Web Application Security via the Cloud

world icon

Scale and
Cut Costs

Scale seamlessly from a handful of apps to thousands

Cloud automation, no hardware to deploy

Fast setup, always up-to-date

No specialized expertise required

wasp icon

Identify OWASP Top 10 Risks

Accurately find OWASP vulnerablities and learn how to eliminate them

Scan for SQL Injection, XSS, CSRF, URL redirection, etc.

Qualys is a Premier Corporate Member of OWASP

magnifying glass icon

Find Hidden Malware

Automatically find and eradicate malware infections on your websites

Continuously monitor your websites for new infections with regularly scheduled scans and email alerts

puzzle icon

Protect With Qualys WAF

Find vulnerabilities with WAS, then mitigate with WAF from the same place

Block direct access to app servers

Add security without modifying apps

Free Trial

Subscription Options

We found Qualys WAS ideal for our
need to assess thousands of websites with
limited resources.

Read Case Study


Qualys Web Application Scanning

Qualys Web Application Scanning (WAS) is a cloud service that provides automated crawling and testing of custom web applications to identify vulnerabilities including cross-site scripting (XSS) and SQL injection. The automated service enables regular testing that produces consistent results, reduces false positives, and easily scales to secure a large number of websites. Proactively scans websites for malware infections, sending alerts to website owners to help prevent black listing and brand reputation damage.

Why Qualys WAS?

Built on the world’s leading Cloud security and compliance platform, Qualys WAS frees you from the substantial cost, resource and deployment issues associated with traditional software products. Known for its fast deployment, ease of use, and unparalleled scalability (scan thousands of web applications), Qualys WAS is relied upon by leading companies around the world.

WAS Features


Global Scalability and Manageability.

As part of the award-winning Qualys Cloud Platform, Qualys WAS helps you truly reduce risk by automatically finding the official and “unofficial” apps that may be hiding in your environment.

  • Immediate deployment — no hardware to set up, always up-to-date
  • Global scalability — add more apps anytime, throughout the world
  • Multiple, unified solutions — one console for WAS, WAF, VM and more
  • Centralized management — apply policies consistently across apps
  • XML APIs — publish data to other enterprise systems (e.g., SIEM)

Free Trial

Subscription Options


Automated, Dynamic Deep Scanning.

Application Discovery and Cataloging
Find New and unknown web apps in your network

Web applications can be put onto your network by almost anyone in your organization – and can just as easily be forgotten (large organizations can have hundreds or even thousands of apps). Qualys WAS helps you truly reduce risk by automatically finding the official and “unofficial” apps that may be hiding in your environment.

Customizable Asset Tagging
Organize your data and reports with your own labels

As the number of web apps in your organization grows, keeping them organized is critical to proper security. With Qualys WAS, you can tag your applications with your own labels and then use those labels to control reporting and limit access to scan data.

Free Trial

Subscription Options


Scan applications everywhere (perimeter, internal networks and
Amazon EC2) accurately and efficiently.

Scalable, High-Accuracy Progressive Scanning new
Save time, keep focused on what matters most.

Qualys WAS is designed to reliably find true vulnerabilities without wasting your time with false findings. You can detect OWASP Top 10 risks such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF) and URL redirection – then prioritize them and focus on the issues that will have the most impact. Scans automatically update vulnerability statuses to provide you with key information about what issues are new, ongoing and fixed. And with the new Progressive Scanning option, you will get even better coverage over multiple scans and enable continuous testing of your web applications.

Authenticated Scanning
Automatically login to test like a real user.

Simply specify a username and password; Qualys WAS automatically identifies login forms and authenticates so that scans operate as if they were real users. Multiple web app authentication methods (including Form, HTTP Basic, HTLM and Digest) provide compatibility with a wide range of applications. For advanced authentication, login actions can be recorded and played back through Selenium, the open source browser automation system that is widely used for web app functional testing.

WAS screenshot recurrence
MultiScan, Scheduled & On-Demand Scanning new
Scalable scans scheduled for exactly when you want them.

With MultiScan you can scan hundreds to thousands of scans with a few clicks. You can start scans whenever you want, immediately or schedule them to run at some time in the future. You can even control how long scans are allowed to run so that they fit into allotted maintenance times.

WAS screenshot malware detection
Malware Detection
Find hidden malware before it attacks your users.

Protect your organization’s reputation and your users security by rooting out malicious code and content that’s been hidden in your website or applications. Advanced behavioral analysis helps identify even zero-day malware that eludes anti-virus and anti-spyware packages.

WAS screenshot burp report
Incorporate Penetration Testing Data
Keep web app testing data in one place.

Store your web app testing data in one place, whether it’s from manual penetration testing tools such as Burp Suite or Qualys automated scans. Avoid reinventing your manual tests and get a complete view of vulnerabilities across your applications.

Free Trial

Subscription Options


Identify the highest business risks and take action.

OWASP top 10 detections
Industry Standard Reporting (OWASP)
Zero in on OWASP Top 10 Risks.

The Open Web Application Security Project (OWASP) Top 10 list has become the industry standard for categorizing the most critical risks faced by web apps. Qualys WAS enables you to accurately find these vulnerabilities – including SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF) and URL redirection – and learn how to efficiently eliminate them. Qualys is a Premier Corporate Member of OWASP.

WAS Reporting
Highly-Customized Reporting new
Get the big picture and drill into the details.

Take your scan results from data to insights to action in minutes. With Qualys WAS’s highly-customizable, interactive reporting, you can perform powerful analyses of your scans across many applications at once and tailor how the results are presented to different audiences with customized report templates.

WAS catalog
Unified, Interactive Dashboard
Understand the security of your apps at a glance.

See a comprehensive view of completed scans, reports and identified vulnerabilities on a single screen. With Qualys WAS, you can scan applications anywhere – inside your network, hosted on the Internet, or based in the Cloud – and manage the results together.

Free Trial

Subscription Options


Rapidly harden web apps with integrated WAF.

was waf puzzle
Complete Web Security with WAF Integration
Detect with WAS, protect with WAF.

Qualys WAF works together with Qualys Web Application Scanning (WAS) to provide true, integrated web application security. From a single console, you can detect application vulnerabilities with WAS and then rapidly protect them from attack with WAF, even at global scale. The Qualys Cloud Platform keeps everything in sync, avoiding the redundancies and gaps that come with trying to glue together separate, siloed solutions.

Extensive APIs
Integrate scan data into other security systems.

A rich set of APIs lets you use the results of your web application scans as a source of valuable information for your other security and compliance systems. Use Qualys WAS with web application firewalls (WAF), security information and event management (SIEM) and enterprise risk management (ERM) solutions.

Free Trial

Subscription Options

Qualys Cloud Platform

& Integrated Suite of Security & Compliance Applications

Qualys solutions can also be purchased a la carte — as your security needs grow.
There’s nothing to install or maintain.

Collection of Product Badges
Please wait for the image to load.
Qualys Solutions
Qualys Community
Free Trial & Tools
Free Trial

Nothing to install!

1 (800) 745 4355