Q3 FY 2021 Prepared Remarks

Qualys Q3 FY2021 Earnings Prepared Remarks

Foster City, Calif., - November 3, 2021 -Qualys, Inc.(NASDAQ: QLYS), a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions, today announced financial results for the third quarter ended September 30, 2021.

Blair King, Investor Relations

Good afternoon and welcome to Qualys' third quarter 2021 earnings call.

Joining me today to discuss our results are Sumedh Thakar, our president and CEO, and Joo Mi Kim, our CFO. Before we get started, I would like to remind you that our remarks today will include forward-looking statements that generally relate to future events or our future financial or operating performance. Actual results may differ materially from these statements. Factors that could cause results to differ materially are set forth in today's press release and our filings with the SEC, including our latest Form 10-Q and 10-K. Any forward-looking statements that we make on this call are based on assumptions as of today, and we undertake no obligation to update these statements as a result of new information or future events.

During this call, we will present both GAAP and non-GAAP financial measures. A reconciliation of GAAP to non-GAAP measures is included in today's earnings press release. As a reminder, the press release, prepared remarks and investor presentation are available on the Investor Relations section of our website. With that, I'd like to turn the call over to Sumedh.

Sumedh Thakar, president and CEO

Thanks, Blair, and welcome, everyone, to our third quarter earnings call.

Continuing to build on our momentum, we are pleased to report another solid quarter of financial performance while further advancing our strategic agenda to re-accelerate growth and drive continued platform innovation.

Taking a closer look into Q3, cloud agent subscriptions grew 40% year-over-year to 70 million reflecting steady adoption of our Vulnerability Management, Detection and Response (VMDR®) solution, which is now deployed by 32% of customers worldwide.

Further validating our security solution consolidation approach and the power of a single agent, several of our top new customers not only purchased VMDR, but also made additional Qualys solutions a part of their first purchase.

Highlighting a few of these notable new wins in the quarter, a multi-national bank selected VMDR and Patch Management together to continuously detect and prioritize vulnerabilities and misconfigurations across its hybrid IT environment. The ability of the Qualys Cloud Platform to respond rapidly to remediate and patch assets that are vulnerable, or already compromised, from

1

a single platform with built-in orchestration stood out among several competing solutions. We believe this approach will help them to reduce their risk much faster than siloed point solutions.

Our newly released Cybersecurity Asset Management application received a lot of interest from customers, and we are pleased with the early momentum we are seeing. This early momentum illustrates our ability to understand our customer's evolving pain points, respond quickly with updated roadmap and accelerate our time-to-market with differentiated security solutions that help fuel our growth. A Forbes 2000 company selected VMDR along with Cybersecurity Asset Management over several competing solutions. The ability to provide comprehensive asset discovery across its infrastructure to uniquely add context for security-centric visibility, CMDB sync integration, alerting and response capabilities was a key differentiator compared to other vulnerability detection only solutions in the market.

And, to reduce the number of agents in its network and secure an increasingly remote workforce that could no longer effectively leverage on-prem solutions, a large government agency in the APAC region decided to purchase both VMDR and EDR. Our ability to provide a prioritized risk- based vulnerability and malware detection response with a single agent was a key factor in our win.

Beyond these new customer wins, several large existing enterprise customers significantly expanded their respective breadth of paid applications on our platform, further validating our platform approach.

For example, in the quarter, a Fortune 100 customer selected VMDR, Policy Compliance, Container Security and File Integrity Monitoring to cost effectively consolidate their stack of legacy enterprise security and compliance solutions with a single pane of glass view of all assets spanning on-prem, endpoint and cloud environments.

We believe that these new wins and expansions illustrate that when customers are ready to re- architect and consolidate their security stack, Qualys is the best cloud-native,multi-solution platform to meet their needs.

We are working toward having the right go-to-market motion in place, which includes a strong focus on digital marketing, winning new business, expanding our offerings with existing customers and building out our partner network. To complement our direct and channel sales initiatives with an aligned product focus on security solutions across endpoints, cloud, container, mobile and SaaS environments, we recently hired a seasoned Chief Product Officer. As I mentioned on our prior call, we also brought in a new Chief Marketing Officer to ensure we're top-of-mind as customers around the world look to consolidate their security stacks. And, to continue to improve our business processes, tools, and systems, we recently added a new CIO as well. It's great to have these experienced executives join Qualys as we continue to make investments to accelerate growth and find that right balance with profitability.

As an example of focus on enhancing our channel strategy, I'm pleased to announce that TD SYNNEX has recently selected Qualys as its North American distribution partner. TD SYNNEX is currently offering the Qualys Cloud Platform to its extensive base of resellers in the region, including our game changing VMDR solution and patch management capabilities to help customers simplify security operations and lower compliance costs.

In Q3, we released Zero-Touch Patch as an extension to our Patch Management application to

2

help IT and security teams further automate the remediation of vulnerabilities. Our automated patch management solution enables customers to set up patching in advance with pre-defined policies by leveraging the Qualys Cloud Platform to correlate and prioritize vulnerabilities while bypassing the need for IT and Security team intervention after the fact. In the current environment of rapid exploitation of vulnerabilities, this functionality changes the game in patch management with real-time remediation and significantly reduces the exposure window as well as legacy IT costs. Garnering broad industry attention, we've received positive initial feedback from customers.

