See Resources

The Qualys Cloud Platform

The industry’s most advanced, scalable & extensible Cloud platform.

Deliver & manage multiple solutions
from a single environment

Qualys solutions work—and are managed—together, sharing resources such as user accounts, target host lists, asset groups, authentication records, and scanner appliances. Host assets discovered in Vulnerability Management can easily be audited in Policy Compliance or checked for apps with Web Application Scanning.

Scale up globally, on demand

Qualys is used by global enterprises as well as small- to mid-sized businesses around the globe. It can scale seamlessly from monitoring a few dozen systems to hundreds of thousands.

Integrate with other systems
via extensible APIs

With Qualys’ XML-based APIs, you can use the data it gathers in a broad range of security and compliance systems, such as GRC, SIEM, ERM, IDS and others.

Deploy from a public or private cloud —
fully managed by Qualys

Qualys is delivered as a service from Qualys’s public cloud datacenters around the world or from pre-configured Qualys private cloud appliances deployed by service providers. Both options are fully managed by Qualys 24x7x365.

Keep security data private with encryption & strong access controls

Qualys uses end-to-end encryption, data segregation and strong access controls to protect your configuration and vulnerability information. Users all have their own accounts (which can optionally require 2-factor authentication), roles, and access rights (which can be restricted to an individual business unit).

Use immediately & always be up-to-date

With Qualys, there are no servers to provision, no software to install, and no databases to maintain. You always have the latest Qualys features available through your browser, without setting up special clients or VPN connections.

Manage user logins with SAML-based enterprise SSO

You can centrally control users’ access to their Qualys accounts through your enterprise single sign-on (SSO). Qualys supports SAML 2.0-based identity service providers.


Uncover forgotten devices & organize your host assets according to
their role in your business.

Find out what’s really in your network

With Qualys, you can quickly determine what’s actually running in the different parts of your network—from your perimeter and corporate network to virtualized machines and cloud services such as Amazon EC2. Uncover unexpected access points, web servers and other devices that can leave your network open to attack.

Learn more about Qualys’ Cloud Scanning Architecture

Visually map your network

Qualys provides a graphical host map that helps you understand your network at a glance.

Assign a business impact to each asset

In Qualys, you can represent the importance of each asset to your overall business. Such metrics enable you to take a risk-based approach to prioritizing your remediation efforts and fix those vulnerabilities that would impact your business the most.

Identify which OS, ports, services and certificates are on each device

For each device on your network, Qualys identifies the operating system, finds open networks ports, determines what services are active on those ports, and itemizes crucial information about certificates that have been installed.

Organize hosts to match the structure of your business

With Qualys, you can arrange hosts into groups that reflect how you manage your business—e.g., by location or region, by business unit or department. Asset groups also give you control over which hosts can be scanned by which users.

New! Continuously monitor your perimeter for unexpected changes

With the optional Qualys Continuous Monitoring service, Qualys becomes your sentinel in the cloud, watching your perimeter for unexpected changes. You can have the appropriate personnel notified immediately whenever new hosts appear, SSL certificates begin to expire, high-severity vulnerabilities get detected and undesired network ports open up, and more.

Dynamically tag assets to automatically categorize hosts

Qualys’ asset tagging lets you automatically select hosts for scanning or reporting according to a wide range of attributes such as network address, open ports, OS, software installed, vulnerabilities found, and more. You can even provide your own custom logic via a concise scripting language.


Scan for vulnerabilities everywhere (perimeter, internal networks,
Amazon EC2) – accurately and efficiently.

Scan anywhere from a single console

With Qualys, you can scan systems anywhere from the same console: your perimeter, your internal network, and cloud environments (such as Amazon EC2). You can select target hosts by IP address, asset group or asset tag. And, since Qualys separates scanning from reporting, you can scan deeply and then create custom reports showing each audience just the level of detail it needs to see.

Learn more about Qualys’ Cloud Scanning Architecture

Scan on-demand or on a schedule

Qualys gives you the flexibility to scan whenever you want. You can launch scans with a click to manually check desired hosts. Or, schedule recurring scans with specific durations to match your maintenance windows. You can even have scans operate continuously to keep constant watch for changes without overloading your network.

Scan quickly & efficiently

Qualys is designed to work efficiently and unobtrusively in even the largest global networks. You can choose specific groups of systems to scan or dynamically select hosts according to criteria you set using Qualys’ asset tags. Scans of internal network asset groups can be done in parallel using multiple appliances to accelerate assessments and prevent network bottlenecks.

Scan behind your firewall securely with Scanner Appliances managed by Qualys

You can scan your internal networks securely and seamlessly with Qualys Scanner Appliances. These physical devices or virtual machine images (both of which are remotely managed 24x7x365 by Qualys) let you efficiently monitor your internal assets without opening inbound firewall ports or setting up special VPN connections.

New! Handle distributed, overlapping networks seamlessly

As the number of locations and functions in your organizations grows, your network will become more complex. With Qualys, you can handle even complex topologies such as overlapping IP address spaces that can arise from company mergers and the connection of independently-managed private subnets.

Assess deeply with authenticated scans

Qualys can securely use authentication credentials to log in to each host and uncover vulnerabilities lurking below the surface of your network. For added control, Qualys can pull credentials dynamically from a password vault and use privilege escalation systems such as “sudo.”

Scan in Amazon EC2 without filling out request forms

Qualys is pre-authorized by Amazon for scanning instances in EC2 or VPC. There’s no hassling with request forms or waiting for approval. You can launch an instance of our Virtual Scanner Appliance AMI and begin scanning your cloud assets right away.

