TTechclick ⚡ XP 0% All lessons
Qualys · Vulnerability Management · ArchitectureInteractive · L1 / L2 / L3

Qualys Cloud Platform & Sensors — SaaS Architecture & Data Flow

Qualys VMDR is one SaaS brain in Qualys data centres plus a fleet of sensors you deploy wherever your assets live — on-prem, cloud, containers, or the network wire. This lesson maps every sensor type (scanner appliance, cloud agent, virtual scanner, passive sensor, container sensor, API and cloud connectors) and shows exactly how each one ships data back to the platform to fuel your risk dashboard.

📅 2026-06-20 · ⏱ 16 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master the Qualys Cloud Platform architecture (2026): SaaS backbone, scanner appliance, cloud agent, virtual scanner, passive sensor, container sensor and API connectors — plus the full data flow from asset to risk dashboard.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

SaaS backbone

Why Qualys lives in the cloud, not your DC.

 2

Sensor types

Six ways to see your assets.

 3

Data flow

Finding to dashboard, step by step.

 4

Pick the right sensor

On-prem, cloud, container, agentless.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Where does the Qualys VMDR processing engine run?

Answered in SaaS backbone.

2. Which sensor can detect vulnerabilities on an asset without active network scanning?

Answered in Sensor types.

3. Which Qualys sensor analyses network traffic passively to discover unmanaged assets?

Answered in Data flow.

Most engineers think…

Most people picture Qualys as 'a scanner box you put in the DMZ'. That gets you 20% of the picture — and the wrong 20% for a modern hybrid environment.

Qualys VMDR is a SaaS platform with a sensor fleet: one multi-tenant cloud brain (no server for you to manage) and up to six types of lightweight sensors you deploy where your assets live. Each sensor sees a different slice — the scanner appliance does credentialed network scans, the cloud agent monitors from inside the host continuously, the passive sensor listens on the wire to catch unmanaged and IoT devices, the container sensor scans Docker and Kubernetes workloads, and API/cloud connectors pull inventory directly from AWS, Azure and GCP. Understanding which sensor to place where is what separates a production-ready VMDR deployment from a gap-ridden one.

① The Qualys Cloud Platform — SaaS backbone, not a box

The single most important idea: Qualys Cloud Platform is 100% SaaS. Qualys operates the data centres, the processing pipeline, the Knowledge Base (QKB), and the UI. You never patch a Qualys server, never size a database, and never manage HA. You only deploy sensors where your assets live and then consume results from your browser or API.

The platform is multi-tenant with logical isolation per subscription. Your data stays in the region you chose at signup (US, EU, India, etc.). The backend receives raw scan findings from every sensor, normalises them, correlates against the QKB, calculates a QDS, and surfaces VMDR findings in the dashboard within minutes of a sensor reporting.

Figure 1 — SaaS data flow — sensor to dashboard
Every sensor type sends encrypted findings to the Qualys Cloud Platform, which normalises, scores and surfaces them.SaaS data flow — sensor to dashboardSensor detectsscan or agent reportEncrypt + send443 outbound onlyIngest + parseasset metadataDetect + scoreQKB + QDS + RTIDashboardVMDR findings
Every sensor type sends encrypted findings to the Qualys Cloud Platform, which normalises, scores and surfaces them.
Quick check · Q1 of 10 · Understand

Which statement best describes the Qualys Cloud Platform deployment model?

Correct: b. Qualys is 100% SaaS — Qualys operates the data centres, Knowledge Base and processing pipeline. Customers never manage backend infrastructure; they only deploy lightweight sensors.
👉 So far: Qualys Cloud Platform = 100% SaaS in Qualys data centres. You deploy sensors; Qualys manages the backend, QKB, and processing pipeline.

