Cloud-native security platform providing vulnerability management, compliance scanning, and risk-based prioritization across hybrid environments.
# Qualys
Qualys is a cloud-based security and compliance platform that centralizes vulnerability management, policy compliance, web application scanning, and asset inventory across hybrid enterprise environments. It exists because security teams managing thousands of assets across on-premises networks, cloud workloads, and remote endpoints cannot maintain accurate, real-time visibility using manual methods or siloed point tools. Qualys solves the problem of fragmented asset knowledge by delivering a single, continuously updated dataset of what an organization owns, how it is configured, and where it is exposed. Founded in 1999, it was among the first vendors to deliver vulnerability management as a SaaS offering, removing the need for organizations to build and maintain their own scanning infrastructure. That architectural decision remains central to how the platform operates today.
---
Qualys is a multi-application cloud security platform delivered entirely as SaaS. Its core function is external and internal vulnerability assessment, but the platform extends well beyond simple scanning. The Qualys Cloud Platform hosts more than twenty discrete security and compliance applications, including Vulnerability Management Detection and Response (VMDR), Policy Compliance, Web Application Scanning (WAS), Security Configuration Assessment (SCA), Container Security, Cloud Security Posture Management (CSPM), and Certificate Assessment. All applications share a unified data lake, meaning asset data collected for vulnerability management is the same dataset queried for compliance reporting and risk scoring.
Qualys is not a Security Information and Event Management (SIEM) system. It does not process log streams or correlate security events in real time. It is also not a penetration testing tool. While its scanners identify vulnerabilities and misconfigurations, they do not exploit them or simulate attacker behavior in a chain of steps. It is distinct from endpoint detection and response (EDR) platforms because it does not monitor process behavior or provide incident containment capabilities.
Qualys should also not be confused with agent-based endpoint security suites. The Qualys Cloud Agent is lightweight and purpose-built for asset inventory and vulnerability data collection. It does not provide threat detection, behavioral analysis, or response actions.
The platform operates in three deployment modes: network scanner appliances (physical or virtual), the Qualys Cloud Agent installed on individual endpoints, and agentless API-based connectors for cloud platforms such as AWS, Azure, and Google Cloud. These modes can run simultaneously in the same environment, and Qualys merges the results into unified asset records, eliminating duplicates.
---
Qualys operates through three primary data collection mechanisms that feed a central cloud processing engine. Understanding each mechanism, and how they interact, clarifies both the platform's strengths and its configuration requirements.
## Scanner Appliances
Qualys virtual scanner appliances are deployed inside network segments as virtual machines or physical hardware. Each appliance connects outbound to the Qualys Cloud Platform over HTTPS on port 443. The appliance receives scan job instructions from the cloud, executes the scan internally, and returns results to the cloud for processing. This design means no inbound firewall ports need to be opened for scanner communication. Authenticated scans require credentials stored in Qualys's secure credential vault. The scanner uses these credentials to log in to target systems via SSH, WMI, or SNMP, enumerate installed software and patches, read registry values, and check configuration settings. Unauthenticated scans identify open ports and running services but cannot confirm patch states or configuration compliance.
A concrete example: a security team wants to assess patch status across four hundred Windows servers in a data center. They deploy a virtual scanner appliance in the data center VLAN and configure Windows credentials in the Qualys vault. They define an asset group containing the server IP range and launch an authenticated vulnerability scan. The scanner connects to each server, reads the patch registry, and identifies missing patches with known CVEs. Within hours, the Qualys Cloud Platform processes results, correlates CVEs with threat intelligence feeds, and produces a prioritized list ranked by TruRisk score. The security team exports a report filtered to critical and high severity findings and sends it to the server operations team for patching.
## Cloud Agent
The Qualys Cloud Agent is a small software installation (typically under 100 MB of memory footprint) deployed on Windows, Linux, or macOS endpoints. It collects asset inventory and vulnerability data continuously, rather than on a scheduled scan cycle. The agent sends data directly to the Qualys Cloud Platform without requiring network scanner access to the endpoint's subnet. This makes it essential for remote workers, laptops that rarely connect to the corporate network, and cloud virtual machines that spin up and down dynamically.
The agent also enables faster detection. Because it runs continuously, a new vulnerability published today can be assessed against all agent-managed endpoints within hours of a new QID (Qualys Vulnerability ID) being released, without waiting for the next scheduled scan window.
## Cloud Connectors and CSPM
For cloud environments, Qualys connects via read-only API access to cloud provider APIs. In AWS, this means configuring an IAM role with specific read permissions. Qualys then inventories all resources in the account, checks them against configuration benchmarks such as the CIS AWS Foundations Benchmark, and identifies misconfigurations such as publicly exposed S3 buckets, overly permissive security groups, or logging not enabled on CloudTrail.
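The following is an added example, not Qualys or CDA code, of the kind of benchmark check a connector runs once it has read-only inventory access. The inventory records are constructed and deliberately simplified (they are not the shape of any provider API response); the three checks mirror the misconfigurations named above, with the admin-port rule following the CIS AWS Foundations control on world-open remote administration ports.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed, simplified inventory records evaluated against three
# benchmark-style checks. The real connector evaluates live read-only API
# data; here the data is embedded so the checks run offline.

ADMIN_PORTS = {22, 3389}                 # remote administration ports (CIS AWS Foundations)
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}      # "anyone on the internet" sources


@dataclass
class S3Bucket:
    name: str
    public_access_blocked: bool          # Block Public Access setting in effect
    acl_grants_all_users: bool           # ACL grants read to AllUsers/AuthenticatedUsers


@dataclass
class SecurityGroup:
    group_id: str
    ingress: List[Tuple[str, int, str]]  # (protocol, port, source CIDR)


@dataclass
class CloudTrail:
    name: str
    is_logging: bool
    multi_region: bool


def check_buckets(buckets: List[S3Bucket]) -> List[str]:
    """A bucket is exposed only when the ACL is public AND nothing blocks it."""
    return [f"S3 bucket {b.name}: public ACL grant with Block Public Access off"
            for b in buckets if b.acl_grants_all_users and not b.public_access_blocked]


def check_security_groups(groups: List[SecurityGroup]) -> List[str]:
    """Flag remote-admin ports reachable from the whole internet; 443 is expected to be open."""
    findings = []
    for g in groups:
        for proto, port, cidr in g.ingress:
            if cidr in WORLD_CIDRS and port in ADMIN_PORTS:
                findings.append(f"Security group {g.group_id}: {proto}/{port} open to {cidr}")
    return findings


def check_cloudtrail(trails: List[CloudTrail]) -> List[str]:
    """Logging must be on, and at least one logging trail must cover all regions."""
    findings = []
    if not any(t.is_logging for t in trails):
        findings.append("CloudTrail: no trail is currently logging")
    if not any(t.is_logging and t.multi_region for t in trails):
        findings.append("CloudTrail: no logging trail covers all regions")
    return findings


def evaluate(buckets, groups, trails) -> List[str]:
    return check_buckets(buckets) + check_security_groups(groups) + check_cloudtrail(trails)


# Constructed sample account: one exposed bucket, one world-open SSH rule, one stopped trail.
SAMPLE_BUCKETS = [
    S3Bucket("cda-example-public-assets", public_access_blocked=False, acl_grants_all_users=True),
    S3Bucket("cda-example-private-data", public_access_blocked=True, acl_grants_all_users=False),
]
SAMPLE_GROUPS = [
    SecurityGroup("sg-0example1", [("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "0.0.0.0/0")]),
    SecurityGroup("sg-0example2", [("tcp", 22, "10.0.0.0/8")]),
]
SAMPLE_TRAILS = [CloudTrail("example-trail", is_logging=False, multi_region=True)]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_BUCKETS, SAMPLE_GROUPS, SAMPLE_TRAILS):
        print(line)
```

The second security group is not flagged: SSH restricted to an internal range is a legitimate configuration, and a check that cannot tell the two apart produces the alert fatigue the platform is meant to reduce.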
## TruRisk Scoring and Prioritization
Raw vulnerability counts without context produce alert fatigue. Qualys addresses this with the TruRisk score, a composite metric that weighs four inputs: the CVSS score of the vulnerability, the criticality of the affected asset (defined by the asset tag configuration), real-time threat intelligence indicating whether the vulnerability is actively exploited in the wild, and the presence of compensating controls. A critical CVSS vulnerability on an isolated test server with no known active exploitation may score lower than a medium CVSS vulnerability on an internet-facing server that has a published exploit and active threat activity. This forces prioritization toward the highest actual risk rather than theoretical severity.
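To make the inversion described above concrete, here is an added, illustrative risk model that combines the same four inputs. It is not Qualys's proprietary TruRisk formula, and the weights, the 0 to 1000 range, and the QID values are assumptions chosen for the demonstration; the point is that a medium CVSS finding on a critical, actively exploited asset outranks a critical CVSS finding on an isolated, mitigated one.

```python
from dataclasses import dataclass
from typing import List

# Added, illustrative risk model. NOT Qualys's TruRisk formula; it only combines
# the four inputs the text names (CVSS, asset criticality, active exploitation,
# compensating controls) with assumed weights.


@dataclass
class Finding:
    asset: str
    qid: int                    # hypothetical QID, used only as a label
    cvss: float                 # CVSS base score, 0.0 to 10.0
    asset_criticality: int      # 1 (low) to 5 (maximum), from asset tags
    exploited_in_wild: bool     # threat-intel flag: active exploitation observed
    compensating_controls: int  # count of effective mitigations (isolation, WAF, ...)


def risk_score(f: Finding) -> float:
    """Composite 0-1000 score (assumed weights, chosen for illustration)."""
    base = f.cvss * 10.0                                   # 0-100 from CVSS alone
    criticality_factor = f.asset_criticality / 5.0         # 0.2-1.0 from asset tags
    exploit_factor = 1.5 if f.exploited_in_wild else 1.0   # boost for active exploitation
    # Each compensating control removes a quarter of the remaining exposure, but
    # never below 25%: a control is never treated as equivalent to a fix.
    control_factor = max(0.25, 1.0 - 0.25 * f.compensating_controls)
    score = base * criticality_factor * exploit_factor * control_factor * 10.0
    return round(min(score, 1000.0), 1)


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Highest composite risk first; raw CVSS only breaks ties."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)


# Constructed findings reproducing the scenario in the text.
ISOLATED_TEST_SERVER = Finding("test-db-01", 999001, cvss=9.8, asset_criticality=1,
                               exploited_in_wild=False, compensating_controls=2)
INTERNET_FACING_SERVER = Finding("www-auth-01", 999002, cvss=5.5, asset_criticality=5,
                                 exploited_in_wild=True, compensating_controls=0)

if __name__ == "__main__":
    for f in prioritise([ISOLATED_TEST_SERVER, INTERNET_FACING_SERVER]):
        print(f"{f.asset:12} CVSS {f.cvss:4}  risk {risk_score(f):6}")
```

Sorting by CVSS alone would put the test database first; sorting by the composite score puts the internet-facing authentication server first, which is the ordering a remediation queue should follow.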
## VMDR Workflow
Qualys VMDR integrates four steps into a single workflow: asset discovery (knowing what exists), vulnerability assessment (knowing what is vulnerable), threat prioritization (knowing what to fix first), and response (patching directly through the Qualys Patch Management module or via integration with third-party patching tools). This workflow closes the loop between detection and remediation, which is the most common failure point in vulnerability management programs at scale.
## API and Integrations
The Qualys API supports REST and legacy XML-based calls. Security operations teams use the API to pull vulnerability data into ServiceNow for ticket creation, push asset data into CMDBs, or feed prioritized findings into SOAR platforms for automated remediation workflows. The API is essential in mature programs where manual portal interaction does not scale to tens of thousands of assets.
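As an added example (not Qualys's own client library or any ServiceNow integration code), the block below shows the shape of the pull-and-route step: call the VM host detection endpoint of the Qualys XML API (v2), parse the host and detection elements, keep only confirmed, unfixed findings at severity 4 and 5, and turn each into a ticket payload. The XML response is a constructed sample with hypothetical QIDs and hosts; the ServiceNow field names, the severity-to-urgency mapping, and the platform URL (which differs per subscription) are assumptions.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List

# Added example. Platform URL varies by subscription; this is an assumption.
QUALYS_API = "https://qualysapi.qualys.com"


def fetch_host_detections(username: str, password: str) -> bytes:
    """Call the VM host detection list API and return the raw XML body.
    Shown for completeness; not exercised offline."""
    req = urllib.request.Request(f"{QUALYS_API}/api/2.0/fo/asset/host/vm/detection/",
                                 data=b"action=list", method="POST")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("X-Requested-With", "cda-integration-example")  # header the API requires
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=120) as resp:
        return resp.read()


def parse_detections(xml_body: bytes) -> List[Dict]:
    """Flatten HOST/DETECTION_LIST/DETECTION elements into one record per finding."""
    root = ET.fromstring(xml_body)
    findings = []
    for host in root.iter("HOST"):
        host_id, ip, dns = host.findtext("ID"), host.findtext("IP"), host.findtext("DNS", default="")
        for det in host.iter("DETECTION"):
            findings.append({
                "host_id": host_id, "ip": ip, "dns": dns,
                "qid": int(det.findtext("QID")),
                "type": det.findtext("TYPE"),            # Confirmed / Potential / Info
                "severity": int(det.findtext("SEVERITY")),
                "status": det.findtext("STATUS"),        # New / Active / Re-Opened / Fixed
                "first_found": det.findtext("FIRST_FOUND_DATETIME"),
                "last_found": det.findtext("LAST_FOUND_DATETIME"),
            })
    return findings


def actionable(findings: List[Dict], min_severity: int = 4) -> List[Dict]:
    """Route only confirmed, still-open findings at or above the severity floor."""
    return [f for f in findings
            if f["status"] != "Fixed" and f["type"] == "Confirmed" and f["severity"] >= min_severity]


def to_servicenow_incident(f: Dict) -> Dict:
    """Ticket payload; field names and urgency mapping are assumptions."""
    urgency = {5: "1", 4: "2"}.get(f["severity"], "3")
    target = f["dns"] or f["ip"]
    return {
        "short_description": f"Qualys QID {f['qid']} (severity {f['severity']}) on {target}",
        "description": f"Host {f['host_id']} ({f['ip']}), first found {f['first_found']}, status {f['status']}",
        "urgency": urgency,
        # Stable key so re-pulls update the existing ticket instead of opening a duplicate.
        "correlation_id": f"qualys:{f['host_id']}:{f['qid']}",
    }


# Constructed sample response: hypothetical host IDs, IPs and QIDs.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8" ?>
<HOST_LIST_VM_DETECTION_OUTPUT><RESPONSE><HOST_LIST>
 <HOST><ID>1001</ID><IP>10.0.0.5</IP><DNS>srv01.example.internal</DNS><DETECTION_LIST>
  <DETECTION><QID>999001</QID><TYPE>Confirmed</TYPE><SEVERITY>5</SEVERITY><STATUS>Active</STATUS>
   <FIRST_FOUND_DATETIME>2024-05-20T03:14:00Z</FIRST_FOUND_DATETIME><LAST_FOUND_DATETIME>2024-06-01T03:10:00Z</LAST_FOUND_DATETIME></DETECTION>
  <DETECTION><QID>999002</QID><TYPE>Confirmed</TYPE><SEVERITY>2</SEVERITY><STATUS>Active</STATUS>
   <FIRST_FOUND_DATETIME>2024-05-20T03:14:00Z</FIRST_FOUND_DATETIME><LAST_FOUND_DATETIME>2024-06-01T03:10:00Z</LAST_FOUND_DATETIME></DETECTION>
 </DETECTION_LIST></HOST>
 <HOST><ID>1002</ID><IP>10.0.0.6</IP><DETECTION_LIST>
  <DETECTION><QID>999003</QID><TYPE>Confirmed</TYPE><SEVERITY>4</SEVERITY><STATUS>Fixed</STATUS>
   <FIRST_FOUND_DATETIME>2024-04-02T01:00:00Z</FIRST_FOUND_DATETIME><LAST_FOUND_DATETIME>2024-05-15T01:00:00Z</LAST_FOUND_DATETIME></DETECTION>
  <DETECTION><QID>999004</QID><TYPE>Potential</TYPE><SEVERITY>4</SEVERITY><STATUS>New</STATUS>
   <FIRST_FOUND_DATETIME>2024-06-01T01:00:00Z</FIRST_FOUND_DATETIME><LAST_FOUND_DATETIME>2024-06-01T01:00:00Z</LAST_FOUND_DATETIME></DETECTION>
  <DETECTION><QID>999005</QID><TYPE>Confirmed</TYPE><SEVERITY>4</SEVERITY><STATUS>Re-Opened</STATUS>
   <FIRST_FOUND_DATETIME>2024-03-10T01:00:00Z</FIRST_FOUND_DATETIME><LAST_FOUND_DATETIME>2024-06-01T01:00:00Z</LAST_FOUND_DATETIME></DETECTION>
 </DETECTION_LIST></HOST>
</HOST_LIST></RESPONSE></HOST_LIST_VM_DETECTION_OUTPUT>"""

if __name__ == "__main__":
    for f in actionable(parse_detections(SAMPLE_XML)):
        print(to_servicenow_incident(f))
```

The correlation key matters more than it looks: a detection that is still open on the next pull must update the ticket it already has, or the ticket queue fills with duplicates and owners stop reading it.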
---
Organizations that lack continuous, authenticated vulnerability scanning operate with a critical blind spot. They may have a general sense of their infrastructure but cannot answer the fundamental operational question: which of our assets has an unpatched vulnerability that an attacker can exploit right now?
Without a platform like Qualys, security teams rely on periodic manual scans, vendor patch bulletins read by system owners inconsistently, or compliance-driven annual assessments that are outdated the moment they complete. The gap between when a vulnerability is disclosed and when an attacker uses it in active exploitation has shortened significantly over the past decade. Vulnerability scanning is not a quarterly activity. It is a continuous operational requirement.
The consequences of insufficient vulnerability management are well documented. The 2017 Equifax breach, which exposed personal data of approximately 147 million individuals, resulted from an unpatched Apache Struts vulnerability (CVE-2017-5638). The vulnerability had a patch available. Equifax's scanning processes did not detect the vulnerable system before attackers did. The breach cost Equifax over 1.38 billion dollars in settlements, remediation, and legal fees, and it permanently damaged the company's reputation. The failure was not exotic. It was a missed patch on a known, highly critical vulnerability with a publicly available exploit.
A common misconception about vulnerability management platforms is that deploying the tool solves the problem. The tool creates visibility. Visibility without process, accountability, and remediation SLAs does not reduce risk. Organizations frequently deploy Qualys, generate detailed reports, and then fail to act on the findings within any defined timeframe. The platform's value is only realized when findings are routed to responsible owners with deadlines and tracked to closure.
A second misconception is that unauthenticated scanning provides sufficient coverage. Unauthenticated scans identify open ports and visible services but cannot assess patch levels or configuration compliance. Organizations that run only unauthenticated scans dramatically undercount their actual vulnerability exposure.
Qualys also matters at the regulatory compliance level. PCI DSS Requirement 11.3 mandates quarterly external and internal vulnerability scans and annual penetration tests. HIPAA Security Rule administrative safeguards require organizations to regularly evaluate technical vulnerabilities. Qualys's Policy Compliance module maps scan findings directly to these regulatory frameworks, producing compliance evidence that satisfies auditors and regulators.
---
CDA approaches Qualys within the Vulnerability Surface Domain (VSD) of the Planetary Defense Model (PDM), under the Continuous Surface Reduction (CSR) methodology. The governing principle is direct: every surface you expose is a surface we eliminate. Qualys is the primary instrumentation layer for that work.
In CDA engagements, Qualys is not deployed as a reporting tool. It is deployed as an operational sensor that feeds a continuous reduction cycle. The distinction matters. Many organizations run Qualys and produce monthly reports that sit in a folder. CDA integrates Qualys output directly into a tracked remediation queue with owner assignment, SLA enforcement, and exception governance.
CDA's implementation approach begins with asset completeness. A vulnerability program is only as good as its asset inventory. CDA runs an asset discovery sweep before any vulnerability scanning begins, reconciling Qualys asset data against CMDB records, DNS, and cloud provider inventories. Assets not in Qualys are a blind spot by definition. Closing that gap is the first operational priority.
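The reconciliation step can be expressed as a set comparison. The block below is an added example, not CDA's tooling: each source (CMDB, DNS, cloud inventory) is reduced to the hostnames and IPs it knows, and a record counts as covered if any of its identifiers matches the Qualys asset list. All four inventories are constructed samples, and the record field names are assumptions.

```python
from typing import Dict, Iterable, List, Set

# Added example. Inputs are constructed inventories keyed by hostname and/or IP.


def normalise(identifier: str) -> str:
    """Lower-case, trim, and drop the trailing dot that DNS zone exports carry."""
    return identifier.strip().lower().rstrip(".")


def record_keys(record: Dict[str, str]) -> Set[str]:
    return {normalise(record[k]) for k in ("hostname", "ip") if record.get(k)}


def identities(records: Iterable[Dict[str, str]]) -> Set[str]:
    """Every hostname and IP a source knows, in one normalised key space."""
    keys: Set[str] = set()
    for r in records:
        keys |= record_keys(r)
    return keys


def uncovered(records: List[Dict[str, str]], known: Set[str]) -> List[str]:
    """Records with no identifier at all in `known`, labelled by hostname or IP."""
    return sorted(normalise(r.get("hostname") or r["ip"])
                  for r in records if not record_keys(r) & known)


def reconcile(qualys: List[Dict[str, str]], sources: Dict[str, List[Dict[str, str]]]) -> Dict:
    known_to_qualys = identities(qualys)
    known_elsewhere = identities(r for recs in sources.values() for r in recs)
    return {
        # Blind spots: known to some other system of record but never scanned.
        "missing_from_qualys": {name: uncovered(recs, known_to_qualys) for name, recs in sources.items()},
        # Known only to Qualys: candidates for decommission review, not for deletion.
        "only_in_qualys": uncovered(qualys, known_elsewhere),
    }


# Constructed sample inventories.
QUALYS = [{"hostname": "web01.example.internal", "ip": "10.0.0.5"},
          {"hostname": "db01.example.internal", "ip": "10.0.0.7"},
          {"ip": "10.0.0.20"}, {"ip": "10.0.3.3"}]
CMDB = [{"hostname": "WEB01.example.internal", "ip": "10.0.0.5"},
        {"hostname": "db01.example.internal"},
        {"hostname": "app02.example.internal", "ip": "10.0.1.9"}]
DNS = [{"hostname": "web01.example.internal."}, {"hostname": "vpn01.example.internal."},
       {"hostname": "legacy.example.internal.", "ip": "10.0.0.20"}]
CLOUD = [{"hostname": "i-0example1", "ip": "10.0.0.5"}, {"hostname": "i-0example2", "ip": "10.0.1.9"}]

if __name__ == "__main__":
    print(reconcile(QUALYS, {"cmdb": CMDB, "dns": DNS, "cloud": CLOUD}))
```

Matching on any identifier rather than requiring all of them avoids false gaps such as a CMDB entry that records only a hostname for a server Qualys tracks by both hostname and IP.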
For prioritization, CDA applies TruRisk scoring with custom asset criticality tags configured to reflect actual business impact rather than generic classifications. An internet-facing authentication server is tagged at maximum criticality. An offline backup archive is tagged low. This configuration work is where most organizations underinvest, and where CDA spends disproportionate early effort.
CDA also enforces authenticated scanning across all in-scope assets. Unauthenticated scan results are flagged as incomplete coverage, not as satisfactory baselines. In environments where credential management is a barrier, CDA works with identity teams to establish service accounts with minimum necessary privileges specifically scoped for Qualys authenticated scanning.
Within the SPH (Security Program Health) and RGA (Risk Governance and Accountability) domains, CDA uses Qualys data to produce Mean Time to Remediate (MTTR) metrics by severity tier, track SLA compliance by business unit, and report residual risk posture to executive stakeholders in terms they can act on. The goal is not a dashboard with green lights. The goal is a continuously shrinking attack surface with documented accountability for every finding that remains open.
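The three metrics named above can be computed directly from finding records that carry a first-found date and, once closed, a fixed date. The block below is an added example, not CDA's reporting code: the finding records are constructed, and the SLA targets per severity tier are assumed values, not a CDA or Qualys standard.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Added example. SLA windows per Qualys severity tier are ASSUMED for illustration.
SLA_DAYS = {5: 7, 4: 30, 3: 90}


@dataclass
class Finding:
    finding_id: str
    business_unit: str
    severity: int            # Qualys severity tier, 1-5
    first_found: date
    fixed: Optional[date]    # None while the finding is still open


def age_days(f: Finding, as_of: date) -> int:
    """Days the finding was (or has been) open, as of the reporting date."""
    return ((f.fixed or as_of) - f.first_found).days


def mttr_by_severity(findings: List[Finding]) -> Dict[int, float]:
    """Mean days from first detection to fix, over fixed findings only."""
    durations: Dict[int, List[int]] = {}
    for f in findings:
        if f.fixed is not None:
            durations.setdefault(f.severity, []).append((f.fixed - f.first_found).days)
    return {sev: round(sum(d) / len(d), 2) for sev, d in sorted(durations.items())}


def within_sla(f: Finding, as_of: date) -> bool:
    """Fixed inside the window, or still open but not yet past it."""
    return age_days(f, as_of) <= SLA_DAYS.get(f.severity, 365)


def sla_compliance_by_bu(findings: List[Finding], as_of: date) -> Dict[str, float]:
    """Percentage of each business unit's findings that are within SLA."""
    totals: Dict[str, int] = {}
    compliant: Dict[str, int] = {}
    for f in findings:
        totals[f.business_unit] = totals.get(f.business_unit, 0) + 1
        if within_sla(f, as_of):
            compliant[f.business_unit] = compliant.get(f.business_unit, 0) + 1
    return {bu: round(100.0 * compliant.get(bu, 0) / n, 1) for bu, n in sorted(totals.items())}


def open_past_sla(findings: List[Finding], as_of: date) -> List[str]:
    """The accountability list: still open and already beyond the SLA window."""
    return [f.finding_id for f in findings if f.fixed is None and not within_sla(f, as_of)]


# Constructed sample findings and reporting date.
AS_OF = date(2024, 6, 1)
SAMPLE = [
    Finding("F1", "payments", 5, date(2024, 5, 1), date(2024, 5, 4)),
    Finding("F2", "payments", 5, date(2024, 5, 10), date(2024, 5, 21)),
    Finding("F3", "payments", 4, date(2024, 4, 1), date(2024, 4, 21)),
    Finding("F4", "retail", 4, date(2024, 3, 1), None),
    Finding("F5", "retail", 4, date(2024, 4, 20), None),
    Finding("F6", "retail", 5, date(2024, 5, 28), date(2024, 5, 30)),
]

if __name__ == "__main__":
    print("MTTR by severity:", mttr_by_severity(SAMPLE))
    print("SLA compliance by BU:", sla_compliance_by_bu(SAMPLE, AS_OF))
    print("Open past SLA:", open_past_sla(SAMPLE, AS_OF))
```

Note that MTTR only counts closed findings, so a business unit that never fixes anything shows no MTTR at all; the open-past-SLA list is what exposes that case, which is why the two are reported together.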
---
Written by CDA Editorial