
Qualys VMDR Interview Questions — TruRisk & VMDR Answers & Prep

Whether you are sitting for a Qualys VMDR engineer role or preparing for a vulnerability management interview, interviewers probe the same four clusters: the Qualys Cloud Platform and its sensor types, asset inventory and authenticated vs unauthenticated scanning, the VMDR workflow with TruRisk / QDS scoring and Patch Management, and compliance policy management together with Web Application Scanning and real-world troubleshooting. This lesson works through 16 interview questions — platform and sensors, inventory and scanning, VMDR with TruRisk and patch, and compliance and WAS — with crisp, scenario-led model answers grounded in Qualys 2026 architecture and VMDR 2.11.

📅 2026-06-20 · ⏱ 20 min · 16 interview Q&As · live scenario · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Prepare for a Qualys VMDR engineer interview with 16 real questions and model answers covering the Cloud Platform and sensor types, asset inventory and scanning, VMDR TruRisk and patch management, and compliance, WAS and real-world scenarios — all grounded in 2026 Qualys architecture.

🎯 Lesson path

1. Platform & Sensors: Cloud Platform, Cloud Agent, Scanner, Passive Sensor.
2. Inventory & Scanning: Asset Tags, auth vs unauth scan, scan profiles.
3. VMDR, TruRisk & Patch: QDS scoring, EPSS, KEV, Patch Management.
4. Compliance, WAS & Scenarios: PC module, WAS, dashboards, troubleshooting.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. What does the Qualys Cloud Agent do that a Scanner Appliance cannot?

Answered in Platform & Sensors.

2. What does QDS (Qualys Detection Score) add over a raw CVSS score?

Answered in VMDR, TruRisk & Patch.

3. What is the primary difference between Qualys Policy Compliance and Web Application Scanning?

Answered in Compliance, WAS & Scenarios.

Common interview slip

Many candidates confuse the Cloud Agent with the Scanner Appliance, or think CVSS alone is enough to prioritize vulnerabilities in a Qualys VMDR interview.

The Cloud Agent is a lightweight software client installed on the endpoint — it monitors the device continuously from within, uploads findings to the Qualys Cloud Platform whenever connected, and works regardless of whether the asset is on the corporate network, home WiFi, or roaming. The Scanner Appliance is a network-based scan engine that authenticates to targets over the network and runs point-in-time scans — it is the right tool for network infrastructure, devices that cannot run an agent, and unauthenticated discovery. And CVSS alone is not TruRisk: QDS (Qualys Detection Score, 0–100) enriches CVSS base severity with real-world threat intelligence — EPSS exploit probability, CISA Known Exploited Vulnerabilities (KEV), functional exploit code, and active malware campaigns — so you fix what is actively being used against organizations today, not just what has the highest theoretical score. Knowing this distinction is exactly what Qualys interviewers probe.

① Platform & Sensors — the Qualys Cloud Platform and how data gets in

Q: What is the Qualys Cloud Platform and what are its main sensor types?

Model answer: The Qualys Cloud Platform is a multi-tenant SaaS platform that provides a single pane of glass for asset inventory, vulnerability management, compliance, web application scanning, patch management, and threat intelligence. All sensors upload findings to the same cloud backend, giving a unified asset and vulnerability record. The three main sensor types are: the Cloud Agent (software installed on endpoints for continuous inside-out monitoring), the Scanner Appliance (virtual or physical network-based scan engine), and the Passive Network Sensor (traffic tap for agentless asset discovery). Together they cover cloud, on-prem, remote, and OT/IoT assets from a single platform.

Q: What does the Qualys Cloud Agent do, and when should you deploy it instead of a Scanner Appliance?

Model answer: The Cloud Agent is a lightweight software client installed directly on Windows, Linux, or macOS endpoints. It continuously monitors the device from within, capturing configuration state and installed software in near real time, and uploads findings to the Qualys Cloud Platform whenever internet connectivity is available — regardless of whether the device is on the corporate network, a home connection, or roaming. Because it runs on the device, it does not need network-level access or firewall exceptions to reach the target. Deploy Cloud Agents for laptops, remote workers, cloud VMs, and containers where the network location is unpredictable. Use a Scanner Appliance for network infrastructure devices (switches, routers, printers), systems that cannot run an agent, and full-port unauthenticated discovery scans. The two complement each other in a mature program.

Q: What is the Qualys Passive Network Sensor, and what gap does it fill?

Model answer: The Passive Network Sensor (also called the Passive Network Analysis sensor) connects to a SPAN port or network TAP and captures and analyses traffic to discover and fingerprint assets without installing anything on them and without sending active scan probes. It fills the gap for OT devices, printers, IoT endpoints, and legacy systems that cannot run an agent and must not be actively scanned. It discovers assets that are invisible to scanner-based approaches, contributing to a complete asset inventory.

Q: What is the Qualys External Attack Surface Management (EASM) and how does it extend the platform?

Model answer: EASM continuously discovers and monitors your internet-facing assets — including shadow IT, forgotten subdomains, cloud buckets, and third-party infrastructure — from an external attacker's perspective, without requiring any internal sensor or credentials. It feeds discovered assets back into the unified Qualys Cloud Platform inventory, so VMDR and PC policies apply to external assets alongside internal ones. The interview point: EASM answers the question 'what does an attacker see on our perimeter that we do not know about?'

Figure 1 — Qualys Cloud Platform sensors
Three sensor types feed the unified Qualys Cloud Platform: Cloud Agent, Scanner Appliance, and Passive Network Sensor. (Diagram labels: Qualys Cloud, unified platform; Cloud Agent; Scanner Appliance; Passive Sensor; EASM (external); API integrations.)

