Most engineers think…
Most people picture vulnerability scanning as 'a scanner box pinging hosts on a schedule'. That model fails for cloud instances that spin up and down, laptops that roam off-VPN, and container workloads that live for minutes.
The Qualys Cloud Agent flips this: a small process on each host streams live telemetry to the Qualys Cloud Platform the moment something changes — a new package installed, a patch applied, a config drifted — without any firewall rule, credential vault, or scan window. The two keys to understanding it are the Activation Key (which proves the agent's identity and picks its modules) and the Configuration Profile (which governs how aggressively it collects and uploads). Getting those two controls right is what separates a well-tuned VMDR deployment from one that drowns in findings or misses half the estate.
① What the Qualys Cloud Agent is — continuous telemetry, not a scan window
The Qualys Cloud Agent is a lightweight software process installed on a managed host (Windows, Linux, macOS, container, cloud instance). Unlike a network scanner that pings hosts on a schedule, the agent runs on the host and continuously streams asset metadata and configuration state to the Qualys Cloud Platform over an outbound HTTPS connection — no inbound firewall rule required.
Assessment is event-driven and continuous: the agent detects a new package, a config change, or a patch and pushes the update immediately. The Qualys Cloud Platform correlates that telemetry against the live vulnerability knowledge base and surfaces a finding within minutes — not the next scheduled scan window. This is what Qualys calls real-time continuous assessment.
The agent footprint is deliberately small. It is designed to use minimal CPU and memory, governed by a throttle you set in the Configuration Profile. All heavy computation (correlation against CVE data, severity scoring, compliance benchmarks) happens in the Qualys Cloud Platform, not on the endpoint.
How does the Qualys Cloud Agent deliver real-time assessment without scan windows?
② Activation Keys — bootstrapping identity and module selection
Before an agent can talk to the Qualys Cloud Platform it must authenticate. This is done with an Activation Key. You generate an Activation Key in the Qualys Cloud UI (or via API), embed it in your deployment script or package, and the agent presents it on first check-in alongside your Customer ID.
What an Activation Key controls
Activation Keys are not just passwords — they are module selectors. Each key has checkboxes for VM (Vulnerability Management), PC (Policy Compliance), SCA, EDR, FIM, and other licensed modules. Only modules enabled on the key are active on that agent. For VMDR deployments, ensure VM is enabled; the platform then downloads the purpose-built VMDR detection engine to each host (a small additional payload, roughly 20 MB, needing about 100 MB free disk space).
Keys also carry asset tags: any tag you attach to the key is automatically applied to every host that registers with it. This is how you route assets into the right Configuration Profile from day one — create keys per environment (e.g. prod-linux, dev-windows, cloud-ec2) and tag accordingly.
- Activation Key: The token that authenticates the agent to the Qualys platform on first registration. It also sets which modules (VM, PC, EDR, FIM) are active and auto-applies asset tags to every host that uses it.
- Configuration Profile: A named bundle of 30+ parameters (CPU cap, check-in interval, scan frequency, module settings) assigned to asset groups via tags. One profile per environment is best practice.
- Real-time continuous assessment: The agent detects a change (new package, config drift, patch applied) and streams the update to the Qualys Cloud Platform immediately, with no scheduled scan window needed.
- Qualys Cloud Platform: The SaaS back-end that receives agent telemetry, correlates it against the live CVE knowledge base, scores findings with TruRisk, and surfaces them in the VMDR dashboard.
Create separate Activation Keys for prod, dev, and cloud (e.g. prod-linux, dev-windows, cloud-ec2). Each key carries different tags and potentially different module sets. This gives you instant filter-by-environment in the VMDR dashboard and makes tuning Configuration Profiles much easier.
Which two things does an Activation Key control beyond agent authentication?
③ Configuration Profiles — governing agent behaviour per asset group
A Configuration Profile is a named bundle of 30+ parameters that tells an agent how to behave. You assign a profile to assets using the same tags you set on Activation Keys. Key parameters include:
- CPU throttle — max CPU percentage the agent may consume (e.g. 5–20%), preventing impact on production workloads.
- Check-in interval — how often the agent calls home to check for profile or knowledge-base updates.
- Scan / collection frequency — how often the agent collects a full package inventory and configuration snapshot.
- Module-specific settings — FIM monitored paths, EDR behaviour, patch management options.
- Include / exclude tags — which assets the profile applies to.
Best practice is to create at least two profiles: a relaxed profile for production hosts (low CPU cap, longer intervals to minimise business impact) and an aggressive profile for dev and cloud instances where freshness matters more than performance overhead. Mismatching a prod host to an aggressive profile is the most common tuning mistake in real deployments.
The default or demo Configuration Profile often has a high CPU cap and short scan interval — fine for a lab, catastrophic on a prod database. Always create a dedicated low-throttle profile for production and assign it via tags before the agent starts collecting.
A prod database server is reporting high CPU spikes during agent collection. What is the correct fix?
④ Agent vs Agentless — trade-offs and the hybrid best practice
Qualys supports both models and most enterprise deployments use both. The right mental model is: agents and agentless scanning fill different gaps, not the same gap.
Agent advantages: Real-time continuous data; works for roaming laptops off-VPN; survives ephemeral cloud instances; no firewall holes needed; no credential vault for scan auth; immediate detection of package changes or config drift. Agent disadvantages: Must install and maintain software on every host; not practical for network devices, printers, or short-lived containers; requires outbound HTTPS access to Qualys platform URLs.
Agentless advantages: No software on the host; ideal for legacy systems, network infrastructure, IoT, and any host where you cannot install software; broad coverage with minimal prep. Agentless disadvantages: Requires network reachability and credentials (or cloud-API access for cloud-native agentless); results only available after a scan window runs; roaming and offline hosts are missed.
The hybrid pattern: deploy agents on all manageable hosts (servers, workstations, cloud instances), and use agentless scanning (scanner appliances or cloud connectors) for everything else. The Qualys platform deduplicates findings and shows a unified asset view regardless of which data source contributed.
Priya at a Mumbai fintech faces this
After deploying Qualys Cloud Agents across 500 EC2 instances, the VMDR dashboard shows no findings for 200 of them even though they have known-vulnerable packages.
The Activation Key used for those 200 instances does not have the VM module enabled — only PC (Policy Compliance) is ticked.
Open Assets ▸ Cloud Agents and filter by those instances. Check the Activation Key column. Navigate to CA ▸ Activation Keys and inspect the key — VM checkbox is unchecked.
Cloud Agent ▸ Activation Keys ▸ [key name] ▸ Modules
Edit the Activation Key, enable the VM module, and save. Agents will receive the updated permissions on their next check-in and download the VMDR detection engine. Findings appear within minutes of the next collection cycle.
Refresh the VMDR dashboard after 15–30 minutes — all 200 previously blank agents now report findings, and TruRisk scores are populated.
After deployment, check Cloud Agent ▸ Agent Health for any agents stuck in 'Inactive' or 'Not Checked In' states. An agent that has not checked in for 24+ hours is not sending telemetry — investigate outbound HTTPS connectivity to Qualys platform URLs or check if the host was decommissioned.
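The three deployment failures this lesson describes (an Activation Key without the VM module, a prod host on an aggressive profile, an agent silent for 24+ hours) can be checked in one pass over an agent inventory. The following is an added example, not Qualys code: the inventory is constructed, and the field names and the 10% prod CPU ceiling are assumptions rather than a Qualys export schema or recommendation.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory; field names are hypothetical, not a Qualys export schema.
NOW = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)
KEYS = {
    "prod-linux": {"modules": {"VM", "PC"}, "tags": {"prod"}},
    "cloud-ec2": {"modules": {"PC"}, "tags": {"cloud"}},  # VM left unticked
    "dev-windows": {"modules": {"VM"}, "tags": {"dev"}},
}
PROFILES = {
    "prod-relaxed": {"cpu_cap_pct": 5},
    "dev-aggressive": {"cpu_cap_pct": 20},
}
AGENTS = [
    {"host": "db01", "key": "prod-linux", "profile": "prod-relaxed", "last_checkin": "2025-03-01T11:40:00+00:00"},
    {"host": "db02", "key": "prod-linux", "profile": "dev-aggressive", "last_checkin": "2025-03-01T11:55:00+00:00"},
    {"host": "ec2-a", "key": "cloud-ec2", "profile": "dev-aggressive", "last_checkin": "2025-03-01T11:58:00+00:00"},
    {"host": "win07", "key": "dev-windows", "profile": "dev-aggressive", "last_checkin": "2025-02-27T09:00:00+00:00"},
]

def audit(agents, keys, profiles, now, prod_cpu_max=10, stale=timedelta(hours=24)):
    """Return {host: [issue, ...]} for the three failure modes in the lesson."""
    findings = {}
    for a in agents:
        issues = []
        key = keys.get(a["key"])
        if key is None:
            issues.append("unknown-activation-key")
        else:
            # Blind spot: the agent registers, but VM findings never appear.
            if "VM" not in key["modules"]:
                issues.append("vm-module-disabled")
            # Prod-tagged key paired with a profile above the assumed CPU ceiling.
            cap = profiles.get(a["profile"], {}).get("cpu_cap_pct")
            if "prod" in key["tags"] and (cap is None or cap > prod_cpu_max):
                issues.append("prod-on-aggressive-profile")
        # No check-in for 24+ hours means no telemetry is arriving.
        if now - datetime.fromisoformat(a["last_checkin"]) >= stale:
            issues.append("stale-checkin")
        if issues:
            findings[a["host"]] = issues
    return findings

if __name__ == "__main__":
    for host, issues in audit(AGENTS, KEYS, PROFILES, NOW).items():
        print(f"{host}: {', '.join(issues)}")
```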
Your estate includes 2 000 managed servers, 300 roaming laptops, and 50 legacy network switches. What is the best assessment strategy?
📖 Glossary
- Cloud Agent: A lightweight Qualys software process installed on a managed host that continuously streams asset metadata and configuration state to the Qualys Cloud Platform for real-time vulnerability and compliance assessment.
- Activation Key: A token generated in the Qualys portal that authenticates the agent on first registration and controls which modules (VM, PC, SCA, EDR, FIM) are active, plus auto-applies asset tags.
- Configuration Profile: A named bundle of 30+ agent behaviour parameters (CPU throttle, check-in interval, scan frequency, module-specific settings) assigned to asset groups via tags.
- Real-time continuous assessment: Event-driven vulnerability assessment where the agent detects changes on the host and immediately streams telemetry to the platform — no scheduled scan window required.
- TruRisk: Qualys's proprietary risk scoring model that combines CVE severity, exploit maturity, asset criticality and threat intelligence into a single prioritised risk score.
- Agentless scanning: Vulnerability assessment performed by an external scanner appliance or cloud connector — no software installed on the host; requires network reachability and credentials or cloud API access.
- Asset tag: A label applied to a host in the Qualys platform (manually or automatically via Activation Key) used to route assets into Configuration Profiles and filter VMDR dashboards.
- Agent Health: The Qualys Cloud Agent dashboard view showing each agent's check-in status, last seen time, and active modules — the first place to look when an agent stops sending telemetry.