Search

See Resources

Qualys FAQ




What does Qualys offer?

Qualys is an award-winning cloud security and compliance solution. It helps businesses simplify IT security operations and lower the cost of compliance by delivering critical security intelligence on demand and automates the full spectrum of auditing, compliance and protection for Internet perimeter systems, internal networks, and web applications.


The Qualys Cloud Platform and its integrated suite of security and compliance solutions provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of websites.


What is Vulnerability Management?

Qualys VM is a cloud service that gives you immediate, global visibility into where your IT systems might be vulnerable to the latest Internet threats and how to protect them. It helps you to continuously secure your IT infrastructure and comply with internal policies and external regulations. Qualys VM checks your servers, computers and other devices for vulnerabilities and helps you identify the patches you need to download to fix them. It keeps track of the security problems it finds for each system, and provides graphical reports that tell you which patches to use on which systems so that you can get the most improvement in security for the least effort.


What is Vulnerability Assessment?

Vulnerability Assessment (VA) is an integral component of vulnerability management. VA is the process of identifying network and device vulnerabilities before hackers can exploit them.


What is Continuous Monitoring?

Qualys Continuous Monitoring (CM) is a next-generation cloud service that gives you the ability to identify threats and unexpected changes in your Internet perimeter before they turn into breaches with realtime scanning. With CM you can track what happens within Internet-facing devices throughout your DMZs and cloud environments – anywhere in the world. It detects changes in your perimeter that could be exploited and immediately notifies the IT staff responsible for the affected assets so they can take appropriate action. It lets you easily configure rules and alerts so you can know and react as soon as something changes on your network.


What is Web Application Scanning?

Qualys Web Application Scanning (WAS) is a cloud service that provides automated crawling and testing of custom web applications to identify vulnerabilities including cross-site scripting (XSS) and SQL injection. The automated service enables regular testing that produces consistent results, reduces false positives, and easily scales to secure large number of websites. Proactively scans websites for malware infections, sending alerts to website owners to help prevent black listing and brand reputation damage.


What is Policy Compliance?

Qualys Policy compliance (PC) is a cloud service that performs automated security configuration assessments on IT systems throughout your network. It helps you to reduce risk and continuously comply with internal policies and external regulations by providing proof of compliance demanded by auditors across multiple compliance initiatives. Qualys Policy Compliance automates the collection of technical controls from information assets within the enterprise; and provides compliance reporting by leveraging a comprehensive knowledgebase that is mapped to prevalent security regulations, industry standards and compliance frameworks.


What is PCI?

Qualys PCI Compliance (PCI) provides businesses, online merchants and Member Service Providers the easiest, most cost-effective and highly-automated way to achieve compliance with the Payment Card Industry Data Security Standard. Known as PCI DSS, the standard provides organizations the guidance they need to ensure that credit cardholder information is kept secure from possible security breaches.


Is Qualys a software product or a service?

Qualys' Software-as-a-Service (SaaS) delivery model, allows users to access Qualys from any Web browser. This unique SaaS platform enables organizations to assess and manage its security exposures freeing them from the substantial cost, resource and deployment issues associated with traditional software products. Qualys is capable of managing Internet exposed vulnerabilities as well as vulnerabilities found on hosts that are not directly accessible from the Internet.


For those entities that want an on-premise solution, Qualys offers MSSPs, enterprises and government agencies our award-winning security and compliance solutions as a private cloud from your own data center where you retain full control of all the underlying security data. The Private Cloud Platform combines the virtualized Qualys software with a self-contained, internally-redundant cloud appliance. The platform comes pre-configured for your environment, for fast deployment. Because it runs in the cloud, we can scale Qualys as your needs grow. We just add more capacity to meet the scanning, analysis and reporting needs of your business.


Is Qualys host-based or network-based?

Qualys is a cloud-based solution that detects vulnerabilities on all networked assets, including servers, network devices (e.g. routers, switches, firewalls, etc.), peripherals (such as IP-based printers or fax machines) and workstations. Qualys can assess any device that has an IP address. Qualys works both from the Internet to assess perimeter devices as well as from the inside of your network, to assess risk from an internal perspective, using secure, hardened Qualys Scanner Appliances.


My company already deployed firewalls, Intrusion Detection Systems (IDS), and other security solutions. Why do we need vulnerability management?

