# Qualys

## Scope
This file covers Qualys platform architecture and design including VMDR (Vulnerability Management, Detection, and Response), Qualys Cloud Agent deployment, CyberSecurity Asset Management (CSAM), Policy Compliance (PC), Web Application Scanning (WAS), Container Security (CS), CloudView CSPM, TotalCloud CNAPP, Qualys TruRisk scoring, Qualys Gateway Service (QGS) for air-gapped environments, scanner appliance deployment models, and licensing (asset-based vs. IP-based vs. unlimited). It does not cover general vulnerability management processes; for that, see general/security.md.
## Checklist
- [Critical] Choose between agent-based and scanner-based vulnerability assessment and document the rationale — Cloud Agents provide continuous assessment without scan windows but require deployment to every asset; scanner appliances cover network-reachable assets without agent installation but only assess during scan windows
- [Critical] Deploy Qualys Cloud Agents on all endpoints and servers for continuous vulnerability visibility — scanner-only approaches miss assets that are offline during scan windows or behind NAT; agents report vulnerabilities within minutes of detection
- [Critical] Configure VMDR TruRisk scoring and use it to prioritize remediation — raw CVSS scores do not account for exploit availability, active exploitation in the wild, or asset criticality; TruRisk combines these factors into an actionable risk score
- [Critical] Size the Qualys subscription for the actual asset count, not just production servers — Cloud Agents on laptops, dev/test VMs, and cloud instances count toward licensing; underestimation causes mid-term true-ups
- [Critical] Deploy scanner appliances inside every network segment that contains assets without Cloud Agents — scanners cannot assess assets across firewalls that block scanning ports; place appliances in each VLAN/segment
- [Recommended] Integrate VMDR with the patching workflow (VMDR patch management module or third-party WSUS/SCCM/Intune) — detection without remediation creates vulnerability report fatigue; close the loop with automated or tracked patching
- [Recommended] Configure Cloud Agent activation keys with appropriate module activation — each agent can run VM, PC, EDR, FIM, and other modules; activate only required modules to manage agent resource consumption on endpoints
- [Recommended] Deploy Qualys Container Security in CI/CD pipelines to scan images before deployment — scanning only running containers misses vulnerabilities introduced at build time; shift-left with registry and pipeline scanning
- [Recommended] Configure TotalCloud or CloudView connectors for all cloud accounts (AWS, Azure, GCP) — cloud CSPM scanning requires API-level access via IAM roles/service principals; incomplete connector coverage creates blind spots
- [Recommended] Establish scan window schedules that accommodate maintenance windows and business-critical periods — authenticated scans can cause service disruption on fragile legacy systems; coordinate with application owners
- [Recommended] Enable Qualys CyberSecurity Asset Management (CSAM) for asset inventory normalization — CSAM deduplicates assets discovered by agents, scanners, and cloud connectors into a single authoritative inventory
- [Recommended] Deploy Qualys Gateway Service (QGS) for environments with restricted internet access — QGS proxies agent-to-cloud communication through a single egress point, avoiding per-host firewall rules
- [Optional] Evaluate Qualys Web Application Scanning (WAS) for DAST coverage of web applications — WAS provides authenticated and unauthenticated dynamic scanning but requires careful scope configuration to avoid scanning production during peak hours
- [Optional] Enable Qualys Policy Compliance (PC) module for CIS benchmark and STIG compliance assessment — PC maps scan results to compliance frameworks and generates audit-ready reports
- [Optional] Evaluate Qualys TotalCloud for unified CNAPP coverage — combines CSPM, CWPP, container security, and IaC scanning in a single platform with the same agent and cloud connector infrastructure
- [Optional] Configure Qualys API integration for automated reporting and ticket creation — the Qualys API v2 supports bulk data export; use it to feed vulnerability data into ServiceNow, Jira, or custom dashboards
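As an added example (not code from this page or from Qualys), the block below shows the shape of the "API to ticket" integration the last item describes: detections in the XML layout returned by the API v2 host detection endpoint are grouped into one ticket per host, keeping only confirmed, still-open findings above a severity floor. The XML is a constructed sample and its element names are assumed to follow that endpoint's output; the severity/status filter is a placeholder for whatever TruRisk-based prioritization the organization adopts.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample shaped like the API v2 host detection output
# (/api/2.0/fo/asset/host/vm/detection/). Element names are assumed
# from that output; every host, QID and address below is made up.
SAMPLE_XML = """<HOST_LIST_VM_DETECTION_OUTPUT><RESPONSE><HOST_LIST>
  <HOST><ID>1001</ID><IP>10.0.0.5</IP><DNS>web01.example.test</DNS>
    <DETECTION_LIST>
      <DETECTION><QID>91234</QID><TYPE>Confirmed</TYPE><SEVERITY>5</SEVERITY><STATUS>Active</STATUS></DETECTION>
      <DETECTION><QID>45678</QID><TYPE>Potential</TYPE><SEVERITY>5</SEVERITY><STATUS>Active</STATUS></DETECTION>
      <DETECTION><QID>38170</QID><TYPE>Confirmed</TYPE><SEVERITY>2</SEVERITY><STATUS>Active</STATUS></DETECTION>
    </DETECTION_LIST></HOST>
  <HOST><ID>1002</ID><IP>10.0.1.7</IP><DNS>db01.example.test</DNS>
    <DETECTION_LIST>
      <DETECTION><QID>91234</QID><TYPE>Confirmed</TYPE><SEVERITY>5</SEVERITY><STATUS>Fixed</STATUS></DETECTION>
      <DETECTION><QID>11111</QID><TYPE>Confirmed</TYPE><SEVERITY>4</SEVERITY><STATUS>Re-Opened</STATUS></DETECTION>
    </DETECTION_LIST></HOST>
</HOST_LIST></RESPONSE></HOST_LIST_VM_DETECTION_OUTPUT>"""

# Detection statuses that still need remediation; "Fixed" is deliberately absent.
OPEN_STATUSES = {"Active", "New", "Re-Opened"}

def parse_detections(xml_text):
    """Flatten the host/detection tree into (dns, ip, qid, type, severity, status) rows."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("HOST"):
        ip = host.findtext("IP")
        dns = host.findtext("DNS") or ip          # fall back to IP when no DNS name
        for det in host.iter("DETECTION"):
            rows.append((dns, ip, det.findtext("QID"), det.findtext("TYPE"),
                         int(det.findtext("SEVERITY")), det.findtext("STATUS")))
    return rows

def build_tickets(rows, min_severity=4):
    """One ticket per host holding confirmed, open detections at or above min_severity.
    Potential (unconfirmed) and Fixed detections are dropped so tickets carry only
    actionable findings; replace this filter with the adopted TruRisk policy."""
    per_host = defaultdict(list)
    for dns, _ip, qid, dtype, sev, status in rows:
        if dtype == "Confirmed" and status in OPEN_STATUSES and sev >= min_severity:
            per_host[dns].append({"qid": qid, "severity": sev, "status": status})
    tickets = []
    for dns, findings in sorted(per_host.items()):
        findings.sort(key=lambda f: -f["severity"])   # worst finding first
        tickets.append({"summary": f"[Qualys] {len(findings)} open sev>={min_severity} on {dns}",
                        "host": dns, "findings": findings})
    return tickets

if __name__ == "__main__":
    for t in build_tickets(parse_detections(SAMPLE_XML)):
        print(t["summary"], [f["qid"] for f in t["findings"]])
```

The ticket dictionaries are what a ServiceNow or Jira client would post; the fetch itself (Qualys session or basic auth plus the `X-Requested-With` header the API v2 requires) is left out so the block runs offline.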
## Why This Matters
Qualys is one of the longest-established vulnerability management platforms and is deeply embedded in enterprise security programs, compliance audits, and regulatory reporting. Its strength is breadth: a single platform covers vulnerability scanning, policy compliance, web application scanning, container security, and cloud security posture management. However, this breadth creates complexity in deployment architecture.
The most common failure mode is incomplete coverage. Organizations deploy scanner appliances in the data center but miss cloud workloads, remote laptops, and container environments. Cloud Agents solve the coverage problem but introduce licensing and resource management challenges. Each agent module (VM, PC, FIM, EDR) consumes CPU and memory on the endpoint; activating all modules on every agent without testing causes performance complaints and agent removal requests from application teams.
TruRisk scoring is Qualys's answer to the vulnerability prioritization problem. Organizations with tens of thousands of vulnerabilities cannot remediate all of them. CVSS alone does not distinguish between a theoretical vulnerability and one being actively exploited. TruRisk incorporates exploit maturity, active exploitation intelligence, asset criticality, and compensating controls to produce a prioritized remediation list. Organizations that do not configure TruRisk (or an equivalent prioritization framework) drown in vulnerability data without reducing actual risk.
## Common Decisions (ADR Triggers)

### ADR: Agent-Based vs. Scanner-Based Assessment
Context: Qualys supports both continuous agent-based assessment and periodic network scanner-based assessment.
Options:
| Criterion | Cloud Agent | Scanner Appliance | Hybrid (Both) |
|---|---|---|---|
| Coverage | Assets with agent installed | Network-reachable assets | Maximum coverage |
| Frequency | Continuous (4-6 hour intervals) | Scheduled (weekly/monthly) | Continuous + scheduled |
| Network impact | Minimal (agent reports out) | High during scan window | Moderate overall |
| Deployment effort | Per-asset agent install | Per-segment appliance | Both required |
| Best for | Endpoints, cloud, remote | Legacy, OT, unmanaged | Enterprise-wide |
### ADR: Qualys Module Selection
Context: Qualys offers modular licensing; each module activates additional functionality on the same agent and platform.
Decision factors: VMDR is the foundation (vulnerability detection and response); Policy Compliance adds CIS/STIG benchmarking; WAS adds web application DAST scanning; Container Security adds image and runtime scanning; TotalCloud adds CSPM/CWPP. Each module adds cost per asset. Evaluate which gaps the existing security tooling leaves and fill them with Qualys modules vs. best-of-breed alternatives.
### ADR: TotalCloud CNAPP vs. Point Solutions
Context: TotalCloud consolidates CSPM, CWPP, container security, and IaC scanning into the Qualys platform vs. using separate tools (Wiz, Prisma Cloud, etc.).
Decision factors: Existing Qualys investment and agent deployment, multi-cloud coverage requirements, team familiarity with Qualys console, depth of cloud-native features compared to cloud-native-first competitors, and contract consolidation benefits.
### ADR: Qualys Gateway Service for Restricted Networks
Context: Environments with limited internet connectivity (air-gapped, classified, regulated) need a proxy mechanism for Cloud Agent communication.
Decision factors: Number of restricted network segments, bandwidth available for agent communication, QGS high availability requirements, and whether full air-gap (on-premises Qualys Private Cloud Platform) is required instead.
## AI and GenAI Capabilities

- Qualys TruRisk AI -- Machine learning-driven risk scoring that goes beyond CVSS by incorporating exploit prediction, active threat intelligence, asset business context, and compensating control effectiveness. Automatically adjusts vulnerability priority as the threat landscape changes.
- Qualys CyberSecurity Asset Management (CSAM) AI -- Uses ML to deduplicate, normalize, and classify assets discovered across multiple data sources (agents, scanners, cloud APIs, passive network monitoring). Identifies unmanaged and shadow IT assets.
## See Also

- general/security.md -- Security architecture, hardening, compliance frameworks
- providers/wiz/cloud-security.md -- Alternative/complementary CNAPP for cloud security posture
- providers/crowdstrike/endpoint-security.md -- EDR/XDR (complementary to vulnerability management)
- general/compliance-automation.md -- Compliance automation strategies using scanning data

## Reference Links
- Qualys VMDR Documentation -- vulnerability management, TruRisk configuration, and remediation workflows
- Qualys Cloud Agent Deployment Guide -- agent installation, activation keys, module configuration, and proxy setup
- Qualys API v2 Reference -- bulk data export, asset management, and scan automation via REST API
- Qualys Container Security -- CI/CD pipeline integration, registry scanning, and runtime protection
- Qualys TotalCloud CNAPP -- unified cloud-native application protection platform overview