② Sensor types — six ways to see your assets

Qualys gives you six sensor options; most enterprise deployments use three or more together. The Scanner Appliance (physical or virtual) sits inside a network segment and performs active, credentialed scans over the network — the classic approach, best for on-prem servers you cannot install an agent on. The Cloud Agent is a lightweight binary installed directly on the host (Windows, Linux, macOS); it runs continuously, reports every few hours, and never requires open firewall ports inbound — ideal for laptops and cloud VMs. The Virtual Scanner Appliance is the same scanner packaged as a cloud-marketplace image (AWS AMI, Azure VM, GCP instance) so you get network scanning without shipping a physical box.

The three agentless options

The Passive Sensor (a physical or virtual probe receiving a SPAN/mirror port) listens on network traffic and profiles every device it sees — no credentials, no agent, so perfect for printers, cameras, OT, and IoT. CAPS (Cloud Agent as Passive Sensor) extends this capability by letting a deployed cloud agent listen passively on its local subnet, removing the need for a dedicated passive appliance. The Container Sensor deploys as a DaemonSet on each Kubernetes node (or as a Docker container) and scans all images and running containers for vulnerabilities. Finally, Cloud Connectors and API Connectors use provider APIs (AWS, Azure, GCP, GitHub, etc.) to pull cloud account inventory — no sensor deployed at all, just OAuth or IAM credentials.

Figure 2 — One platform, six sensor types
All six sensor types feed findings to the same Qualys Cloud Platform, creating one unified asset and risk view.One platform, six sensor typesQualys PlatformSaaS · QKB · QDSScanner ApplianceCloud AgentVirtual ScannerPassive SensorContainer SensorAPI/Cloud Connector
All six sensor types feed findings to the same Qualys Cloud Platform, creating one unified asset and risk view.
Figure 3 — Active scanning vs cloud agent
Scanner appliance and cloud agent both produce VMDR findings but differ in deployment model and visibility window.Active scanning vs cloud agentScanner ApplianceNetwork-based active scanNeeds credentials + open portsPeriodic scan windowsBest for agentless assetsCloud AgentOn-host continuous detectionNo inbound ports neededReports every few hoursBest for servers and laptops
Scanner appliance and cloud agent both produce VMDR findings but differ in deployment model and visibility window.
🖥️
Scanner Appliance
tap to flip

Physical or virtual probe deployed inside a network segment. Performs active, credentialed scans and sends findings to the Qualys Cloud Platform. Best for on-prem servers where an agent cannot be installed.

🤖
Cloud Agent
tap to flip

Lightweight binary on the host (Windows/Linux/macOS). Runs continuously, detects vulnerabilities without inbound ports, and syncs to the platform every few hours. Covers laptops, cloud VMs, and off-network assets.

👁️
Passive Sensor (CAPS)
tap to flip

Listens on a SPAN/mirror port (or via a cloud agent's NIC in CAPS mode) to profile every device on the wire — no credentials, no agent. Discovers IoT, printers, and unmanaged devices invisibly.

📦
Container Sensor
tap to flip

Deployed as a DaemonSet on every Kubernetes node (or as a Docker container). Scans all images and running containers for vulnerabilities, feeding findings back to the Qualys Cloud Platform.

Name the sensor, not just 'the scanner'

In a Qualys VMDR interview, never just say 'we use scanners'. Name the sensor type and justify it: cloud agent for managed hosts (continuous, no inbound ports), scanner appliance for agentless on-prem, virtual scanner for cloud VPCs, passive sensor for IoT, container sensor for Kubernetes. That specificity signals production experience.

Quick check · Q2 of 10 · Remember

Which sensor deploys as a DaemonSet on every Kubernetes node to scan container workloads?

Correct: d. The Container Sensor is specifically designed for Docker and Kubernetes environments, deploying as a DaemonSet on each node to scan all images and running containers.
👉 So far: Six sensor types: scanner appliance (active, credentialed), cloud agent (on-host, continuous), virtual scanner (cloud-hosted appliance), passive sensor/CAPS (agentless wire listening), container sensor (Docker/K8s DaemonSet), cloud/API connector (pull-based inventory).