Qualys complements your firewalls, intrusion detection, antivirus, and other security solutions by providing a proactive, preventive approach to network security. Firewalls often permit threats and vulnerabilities, such as worms and viruses, to traverse un-trusted networks, such as the Internet, to your internal network. As worms get more intelligent, we will continue to see firewalls become an antiquated defense. Intrusion detection systems have already been deemed "yesterday's security tool," as they are reactive, "after the fact" technologies, much like antivirus solutions.


Qualys is a proactive solution, which informs you of known vulnerabilities in your infrastructure. Qualys can even tell you if you are vulnerable to a new exposure before you perform a scan!


My company recently performed an annual security audit with the help of a consulting firm. Why do I need Qualys?

In the past, scanning your networks once a year or once a quarter was sufficient. However, with the average time between vulnerability detection and exploitation diminishing each year, annual audits are no longer frequent enough. With Qualys you can fully automate security assessments and reduce the time between audits from yearly or quarterly, to monthly, weekly or, even daily. You can decide how often a vulnerability assessment is required; varying from device to device, from network to network. Scans can be scheduled or performed on demand. Also, with the Qualys subscription, customers are entitled to an unlimited number of scans. Most customers schedule weekly scans and conduct on demand scans after a security policy change, or on a new device before it is deployed into a production environment.


How often is the vulnerability database updated?

Qualys updates its vulnerability database with multiple vulnerability checks each day, as new vulnerabilities emerge. An average of 20 new signature updates are delivered each week. We maintain the industry's largest, most comprehensive and up-to-date Vulnerability Knowledge Base. Our CVE-compliant Knowledge Base contains more than 20,000 checks (as of November 2014).


How do I know that the vulnerability database is up-to-date?

Qualys engineers develop vulnerability signatures every day in response to emerging threats. As soon as these signatures pass rigorous testing in the Qualys Quality Assurance Lab they are automatically made available to you for your next scheduled or on demand scan. No user action is required. In addition, as a part of the Qualys service, you can sign up to receive daily or weekly vulnerability signature update emails, detailing the new vulnerabilities Qualys is capable of detecting.


What is the service availability for Qualys?

Qualys is available 24x7x365 and can be accessed anytime from anywhere through a Web browser. Qualys consistently maintains 99% availability. The service is constantly updated transparently, without any interruption to users, and is only taken off-line once a quarter for maintenance and updates. This process usually lasts a few hours in duration.


What does Qualys do to protect my data?

Stored data is kept in an encrypted format. Qualys encrypts each users' data uniquely, so that only the user who created the data can access it. Qualys has no insight into customer data. In fact, Qualys does not have access to the encryption key, so Qualys has no ability to decrypt the stored data.


The Qualys Cloud Platform resides behind network-based, redundant, highly-available firewalls and intrusion monitoring solutions. In addition, each host runs a localized firewall on top of the customized, hardened Linux distribution, which is unique to Qualys.


The Qualys Cloud Platform is hosted in a data center that is subject to at least an annual SSAE 16 or industry standard alternative audit by an internationally-recognized accounting firm. All Qualys devices are located in physically secure, dedicated, locked cabinets protected by multiple-factor authentication, including biometrics.

More information


Our company is expanding internationally. Is Qualys restricted to the U.S. only?

Qualys is a global company and our users are capable of assessing any network or system anywhere in the world. If the device resides on the Internet, Qualys uses the Security Operations Center (SOC) that is geographically closest to the device, in order to minimize latency and congestion. Organizations can choose to deploy secure, hardened Qualys scanner appliances throughout their enterprise in any country in the world. We currently support 3 SOCs – in the United States and Europe.


Additionally, Qualys has support staff in the U.S., EMEA, India and Japan as well as sales staff around the world to help service global enterprises 24x7x365.


What happens if my network experiences rapid growth, for example through an acquisition?

Qualys scales virtually infinitely with an organization's network growth. You can easily add or remove IP addresses to your account by contacting your account manager or Qualys Support.


What type of company is typically in need of Qualys?

Qualys, via its unique Software-as-a-Service (SaaS) model, addresses the security scanning needs of customers across multiple segments, including the majority of the Fortune 500 and Forbes Global 2000 as well as, small to medium businesses, consultants and managed service providers. Regardless of the environment, the scalable, secure end-to-end solution is unchanged.


Can I use Qualys and pay as I go?

Yes. There are "pay per scan" packages available for Qualys. It is recommended, however, that any organization that is setting out to secure their enterprise choose the annual subscription service.


Email or call us at +1 800 745 4355 or try our Global Contacts
Subscription Packages
Qualys Solutions
Qualys Community
Company
Free Trial & Tools
Popular Topics