See Resources

The Qualys Cloud Platform

The industry’s most advanced, scalable & extensible Cloud platform.

Deliver & manage multiple solutions from a single environment

Qualys solutions work—and are managed—together, sharing resources such as user accounts, target host lists, asset groups, authentication records, and scanner appliances. Host assets discovered in Vulnerability Management can easily be audited in Policy Compliance or checked for apps with Web Application Scanning.

Scale up globally, on demand

Qualys is used by global enterprises as well as small- to mid-sized businesses around the globe. It can scale seamlessly from monitoring a few dozen systems to hundreds of thousands.

Keep security data private with encryption & strong access controls

Qualys uses end-to-end encryption, data segregation and strong access controls to protect your configuration and vulnerability information. Users all have their own accounts (which can optionally require 2-factor authentication), roles, and access rights (which can be restricted to an individual business unit).

Deploy from a public or private cloud — fully managed by Qualys

Qualys is delivered as a service from Qualys’s public cloud datacenters around the world or from pre-configured Qualys private cloud appliances deployed by service providers. Both options are fully managed by Qualys 24x7x365.

Centralize discovery of host assets for multiple types of assessments

With Qualys, Policy Compliance and Vulnerability Management can work together to ensure that the same host assets are scanned by both services. This eliminates redundant configuration and ensures that devices discovered by VM are automatically included in PC assessments.

Manage user logins with SAML-based enteprise SSO

You can centrally control users’ access to their Qualys accounts through your enterprise single sign-on (SSO). Qualys supports SAML 2.0-based identity service providers.

Deploy immediately & always be up-to-date

With Qualys, there are no servers to provision, no software to install, and no databases to maintain. You always have the latest Qualys features available through your browser, without setting up special client software or VPN connections.

Organize host asset groups to match the structure of your business

With Qualys, you can arrange hosts into groups that reflect how you manage your business—e.g., by location or region, by business unit or department. Asset groups, which are used across the various assessment services, also give you control over which hosts can scanned by which users.

Integrate with other systems via extensible APIs

With Qualys’ XML-based APIs, you can use the data it gathers in a broad range of security and compliance systems, such as GRC, ticketing systems, SIEM, ERM, IDS and others.

Define Policies

Interactively set up IT standards for hardening configurations and complying with relevant regulations.

Define configuration policies required for different environments & assets

Qualys provides a centralized, interactive console for specifying the baseline standards that are required for different sets of hosts. Asset groups are shared across the Qualys platform, so hosts discovered and categorized by business function in Vulnerability Management can automatically have appropriate hardening policies assessed in Policy Compliance.

Use a previously-scanned host as a “golden image”

With Qualys, you can create policies based on a previously-scanned host in minutes. Qualys automatically selects controls and setting values to match the master machine’s “golden image.”

Draw from a built-in library of extensively-used policies certified by CIS

Qualys’ library of built-in policies makes it easy to comply with commonly-adhered to security standards and regulations. Qualys provides a wide range of policies, including many that have been certified by CIS as well as ones based on security guidelines from vendors such as Microsoft and VMware.

Use SCAP content streams

Qualys can import Security Content Automation Protocol (SCAP) source data stream content to define policies. This simplifies verifying devices for compliance with standards such the US Government Configuration Baseline (USGCB).

Create custom policies via an interactive web-based editor

You can add your own policies quickly with Qualys’ web-based policy editor. Interactively choose which technologies to cover, and organize relevant controls into sections. Each control can reference external standards so that automated policies match up with printed requirements documents.

Import and export policies to share with other subscriptions

Qualys helps you work with partners to enforce common sets of configuration settings. Policies can be exported into XML, given to another Qualys account holder, and then imported.

Specify Controls

Select host & app settings to check for each policy.

Interactively choose which configuration settings to monitor

Qualys’ interactive editor automatically organizes controls according to the technologies associated with each policy. Rich searching tools enable relevant controls to be found quickly according to attributes such as name, category, framework, and others.

Test controls immediately without rescanning or reporting

While setting up a control within Qualys, you can immediately test the configuration you’ve specified. This saves you from having to run a new scan or generate a special report each time you edit a control. Qualys even gives you a list of relevant hosts to choose from and shows you what values were gathered.

Select from a rich library of controls for OSes, network devices, databases & apps

Qualys provides an extensive library of more than 15,000 checks, spanning more than 50 technologies. Controls can be filtered and selected according to a variety of attributes, including: description keywords, framework they implement, and category. This library is continually updated by Qualys, making comprehensive policies easy to build.

Monitor the integrity of files and watch for changes

Qualys can monitor arbitrary files on Windows and Unix/Linux hosts for changes so that unexpected modifications can be caught quickly.

Create custom controls without writing code or scripts

Qualys’ controls are easily extended without resorting to programming. On Unix/Linux and Windows hosts, attributes of files and directories can be examined with just a few clicks. On Windows hosts, checks for registry entries, share permissions, and WMI queries can also be added quickly.