③ Data flow — from sensor to VMDR dashboard

Every sensor type converges on the same Qualys Cloud Platform endpoint. After a scan or continuous detection cycle, the sensor compresses and encrypts the raw result payload and sends it outbound to the Qualys Platform (443/HTTPS — no inbound ports required). The platform's ingestion layer dequeues the payload, parses asset metadata (IP, hostname, OS, installed software, registry keys) and queues it for the Detection Engine.

The Detection Engine matches the asset manifest against the QKB, assigns a QID to each vulnerability, looks up the CVSS score, and computes the QDS using asset criticality and threat intelligence (RTIs — Real-Time Threat Indicators such as active exploitation, ransomware association, known malware). Within minutes the finding appears in the VMDR dashboard tagged to the asset, with a remediation patch or workaround linked. The data flow is the same whether the data came from an on-prem scanner appliance, a cloud agent on a laptop, or a container sensor on a Kubernetes node — the platform normalises everything into one unified view.

Figure 4 — Qualys VMDR detection layers
Each layer adds context as raw sensor data becomes a prioritised, actionable VMDR finding.Qualys VMDR detection layersSensor LayerAgent, appliance, passive, container, connectorIngestion LayerCompress, encrypt, send to platformDetection EngineQKB match, CVSS, QDS, RTI scoringVMDR DashboardUnified asset risk view + patch workflow
Each layer adds context as raw sensor data becomes a prioritised, actionable VMDR finding.
'Qualys is just a scanner' under-sell

Treating Qualys as a pure network scanner misses CAPS, cloud connectors, and the container sensor — the very sensors that close visibility gaps on IoT, cloud accounts, and ephemeral containers. An interviewer testing VMDR architecture will probe exactly those three gaps.

▶ Watch a cloud agent finding reach the VMDR dashboard

How vulnerability data flows from an on-host cloud agent to a prioritised VMDR finding. Press Play for the healthy path, then Break it to see the classic failure.

① Agent detectsThe cloud agent on a Linux VM detects a vulnerable OpenSSL version by comparing installed packages against its local QKB manifest.
② Encrypt + sendThe agent compresses and encrypts the finding payload and sends it outbound to the Qualys Cloud Platform on port 443 — no inbound firewall rules needed.
③ Detect + scoreThe Detection Engine matches the OpenSSL version to QID 105544, pulls the CVSS 9.8 score, marks an active-exploitation RTI, and computes a high QDS.
④ VMDR dashboardThe finding appears in VMDR within minutes: asset tagged, severity Critical, patch linked, and the asset's overall risk score updated.
Press Play to step through the healthy cloud agent detection path. Then press Break it.
Quick check · Q3 of 10 · Apply

An asset sends a finding to the Qualys Cloud Platform. What happens before the finding appears in the VMDR dashboard?

Correct: c. The Detection Engine automatically matches findings to the QKB, assigns QIDs, calculates QDS using CVSS and RTIs (active exploitation, ransomware association), and surfaces the result — no manual step required.
👉 So far: Every sensor sends encrypted findings outbound on 443 to the Qualys Platform. The Detection Engine matches findings to the QKB, assigns QIDs, computes QDS with RTIs, and surfaces results in the VMDR dashboard — no manual step.

④ Picking the right sensor — matching asset type to method

The interview question you will definitely get: 'How would you deploy Qualys in a hybrid environment?' The answer is sensor selection by asset type. For on-prem servers and VMs where you can install software, prefer the cloud agent — continuous, no open inbound ports. For servers you cannot install an agent on, deploy a scanner appliance in the same VLAN and scan with credentials. For cloud accounts, start with a cloud connector (free, instant inventory) and add cloud agents or virtual scanners for deep vulnerability data. For containers and Kubernetes, deploy the container sensor as a DaemonSet. For unmanaged and IoT devices, deploy a passive sensor or enable CAPS on agents already on that subnet.

Common mistake to avoid

Relying on network scanning alone leaves you blind to laptops that are off-network, containers that spin up and disappear between scan windows, and cloud workloads that block ICMP. The cloud agent + passive sensor (CAPS) combination closes those gaps. In a VMDR interview, stating that combination — and why — is what separates a senior answer from a junior one.

