Get the Most Out of VMDR

Find out in just 4 mins if you're experiencing maximum value!

Customers leveraging all the powerful features and functionality that Qualys VMDR has to offer are enjoying $5.1M total value per year.

Qualys VMDR

Do you know if your instance of VMDR is optimized to its fullest potential? It only takes 4 mins to find out!

01. Fill in your contact information.
02. Complete the Qualys VMDR Scorecard below.
03. Submit to see your results.

You'll receive your comprehensive VMDR Scorecard Report complete with recommendations and immediate actions you can take to speed your organization to maximum ROI.

Something about you

Please fill out your contact information, then scroll down to fill out the survey, and submit for instant results.

Section 1: Inventory

You cannot protect what you cannot see. It is therefore imperative that organizations have a comprehensive understanding of their attack surface (both internal and external) and take actions to mitigate and reduce risk.

1/17. Select the Qualys sensors you use to discover and inventory assets in your environment (Check all that apply).

Pro Tip:
You can't protect what you can't see. Therefore, it's essential to incorporate a variety of sensors to get the most comprehensive inventory of all your assets. Leverage Qualys Cloud Agents, discovery scans, connectors with Cloud services, and CMDBs to get the most accurate inventory. Utilize external and perimeter scanning, coupled with External Attack Surface Management, to gain comprehensive insight into assets exposed to the internet. Conduct lightweight vulnerability management scans to enhance visibility into internal assets.

2/17. What percentage of assets are accurately inventoried compared to the assets in CMDB?

Pro Tip:
Similar to the previous question, you can't protect what you can't see. Keeping your asset inventory consistent with your CMDB ensures that you're protecting your entire environment.

3/17. Which statement best describes your organization on how you classify/group assets using Qualys VMDR?

Pro Tip:
Tagging helps to organize assets in your organization. The most powerful use of tags is accomplished by creating a dynamic tag. A dynamic tag automatically assigns tags to the assets based on search criteria in the dynamic tagging rule. It also helps you group tags based on business units, geographic locations, asset types, etc.

4/17. Do you use Qualys' certificate management capability to manage the cyber risk of your digital certificates?

Pro Tip:
Expiring digital certificates could lead to business outages costing up to $15 million per outage. Thus, it's critical to have an accurate inventory of your certificates to monitor when they expire and prioritize expiring certificates accordingly.

Section 2: Scanning & Assessment

Optimal scanning/assessment strategies ensure organizations have an accurate assessment of risk, which in turn reduces the risk of exploitation.

5/17. How often are vulnerability assessments performed?

Pro Tip:
Currently, many organizations are no longer relying on periodic vulnerability or compliance assessments, even if performed weekly or daily. Instead, they seek an immediate and continuous grasp of their vulnerability status. Leverage the Cloud Agent to perform real-time vulnerability assessments on agent-supported operating systems. This approach delivers quick results and significantly minimizes network impact by reducing the noise associated with traditional network scans while network scanners cover the remaining infrastructure.

6/17. What percentage of assets (including those with Qualys agent installed) are scanned with successful authentication?

Pro Tip:
Authenticated scans give you the most accurate results and provide the most visibility into the security posture of each system. Instead of solely relying on the software list of installed packages, Qualys' authenticated scanning verifies more on the endpoint. By minimizing potential vulnerabilities and prioritizing confirmed vulnerabilities, authenticated scans save you time and give you the most accurate results. You can use the 'Qualys Subscription Hygiene' dashboards to gain insight into subscription health, including authentication failures, and use those insights to fix them.

7/17. Which statement accurately describes your organization's use of Agentless Tracking with Qualys VMDR?

Pro Tip:
Using the Agentless Tracking Identifier in DHCP environments allows users to uniquely identify and track each host with a distinct ID, preventing multiple entries for the same host with different IP addresses (or DNS/NetBIOS names). This is advantageous for scanning systems with multiple IP addresses, enabling the consolidation of vulnerability data based on a unique host ID.

8/17. Is your subscription set to merge assets for a 'Single Unified View,' and are you using both authenticated and unauthenticated merging capabilities?