Scan accurately

With the industry’s leading vulnerability KnowledgeBase and its thousands of unique checks, the Qualys Cloud Platform performs approximately 3 billion scans per year. Its vulnerability scans, the most difficult type, consistently exceed Six Sigma accuracy, the industry benchmark for high quality. Reliable results free you from chasing after false positives or worrying that you’ll miss important vulnerabilities.

Store configuration information offsite with secure audit trails

As a cloud service, Qualys provides a trusted, independent location for securely storing critical vulnerability information and tamper-resistant audit trails. Qualys automatically flags vulnerabilities that affect PCI compliance and Qualys is an Approved Scanning Vendor for PCI.


Identify the highest business risks using trend analysis, Zero-Day and
Patch impact predictions.

Track vulnerabilities as they appear, are fixed, or reappear

Qualys uses the data in each scan to track vulnerabilities over time—when they appear and are fixed, as well as whether they reappear later.

Monitor certificates deployed throughout your network

Qualys finds and tracks certificates that are deployed in your network. You can see in one place which certs are about to expire, which hosts they are used on, what their key size is, and whether or not they are associated with any vulnerabilities. With the optional Qualys Continuous Monitoring, you can even have appropriate personnel notified automatically whenever certificates on your critical perimeter devices approach their expiration so that you can prevent any loss of service.

Put critical issues into context with the industry’s leading KnowledgeBase

Qualys separates reporting from scanning, enabling you to use a wide range of filters to explore your vulnerability findings. You can look for specific types of vulnerabilities and use criteria from Qualys’s KnowledgeBase such as severity, business risk, CVSS scores, existence of exploits or malware, and whether patches are available.

See which hosts need updates after Patch Tuesday

With Qualys’ constantly-updated KnowledgeBase, you can quickly determine which hosts will need which patches when vendors release updates each month.

Spot trends, see what’s changed

With Qualys, instead of looking at a single snapshot of your network, you can look at how vulnerabilities have impacted your systems over time and where things are headed. You can look at what’s changed through differential analysis, or drill into different sets of assets, all without having to re-scan.

Predict which hosts are at risk for Zero-Day Attacks

With the optional Qualys Zero-Day Risk Analyzer, you can immediately know which systems are at risk when new Zero-Day threats emerge. Up-to-the-minute intelligence from VeriSign iDefense enables Qualys to alert you even before patches are publicly available so that you can take appropriate mitigating action.


Monitor vulnerabilities over time, assign tickets, and manage exceptions.

Keep track of vulnerabilities and actions taken

Qualys tracks the disposition of each vulnerability on each host over time. This helps you document the actions taken in response to each vulnerability and monitor the effectiveness of your remediation efforts.

Automatically assign remediation tickets

With Qualys’ remediation ticketing, you can have tickets generated automatically whenever vulnerabilities are found. You can set criteria for assigning tickets, with deadlines, to the appropriate personnel. Comprehensive ticket-tracking reports provide the history of each ticket as well as a holistic view across sets of tickets.

Create per-host patch lists

Qualys’s Patch Report gives you a consolidated list of which hosts need which patches. It also identifies where to get vendors’ official patches so that you can keep your systems up-to-date and know where to apply your resources.

Integrate with existing IT ticketing systems

Qualys can automatically create and close tickets in select 3rd-party IT ticketing systems.

Manage exceptions

For times when a vulnerability might be riskier to fix than to leave alone, Qualys allows you to suspend reporting on particular vulnerabilities to avoid distracting you from more serious threats. Exceptions can be set to automatically expire after a period of time so that deferred vulnerabilities don’t get lost and can be reviewed later.


Customize comprehensive reports to document progress for IT,
business executives and auditors.

Report anytime, anywhere — without rescanning

Qualys’ ability to track vulnerability data across hosts and time lets you use reports interactively to better understand the security of your network. You can draw from a library of built-in reports, change what’s shown, how data is presented, and choose different sets of assets—all without having to rescan.

Create different reports for different audiences

One size does not fit all. With Qualys, you can create custom report templates that communicate the right level of detail for each recipient. Present scorecards to executives, connecting security results to business goals. Give patch reports to Operations staff, telling them exactly which hosts need which updates. Provide detailed drill-downs to IT teams who are researching particular issues.

Verify, document and share status and results automatically

With Qualys, you can easily record and share the results of your vulnerability management program. Reports can be generated on-demand or scheduled automatically and then shared with the appropriate recipients online, in PDF or CSV.

Provide context & insight, not just data

Qualys helps you understand the impact that each vulnerability could have on your network. Its extensive KnowledgeBase provides information and context about each vulnerability (such as CVSS scores, relevance to PCI, threat details, active exploits and potential solutions). Trends and predictions allow you to see beyond individual data points, and patch reports let you focus on the most important actions.

Show ongoing progress against vulnerability management objectives

Best practices in security go beyond looking at simple counts of open vulnerabilities because the rates at which new vulnerabilities are found and patches are released are constantly changing. Qualys helps you meaningfully track progress over time with metrics such as the number of fixable vulnerabilities that remain unpatched for more than 90 days.

Share data with other security & compliance systems

Qualys can provide valuable data programmatically to other applications through a comprehensive set of XML-based APIs. Your GRC, SIEM, ERM, IDS and other security and compliance systems can obtain up-to-the-minute data about each of your host assets, initiate scans, and perform a variety of other tasks.

Email or call us at +1 800 745 4355 or try our Global Contacts
Subscription Packages
Qualys Solutions
Qualys Community
Free Trial & Tools
Popular Topics