
Qualys Asset Inventory & CSAM — Global AssetView, EASM & EOL Visibility

You cannot secure what you cannot see. Qualys CSAM and Global AssetView give you a single, always-current inventory of every IT, cloud, OT and IoT asset — scanned from the inside by agents and scanners, and from the outside by EASM. This lesson maps the discovery sensors, shows how raw device data is normalised into a queryable record, and explains how software EOL/EOS signals feed the TruRisk score that tells you what to fix first.

📅 2026-06-20 · ⏱ 16 min · 4 infographics · live asset demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to Qualys CSAM and Global AssetView (2026): asset discovery, normalization, EASM outside-in scanning, software and EOL/EOS visibility — plus TruRisk-based prioritization across IT, cloud, OT and IoT.

Pick where you want to start

1. GAV vs CSAM: which tier, what it includes, and why it matters.
2. Discovery sensors: agent, passive sensor, scanner & EASM.
3. Normalisation & software: standardised records, catalogue & EOL/EOS.
4. EASM & TruRisk: outside-in view, attack surface & risk score.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Is Global AssetView (GAV) a paid add-on or included with VMDR?

Answered in GAV vs CSAM.

2. Which sensor gives Qualys an outside-in view of internet-facing assets?

Answered in Discovery sensors.

3. What does Qualys normalisation do to raw device data?

Answered in Normalisation & software.

Most engineers think…

Most people treat asset inventory as a one-time spreadsheet exercise: run a scan, export a CSV, done. That mental model fails you the moment a developer spins up a cloud instance at 2 AM or a contractor plugs in an unmanaged laptop.

Qualys CSAM and Global AssetView maintain a live, continuous record: Cloud Agents check in constantly, passive sensors see traffic in real time, scanner appliances sweep on schedule, and EASM probes your internet boundary from the outside every day. The asset record is then normalised — raw device strings become standardised manufacturer, product and version entries — and layered with EOL/EOS flags and a TruRisk score so you are always answering the right question: not 'what exists?' but 'what is exposed and how badly does that matter?'

① Global AssetView vs CSAM — the two tiers of Qualys asset visibility

Global AssetView (GAV) is the baseline asset inventory tier included with every Qualys VMDR subscription. It replaced the original AssetView module (retired March 2026) and gives you a refreshed interface, always-current asset records, a Database tab for database instance visibility, and API access for querying your estate. GAV is the foundation every VMDR customer starts from.

CyberSecurity Asset Management (CSAM) is the advanced tier. It adds External Attack Surface Management (EASM) for outside-in internet exposure, risk-based prioritisation using TruRisk, unified visibility across IT, OT, IoT and multi-cloud assets, and richer software EOL/EOS lifecycle management. CSAM is the answer when an interviewer asks how Qualys goes beyond scanning to continuous asset risk management.

The interview line: GAV = live inventory for every VMDR subscriber; CSAM = inventory plus outside-in attack surface plus business-risk context.

Figure 1 — From raw scan to business-risk inventory
[Infographic panels: Discover (4 sensor types) → Normalise (vendor/product/OS) → Catalogue (software + EOL/EOS) → Score (TruRisk rank) → Prioritise (fix what matters most)]
Qualys turns four sensor streams into a single normalised asset record, then adds EOL and TruRisk context.
Quick check · Q1 of 10 · Understand

Which Qualys asset tier is included with a standard VMDR subscription?

Correct: b. Global AssetView replaced AssetView classic (retired March 2026) and is included with every VMDR subscription. CSAM is the advanced paid tier that adds EASM, TruRisk prioritisation and richer EOL/EOS management.
👉 So far: GAV = live inventory included with VMDR (replaced classic AssetView, March 2026). CSAM = advanced tier adding EASM, TruRisk prioritisation and full EOL/EOS management.

② Discovery sensors — the four ways Qualys finds assets

Qualys uses four complementary sensors so nothing stays invisible. The Cloud Agent is a lightweight software agent installed on endpoints, servers, containers and cloud instances; it phones home continuously and is the highest-fidelity source for OS, installed software and running processes — no credential or network access needed after install. The Passive Network Sensor (PNS) listens on a SPAN or mirror port and classifies assets purely from traffic metadata, making it ideal for unmanaged devices and OT/IoT devices that cannot run an agent.

The other two sensors

The Scanner Appliance (virtual or physical) performs authenticated and unauthenticated network scans on a schedule, finding devices that neither have an agent nor generate traffic. Finally, EASM is the outside-in sensor: it probes your internet boundary using DNS records, SSL/TLS certificates, WHOIS data, hosting signals and cloud fingerprints to discover domains, subdomains, cloud workloads and APIs that attackers can see — even if your internal tools have never heard of them.

Figure 2 — One asset record, four sensor inputs
[Infographic panels: Cloud Agent, Passive Sensor, Scanner Appliance and EASM (outside-in) all feed one CSAM Record (normalised asset)]
Every discovery method feeds the same CSAM asset record so coverage gaps from one sensor are filled by another.
☁️ Cloud Agent: Lightweight agent on endpoints, servers and cloud instances. Checks in continuously for the highest-fidelity OS, software and process data — no network credential needed after install.

📡 Passive Network Sensor: Listens on a SPAN or mirror port, classifies assets from traffic metadata. Ideal for OT, IoT and unmanaged devices that cannot run an agent.

🔍 EASM: Outside-in sensor: probes DNS, SSL/TLS certs, WHOIS and cloud fingerprints to map every internet-facing asset, including shadow IT and ghost hosts.

⚠️ EOL/EOS Flag: Qualys cross-references every normalised software title against its End-of-Life/End-of-Support date. EOL assets never receive patches, so they receive elevated TruRisk scores.

Name all four sensors in an interview

When asked how Qualys discovers assets, list all four: Cloud Agent (continuous, agent-based), Passive Network Sensor (agentless, traffic metadata), Scanner Appliance (scheduled, network-based) and EASM (outside-in, internet boundary). Naming all four — and which gap each fills — is the answer that gets you shortlisted.

Quick check · Q2 of 10 · Remember

Which Qualys sensor listens on a SPAN/mirror port and requires no agent on the device?

Correct: c. The Passive Network Sensor captures traffic metadata from a SPAN or mirror port and can fingerprint OT, IoT and unmanaged devices without installing anything on them. Cloud Agent requires installation; Scanner requires network access; EASM is outside-in.
👉 So far: Four sensors cover every blind spot: Cloud Agent (managed devices), Passive Sensor (OT/IoT/unmanaged), Scanner Appliance (scheduled sweeps), EASM (internet-facing, outside-in).

③ Normalisation, software catalogue & EOL/EOS lifecycle

Raw device data from four different sensors would be chaos if every vendor spelt their own product name differently. Qualys solves this with normalisation: for every asset record Qualys standardises the manufacturer name, product name, model, software version and OS into a consistent taxonomy. The same Adobe Reader shows up identically whether the record came from a Windows agent, a Linux scanner or a passive-sensor fingerprint.

The software catalogue is the downstream benefit: because every software title is normalised, CSAM can cross-reference every installed package against its EOL/EOS (End-of-Life / End-of-Support) date. An asset running Windows Server 2012 R2 or an old OpenSSL version gets flagged automatically — no manual lookup needed. EOL software is a high-value target because it never receives security patches, so these flags feed directly into the TruRisk score used for prioritisation.

CSAM also tracks software licence and version spread: where is a vulnerable version installed, on how many hosts, and what is the business criticality of those hosts? That combination — normalised data plus lifecycle flags plus criticality — is what makes CSAM useful beyond a raw CVE list.
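As an added illustration (not Qualys code and not its normalisation engine), the toy normaliser below collapses three differently-spelt sensor reports of the same title into one canonical (vendor, product, version) and then runs the EOL/EOS lookup on the result; the pattern table, the sample sensor records and the lifecycle entries are constructed for the demo.

```python
"""Toy normalisation + EOL/EOS cross-reference (added illustration, not Qualys code)."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

AS_OF = date(2026, 6, 20)   # "today" for the EOL check (the lesson's date)
# Constructed raw strings: one Adobe Reader title as three sensors report it,
# plus two hosts running software past its public end-of-support date.
RAW_RECORDS = [
    {"sensor": "cloud_agent", "host": "win-app-01", "raw": "Adobe Acrobat Reader DC (Continuous) 23.008.20470"},
    {"sensor": "scanner", "host": "lnx-build-07", "raw": "adobe reader 23.008.20470"},
    {"sensor": "pns", "host": "kiosk-3", "raw": "Acrobat Reader/23.008"},
    {"sensor": "scanner", "host": "dc-legacy-02", "raw": "Microsoft(R) Windows(R) Server 2012 R2 Standard"},
    {"sensor": "cloud_agent", "host": "web-edge-11", "raw": "OpenSSL 1.0.2u  4 Dec 2019"},
]
# Constructed canonical taxonomy: first matching regex wins.
PATTERNS = [
    (re.compile(r"adobe.*reader|acrobat reader", re.I), ("Adobe", "Acrobat Reader")),
    (re.compile(r"windows.*server 2012 r2", re.I), ("Microsoft", "Windows Server 2012 R2")),
    (re.compile(r"\bopenssl\b", re.I), ("OpenSSL", "OpenSSL")),
]
VERSION_RE = re.compile(r"\d+(?:\.\d+)+[a-z]?")  # dotted version, optional letter suffix
# Lifecycle table keyed by (vendor, product, version prefix); "" = any version. Public EOS dates.
EOL_TABLE = {
    ("Microsoft", "Windows Server 2012 R2", ""): date(2023, 10, 10),
    ("OpenSSL", "OpenSSL", "1.0"): date(2019, 12, 31),
}

@dataclass(frozen=True)
class SoftwareEntry:
    host: str
    sensor: str
    vendor: str
    product: str
    version: str              # "" when the sensor could not see a version
    eol_date: Optional[date]
    is_eol: bool

def normalise(raw: str) -> Optional[tuple]:
    """Map one raw sensor string to (vendor, product, version); None if unknown."""
    for pattern, (vendor, product) in PATTERNS:
        if pattern.search(raw):
            m = VERSION_RE.search(raw)
            return vendor, product, (m.group(0) if m else "")
    return None   # unknown titles stay unmapped until a human extends the taxonomy

def lookup_eol(vendor: str, product: str, version: str) -> Optional[date]:
    return next((eol for (v, p, prefix), eol in EOL_TABLE.items()
                 if (v, p) == (vendor, product) and version.startswith(prefix)), None)

def build_catalogue(records, today=AS_OF):
    """Normalise every record and attach its EOL/EOS status as of `today`."""
    catalogue = []
    for rec in records:
        norm = normalise(rec["raw"])
        if norm:
            vendor, product, version = norm
            eol = lookup_eol(vendor, product, version)
            catalogue.append(SoftwareEntry(rec["host"], rec["sensor"], vendor, product,
                                           version, eol, bool(eol and eol <= today)))
    return catalogue

def eol_hosts(catalogue):
    """Hosts carrying an EOL title: the one-click query the lesson describes."""
    return sorted({e.host for e in catalogue if e.is_eol})
```

Note that the Windows Server record carries no dotted version string, so the lookup falls back to the empty-prefix lifecycle entry; a real catalogue would need the same kind of per-product rule.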

Figure 3 — Normalisation layers — raw to risk-ready
[Infographic layers: Raw sensor data (agent, scanner, PNS, EASM signals) → Normalised record (vendor / product / version / OS) → Software catalogue (EOL/EOS flags + licence count) → Risk context (TruRisk + criticality + threat intel)]
Qualys stacks four enrichment layers so every asset is queryable and comparable across the estate.
Don't under-sell EOL as 'just old software'

EOL/EOS software is not just inconvenient — it is a permanent unpatched attack surface. Because Qualys normalises every software title and cross-references lifecycle dates automatically, you can query all assets running EOL software in one click. Always link EOL findings to TruRisk and patch prioritisation, not just version lists.

Walkthrough: an unknown cloud server gets discovered and risk-scored

How a forgotten staging server goes from invisible to risk-ranked in CSAM, following the full EASM-to-TruRisk path.

① EASM probe: EASM scans the company seed domain using DNS, certificate transparency logs and cloud fingerprints, finding a forgotten subdomain on a cloud IP.
② Ghost asset: The subdomain has no matching record in the internal CSAM inventory — it is flagged as a ghost asset: internet-facing, unmanaged, unscanned.
③ Onboard + scan: The security team installs a Cloud Agent on the server. CSAM normalises the OS and software — including a flagged EOL component — into a full asset record.
④ TruRisk score: CSAM assigns a TruRisk score combining the EOL flag, a critical CVE found in the scan, and the server's internet-facing exposure. It appears at the top of the remediation queue.
Quick check · Q3 of 10 · Apply

A server is still running Windows Server 2012 R2. How does CSAM surface this risk automatically?

Correct: d. Qualys normalises the OS version, cross-references it against EOL/EOS dates, flags the asset in the software catalogue, and feeds that flag into the TruRisk score — surfacing it in the risk-prioritised remediation queue without manual lookup.
👉 So far: Normalisation standardises vendor/product/version across all sensors. The software catalogue cross-references EOL/EOS dates automatically — no manual lookup, direct input to TruRisk.

④ EASM outside-in view & TruRisk prioritisation

EASM flips the discovery model. Instead of scanning from inside the network out, EASM probes like an attacker would: it starts from your organisation name and known seed domains, then expands outward using DNS records, SSL/TLS certificate transparency logs, WHOIS data, hosting fingerprints and cloud provider metadata to map every internet-facing asset — including shadow IT, forgotten test servers and misconfigured cloud buckets that the internal agent estate has never catalogued.

The result is an attack surface inventory: domains, subdomains, open ports, exposed web applications, APIs, cloud workloads and IP ranges. Each finding is correlated back to CSAM internal asset data so that a new internet-facing host is immediately enriched with agent or scanner data if available, and flagged for investigation if completely unknown (a ghost asset).

TruRisk: from inventory to prioritisation

TruRisk is the score that turns the inventory into a decision. It combines vulnerability severity (CVSS base plus temporal), threat intelligence (active exploitation, weaponised exploits), asset criticality (business context tags), EOL/EOS flags and attack surface exposure to produce a risk rank. The interview answer: CSAM does not just tell you what is there; TruRisk tells you what to fix first.

Figure 4 — Inside-out vs outside-in discovery
[Infographic panels. Inside-out (GAV/CSAM): Cloud Agent on every managed host; passive sensor on SPAN/mirror port; scanner appliance on schedule; sees managed + semi-managed assets. Outside-in (EASM): DNS, certs, WHOIS, hosting signals; discovers shadow IT; finds ghost assets; mirrors the attacker view.]
Internal sensors find what is managed; EASM finds what attackers see — together they close the blind spot.

Priya at a Pune fintech firm faces this

During an external audit, the assessor finds three internet-facing subdomains serving outdated TLS certificates on forgotten staging servers — none of them appear in Qualys VMDR scan results.

Likely cause

The servers were spun up during a hackathon two years ago, were never added to the scan target list, and were never agent-installed — so internal sensors are completely blind to them.

Diagnosis

Run CSAM EASM discovery using the company seed domains. All three subdomains appear as ghost assets: visible from the internet, no internal asset record, TLS certificates expired.

CSAM ▸ Attack Surface ▸ External Assets ▸ Ghost Assets
Fix

Onboard the servers into CSAM (install Cloud Agents), schedule authenticated scans, assess vulnerabilities, and either patch and move to production or decommission. Add all known seed domains to EASM so future rogue subdomains are caught automatically.

Verify

Re-run EASM: all three hosts now appear as known assets with agent data. Ghost-asset count drops to zero. Audit finding closed.

Prove coverage with the ghost-asset count

After running EASM, look at ghost assets — hosts EASM found that have no internal record. A non-zero count means your internal scanner estate has blind spots. Bring that number to zero by either onboarding or decommissioning each ghost asset. That metric is a clean, auditable proof of inventory completeness.
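The ghost-asset metric from the paragraph above and the EASM-to-inventory correlation described in section ④, as an added example that is not Qualys code: EASM findings are reconciled against a constructed internal inventory by FQDN or IP (a matching rule assumed for the demo, not Qualys's correlation logic), ghosts with expired certificates are listed as in the Pune scenario, and onboarding each ghost drives the count to zero.

```python
"""Ghost-asset reconciliation, added as an illustration (not Qualys code). The findings,
the inventory and the matching rule (same FQDN or same IP) are constructed for this demo."""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple
AS_OF = date(2026, 6, 20)   # "today" for certificate-expiry checks (the lesson's date)

@dataclass(frozen=True)
class EasmFinding:
    fqdn: str
    ip: str
    signal: str                        # outside-in source that surfaced it
    cert_expiry: Optional[date] = None

@dataclass(frozen=True)
class InternalAsset:
    hostname: str
    ips: Tuple[str, ...]
    sensors: Tuple[str, ...]           # internal sensors that have seen this host

# Constructed EASM output for a placeholder seed domain (documentation IP ranges).
EASM_FINDINGS = [
    EasmFinding("www.example-fintech.test", "203.0.113.10", "dns", date(2027, 1, 15)),
    EasmFinding("api.example-fintech.test", "203.0.113.11", "cert-transparency", date(2026, 11, 2)),
    EasmFinding("hack-staging.example-fintech.test", "198.51.100.21", "cert-transparency", date(2024, 3, 1)),
    EasmFinding("demo2024.example-fintech.test", "198.51.100.22", "dns", date(2024, 5, 9)),
    EasmFinding("old-payments.example-fintech.test", "198.51.100.23", "whois", date(2023, 12, 30)),
]
# Constructed inventory: the API gateway has an internal hostname, so it only matches on IP.
INTERNAL_INVENTORY = [
    InternalAsset("www.example-fintech.test", ("203.0.113.10",), ("cloud_agent", "scanner")),
    InternalAsset("api-gw-01", ("203.0.113.11", "10.0.4.11"), ("cloud_agent",)),
]

def reconcile(findings, inventory):
    """Split EASM findings into (known, ghosts); known pairs each finding with its record."""
    by_name = {a.hostname: a for a in inventory}
    by_ip = {ip: a for a in inventory for ip in a.ips}
    known, ghosts = [], []
    for f in findings:
        asset = by_name.get(f.fqdn) or by_ip.get(f.ip)
        if asset:
            known.append((f, asset))
        else:
            ghosts.append(f)
    return known, ghosts

def ghost_asset_count(findings, inventory) -> int:
    """The coverage metric: non-zero means the internal sensor estate has a blind spot."""
    return len(reconcile(findings, inventory)[1])

def expired_cert_ghosts(findings, inventory, today=AS_OF):
    """Ghost hosts whose TLS certificate has already expired (the scenario's audit finding)."""
    return sorted(f.fqdn for f in reconcile(findings, inventory)[1]
                  if f.cert_expiry is not None and f.cert_expiry < today)

def onboard(inventory, ghost, sensors=("cloud_agent",)):
    """Return a new inventory with the ghost recorded under its FQDN (agent installed)."""
    return list(inventory) + [InternalAsset(ghost.fqdn, (ghost.ip,), tuple(sensors))]

def close_blind_spots(findings, inventory):
    """Onboard every ghost; the returned inventory drives the metric to zero."""
    for ghost in reconcile(findings, inventory)[1]:
        inventory = onboard(inventory, ghost)
    return inventory
```

In practice the decommission branch matters as much as onboarding: a ghost that is torn down should disappear from the next EASM run rather than be added to the inventory.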

Quick check · Q4 of 10 · Analyze

EASM finds a subdomain with no matching record in the internal CSAM inventory. What is this called and what must happen next?

Correct: a. A ghost asset is a host visible from the internet that has no internal inventory record, indicating shadow IT or a forgotten server. It must be investigated and either brought into the managed estate (agent installed) or decommissioned to close the blind spot.
👉 So far: EASM maps your attack surface like an attacker sees it. Ghost assets = internet-visible hosts with no internal record. TruRisk = vulnerability severity + threat intel + EOL + asset criticality = what to fix first.


📝 Wrap-up assessment — six more


Q5 · Remember

Which Qualys module replaced classic AssetView when it was retired in March 2026?

Correct: c. Global AssetView (GAV) replaced classic AssetView, which was retired in March 2026. GAV is included with every VMDR subscription and provides the baseline asset inventory with a refreshed interface and API access.
Q6 · Understand

Which discovery sensor is best suited for OT and IoT devices that cannot run a software agent?

Correct: a. The Passive Network Sensor listens on a SPAN/mirror port and classifies devices from traffic metadata with no agent required, making it the right choice for OT, IoT and unmanaged devices. Cloud Agent requires installation; scanner appliances need network access; EASM is outside-in.
Q7 · Apply

After enabling EASM in CSAM, the ghost-asset count shows 12 unknown internet-facing hosts. What must the security team do?

Correct: d. Ghost assets are real internet-facing hosts with no internal inventory record. Each must be investigated and either brought into the managed estate (agent installed) or decommissioned. Ignoring or deleting them leaves an active blind spot visible to attackers.
Q8 · Analyze

Why does an EOL/EOS software flag raise an asset's TruRisk score?

Correct: c. EOL/EOS software will never receive security patches from the vendor. Any vulnerability discovered after the EOL date is permanent, which materially increases the probability and impact of exploitation — hence the elevated TruRisk score.
Q9 · Evaluate

An interviewer asks how Qualys ensures the same software title appears consistently across agent, scanner and passive-sensor data. Best answer?

Correct: a. Qualys normalisation processes raw strings from all sensor types into a standardised canonical taxonomy — manufacturer, product name, version and OS — so queries and EOL/EOS cross-references work reliably regardless of which sensor supplied the data.
Q10 · Evaluate

What makes TruRisk a better prioritisation signal than CVSS alone for a security team?

Correct: b. TruRisk is a composite score that adds real-world threat intelligence (active exploitation, weaponised exploits), asset criticality tags, EOL/EOS flags and attack surface exposure on top of CVSS. This ranks vulnerabilities by the likelihood and impact of a real breach, not just the theoretical severity score.

🧠 In your own words

Type one line: why does having four discovery sensors matter if you already run authenticated scans on a schedule? Then compare with the expert version.

Expert version: Authenticated scanners only see hosts they are pointed at and only at scan time — a cloud instance spun up between scans, an OT device that cannot run an agent, or a forgotten staging server on the internet boundary are all invisible. Cloud Agents give continuous visibility between scans; the Passive Network Sensor covers agentless OT and IoT; and EASM sees what attackers see from outside, catching ghost assets that the internal estate has never catalogued. Each sensor fills a specific gap; together they give you a live, complete inventory that a scheduler alone never can.


📖 Glossary

Global AssetView (GAV)
The baseline Qualys asset inventory tier included with VMDR. Replaced classic AssetView (retired March 2026). Provides always-current asset records, software catalogue and API access.
CyberSecurity Asset Management (CSAM)
The advanced Qualys asset tier adding EASM outside-in discovery, TruRisk-based prioritisation, and richer EOL/EOS lifecycle management across IT, OT, IoT and cloud.
EASM
External Attack Surface Management — outside-in discovery using DNS, SSL/TLS certificate transparency, WHOIS and cloud fingerprints to map internet-facing assets including shadow IT and ghost hosts.
Ghost Asset
A host discovered by EASM that has no matching record in the internal CSAM inventory — indicates shadow IT or a forgotten server visible to attackers.
Normalisation
Qualys process that converts raw device strings from all sensors into a standardised taxonomy of manufacturer, product, version and OS for consistent querying and EOL/EOS matching.
EOL/EOS
End-of-Life / End-of-Support status indicating a software or OS version no longer receives security patches. CSAM flags these automatically and elevates their TruRisk score.
TruRisk
Qualys composite risk score combining CVSS severity, active threat intelligence, asset criticality, EOL/EOS flags and internet-facing exposure to rank remediation by business impact.
Passive Network Sensor (PNS)
A Qualys sensor that listens on a SPAN or mirror port, classifying assets from traffic metadata. Requires no agent, ideal for OT, IoT and unmanaged devices.


What's next?

Got the inventory foundation? Next, go deep on how Qualys VMDR uses that asset context — vulnerability signatures, QIDs, threat intelligence and TruRisk scoring — to turn a raw scan into a prioritised remediation queue.