Pro Tip:
There are multiple ways to scan an asset, for example, credentialed vs. uncredentialed scans or agent-based vs. agentless. Regardless of the scanning technique, the vulnerability detections must link back to the same asset, even if the key identifiers, like IP address, network card, and so on, have changed over its lifecycle. Merging unauthenticated scans with agent scan results helps provide a better assessment of your risk posture by providing you with an internal and external view of risk. Refer to Agentless tracking and Agent correlation identifier to set up merging for both authenticated and unauthenticated remote scans with Cloud Agent.

9/17. How would you describe your vulnerability scanning process for exploitable vulnerabilities (such as CISA KEV), which requires a combination of Qualys sensors - network (remote) and agent-based scanning?

Pro Tip:
The mantra here is simple: 'Use the agent where you can, scanner where you can't.' Both Qualys Cloud Agents and Scanners offer comprehensive and continuous vulnerability management of the entire attack surface.

10/17. Do you use Security Configuration Assessment (SCA) provided by VMDR to assess configuration hygiene by industry standards like CIS?

Pro Tip:
Hardening your infrastructure through secure configurations minimizes the attack surface, making it more challenging for attackers to compromise systems. According to the Verizon DBIR report, misconfigurations rank among the top three causes of ransomware attacks. Additionally, every regulatory framework mandates that organizations implement robust configuration hygiene management.

11/17. If the PCI (Payment Card Industry) requirement applies to you, are you leveraging PCI ASV scanning of Qualys VMDR?

Pro Tip:
Qualys VMDR includes access to Qualys PCI ASV scanning, which can help you maintain your PCI compliance for your PCI-certified environments. This can be done directly from the Qualys VMDR UI, and results can be imported into the Qualys PCI environment quarterly.

12/17. How do you leverage VMDR to create tickets for your IT teams within their respective ticketing or ITSM solutions?

Pro Tip:
With CMDB Sync, both CMDB and Qualys sync asset metadata, helping you close your vulnerability tickets 60% faster. Ticketing can also help you reduce your Mean Time to Remediate (MTTR) by ensuring critical vulnerabilities are tracked from discovery to remediation.

Section 3: Prioritization & Remediation

Organizations should prioritize vulnerabilities based on risk of exploitation, evidence of exploitation, and likelihood of exploitation rather than simply reducing the volume of vulnerabilities.

13/17. How are you prioritizing vulnerabilities for remediation?

Pro Tip:
Prioritizing based on the risk of exploitation or evidence of exploitation helps you focus on fewer high-risk vulnerabilities and reduce the risks you face. You should also consider using a risk-based approach to minimize risk.

14/17. How are you prioritizing assets for remediation?

Pro Tip:
Qualys VMDR with TruRisk prioritizes critical assets efficiently by considering factors like location, business importance, and advanced threat intelligence from over 25 threat & exploit intelligence sources. Use TruRisk scores to first target the assets that contribute to the highest risk.

15/17. Do you leverage MITRE ATT&CK context for threat-informed prioritization of vulnerabilities & misconfigurations?

Pro Tip:
Integrating the MITRE ATT&CK Framework with Qualys and third-party tools elevates the overall efficacy of managing vulnerabilities and misconfigurations, offers a more profound insight into the threat landscape, facilitates prioritized remediation efforts, and ensures alignment of security practices with industry best standards.

16/17. How do you leverage Qualys VMDR to determine which patches to deploy to remediate vulnerabilities?

Pro Tip:
Through Patch Detection, organizations can identify specific patches (for example, KB5022511) that must be deployed to remediate vulnerabilities. It saves IT teams countless hours by eliminating the need to research which patches to deploy.

Section 4: Purging & Clean Up

Purging is one of a few key maintenance activities you should perform to keep the data in your subscription fresh and ensure that it most accurately reflects your environment. The process involves identifying stale assets and automating their purging.

17/17. How do you leverage purge rules to ensure stale assets are not part of your Qualys VMDR subscription?

Pro Tip:
Eliminating assets that are no longer active helps you maintain healthy asset inventory hygiene. You can find information about purging and how to configure the purge rules as per best practices here: Remove stale assets.