Cloud Platform
Contact us
Asset Management
Vulnerability & Configuration Management
Risk Remediation
Threat Detection & Response
  • Overview
  • Platform Apps

  • Qualys Endpoint Security

    Advanced endpoint threat protection, improved threat context, and alert prioritization

  • Context XDR

    Extend detection and response beyond the endpoint to the enterprise

Cloud Security

Qualys Security Configuration Assessment (SCA)

Automate configuration assessment of global IT assets.

Cloud solution for expanding VM programs with configuration scanning and simplified workflows to address configuration issues


Both vulnerability assessment and security control assessment capabilities are critical because many regulations prescribe technical control assessments (which drives SCA) and also explicitly prescribe vulnerability assessments.

Randy Barr Anton Chuvakin Research Vice President & Distinguished Analyst, Gartner

Qualys SCA Highlights

Broad coverage

Qualys SCA is an add-on for Qualys Vulnerability Management, Detection and Response that lets you assess, report, monitor and remediate security-related configuration issues based on the Center for Internet Security (CIS) Benchmarks. It supports the latest out-of-the-box CIS benchmark releases of operating systems, databases, applications and network devices.

Accountability for controls

Qualys SCA controls are developed and validated in-house by Qualys security experts and certified by CIS. The controls are optimized for performance, scalability, and accuracy. Qualys SCA can be used in IT environments of any size, from small ones to the largest.

Ease of use

SCA’s CIS assessments are provided via a web-based user interface and delivered from the Enterprise TruRisk Platform, enabling centralized management with minimal deployment overhead. CIS controls can be selected and customized according to an organization’s security policies. This eliminates the cost, resource and deployment issues associated with traditional software point products for configuration management.

Reports and dashboards

SCA users can schedule assessments, automatically create downloadable reports of configuration issues, and view dashboards for improving their security posture. This brings full circle Qualys SCA’s automation of security best practices behind leading benchmarks, and lets InfoSec teams take a proactive approach towards digital business security.

Qualys Security Configuration Assessment: CIS Benchmark for Windows 7 example | Qualys

Augment your Qualys VMDR cloud service

Configuration assessment is an essential part of a comprehensive vulnerability management program. However, our competitors either combine lightweight vulnerability and configuration assessment, or offer the functionalities in separate products that aren’t integrated. Qualys gives you the best of both worlds. Qualys Vulnerability Management, Detection, and Response (VMDR) continuously scans and identifies vulnerabilities with Six Sigma (99.99966%) accuracy, protecting IT assets on premises, in the cloud and mobile endpoints. Qualys SCA, designed to work natively with Qualys VMDR, can be added seamlessly to your account with one click. Qualys SCA complements Qualys VMDR’s capabilities for detecting IT asset flaws with capabilities for assessment and reporting of configuration settings in 4 easy steps:

  • DEFINE: Import the applicable CIS policies in your subscription, and then customize the control values in the policy or policies per your security standards, or select/deselect the controls, all using Qualys SCA’s simple, web-based UI

  • ASSESS: Scan your IT assets and map the asset to the right CIS policy.

  • REPORT: Generate the report showing your control posture against the CIS Benchmarks, Qualys-provided remediation information, and the evidence for failure or passing, as well as the references to compliance standards. You can activate and deactivate controls as necessary for reporting purposes.

  • REMEDIATE: Remediate the failed controls, using Qualys-provided control remediation information.

Qualys Security Configuration Assessment: CIS Benchmark for Windows 7 example | Qualys
Qualys Security Configuration Assessment: Windows Update example | Qualys

Perform configuration assessments quickly and comprehensively

Improperly configured IT assets put your organization at an increased risk for breaches. However, it’s common for organizations to rush systems into production with default settings and without basic hardening. Addressing these issues is key for data protection, regulatory compliance, and secure digital transformation initiatives.

