# Qualys Cloud Platform Assessment

Vendor assessment guide for Qualys Cloud Platform.
Qualys Cloud Platform is a cloud-native, agent-based and agentless vulnerability management and security posture assessment system that centralizes asset discovery, vulnerability scanning, policy compliance evaluation, and web application security testing within a single SaaS architecture. It exists because distributed enterprise environments, spanning on-premises data centers, hybrid cloud deployments, and remote endpoints, generate more attack surface than traditional point-solution scanners can cover consistently. The platform solves a specific operational problem: security teams need continuous, normalized visibility across every asset class without managing scanner appliances per segment, correlating data across disconnected tools, or tolerating scan windows that leave posture data stale between cycles.
Qualys emerged in 1999 as one of the first software-as-a-service vulnerability scanners, predating the cloud computing boom by nearly a decade. The company recognized early that traditional vulnerability scanners, which required physical appliances in each network segment, could not scale to meet the demands of distributed enterprise networks. Today, the Qualys Cloud Platform serves over 19,000 customers across 130 countries, processing vulnerability data from more than 500 million assets globally. This scale gives Qualys unique visibility into vulnerability trends, exploit patterns, and remediation effectiveness across different industry verticals.
The platform fits into the broader security ecosystem as the foundational layer for vulnerability surface management. While SIEM platforms process event streams and EDR solutions detect active threats, Qualys answers the question of what is exposed in the first place. Without this visibility, incident response teams investigate breaches of assets they did not know existed, and threat hunting exercises miss compromised systems that were never properly inventoried.
Qualys Cloud Platform operates across four functional layers: asset discovery and inventory, vulnerability assessment, prioritization and correlation, and remediation workflow integration. Each layer builds upon the previous one to create a complete vulnerability management lifecycle.
## Asset Discovery and Inventory
Discovery begins through three parallel mechanisms. The Qualys Cloud Agent is deployed to endpoints, servers, and cloud instances; once installed, it performs authenticated local scans at configurable intervals, typically every four hours by default, and transmits results to the Qualys backend over an encrypted outbound connection. No inbound firewall rules are required, which makes agent-based scanning practical for remote workforces and cloud instances in private subnets.
For assets where agent deployment is impractical, such as network infrastructure, printers, or unmanaged IoT devices, Qualys virtual scanner appliances perform credentialed and uncredentialed network scans using ICMP, TCP, and UDP discovery probes. A third mechanism, Passive Network Analysis (PNA), mirrors switch traffic to identify devices that neither accept agents nor respond predictably to active probes.
These three streams are reconciled in the Asset Management module using asset correlation logic that merges duplicate records when the same device is seen by multiple sensors. The result is a unified asset inventory with attributes including OS version, installed software, open ports, hardware specifications, cloud metadata tags, and network location.
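To make the reconciliation step concrete, here is an added example (not Qualys code, and not its actual correlation logic) of merging records from the three sensor types into one inventory. The identifiers it matches on (agent UUID, MAC address, and hostname plus IP) and the sample records are constructed assumptions; a bare IP is deliberately not treated as an identity key because DHCP and cloud address reuse would merge unrelated hosts.

```python
"""Added example (not Qualys code): reconcile asset records reported by an
agent, a network scanner and passive network analysis into one inventory.
Records sharing a strong identifier (agent UUID, MAC address) or a
hostname+IP pair are treated as one device and their attributes merged.
All records below are constructed sample data."""
from collections import defaultdict

# Constructed sample: three devices as seen by different sensors.
RAW_RECORDS = [
    {"sensor": "agent", "agent_uuid": "a1", "hostname": "web01", "ip": "10.0.1.5",
     "mac": "00:11:22:33:44:01", "os": "Ubuntu 22.04", "software": ["openssl 3.0.2"]},
    {"sensor": "scanner", "hostname": "WEB01", "ip": "10.0.1.5", "open_ports": [22, 443]},
    {"sensor": "pna", "mac": "00:11:22:33:44:01", "ip": "10.0.1.5"},
    {"sensor": "scanner", "hostname": "printer-3f", "ip": "10.0.2.9",
     "mac": "00:11:22:33:44:02", "open_ports": [9100]},
    {"sensor": "pna", "mac": "00:11:22:33:44:03", "ip": "10.0.3.7"},
]


class _DisjointSet:
    """Union-find over record indices; records joined by a shared key end in one set."""

    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]  # path halving
            i = self.parent[i]
        return i

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def _identity_keys(rec):
    """Keys strong enough to assert 'same device'. A bare IP is not one:
    DHCP and cloud address reuse would merge unrelated hosts."""
    keys = []
    if rec.get("agent_uuid"):
        keys.append(("uuid", rec["agent_uuid"]))
    if rec.get("mac"):
        keys.append(("mac", rec["mac"].lower()))
    if rec.get("hostname") and rec.get("ip"):
        keys.append(("host+ip", rec["hostname"].lower(), rec["ip"]))
    return keys


def correlate_assets(records):
    """Return one merged asset dict per physical device, sorted by IP."""
    ds = _DisjointSet(len(records))
    first_seen = {}
    for idx, rec in enumerate(records):
        for key in _identity_keys(rec):
            if key in first_seen:
                ds.union(first_seen[key], idx)
            else:
                first_seen[key] = idx

    groups = defaultdict(list)
    for idx, rec in enumerate(records):
        groups[ds.find(idx)].append(rec)

    assets = []
    for members in groups.values():
        merged = {"sensors": sorted({m["sensor"] for m in members})}
        for rec in members:
            for attr, value in rec.items():
                if attr == "sensor":
                    continue
                if isinstance(value, list):
                    # List attributes (ports, software) are unioned across sensors.
                    merged[attr] = sorted(set(merged.get(attr, [])) | set(value))
                else:
                    # Scalar attributes keep the first sensor's value.
                    merged.setdefault(attr, value)
        assets.append(merged)
    return sorted(assets, key=lambda a: a.get("ip", ""))


if __name__ == "__main__":
    for asset in correlate_assets(RAW_RECORDS):
        print(asset)
```

Running it collapses the five sensor records into three assets; the web server seen by all three sensors ends up with the agent's OS and software data plus the scanner's open ports, while the device seen only by passive analysis survives as an inventory entry with just a MAC and IP, which is exactly the class of asset the text says neither agents nor active probes would otherwise capture.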
## Vulnerability Assessment
Against each discovered asset, Qualys maps findings to a signature library of over 150,000 QIDs (Qualys vulnerability identifiers), each corresponding to a specific CVE, configuration weakness, or compliance finding. Agent-based assessments run authenticated checks locally on the host, which produces lower false-positive rates than uncredentialed network scanning because the scanner reads installed package versions directly rather than inferring them from banner responses.
For web applications, the WAS (Web Application Scanning) module performs DAST (Dynamic Application Security Testing) by crawling application endpoints and injecting test payloads to detect SQL injection, cross-site scripting, XML external entity injection, and similar classes of vulnerability. The scanner can authenticate to applications using recorded login sequences or API keys, enabling testing of authenticated application functionality that represents the majority of modern web application attack surface.
Container Security (CS) extends vulnerability assessment into containerized environments by scanning container images in registries and running containers in orchestration platforms like Kubernetes. The scanner analyzes both the base OS packages and application dependencies within containers, providing visibility into vulnerabilities that traditional host-based scanning cannot detect in immutable container deployments.
Cloud Security Posture Management (CSPM) assesses cloud infrastructure configurations against security frameworks including CIS Benchmarks, NIST, and SOC 2. This includes evaluating IAM policies, network security group configurations, storage permissions, and encryption settings across AWS, Azure, and Google Cloud Platform.
## Prioritization and Correlation
Raw vulnerability counts in large enterprises routinely exceed one million findings. Qualys addresses this through TruRisk scoring in VMDR (Vulnerability Management, Detection and Response), which combines the CVSS base score with real-time threat intelligence inputs including active exploitation status in the wild, association with known ransomware families, availability of public exploit code, and asset criticality weighting defined by the organization. The output is a prioritized queue where a CVE with a CVSS score of 7.0 but active ransomware exploitation ranks above a CVSS 9.8 vulnerability in a lab asset with no public exploit.
Qualys TruRisk integrates threat intelligence from multiple sources, including the Qualys Research Team's analysis of exploit kits, dark web marketplace monitoring, and correlation with the CISA Known Exploited Vulnerabilities Catalog. This intelligence layer is updated continuously, meaning that a vulnerability with low initial priority can be elevated automatically when exploit code is published or when the vulnerability is incorporated into active attack campaigns.
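The following is an added example, not the TruRisk algorithm itself: a simplified scoring model that applies the same kinds of inputs the two paragraphs above list (CVSS base score, exploitation in the wild, ransomware association, public exploit availability, organization-defined asset criticality) and reproduces the reordering described, including automatic re-elevation when the intelligence feed changes. The weights, placeholder CVE ids, hostnames and feed contents are all constructed.

```python
"""Added example, not Qualys's TruRisk algorithm: a simplified risk score
combining a CVSS base score with threat-intelligence signals and an
organization-defined asset criticality. Weights, CVE ids (placeholders),
hosts and the intelligence feed are all constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float        # CVSS base score, 0.0 to 10.0
    criticality: int   # org-defined, 1 (isolated lab) to 5 (internet-facing payment system)


# Constructed intelligence feed: which signals are currently true per CVE.
THREAT_INTEL = {
    "CVE-0000-0001": {"exploited_in_wild": True, "ransomware": True, "public_exploit": True},
    "CVE-0000-0002": {},
    "CVE-0000-0003": {"public_exploit": True},
}

# Constructed multiplicative uplift per active signal (not Qualys's weights).
SIGNAL_WEIGHTS = {"exploited_in_wild": 1.5, "ransomware": 1.4, "public_exploit": 1.2}

# Constructed sample findings.
SAMPLE_FINDINGS = [
    Finding("pay-api-01", "CVE-0000-0001", 7.0, 5),    # moderate CVSS, ransomware-exploited, critical asset
    Finding("lab-build-07", "CVE-0000-0002", 9.8, 1),  # critical CVSS, no exploit, lab asset
    Finding("vpn-gw-02", "CVE-0000-0003", 8.0, 5),
    Finding("erp-db-01", "CVE-0000-0002", 9.8, 4),
]


def risk_score(finding, intel):
    """CVSS base, scaled up by each active intel signal and down by low asset criticality."""
    score = finding.cvss
    signals = intel.get(finding.cve, {})
    for name, weight in SIGNAL_WEIGHTS.items():
        if signals.get(name):
            score *= weight
    score *= finding.criticality / 5   # criticality 1 -> x0.2, 5 -> x1.0
    return round(score, 1)


def prioritize(findings, intel):
    """Remediation queue: (asset, cve, score) tuples, highest score first."""
    scored = [(f.asset, f.cve, risk_score(f, intel)) for f in findings]
    return sorted(scored, key=lambda row: row[2], reverse=True)


def apply_intel_update(intel, cve, **signals):
    """Return a new feed with the given signals set for one CVE. The queue is
    simply recomputed against it, which is how a finding gets re-elevated
    when exploit code appears or the CVE joins an active campaign."""
    updated = {k: dict(v) for k, v in intel.items()}
    updated.setdefault(cve, {}).update(signals)
    return updated


if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS, THREAT_INTEL):
        print(row)
    later = apply_intel_update(THREAT_INTEL, "CVE-0000-0002", exploited_in_wild=True)
    print("after intel update:", prioritize(SAMPLE_FINDINGS, later))
```

With the constructed weights, the CVSS 7.0 finding on the payment API scores 17.6 and sits at the top of the queue while the CVSS 9.8 lab finding scores 2.0 and sits at the bottom; once the feed marks CVE-0000-0002 as exploited in the wild, the ERP database host carrying that CVE moves above the VPN gateway without anyone re-scanning or re-scoring by hand.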
## Remediation Workflow Integration
Qualys integrates with ITSM platforms including ServiceNow, Jira, and BMC Remedy to create remediation tickets automatically when new vulnerabilities exceed defined thresholds. A concrete scenario illustrates how this works in practice: a financial services organization running Qualys VMDR detects a critical OpenSSL vulnerability across 2,300 Linux hosts following a new CVE disclosure. The VMDR dashboard surfaces the finding within hours of agent check-in. TruRisk identifies 180 of those hosts as internet-facing payment processing servers with active exploitation observed in the wild. An automated ServiceNow ticket is created for each affected CI record with patch guidance, assigned to the server team, and given a 72-hour SLA window. The remaining 2,120 lower-priority hosts are placed in a scheduled patch cycle.
## Specialized Modules and Deployment Options
Qualys External Attack Surface Management (EASM) provides continuous discovery and assessment of internet-facing assets without requiring internal network access. EASM uses passive DNS analysis, certificate transparency logs, and active probing to identify assets that may be unknown to internal IT teams, including forgotten test environments, acquired company infrastructure, and shadow IT deployments.
For organizations in regulated industries, Qualys Policy Compliance (PC) automates compliance assessment against frameworks including PCI-DSS, HIPAA, SOX, and FISMA. PC can generate compliance reports automatically and track compliance posture over time, providing audit trail documentation for regulatory examinations.
The platform supports both cloud-hosted and private cloud deployments. Qualys Private Cloud Platform provides the same functionality as the public SaaS offering but runs within the customer's environment, addressing data sovereignty requirements and air-gapped network constraints common in government and critical infrastructure environments.
Unmanaged vulnerability exposure is the most consistent precondition for successful breach in documented incident data. The 2023 Verizon Data Breach Investigations Report found that exploitation of vulnerabilities accounted for 5% of breaches but 25% of security incidents, indicating that vulnerability exploitation attempts are common even when they do not result in confirmed breaches. The key insight is that these are vulnerabilities with published CVEs, available patches, and established mitigations. Organizations that lack continuous visibility into their asset inventory and patch state are defending against a threat category they theoretically have the tools to address.
Without a platform like Qualys, security teams face several compounding problems. Scan-window-based assessment leaves posture data stale the moment a new asset is provisioned or a configuration changes. Manual spreadsheet-based tracking of patch status does not scale beyond a few hundred assets. Siloed tools for endpoint management, web application scanning, and cloud posture generate disconnected datasets that require manual correlation to form a coherent picture. The absence of continuous assessment means that the gap between vulnerability disclosure and organization-wide awareness can stretch from days to weeks, precisely the window attackers exploit most aggressively.
A specific consequence is illustrated by the 2021 Microsoft Exchange Server exploitation campaign, in which CVE-2021-26855 and related ProxyLogon vulnerabilities were exploited at scale within hours of public disclosure. Organizations that had continuous vulnerability management and rapid asset inventory capabilities were able to identify all exposed Exchange instances and begin emergency patching within the first day. Organizations relying on periodic scan cycles or manual discovery took days longer, and post-incident analysis showed that those with slower detection-to-response timelines suffered substantially higher rates of post-exploitation activity including webshell installation and credential theft.
The business impact extends beyond breach prevention. Regulatory frameworks increasingly require continuous vulnerability management capabilities. PCI-DSS 4.0, effective in 2024, requires organizations to perform vulnerability scans at least quarterly and after any significant infrastructure changes. The European Union's NIS2 Directive mandates vulnerability management as a core requirement for critical infrastructure operators. Organizations without continuous vulnerability assessment capabilities face compliance gaps that can result in regulatory penalties and audit findings.
A common misconception is that vulnerability scanning is primarily a compliance exercise. Many organizations run scans quarterly to satisfy auditor requirements and treat the outputs as checkbox artifacts rather than operational data. This approach produces vulnerability programs that generate reports nobody acts on. The value of a platform like Qualys is not the report; it is the continuous, prioritized, workflow-integrated remediation cycle that transforms vulnerability data into measurable attack surface reduction.
The Cyber Defense Advisors Planetary Defense Model (PDM) places Qualys Cloud Platform squarely within the Vulnerability Surface Dominance (VSD) domain, with secondary application in Security Posture and Hygiene (SPH). CDA's methodology within VSD is Continuous Surface Reduction (CSR), expressed operationally as: every surface you expose is a surface we eliminate. This is not a theoretical aspiration; it is a measurable program construct.
When CDA conducts a Qualys deployment engagement, the starting point is not the Qualys configuration console. It is the asset taxonomy. CDA maps every asset class the organization operates, including cloud instances, on-premises servers, endpoints, OT/ICS systems where applicable, and internet-facing web applications, and defines the criticality weighting schema before a single agent is deployed. This ensures that TruRisk scores reflect organizational reality rather than generic CVSS severity, which is the most common failure mode in Qualys deployments CDA inherits from prior consultancies.
CDA differentiates from standard Qualys implementations in three specific ways. First, CDA integrates CSAM (CyberSecurity Asset Management) and EASM from the outset, treating external attack surface and internal inventory as a unified problem. Many organizations run VMDR in isolation and are surprised to discover assets the internal scanner cannot reach that are visible from the internet. Second, CDA establishes remediation SLA compliance tracking as a program metric rather than a peripheral report. The question is not "how many vulnerabilities do we have?" but "what percentage of critical findings are closed within SLA, and where does the SLA breach consistently occur?" Third, CDA conducts quarterly posture reviews where the vulnerability data is correlated against threat intelligence relevant to the organization's vertical, identifying which vulnerability classes in the current inventory are actively being weaponized against peer organizations.
The CSR methodology means CDA is not satisfied with a vulnerability program that identifies findings. The program is complete only when the remediation cycle is measurably reducing total exposed surface on a month-over-month basis, with documented SLA performance and trend data that can be presented to executive stakeholders. CDA tracks vulnerability surface reduction as a key performance indicator, measuring not just the number of vulnerabilities found but the rate at which the total exploitable surface area decreases over time.
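As an added example (not Qualys, ServiceNow or CDA code) covering both the ticketing scenario in the Remediation Workflow Integration section and the SLA-compliance and surface-reduction metrics described just above: threshold-based ticket creation with a 72-hour SLA, SLA compliance by team with breaches attributed to where they occur, and month-over-month change in open critical findings. Hosts, teams, timestamps and monthly counts are constructed.

```python
"""Added example (not Qualys, ServiceNow or CDA code): route findings above
an emergency threshold into SLA-bound tickets, the rest into a scheduled
patch cycle, then compute SLA compliance by team and month-over-month
surface reduction. Hosts, teams, timestamps and counts are constructed."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: hosts affected by one CVE, already tagged by prioritization.
FINDINGS = [
    {"host": "pay-web-01", "team": "server", "internet_facing": True, "exploited_in_wild": True},
    {"host": "pay-web-02", "team": "server", "internet_facing": True, "exploited_in_wild": True},
    {"host": "build-14", "team": "devops", "internet_facing": False, "exploited_in_wild": True},
    {"host": "hr-app-03", "team": "apps", "internet_facing": True, "exploited_in_wild": False},
]

DETECTED_AT = datetime(2024, 3, 1, 9, 0)   # constructed agent check-in time

# Constructed monthly counts of open critical findings across the estate.
MONTHLY_OPEN_CRITICAL = {"2024-01": 1200, "2024-02": 960, "2024-03": 840}


def route_findings(findings, detected_at, sla_hours=72):
    """Ticket every internet-facing host with active exploitation; everything
    else goes to the scheduled patch cycle."""
    tickets, patch_cycle = [], []
    for f in findings:
        if f["internet_facing"] and f["exploited_in_wild"]:
            tickets.append({"host": f["host"], "team": f["team"], "opened": detected_at,
                            "due": detected_at + timedelta(hours=sla_hours), "closed": None})
        else:
            patch_cycle.append(f["host"])
    return tickets, patch_cycle


def sla_compliance(tickets, now):
    """Percent of resolved-or-overdue tickets closed within SLA, and breaches per
    team. A ticket still open past its due date is already a breach; an open
    ticket inside its window is not yet counted either way."""
    within, breaches = 0, Counter()
    for t in tickets:
        if t["closed"] is not None and t["closed"] <= t["due"]:
            within += 1
        elif t["closed"] is not None or now > t["due"]:
            breaches[t["team"]] += 1
    counted = within + sum(breaches.values())
    pct = round(100 * within / counted, 1) if counted else None
    return pct, dict(breaches)


def surface_reduction(monthly_open):
    """Month-over-month % change in open critical findings; negative means reduction."""
    months = sorted(monthly_open)
    return {later: round(100 * (monthly_open[later] - monthly_open[earlier]) / monthly_open[earlier], 1)
            for earlier, later in zip(months, months[1:])}


def run_demo():
    """Walk the scenario: ticket, close one on time, leave one to breach, report."""
    tickets, patch_cycle = route_findings(FINDINGS, DETECTED_AT)
    tickets[0]["closed"] = DETECTED_AT + timedelta(hours=20)   # patched within SLA
    now = DETECTED_AT + timedelta(hours=100)                    # second ticket is 28h overdue
    pct, breaches = sla_compliance(tickets, now)
    return {
        "ticketed": [t["host"] for t in tickets],
        "patch_cycle": patch_cycle,
        "sla_hours": (tickets[0]["due"] - tickets[0]["opened"]).total_seconds() / 3600,
        "sla_pct": pct,
        "breaches": breaches,
        "reduction": surface_reduction(MONTHLY_OPEN_CRITICAL),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The demo opens tickets only for the two internet-facing, actively exploited hosts and sends the other two to the patch cycle; with one ticket closed at 20 hours and the other still open at 100 hours, SLA compliance is 50% and the breach is attributed to the server team, which is the "where does the breach consistently occur" view the metric is meant to give. The constructed monthly series shows a 20% and then 12.5% reduction in open critical findings, the month-over-month trend the CSR program reports to stakeholders.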
Written by CDA Editorial