In 2025, markets decided the software industry was essentially finished. The word SaaSpocalypse started circulating. AI models, the argument went, would tear apart established business models. The Sector ETF IGV told the story in numbers: down more than 37% from its all-time high to the correction low in April, followed by a recovery of around 45%. It has since pulled back again, a sign that not all the worry has been worked through. The challenges from the AI boom are real. But there will be winners too. I already wrote about Paychex as one of them. Last week I took another look at the sector and found a second one.

Qualys (QLYS) helps companies scan their IT infrastructure for vulnerabilities, prioritize risks, and close security gaps. The core question it answers for its customers: where are we exposed, and what do we fix first? A modern company runs servers, laptops, mobile devices, and software applications by the dozens. Add hundreds or thousands of simultaneous cloud and internet connections, depending on size. Qualys scans all of it continuously with a lightweight agent sitting on every device, and ranks the vulnerabilities by severity.

The business model is straightforward: 100% SaaS, 100% subscriptions, no hardware, customers pay upfront. The client base includes more than 10,000 companies worldwide, among them banks, insurers, Cisco, Microsoft, and Oracle. Qualys is embedded in some of the most security-sensitive IT environments on the planet. Revenue and net income have grown at an average of 15% and 29% per year over the past decade. The margins are equally strong. Gross margin has exceeded 80% in recent years. Operating margin recently came in above 33%, net margin just below 30%. Competitors like Rapid7, Tenable, and CrowdStrike fall well short of those numbers and are running at a loss.

The biggest pressure comes not from AI but from consolidation in the cybersecurity market. Palo Alto Networks and CrowdStrike are building comprehensive security platforms that include vulnerability management as one function among many. A company running those platforms everywhere theoretically no longer needs a separate Qualys deployment.

But security software is among the last things a company swaps out carelessly. Qualys is deeply embedded in customer workflows: as a compliance tool, an audit instrument, a daily decision-making layer. It is also a comparatively affordable specialist solution. As long as Qualys delivers, customers will not cancel it just because a new vendor offers similar functionality, especially when switching carries its own substantial costs. Even Cisco, a direct competitor to Palo Alto in network security, runs on Qualys. That says everything.

The AI boom is, in my view, actually working in Qualys's favor. More artificial intelligence inside companies means more code, more connected systems, more attack surface. At the same time, Qualys is evolving from a pure vulnerability scanner into a broader risk management platform. A customer scanning only IT infrastructure today can tomorrow add cloud workloads, web applications, and external attack surfaces through the same platform. That grows revenue per customer without winning a single new account. That convinces me. Add a P/CF ratio of 13, well below the historical average of 24, and that holds even after a nearly 50% rally from the April low. A nearly debt-free balance sheet completes my bullish case.

Is Qualys a buy? At current prices, I consider Qualys a buy for investors who want cybersecurity exposure without paying a premium valuation. The stock trades at a price-to-cash-flow ratio of 13, well below its historical average of 24, with a net margin of nearly 30% and a nearly debt-free balance sheet. The main risk is consolidation pressure from platform providers like Palo Alto Networks and CrowdStrike, which are integrating vulnerability management into broader security suites. I consider that risk real but manageable, given Qualys's deep customer integration and comparatively low switching costs.

Disclaimer: This newsletter is for informational purposes only and does not constitute investment advice. I am not a financial advisor. Always do your own research before making any investment decision.

Disclosure: I may hold direct or indirect positions (including options) in any securities mentioned in this newsletter. My opinions are my own and always honest.