Potential is a tricky thing. There's no question that significant growth potential can fuel the valuation on software stocks like Qualys (NASDAQ:QLYS), but failure to execute on that potential can bring about sharp corrections and high levels of volatility. Qualys has had its challenges on the execution front over the years, but the roughly 35% increase in the share price over the last year leads me to think that investors are back to focusing on the potential, as the company looks to leverage sizable ongoing cross-selling opportunities, new product launches, and an improved go-to-market strategy.
While the opportunity is there, at least in terms of dollar volume of addressable market, I think a 5x EV/revenue multiple on 2017 is an ample reflection of that opportunity, particularly for a company that has had something less than a history of seamless execution. While the company's SaaS approach has its advantages and the Internet of Things (or IoT) is a credible opportunity, the valuation is a challenge for a company that I don't see as bringing game-changing technology into the security space.
Securing The Perimeter
Larger companies in the security space like Check Point (NASDAQ:CHKP) and Palo Alto (NYSE:PANW) have generally focused more on markets like enterprise firewalls, intrusion prevention, malware, but there are a lot of worthwhile markets that they don't address. Qualys has been building its business primarily by providing SaaS-based solutions for vulnerability management, and particularly for perimeter devices, and growing share in a market segment that is worth around $2 billion today and growing at a double-digit rate. What's more, the total addressable market for Qualys's product suite is likely closer to $5 billion today, also growing at a double-digit rate.
Vulnerability management has always been the core business for Qualys, and it still generated about 75% of revenue in the last quarter. Vulnerability management tools scan network components (servers, workstations, devices, etc.) looking for potential openings that a hacker could exploit, like firewall ports inadvertently left open, insecure configurations, missing patches, or other flaws. A VM system will then alert system operators to potential problems, offer input into remediation, and then verify whether the remediation step(s) fixed the vulnerability. As enterprise networks are seldom static for very long, new code or configurations can introduce vulnerabilities and so it is necessary to monitor the network on an ongoing basis.
Qualys has generally been strong in the market for VM for perimeter assets (devices with access to the network and the internet), and it has a mid-to-high teens share of the market. Within the overall VM management space, though, legacy players IBM (NYSE:IBM) and Hewlett Packard Enterprise (NYSE:HPE) still have meaningful share. Rapid7 (NASDAQ:RPD) and Tenable are both up-and-comers in the market.
One of the important growth opportunities for Qualys is improving its position in vulnerability management for apps. This market is still about 10%-20% smaller than the device-based VM market, but it is growing at a high-teens to low 20s rate versus the mid-teens growth rate of the device VM market. While the specifics of this market are different (it involves scanning apps for vulnerabilities) the underlying idea and process is basically the same - look for gaps that hackers can exploit, notify the network operators, recommend solutions, and test those solutions.
Many Opportunities To Grow, But Execution Is A Risk Factor
Qualys is not just a vulnerability management solutions provider. The company has also developed tools for policy compliance that collect and analyze configuration and access control information and map it against established internal policies and regulations, as well as tools for Payment Card Industry (or PCI) compliance. Beyond this are tools for web app scanning, a web app firewall, and its Cloud Agents that create minimally intrusive agents that facilitate vulnerability scanning and compliance management in real time without slowing down the system.
Qualys continues to do a good job in its core vulnerability management market, and the 16% growth in the last quarter was likely above market growth. Growing the other parts of the business has been a slower process. The company has seen the percentage of customers using multiple Qualys products climb from 20% in 2012 to over 60%, but the company's Web App Scanning and Policy Compliance platforms have been around for close to a decade and still contribute less than 10% of revenue (each). What's more, there have been some embarrassing setbacks like the initial Web App Firewall that was launched and then pulled from the market (the company has since launched a new version with a different architecture).
Execution on the sales side has also been a challenge. The company has struggled in the past to meet its own guidance with respect to its sales force headcount (though it's unclear if that's due to recruitment, attrition, or both) and there's been an elevated level of turnover in high-level management positions. What's more, while management has said in the past that it wants to generate 70% of its revenue from channel partners (like Dell (NYSE:DVMT), Tata, and Fujitsu (OTCPK:FJTSF)), the contribution from this channel has been more or less stuck around 40%. Qualys likewise has its issues meeting previous ambitious upselling targets. None of this makes Qualys a bad business, but I believe it does argue for being a little skeptical about taking management projections and guidance at face value.
I also think there are meaningful competitive challenges to consider. The company has a slate of meaningful product releases for 2017 including file integrity monitoring, patch management, digital certificates management, passive scanning, and indication of compromise, but in many cases, I expect that the company will find itself trying to dislodge existing solutions at its large enterprise customers (or would-be customers). I'm not convinced at this point that Qualys's solutions are so dramatically better or innovative, and while I think there is a convenience argument for incorporating all of these functions into Qualys's platform, it could still be a long process of winning business and taking share.
In the short term, I expect that Qualys will continue to see pressure on margins from ongoing spending in product development and expanding its sales and marketing efforts. If these efforts can push billings growth back to 20% or more on a consistent basis, it will be money well spent, but billings growth has been erratic recently and year-over-year growth in quarterly revenue has been slowing for some time now. I'd also note that even the sell-side analysts aren't looking for a quick turnaround, as the next two quarters should see that trend of slowing growth continue.
Assuming that Qualys can eventually generate adjusted free cash flow margins in the low-to-mid 20%'s, today's valuation already seems to assume mid-teens long-term revenue growth. Qualys's addressable markets are large enough and growing fast enough to support that, but the company really has to show that it can gain traction outside its core vulnerability management market to make that plausible. At a minimum, I would argue that it doesn't leave much room for disappointment or future execution issues.
The Bottom Line
Qualys is a small player in the security space and I expect that this will remain a high-priority area for IT spending for the foreseeable future. It also, though, a very competitive market. There are a lot of competing priorities (and products) for IT security budgets, and I'm not convinced yet that Qualys can really build a diverse business that addresses multiple market opportunities. Add in the past execution stumbles and what I believe is a pretty healthy valuation today and I don't see enough appeal to go long. That said, with a slate of new products hitting the market and better recent trends in upselling, I'd be cautious about shorting as strong billing numbers could stoke the bull case and drive the shares in the short run.
This article is part of Seeking Alpha PRO. PRO members receive exclusive access to Seeking Alpha's best ideas and professional tools to fully leverage the platform.
Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours.
I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.