With Qualys SCA, you’ll be able to automatically and continuously check that your IT assets — on premises, in clouds and on mobile endpoints — are configured securely according to CIS guidelines. This will give your organization a solid foundation not only for security but also for compliance with most regulations like HIPAA and with industry mandates like PCI-DSS.

Providing the industry’s widest coverage for CIS Benchmark technologies, Qualys SCA assesses the configuration of elements such as:

  • Operating systems

  • Server software

  • Cloud providers

  • Network devices

  • Desktop software

Qualys Security Configuration Assessment: Windows Update example | Qualys
Qualys Security Configuration Assessment: Create a New Policy view | Qualys

Leverage the knowledge of industry experts

Qualys SCA operationalizes the non-profit Center for Internet Security’s (CIS) Benchmarks by supporting them out of the box and automating the assessment of critical configuration settings on your IT assets against these guidelines.

The CIS Benchmarks , applicable to over 100 technologies and platforms, are unbiased and not motivated by profit considerations, and created via consensus by a community of international cybersecurity experts, including experts from Qualys.

Qualys Security Configuration Assessment: Create a New Policy view | Qualys

Conduct remote scanning and auto-discovery of assets

Qualys SCA uses the same data collection technologies as Qualys VMDR, allowing for agent or agentless data collection, so that customers can comprehensively detect and better safeguard global endpoints, on-premises systems and cloud assets against today’s evolving cyber threats. Qualys data collection tools and processes cover all your bases and include:

  • Physical and virtual appliances that scan IT assets located on-premises, in private clouds, or in virtualized environments
  • Cloud appliances that remotely scan your infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) instances in commercial cloud computing platforms
  • Lightweight, all-purpose, self-updating cloud agents that reside on the IT assets they continuously monitor, with minimal network impact and no need for scan windows, credentials, nor firewall changes, with no need for the device to be on-line during your scheduled scanning windows.

Sharpen, simplify configuration assessments

With its benchmark-based guidance, simplified workflows for scanning and reporting, and cloud-based deployment, Qualys SCA provides a variety of advantages over competing products, especially legacy point solutions installed on premises:

  • Lower cost of ownership because as a cloud service there’s no software to install nor maintain
  • Improved protection of hybrid IT environments through the highly-scalable, extensible and centrally-managed Enterprise TruRisk Platform
  • Consistent maintenance of a standard configuration throughout the enterprise via baseline configuration standards that can be applied prior to assets’ deployment
  • Increased compliance and business effectiveness and efficiency, as well as stronger security posture
  • Protection of the infrastructure and operations underpinning your organization’s key digital transformation efforts

Powered by Enterprise TruRisk Platform

Single-pane-of-glass UI

See the results in one place, in seconds. With AssetView, security and compliance pros and managers get a complete and continuously updated view of all IT assets — from a single dashboard interface. Its fully customizable and lets you see the big picture, drill down into details, and generate reports for teammates and auditors. Its intuitive and easy-to-build dynamic dashboards to aggregate and correlate all of your IT security and compliance data in one place from all the various Qualys Cloud Apps. With its powerful elastic search clusters, you can now search for any asset – on-premises, endpoints and all clouds – with 2-second visibility.

Centralized & customized

Centralize discovery of host assets for multiple types of assessments. Organize host asset groups to match the structure of your business. Keep security data private with our end-to-end encryption and strong access controls. You can centrally manage users’ access to their Qualys accounts through your enterprise’s single sign-on (SSO). Qualys supports SAML 2.0-based identity service providers.

Easy deployment

Deploy from a public or private cloud — fully managed by Qualys. With Qualys, there are no servers to provision, software to install, or databases to maintain. You always have the latest Qualys features available through your browser, without setting up special client software or VPN connections.

Scalable and extensible

Scale up globally, on demand. Integrate with other systems via extensible XML-based APIs. You can use Qualys with a broad range of security and compliance systems, such as GRC, ticketing systems, SIEM, ERM, and IDS.

See for yourself. Try Qualys for free.

Start your free trial today. No software to download or install. Email us or call us at 1 (800) 745-4355.