By Ayushman Baruah
Nasdaq-listed cyber security company Qualys is on a fast growth trajectory, globally as well as in India, one of its fastest growing markets. In a rapidly shifting cyber landscape where attack surfaces are expanding and threats are accelerating faster than businesses can respond, Qualys is positioning itself at the intersection of technical security and business risk. Sumedh Thakar, President and CEO, Qualys talks about the company focus areas, role of AI, and cyber security trends, in this exclusive conversation with Ayushman Baruah.
What is Qualys’ USP compared with other players in the market?
Initially, when we started, vulnerability management was the key part of risk to reduce risk of an attack. Over the years, what we have evolved into is how do we tie cyber security related technical issues with the business side of it. Because, today the attack surface is too large – every machine, every computer, is an attack surface. Businesses don’t have that kind of investment in cyber security that they can fix every single thing all the time. So, the focus for us is, how do we tie the risk management from cyber security to the way the business looks at potential loss and its quantum. Because that defines how much loss they could have which in turn defines how much they will spend to reduce the loss. So instead of just trying to fix anything and everything, we focus on how do we balance it from a business perspective.
Overall, when you speak to CISOs, what are the biggest pain points that they come up with?
The biggest pain point for CISOs is regulations. Second, it is communication of what they do to the board and trying to explain to the board what they do in a way the board understands. For example, communicating to the CFO on return on investment (ROI) on cyber security. And then the third is working with the rest of the organization, the IT team, to make sure that the organization is secure and safe, because at the end, the business is mainly focusing on visibility, but if the issue is not fixed and if your users keep clicking phishing emails, then you can have a high level of breach. So, the focus really is, how do we help the CSOs have the communication with the board that talks in terms of ROI from cybersecurity. And how do we then help them make sure that they are meeting all the compliance regulations or requirements.
Where is your market spread out?
We are pretty well spread out across the world with US being the largest market contributing to about 60 per cent of our revenues. Apart from that, we have clients in Europe, APAC (mainly Singapore, India), Australia, Middle East, and now we have expanded to Africa as well.
How big is the India market and what is your focus here?
I think what we have seen in the India market in over last 10 years, is that not just private companies but even the government has significantly invested in technology as a way to uplift people out of financial exclusion and things like that. And now with artificial intelligence (AI) coming up, we see that India market has the exact same challenges that the US market has, because the technology is the same or better here. So, attackers are following the same path as they are in other parts of the world. Regulations from the Reserve Bank of India (RBI) are driving a lot of focus on cybersecurity and the government is also very focused on it because a lot of the warfare in conflict is also moving to the cyber world. The opportunity in the India market is big.
What is the role of AI and agentic AI both in the offense and defense side?
The attackers are using a lot of AI so that they can go faster. The attackers are now exploiting key vulnerabilities where the time to exploit is minus one day. What that means is attackers are using AI to exploit vulnerabilities a day before a patch is released on an average. When that is happening, as a defender, you cannot show up there with a process that is going to take two weeks to fix something after approvals and signatures. As defenders, we don’t have a choice anymore. In the next couple of years, there is going to be a major focus on automated remediation. People are afraid of remediation because they fear the system may go down. But on the other hand, attackers are attacking the system faster and faster. As part our strategy to address this, we launched AI agents as part of our platform, so customers can actually use an AI agent to triage through tons of data to find exactly what is going to be attacked by the attacker. The agent thinks like an attacker and then fixes it for you without having to wait for manual efforts.
What are the top cyber security trends you expect to see in 2026?
As we enter 2026, we are going to see CISOs increasing their cyber security focus on the business side of it – ROI, etc. Then, we are going to see a trend towards automated remediation leveraging AI. We are going to fix issues with automation, and some of the fear that people had about remediation is not going to be optional. And Qualys came up with the ability to deploy patches with our solution. In the last 12 months alone, Qualys agents have deployed 140 million matches across all our customers. Finally, automation in remediation is going to be an absolute necessity in 2026 because with AI, we don’t have a choice.