
Qualys Policy Compliance

Assess security configurations of IT systems throughout your network.

Next-generation cloud compliance software for continuous risk reduction and compliance with internal policies and external regulations

The solution we had in place could not scale to our growing requirements. We spent more time managing agents than in managing our compliance. Qualys was easy to use, easy to deploy and allows us to focus on what we do best, which is manage risk.

Global IT Security Manager,
Large Financing Company

Reduce risk, and comply with internal policies and external regulations quickly and easily

Qualys Policy Compliance Highlights

Define policies

With PC, you can leverage out-of-the-box library content to fast-track your compliance assessments using industry-recommended best practices such as CIS Benchmarks. PC also provides a centralized, interactive console for specifying the baseline standards required for different sets of hosts. You can quickly create policies based on a previously scanned host.

Assess and remediate

By automating the evaluation of requirements against multiple standards for OSes, network devices and applications, PC lets you identify issues quickly and prevent configuration drift. With PC, you can prioritize and track remediation and exceptions, demonstrating a repeatable auditable process for compliance management focused on the most critical issues first.


PC lets you customize and deliver comprehensive reports to document progress for IT staffers, business executives, risk managers and auditors. With mandate-based reporting you can easily see how you compare against requirements in a variety of overlapping regulatory or industry required control objectives.

Specify controls

PC’s interactive editor organizes controls according to policies’ technologies, while search tools let you find relevant controls according to attributes. While setting up a control, you can immediately test the specified configuration. Select from an extensive controls library for OSes, network devices, databases and apps, and create custom controls without programming.

Interactively set up IT standards for hardening configurations and complying with relevant regulations

Organizations often overlook improperly configured IT assets, underestimating their security and compliance risks. In fact, misconfigurations — like keeping default passwords, improper access control settings, weak encryption configuration, or insecure application deployment — are a major vector for breaches. Qualys PC automates the process of assessing security configurations, starting with configuring policies.

  • Define configuration policies required for different environments and assets
    Specify baseline standards required for different sets of hosts in Qualys’ centralized, interactive console. Hosts discovered and categorized by business function in Qualys VMDR can have hardening policies assessed in Qualys PC
  • Use a previously scanned host as a "golden image"
    Create policies based on a previously scanned host in minutes. Qualys PC selects controls and setting values to match the master machine’s “golden image.”
  • Draw from a built-in library of extensively used policies certified by CIS
    Tap Qualys’ library of built-in policies to comply with common security standards and regulations. Qualys provides a wide range of policies, including many certified by CIS, and others based on vendor security guidelines
  • Use SCAP content streams
    Import Security Content Automation Protocol (SCAP) source data stream content to define policies. This simplifies verifying devices for compliance with standards such as the US Government Configuration Baseline (USGCB)
  • Create custom policies via an interactive web-based editor
    Add your own policies with Qualys PC’s web-based policy editor. Choose which technologies to cover, and organize relevant controls into sections. Each control can reference external standards so that automated policies match up with printed requirements documents
  • Leverage custom controls in library policies
    Library policies provided by Qualys may include a new control type called Qualys Custom Control, which can provide users with new controls similar to user-defined controls

Select host & app settings to check for each policy

Qualys PC’s interactive editor automatically organizes controls according to the technologies associated with each policy. Its search engine quickly finds relevant controls according to attributes such as name, category, framework, and others.

  • Test controls immediately without rescanning or reporting
    While setting up a control within Qualys, test the specified configuration, so you don’t have to run a new scan or generate a special report each time you edit a control. Qualys gives you a list of relevant hosts to choose from and shows you what values were gathered

  • Select from a rich library of controls for OSes, network devices, databases & apps
    Qualys’ extensive, continually updated library of more than 15,000 checks spans more than 50 technologies. Controls can be filtered and selected according to multiple attributes, including: description keywords and category

  • Monitor the integrity of files and watch for changes
    Qualys can monitor arbitrary files on Windows and Unix/Linux hosts for changes so that unexpected modifications can be caught quickly

  • Create custom controls without writing code or scripts
    Extend Qualys’ controls easily without programming. On Unix/Linux and Windows hosts, attributes of files and directories can be examined with just a few clicks. On Windows hosts, checks for registry entries, share permissions, and WMI queries can also be added quickly

  • See how controls relate to critical frameworks and regulations
    Qualys provides context information for each built-in control such as the standards frameworks to which the control applies, including: CIS, COBIT, ISO 17799 & 27001, NIST SP800-53, ITIL v2, HIPAA, FFIEC, NERC-CIP

  • Make policies active or inactive
    Every policy in your account is in either an active or an inactive state. Inactive policies will not be scanned or reported on. By default, policies are marked active. You may want to hide a new policy while you’re working on it, or an existing one you’re editing, and then publish it at a later time


Scan and analyze OS and application configurations on each target host

With Qualys PC, you can scan systems anywhere from the same console. You can select target hosts by IP address, asset group or IP range. After scanning deeply, you can create custom reports for each audience with the appropriate level of detail.