Arjun at a Mumbai financial services firm faces this

VMDR shows thousands of assets discovered but only 30% have any vulnerability data. Scanners are running but most cloud VMs, laptops, and containers appear as 'host alive, no vuln data'.

Likely cause

The deployment relies entirely on network scanner appliances. Cloud VMs are in private subnets the scanner cannot reach, laptops are off-network most of the time, and the container estate was never onboarded.

Diagnosis

Check asset coverage in VMDR: filter by 'last scanned date' — the majority show scan attempts but zero findings due to network unreachability or missing credentials. Cloud and container assets show no sensor type at all.

VMDR ▸ Assets ▸ Asset Coverage ▸ Sensor Type filter
Fix

Deploy cloud agents on all VMs and laptops (covers both on-prem and cloud VMs in private subnets). Add cloud connectors for AWS/Azure accounts for immediate cloud inventory. Deploy the container sensor as a DaemonSet on each Kubernetes node. Enable CAPS on agents in subnets containing unmanaged devices.

Verify

After 24 hours, re-check asset coverage: cloud agents report continuously, cloud connectors pull account inventory, container sensor findings appear under the Container Security module, and asset coverage climbs above 90%.

Confirm coverage before claiming it

After deploying any new sensor, check VMDR ▸ Assets and filter by sensor type. Confirm the expected asset count is visible and that findings are flowing. A sensor that deployed but cannot reach the platform (blocked proxy, wrong activation key) looks silent — always verify inbound findings, not just sensor deployment.

Quick check · Q4 of 10 · Analyze

A company has 500 on-prem servers it can install software on, plus 200 printers and IP cameras it cannot. Which sensor combination covers both groups best?

Correct: b. The cloud agent covers managed servers (continuous, no inbound ports). The passive sensor or CAPS covers unmanaged IoT and printers without credentials or agents — exactly the two-sensor model Qualys recommends for mixed environments.
👉 So far: Match sensor to asset type: cloud agent for managed servers and laptops, passive sensor/CAPS for IoT and unmanaged, container sensor for Kubernetes, cloud connector for cloud accounts. Sensor combination = coverage.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Which Qualys sensor requires no agent, no credentials, and no active probing — it only needs a SPAN/mirror port?

Correct: c. The passive sensor (physical or virtual) listens on a mirrored network port, extracting device metadata from passing traffic. It requires no credentials, no agent, and no active probing — making it the only option for truly agentless, zero-touch asset discovery of IoT and unmanaged devices.
Q6 · Understand

Why does the Qualys cloud agent not require inbound firewall rules?

Correct: b. The cloud agent initiates outbound connections to the Qualys Platform on port 443 only. No inbound ports are opened, which is why it works for laptops behind NAT, off-VPN remote workers, and cloud VMs in private subnets.
Q7 · Apply

A VMDR deployment shows strong coverage for on-prem Windows servers but zero findings for containers in a Kubernetes cluster. What is the most likely gap?

Correct: c. Container visibility in Qualys VMDR requires the container sensor deployed as a DaemonSet on each Kubernetes node. Without it, the platform has no mechanism to scan container images or running workloads — cloud connectors pull metadata only, not container vulnerability data.
Q8 · Analyze

Why does relying on scanner appliances alone leave visibility gaps in a modern hybrid environment?

Correct: b. Scanner appliances only see assets reachable during the scan window with valid credentials. Laptops off-network, ephemeral containers, IoT devices without credential support, and cloud VMs in private subnets all fall through. A multi-sensor approach (agent + passive + container) is required for full coverage.
Q9 · Evaluate

An interviewer asks: 'How would you achieve full asset coverage in a hybrid environment with on-prem servers, AWS cloud VMs, Kubernetes clusters, laptops, and IP cameras?' What is the strongest answer?

