applicable license agreement is first terminated by us or terminated by the licensor for a breach of the agreement or if we undergo certain bankruptcy events. These exclusive licenses are subject to the licensor’s reservation of certain rights in the patents and subject to the U.S. government’s reserved rights in the technology. We have a number of registered and unregistered trademarks. We require our employees, consultants and other third parties to enter into confidentiality and proprietary rights agreements and control access to software, documentation and other proprietary information. We view our trade secrets and know-how as a significant component of our intellectual property assets, as we have spent years designing and developing our cloud platform, which we believe differentiates us from our competitors.
We expect that software and other solutions in our industry may be subject to third-party infringement claims as the number of competitors grows and the functionality of products in different industry segments overlaps. Any of these third parties might make a claim of infringement against us at any time.
Human Capital Resources
We take a holistic approach to our human capital management strategy, striving to create a culture where talented people want to come to work, develop their careers, become leaders, and make a difference for all our stakeholders and communities. Doing the right thing for our people, our communities and our environment upholds the trust of our customers, partners, employees, and stockholders, enabling us to grow our business profitably and meet the diverse needs of our constituents. As of December 31, 2025, we had 2,625 full-time employees, including 1,262 in research and development, 524 in sales and marketing, 592 in operations and customer support, and 247 in general and administrative. As of December 31, 2025, approximately 78% of our employees were located outside of the United States, with 70% of our employees located in India. None of our U.S. employees are covered by collective bargaining agreements. Employees in certain European countries and Brazil have collective bargaining arrangements at the national level. We believe our employee relations are good, and we have not experienced any work stoppages.
Compensation and Benefits
Our Competitive Compensation and Benefits Policy. We understand that providing competitive compensation and benefits plays a critical role in attracting and retaining the best available personnel. That is why we offer robust compensation and benefits to our employees, including competitive base salaries, variable pay and equity awards, and generous benefits packages. To support the health and wellness of our workforce, Qualys offers premium health coverage with minimal out-of-pocket contributions for our employees.
Corporate Governance. Qualys maintains a Compensation and Talent Committee of the Board of Directors to oversee our compensation policies, plans and benefits programs, and overall compensation philosophy. The Committee approves CEO and executive officers’ compensation plans, and reviews, approves, and administers various employee benefit plans, among other duties. As part of its ongoing review of the performance criteria and compensation of designated key executives, the Compensation and Talent Committee also meets annually with the CEO, our principal human resources executive, and any other corporate officers as it deems appropriate.
Supporting our Team and Community
Talent Development and Safety. We take a holistic approach to our social strategy, striving to create a culture where talented people want to come to work, develop their careers, become leaders, and make a difference for all our stakeholders and communities. We believe every employee makes a difference, so we empower them in their roles and support them for professional growth. We assist employees in achieving their career goals by helping them improve their skillsets and transition to increasingly challenging roles.
Diversity and Inclusion. We take pride in our cultural diversity with offices and employees all over the world. Our objective is to continue to improve our hiring, development, advancement, and retention of diverse talent and to foster an inclusive environment. In addition to having more than 50% of the executive team from underrepresented communities, we are also continuing to improve diversity among our growing workforce, with over half of our US-based employees from underrepresented communities.
Qualys searches the globe for top talent in an effort to recruit and hire diverse individuals with a variety of skills, experiences, and backgrounds. Our company holiday calendar includes events and festivals from many regions and religions, and we include diverse cultural initiatives throughout the year.
Promoting a Healthy Work-life Balance. Qualys aims to maintain a healthy work-life balance and provide resources to support our employees’ well-being. During 2022, our workforce gradually transitioned into a hybrid work schedule, which resulted in a significant portion of our workforce working either in-person on a part-time basis, or remotely. During 2025, we continued to offer this hybrid work schedule to our workforce. Our top priority remains providing support for our employees, partners, and customers.