  • Scan quickly & efficiently
    Qualys PC works unobtrusively in even the largest networks. Use your existing asset groups to select systems to scan. Do internal network scans in parallel using multiple appliances to accelerate scanning and prevent network bottlenecks

  • Scan behind your firewall securely with Scanner Appliances managed by Qualys
    Scan your internal networks seamlessly with physical and virtual Qualys Scanner Appliances. Efficiently monitor internal hosts, network devices, databases and other assets without opening inbound firewall ports or setting up special VPN connections

  • Store configuration information offsite with secure audit trails
    As a cloud service, Qualys provides a trusted, independent location for securely storing critical configuration information and tamper-resistant audit trails

  • Scan on demand or on a schedule
    Qualys gives you the flexibility to scan whenever you want. You can launch scans with a click to manually check desired hosts, or schedule recurring scans with specific durations to match your maintenance windows

  • Assess deeply with authentication scans
    Qualys can securely use authentication credentials to log in to each host, database or web server. For added control, Qualys can pull passwords dynamically from 3rd-party credential management systems and use privilege escalation systems such as “sudo”

  • Do continuous compliance with Qualys Cloud Agents
    Turn Qualys PC into a real-time compliance assessment solution with the groundbreaking Cloud Agents. These lightweight agents are always up to date and require no credential management or complex remote access through the firewall. They monitor assets around the clock, even if they’re offline


Fix violations and configuration "drift" early – before audits – and manage exceptions centrally

Qualys PC automates the labor-intensive process of checking settings on each machine in your network. By helping you address violations quickly, before they get too far out of hand, Qualys PC makes remediation efforts more predictable and avoids last-minute emergencies during audits.

  • Manage exceptions via a documented approvals process
    By eliminating configuration fire drills, Qualys PC shifts the focus of your efforts to managing exceptions for specific hosts and situations. Qualys provides a documented, repeatable workflow for requesting, evaluating and approving exceptions. Approvals can be temporary, allowing issues to be automatically revisited after a specified length of time.

  • Know that audits will show compliance, not uncover violations
    Know whether your IT systems are compliant with configuration mandates. Issues can be resolved early, reducing or eliminating the chances for failed IT audits. Instead, with Qualys PC, audits validate that you are following the kinds of best practices that reassure auditors.


Customize comprehensive reports to document progress

It’s essential to collect and analyze compliance data in order to evaluate and fine-tune IT security controls. Qualys PC gives you comprehensive compliance data so you can prioritize remediation and keep all stakeholders informed, including IT, business executives, risk managers and auditors.

  • Report anytime, any way – without rescanning
    Qualys tracks configuration data across hosts and time, letting you use reports to better understand the security of your network. Draw from a library of built-in reports, change what’s shown or choose different sets of assets — all without having to rescan. Reports can be generated on demand or scheduled automatically and then shared with the appropriate recipients online, in PDF or CSV.
  • Compare compliance rates across policies, technologies and assets
    Qualys helps you consolidate compliance results in different ways for clear, concise presentation to executives. Its graphical Scorecard reports allow you to examine multiple policies at once and see how compliance varies across different technologies and groups of assets. They also highlight changes over time, allowing you to track and compare different teams’ progress quickly.
  • Document that policies are followed & lapses get fixed
    Qualys provides a systematic way to document that IT security policies have been defined and implemented. Auditors can quickly see that best practices are being followed and that violations are being found and fixed.
  • Create different reports for different audiences
    Create custom report templates that communicate the right level of detail in the right way. Present scorecards to executives, connecting security results to business goals. Provide detailed drill-downs to IT teams who are checking into issues.
  • Enable data-driven risk & compliance management
    With Qualys PC, decisions about risk and compliance management can be based on facts and data rather than guesses and instinct. It provides a continuously up-to-date view of how IT system configurations measure up to requirements and defined baselines.
  • Share data with GRC systems & other enterprise applications
    Qualys provides valuable data programmatically to other systems. Through a comprehensive set of XML-based APIs, your GRC and other compliance applications can obtain data about each host asset, initiate scans, and perform various other tasks.
  • Generate Mandate Based Reports to View Compliance Posture
    View your compliance posture in terms of the underlying security baseline against selected mandates by launching a mandate-based report. Use mandate-based report templates to create harmonized reports on compliance policies and mandates.
  • View Remediation Information in Reports
    Include remediation information for control technologies in compliance reports. For system defined controls, reports display remediation information set by Qualys. For user defined controls, remediation information you set is displayed in the reports.

Powered by Qualys Cloud Platform

Single-pane-of-glass UI

See the results in one place, in seconds. With AssetView, security and compliance pros and managers get a complete and continuously updated view of all IT assets — from a single dashboard interface. It’s fully customizable and lets you see the big picture, drill down into details, and generate reports for teammates and auditors. Its intuitive, easy-to-build dynamic dashboards aggregate and correlate all of your IT security and compliance data in one place from all the various Qualys Cloud Apps. With its powerful elastic search clusters, you can now search for any asset – on-premises, endpoints and all clouds – with 2-second visibility.

Centralized & customized

Centralize discovery of host assets for multiple types of assessments. Organize host asset groups to match the structure of your business. Keep security data private with our end-to-end encryption and strong access controls. You can centrally manage users’ access to their Qualys accounts through your enterprise’s single sign-on (SSO). Qualys supports SAML 2.0-based identity service providers.

Easy deployment

Deploy from a public or private cloud — fully managed by Qualys. With Qualys, there are no servers to provision, software to install, or databases to maintain. You always have the latest Qualys features available through your browser, without setting up special client software or VPN connections.

Scalable and extensible

Scale up globally, on demand. Integrate with other systems via extensible XML-based APIs. You can use Qualys with a broad range of security and compliance systems, such as GRC, ticketing systems, SIEM, ERM, and IDS.

See for yourself. Try Qualys PC for free.

Start your free trial today. No software to download or install. Email us or call us at 1 (800) 745-4355.