Correct: c. Full coverage requires matching sensor to asset type: cloud agent for managed servers and laptops, virtual scanner for cloud VPCs, container sensor for K8s, cloud connectors for cloud accounts, and passive sensor/CAPS for unmanaged IoT. One sensor type cannot cover all these scenarios.
Q10 · Evaluate

What is the role of the Qualys Knowledge Base (QKB) in the VMDR data flow?

Correct: a. The QKB is a Qualys-maintained vulnerability signature library. The Detection Engine matches asset manifests from every sensor against the QKB to assign QIDs, look up CVSS scores, and apply RTIs (active exploitation, ransomware association). It is managed entirely by Qualys, not the customer.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: what is the difference between a Qualys cloud agent and a passive sensor, and when would you use each? Then compare with the expert version.

Expert version: The cloud agent is a lightweight binary installed on a managed host that continuously detects vulnerabilities from inside the OS (no inbound ports, reports every few hours) — use it on servers, laptops and cloud VMs you control. The passive sensor (or CAPS) is agentless: it listens on network traffic via a SPAN port or a cloud agent's NIC and profiles every device it sees without credentials — use it for IoT, printers, OT, and any asset you cannot install software on. In a full VMDR deployment you use both: agents for managed assets, passive sensor to catch everything else.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Qualys Cloud Platform
The 100% SaaS backend operated by Qualys — hosts the Knowledge Base, Detection Engine, QDS scoring, and VMDR dashboard. Customers deploy only sensors.
Scanner Appliance
Physical or virtual probe deployed inside a network segment that performs active credentialed scans and sends findings to the Qualys Cloud Platform.
Cloud Agent
Lightweight binary installed on a host (Windows/Linux/macOS) that continuously detects vulnerabilities and reports outbound on 443 — no inbound ports needed.
Passive Sensor / CAPS
Listens to network traffic via a SPAN port (or a cloud agent's NIC in CAPS mode) to discover and profile unmanaged assets — no credentials or agents required.
Container Sensor
Deployed as a Kubernetes DaemonSet or Docker container; scans all images and running containers on each node for known vulnerabilities.
Cloud Connector
API-based integration with AWS, Azure, or GCP that pulls cloud account inventory into the Qualys Platform without deploying any sensor inside the cloud account.
QKB (Qualys Knowledge Base)
Qualys-maintained library of vulnerability signatures (QIDs) with CVE mappings, CVSS scores, remediation guidance, and Real-Time Threat Indicators.
QDS (Qualys Detection Score)
A Qualys-proprietary 1–100 risk score combining CVSS base, exploit maturity, active-exploitation RTIs, and asset criticality to prioritise remediation.

📚 Sources

  1. Qualys Documentation — Get Started with VM/VMDR: scanner appliances, cloud agents and sensor architecture. docs.qualys.com/en/vm/latest/welcome_to_vm.htm
  2. Qualys Support — Cloud Agents or Scanner Appliances: when to use each sensor type. success.qualys.com/support/s/article/000008349
  3. Qualys Blog — Qualys CAPS: Cloud Agent as Passive Sensor — closing visibility gaps on IoT and unmanaged assets (2023). blog.qualys.com/product-tech/2023/11/26/closing-the-visibility-gap-how-qualys-cloud-agent-passive-sensor-caps-eliminates-blind-spots
  4. Qualys Documentation — About Network Passive Sensor: SPAN port setup and asset profiling. qualysguard.qg2.apps.qualys.com/ps/help/get_started/get_started.htm
  5. Qualys Documentation — Cloud Agent as Passive Sensor (CAPS). docs.qualys.com/en/ca/latest/ca_home/caps_home.htm
  6. Proppa Security — Qualys Architecture: Network Requirements and Communication Flows. proppasecurity.com/blog/qualys-vmdr-architecture

What's next?

Got the platform and sensors? Next, go deep on Qualys VMDR detection logic — how the QID Knowledge Base, CVSS scores, QDS (Qualys Detection Score) and RTIs (Real-Time Threat Indicators) combine to prioritise which vulnerabilities you fix first.

Next · All interview lessons → Practice on exam.techclick.in →