Community Engagement. We value the communities that support our operations and have several company and employee-led initiatives to support the communities in which we operate. In 2025, our efforts were centered on advancing education, technology, local communities, and environmental initiatives. For example, we provided training, mobility solutions, and job placements for people with disabilities, established a Clinic on Wheels program and brought doctors, medicines, and essential care to areas where access is limited, partnered with nonprofit organizations to provide back-to-school backpacks and computer cyber labs to educate youth in our community, supported by a coursework developed by our own employees, and donated to food drives and holiday fundraisers to support local families in need, among other initiatives. Our employees further participated in environmental initiatives such as World Environment Day that encourage awareness and action for the protection of the environment, in addition to taking part in local clean-up activities across the world.
Training and Development
Employee Training. We require our employees and managers to participate in myriad training programs directed at maintaining a harassment-free, diverse, and secure workplace. With our diverse employee population, we uphold the rights to work in an environment that promotes equal opportunity and prohibits discriminatory practices against race, color, national origin, ancestry, medical condition, religious creed (including religious dress and grooming practices), marital status, registered domestic partner status, sex, sexual orientation, gender identity and expression, genetic characteristics and information, age, veteran status, or any other protected characteristic. Creating a respectful workplace and preventing harassment to our employees remain our on-going commitment.
Employee Development. Investing in employees is critical to our success. Qualys employees participate in an onboarding program to integrate new hires into role-specific functions and company culture. Qualys offers managers and employees various training courses as needed. To support career growth inside and outside Qualys, we offer free self-paced and instructor-led certified training on core Qualys topics, giving employees and non-employees an opportunity to achieve certifications and job-related courses free of charge.
To allow for open dialogue between employees and managers, we conduct formal employee reviews each year. Corrective action plans are developed for employees who may be struggling to meet their job responsibilities. Employee performance is considered during compensation reviews. In addition to formal reviews, our Human Resources team regularly meets with managers to check in with teams and conducts exit interviews globally.
Sustainable Business Operations
Our Sustainable Solutions. Qualys products, delivered via our multi-tenant cloud platform, enable improved environmental sustainability for our customers. In particular, our cloud-based solutions minimize the number of physical servers our customers have to deploy within their own environments, reducing energy consumption on their end. Qualys Cloud Apps, delivering rich content and dashboards visible on any device, also reduce paper and printing costs for our customers.
Our Eco-Friendly Operations. Our environmental, health and safety systems, processes and tools in place across our footprint enable Qualys to meet or exceed governmental and industry requirements. We strive to consistently improve how we operate our platforms in energy-efficient networks and data centers as well as pursue sustainability initiatives that reduce energy, waste and materials consumption. We have 15 multi-tenant platforms across the world, six of which are in collocated facilities. The others are hosted in public cloud environments. Though data centers are inherently energy-intensive, utilizing collocated facilities allows us to leverage economies of scale for power and cooling. In addition, most of our third-party providers continue to advance their own sustainability programs to reduce their environmental impact.
Environmental Standards Within Supply Chain. We are committed to advancing supply chain responsibility and strive to enhance transparency and promote greater accountability in our own operations and with our suppliers. Qualys outsources product manufacturing and recycling to suppliers and vendors that follow the highest environmental standards in the industry, such as ISO 14001. We also seek to prohibit our suppliers from profiting from the sale of tantalum, tin, tungsten, and gold (also known as “conflict minerals”) that funds conflict in the Democratic Republic of the Congo (DRC) and adjoining countries, and we seek to require that our suppliers source these minerals from socially responsible suppliers.
Available Information
Our principal executive offices are located at 919 E. Hillsdale Blvd., 4th Floor, Foster City, California 94404. The telephone number of our principal executive offices is (650) 801-6100, and our main corporate website is www.qualys.com. Information contained on, or that can be accessed through, our website, does not constitute part of this Annual Report on Form 10-K and inclusion of our website address in this Annual Report on Form 10-K is an inactive textual reference only.
We make available our Annual Reports on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and amendments to those reports filed or furnished pursuant to Section 13(a) or Section 15(d) of the Securities Exchange Act of 1934, as amended, free of charge on our website, www.qualys.com as soon as reasonably practicable after they are electronically filed with or furnished to the SEC. Additionally, copies of materials filed by us with the SEC may be accessed at the SEC's website, www.sec.gov.