See how controls relate to critical frameworks and regulations

Qualys provides context information for each built-in control such as the standards frameworks to which the control applies, including: CIS, COBIT, ISO 17799 & 27001, NIST SP800-53, ITIL v2, HIPAA, FFIEC, NERC-CIP.


Scan and analyze OS and application configurations on each target host.

Scan anywhere from a single console

With Qualys, you can scan systems anywhere from the same console: your perimeter, your internal network, and hosted systems. You can select target hosts by IP address, asset group or IP range. And, since Qualys separates scanning from reporting, you can scan deeply and then create custom reports for each audience the appropriate level of detail.

Learn more about Qualys’ Cloud Scanning Architecture

Scan quickly & efficiently

Qualys is designed to work efficiently and unobtrusively in even the largest global networks. You can use your existing asset groups to select which systems to scan. Internal network scans can be done in parallel using multiple appliances to accelerate scanning and prevent network bottlenecks.

Scan behind your firewall securely with Scanner Appliances managed by Qualys

You can scan your internal networks securely and seamlessly with Qualys Scanner Appliances. These physical devices or virtual machine images (both of which are remotely managed 24x7x365 by Qualys) let you efficiently monitor your internal hosts, network devices, databases and other assets without opening inbound firewall ports or setting up special VPN connections. Qualys even handles complex networks with overlapping private IP address spaces.

Store configuration information offsite with secure audit trails

As a cloud service, Qualys provides a trusted, independent location for securely storing critical configuration information and tamper-resistant audit trails.

Scan on-demand or on a schedule

Qualys gives you the flexibility to scan whenever you want. You can launch scans with a click to manually check desired hosts. Or, schedule recurring scans with specific durations to match your maintenance windows.

Assess deeply with authentication scans

Qualys can securely use authentication credentials to log in to each host, database or web server. For added control, Qualys can pull passwords dynamically from 3rd-party credential management systems and use privilege escalation systems such as “sudo.”


Fix violations and configuration “drift” early — before audits — and manage exceptions centrally.

Catch configuration “drift” while it’s easy to fix

Qualys automates the labor-intensive process of checking settings on each machine in your network. Security configuration assessments that otherwise could only be done quarterly can now be done monthly or weekly. By helping you address violations quickly, before they get too far out of hand, Qualys makes remediation efforts more predictable and avoids last-minute emergencies during audits.

Manage exceptions via a documented approvals process

By eliminating configuration firedrills, Qualys shifts the focus of your efforts to managing exceptions for specific hosts and situations. Qualys provides a documented, repeatable workflow for requesting, evaluating and approving exceptions. Approvals can be temporary, allowing issues to be automatically revisited after a specified length of time.

Know that audits will show compliance, not uncover violations

With Qualys, you can know at any time whether your IT systems are in compliance with configuration mandates. Issues can be resolved early, reducing or eliminating the chances for failed IT audits that could lead to more-intrusive audits in the future or even penalties. Instead, with Qualys, audits validate that you are following the kinds of best practices that reassure auditors.


Customize comprehensive reports to document progress for IT, business executives, risk managers and auditors.

Report anytime, any way — without rescanning

Qualys tracks configuration data across hosts and time, enabling you to use reports to better understand the security of your network. You can draw from a library of built-in reports, change what’s shown or choose different sets of assets — all without having to rescan. Reports can be generated on-demand or scheduled automatically and then shared with the appropriate recipients online, in PDF or CSV.

Compare compliance rates across policies, technologies and assets

Qualys helps you consolidate compliance results in different ways for clear, concise executives. Its graphical Scorecard reports allow you to examine multiple policies at once and see how compliance varied across different technologies and groups of assets. It also highlights changes over time, allowing you to track and compare different teams’ progress quickly.

Document that policies are followed & lapses get fixed

Qualys provides a systematic way to document that IT security policies have been defined and implemented. Auditors can quickly see that best practices are being followed and that violations are being found and fixed.

Create different reports for different audiences

Once size does not fit all. With Qualys, you can create custom report templates that communicate the right level of detail in the right way. Present scorecards to executives, connecting security results to business goals. Provide detailed drill-downs to IT teams who are checking into issues.

Enable data-driven risk & compliance management

With Qualys, decisions about risk and compliance management can be based on facts and data rather than guesses and instinct. It provides a continuously up-to-date view of how IT system configurations measure up to requirements and defined baselines.

Share data with GRC systems & other enterprise applications

In addition to helping you share the state of your compliance efforts with other people, Qualys can also provide valuable data programmatically to other systems. Through a comprehensive set of XML-based APIs, your GRC and other compliance applications can obtain up-to-the-minute data about each of your host assets, initiate scans, and perform a variety of other tasks.

Email or call us at +1 800 745 4355 or try our Global Contacts
Subscription Packages
Qualys Solutions
Qualys Community
Free Trial & Tools
Popular Topics