Cloud Platform
Contact us
Asset Management
Vulnerability & Configuration Management
Risk Remediation
Threat Detection & Response
  • Overview
  • Platform Apps

  • Qualys Endpoint Security

    Advanced endpoint threat protection, improved threat context, and alert prioritization

  • Context XDR

    Extend detection and response beyond the endpoint to the enterprise

Cloud Security
This product will be decommissioned on Sep 1, 2024. Contact your TAM to know how you can use your currently purchased WAF licenses. Learn more.

Qualys Web Application Firewall.

Block attacks and patch web application vulnerabilities.


We are excited that Qualys WAF will allow us to act quickly and respond to threats by using the one-click virtual patching feature to remediate active vulnerabilities.

David Cook David Cook Chief Security Officer at Jive Software

Qualys WAF Highlights

True, integrated web app security

Qualys gives you a single, interactive console for web application vulnerability detection (Qualys WAS) u can manage it all from a centralized portal. Security teams can now secure their web apps without having to involve network security teams — lowering operational complexity and costs.

Cloud agility

With no special hardware to buy nor maintain, Qualys WAF’s virtual appliance can be deployed and scaled up quickly on premises using VMware, Hyper-V or Docker; and in public cloud platforms, such as AWS, Azure or Google Cloud Platform. Application traffic stays in your environment to minimize latency and maintain control. Qualys WAF continuously communicates with the Enterprise TruRisk Platform, tracking configuration changes and sending it the latest security events.

Full visibility into firewall operation

Qualys WAF gives you complete visibility into its data for continuous monitoring, risk assessments and remediation plans. A dashboard summarizes website traffic information and security event trends. Detailed threat information lets you assess severity and adjust security settings. Search for suspicious activity and drill down into threat data to gain actionable insights. Qualys WAF continuously indexes security events into your local Elasticsearch or Splunk clusters, making your data instantly discoverable.

Strong rules, flexible control

Qualys WAF protects your web apps using security policies backed by Qualys’ security intelligence, and one-click responses to security events. You can address your own security needs with simple, customizable and reusable policies and rules. Qualys’ out-of-the-box policies are designed for popular platforms such as WordPress, Joomla, Drupal, Outlook Web Application and Sharepoint. It also includes generic templates for unknown applications and frameworks.

Prevent breaches by blocking
attacks on web server

You can’t protect – nor defend yourself from – what you don’t know is in your network, like unapproved devices and unauthorized software. Qualys gives you full horizontal visibility of all hardware and software, scaling up to millions of assets – on premises, in cloud instances and mobile endpoints.

  • Protect cloud apps
    • Quickly and easily protect apps in public or private clouds by deploying Qualys Virtual Firewall Appliances alongside your web apps. No need to buy nor maintain special hardware
    • Add as many applications as necessary as often as you need, as these virtual machines scale seamlessly.
    • Ensure high performance and availability of business-critical web apps thanks to built-in load balancing and application monitoring.
    • Enforce applications’ SSL/TLS layer thanks to Qualys WAF’s offloading capability
  • Adopt a new approach for web app security with Qualys WAF’s adaptive policies, which are always up to date and don’t require specialized expertise, nor complex rulesets to configure and maintain
    • Describe the security level for each application with a few clicks, and Qualys WAF automatically decides what to do in different situations
    • Simplify Qualys WAF configuration with Qualys generic templates, or with built-in security policies for popular platforms such as WordPress, Joomla, Drupal and Outlook Web Application, Sharepoint
  • Defend yourself from current and future threats with customizable protection
    • Block a wide range of attacks such as Cross-Site Scripting (XSS), SQL injection, Remote Command Execution, XXE and more with native protection. As new threats emerge, Qualys’ security experts update Qualys WAF’s rules, which are then downloaded and spotted by the proprietary detection engine.
    • Tailor how Qualys WAF handles different types of threats, from simply logging the event to actively blocking it.
    • Create custom security rules to address specific security needs of your application and reduce the attack surface.
    • Maintain website uptime by complementing network DDoS defenses with controls over applications’ latency.
  • Protect your users against clickjacking, Cross-Site Scripting (XSS), and other browser-based attacks with Qualys WAF’s security features for modern web browsers
  • Integrate Qualys WAF API into your DevOps environment and protect web servers hosting the apps you’re rapidly and iteratively developing and deploying
Qualys Web Application Scanning: Detection Management | Qualys

Benefit from native, deep integration between Qualys WAF and Qualys WAS

Empower security professionals to rapidly discover and mitigate critical security concerns. With the new ScanTrust feature, Qualys WAF combines with Qualys WAS to provide true visibility for your web applications: Detect with Qualys WAS, protect with Qualys WAF and get scalable scanning, false-positive reduction and one-click patching to web apps.