Further extending our value proposition in the market of risk-based vulnerability management, we recently launched our 60-day free Ransomware Risk Assessment Service. CISOs are looking for something actionable and measurable when it comes to ransomware. Powered by VMDR and our award-winning research on curated ransomware-specific vulnerabilities, this service includes comprehensive asset inventory, prioritized vulnerability and misconfiguration detection, and remote patching of ransomware vulnerabilities in a single unified workflow along with executive dashboards, enabling enterprises to track risks in a measurable way.

We continue to evolve the capabilities of our container security solution. Recently in collaboration with Red Hat, we have containerized the Qualys Cloud Agent to extend security visibility into its operating system. Qualys is the first solution to scan Red Hat Enterprise Linux CoreOS on Red Hat OpenShift to reduce risk. Qualys Container Security delivers comprehensive visibility from the host operating system through to images and containers running on OpenShift and other container platforms.

Looking ahead, as the industry continues to move toward cloud native solutions, misconfigured resources have evolved into the number one reason for threat incidents. We're currently in beta with our Infrastructure-as-Code (IAC) assessment capabilities, which will enable customers to catch cloud security issues from the time code is written to the time it is deployed. With this extension to our Cloud Security Posture Management, CloudView solution, customers will have complete visibility into both DevOps pipeline and runtime security posture.

We look forward to our Extended Detection and Response (XDR) solution going to GA by the end of this year. XDR is our next generation security analytics and incident response application, which natively integrates and correlates asset inventory, risk-based vulnerability management, patching, EDR and FIM security telemetry with additional third-party data integration to provide high-fidelity detection and response.

We will showcase these and other new solutions at our upcoming Qualys Security Conference (QSC). I encourage you to attend this conference, which will be a four day live and virtual event from November 15th to the 18th and will have many informative product sessions as well as customer presentations. We already have over 3,000 people registered to attend. You can access the agenda and register for the conference at qualys.com/qsc/2021/las-vegas.

Big picture, our market position is strong. We're focused on executing on our immediate opportunities with prioritized Go-to-Market investments while advancing new product initiatives that create further competitive differentiation and will ultimately expand our addressable market.

With that, I'll turn the call over to Joo Mi to discuss our third quarter financial results and outlook for the fourth quarter and full year 2021.

Joo Mi Kim, Chief Financial Officer

3

Thanks, Sumedh, and good afternoon. Before I start, I'd like to note that, except for revenue, all financial figures are non-GAAP and growth rates are based on comparisons to the prior year period, unless stated otherwise.

We're pleased to report continued growth acceleration in LTM calculated current billings with another quarter of solid revenue growth and profitability as reflected in the following financial and operational highlights:

• Our quarterly revenue surpassed $100 million for the first time, growing 13% to $104.9 million. With our Q3 LTM calculated current billings growth at 16%, up from 13% in Q2, and 8% in Q1, we believe that we've crossed that growth inflection point and are on track to accelerate revenue growth;
• Paid Cloud Agent subscriptions increased to 70 million over the last twelve months, up from 64 million for the 12 months ended in Q2 2021; and
• We're excited by the continued adoption of VMDR with the total customer penetration now at 32%, up from 28% in Q2 and 12% a year ago.

Our scalable platform model continues to drive superior margins and generate significant cash flow:

• Adjusted EBITDA for the third quarter of 2021 was $50.3 million, representing a 48% margin, in line with last year;
• Non-GAAPEPS for the third quarter of 2021 was $0.86, up from $0.77 last year; and
• Our free cash flow for the third quarter of 2021 was $41.3 million, representing a 39% margin versus 52% last year; YTD free cash flow margin was 47% versus 44% for the same period last year.

In Q3, we continued to invest the cash we generated from operations back into Qualys including:

• $7.2 million on capital expenditures; and
• $31.7 million to repurchase 290 thousand of our outstanding shares. We're pleased to announce that our Board has authorized a $200 million increase to our share repurchase program, which allows us to mitigate our share dilution and drive shareholder value. Including $107 million remaining as of Q3, this provides approximately $307 million in share repurchase capacity. The weighted average diluted shares outstanding in Q3 was 39.9 million, down from 40.8 million last year

We remain confident in our business model and believe that we're well-positioned to drive growth given the traction we're seeing in the overall business. We are delighted to be raising our full year 2021 guidance for both revenues and earnings:

• We are raising the bottom and top end of our revenue guidance for the full year to now be in the range of $409.5 to $410.1 million from the prior range of $406.0 to $407.5 million;
• We are raising our full year non-GAAP EPS guidance to now be in the range of $3.16 to $3.18 from the prior range of $3.02 to $3.07; and
• For the fourth quarter, we expect revenue to be in the range of $108.1 million to $108.7 million, which represents a range of 14% to 15% growth. We expect non-

4

GAAP EPS to be in the range of $0.78 to $0.80. Q4 capital expenditures are expected to be in the range of $4 million to $5 million.

With that, Sumedh and I are happy to answer any of your questions.

Closing Remarks

Thank you all for joining us today. We believe that we are well positioned to capitalize on the move in the market towards a consolidated security platform solution. We look forward to sharing continued progress in coming quarters.

Thanks again,

Sumedh

5