  • From a single console, use Qualys WAS to detect vulnerabilities in web apps, including mobile and IoT apps, and – with one click – mitigate them with Qualys WAF virtual patches

  • Leverage the creation of these virtual patch rules to fine-tune policies, remove false positives, and customize security rules

  • Avoid the redundancies and gaps that come with trying to glue separate, siloed solutions. Reduce operating costs by reducing staff

  • Evaluate and create exceptions to web events to better prioritize and mitigate vulnerabilities by combining Qualys WAF rules and policies with Qualys WAS scan data

  • Integrate web app scan data via a rich, extensive set of APIs into other security and compliance systems, such as firewalls, and SIEM and ERM solutions

Qualys Web Application Scanning: Detection Management | Qualys
Qualys Web Application Scanning: Application Policy Configuration | Qualys

Simplify IT compliance

It’s easier than ever for employees to bypass their IT department and adopt web apps, a trend that generates significant security and compliance risks. Simultaneously, the quantity and complexity of government regulations, industry mandates and internal policies that impact InfoSec technologies and processes continues to grow. Qualys WAF can help you comply.

  • Address mandates such as PCI DSS 6.6 that require app firewalls

  • Comply with policies and regulations that prohibit access to certain web applications or information from particular locations by restricting access from specific countries or network address blocks

  • Prevent transmission of sensitive data by blocking users’ ability to upload or download content or files in unapproved or suspicious formats

Qualys Web Application Scanning: Application Policy Configuration | Qualys
Qualys Web Application Firewall: Dashboard view | Qualys

Visualize and report

You need an easy, intuitive way of understanding the security of all your web applications at once. Qualys WAF gives your security team complete visibility into its data for continuous monitoring, risk assessments and remediation paths. Qualys WAF tools for visualization and reporting include a graphics-rich dashboard, interactive insights and detailed information on each threat and ways to address it.

  • Spot unusual patterns in the dashboard, which shows summarized website traffic information and trends of Qualys WAF security events, including when they occurred and where they originated

  • Quickly assess severity and adjust your security settings for aggressive mitigation or to minimize false positives by leveraging detailed information on each threat detected by Qualys WAF

  • Use extensive filtering and dynamic search capabilities to identify suspicious activity, drill down into threat data and the Qualys KnowledgeBase, and gain actionable insights into the threat landscape

Qualys Web Application Firewall: Dashboard view | Qualys

Powered by Enterprise TruRisk Platform

Single-pane-of-glass UI

See the results in one place, in seconds. With AssetView, security and compliance pros and managers get a complete and continuously updated view of all IT assets — from a single dashboard interface. Its fully customizable and lets you see the big picture, drill down into details, and generate reports for teammates and auditors. Its intuitive and easy-to-build dynamic dashboards to aggregate and correlate all of your IT security and compliance data in one place from all the various Qualys Cloud Apps. With its powerful elastic search clusters, you can now search for any asset – on-premises, endpoints and all clouds – with 2-second visibility.

Centralized & customized

Centralize discovery of host assets for multiple types of assessments. Organize host asset groups to match the structure of your business. Keep security data private with our end-to-end encryption and strong access controls. You can centrally manage users’ access to their Qualys accounts through your enterprise’s single sign-on (SSO). Qualys supports SAML 2.0-based identity service providers.

Easy deployment

Deploy from a public or private cloud — fully managed by Qualys. With Qualys, there are no servers to provision, software to install, or databases to maintain. You always have the latest Qualys features available through your browser, without setting up special client software or VPN connections.

Scalable and extensible

Scale up globally, on demand. Integrate with other systems via extensible XML-based APIs. You can use Qualys with a broad range of security and compliance systems, such as GRC, ticketing systems, SIEM, ERM, and IDS.

See for yourself. Try Qualys for free.

Start your free trial today. No software to download or install. Email us or call us at 1 (800) 745-4355.