Name all three sensor types in one breath

When asked about Qualys data collection, say it cleanly: 'The Cloud Agent monitors endpoints continuously from inside; the Scanner Appliance runs network-based authenticated and unauthenticated scans on a schedule; the Passive Network Sensor captures traffic from a SPAN port to discover agentless assets like OT and IoT devices.' That single sentence covers all three and shows you understand when to use each.

Quick check · Q1 of 10 · Remember

Which Qualys sensor discovers assets by capturing network traffic from a SPAN port without installing anything on the target devices?

Correct: a. The Passive Network Sensor captures and analyses traffic from a SPAN port or network TAP to fingerprint assets without installing anything on them and without sending active probes — ideal for OT, IoT, and legacy devices. The Scanner Appliance sends active probes; the Cloud Agent runs on the endpoint; EASM is external attack surface discovery.
👉 So far: Qualys Cloud Platform: Cloud Agent (continuous inside-out), Scanner Appliance (network-based point-in-time, auth and unauth), Passive Network Sensor (SPAN/TAP, agentless, for OT/IoT). EASM for external attack surface. All sensors feed a single unified platform.

② Inventory & Scanning — Asset Tags, scan types, and finding everything

Q: How does Asset Tagging work in Qualys VMDR, and why is it important?

Model answer: Asset Tags are labels applied to assets in the Qualys Cloud Platform — manually, by rule (e.g. operating system, cloud provider, asset group, IP range), or via the Cloud Agent's host metadata. Tags drive dynamic asset grouping: a scan option profile, a compliance policy, a patch job, or a dashboard widget can be scoped to all assets carrying a specific tag. This means you can say 'apply this patch scan to all assets tagged Production-Windows' and it automatically includes new assets as they are onboarded and tagged. Tagging is the foundation of scalable, automated vulnerability management in large Qualys deployments — interviewers expect you to name it as the way to scope scans, policies, and reports.

Q: Authenticated vs unauthenticated scanning — what is the difference and why does it matter?

Model answer: An unauthenticated scan probes the target from the network without credentials — it discovers open ports, banner-grabs service versions, and detects network-layer vulnerabilities, but it cannot see installed software, patch levels, or configuration settings inside the OS. An authenticated scan provides credentials (Windows domain, SSH key, or database login) so the scanner logs in and inspects the actual software inventory, registry, file system, and configuration — the result is dramatically more accurate with far fewer false negatives. The rule of thumb: unauthenticated scans detect what is visible from the network; authenticated scans detect what is actually installed and configured. In a mature VMDR programme, authenticated scanning is the standard; unauthenticated discovery scans catch rogue devices and external exposure.

Q: What is a Scan Option Profile and what key settings does it include?

Model answer: A Scan Option Profile is a reusable set of scan settings stored in Qualys that determines how a scan runs. Key settings include: the port list (which ports to probe), detection options (authentication records to use, whether to perform OS detection), performance options (scan intensity, parallel threads, timeouts), and additional scanning flags such as running a safe subset of QIDs, enabling or disabling specific detection categories, and whether to use Cloud Agent data to supplement scanner findings. Naming the scan option profile and its link to authentication records is a strong, practical interview answer.

Q: How does the Qualys CSAM (CyberSecurity Asset Management) module extend basic VMDR inventory?

Model answer: CSAM adds normalised, enriched asset records on top of raw scanner and agent data. It merges multiple sensor views of the same physical or virtual asset into a single de-duplicated record, tracks software end-of-life and EOL operating systems, assigns business criticality (used in TruRisk scoring), and integrates with CMDB / ITSM tools like ServiceNow for bidirectional sync. Where VMDR gives you vulnerability records, CSAM gives you the authoritative asset register. Knowing CSAM exists and what it adds differentiates a senior-level candidate in a Qualys interview.

Figure 2 — Auth vs Unauth scanning
Authenticated scans see inside the OS for patch levels and config; unauthenticated scans see only what is visible from the network. (Diagram panels: Authenticated scan: logs in with credentials, sees installed software, detects missing patches, checks OS configuration. Unauthenticated scan: no credentials needed, port and banner only, network-layer vulns, finds rogue / unknown assets.)

Flashcards

Cloud Agent: Lightweight software installed on endpoints. Continuously monitors from inside the device, uploads to the Qualys Cloud Platform whenever connected — no network exceptions needed. Best for laptops, remote workers, and cloud VMs.

QDS vs CVSS: CVSS is the vendor severity base score. QDS (0–100) enriches it with real-world threat intel: EPSS probability, CISA KEV listing, functional exploit code, and active malware campaigns. Fix what has a high QDS first, not just a high CVSS.

VMDR loop: Discover (sensors) → Detect (QIDs from QKB) → Prioritise (QDS / TruRisk score) → Respond (Patch Management closes the loop via Cloud Agent) → Verify (re-scan confirms fix). All in one platform.

PC vs WAS: Policy Compliance (PC) checks configuration controls — CIS Benchmarks, DISA STIGs, PCI DSS. WAS is DAST for web apps — OWASP Top 10, SQL injection, XSS. VMDR finds unpatched CVEs. All three complement each other in a mature programme.

'Zero findings means clean' mistake

A common interview error is accepting zero findings as proof of a secure host. In practice, zero findings on a known-unpatched server almost always means authentication failed — the scanner ran in unauthenticated mode and only saw the network layer. Always check the 'Host Authentication' status in the scan report and verify that your authentication record, local admin rights, and WMI/firewall access are correct before concluding the host is clean.

Quick check · Q2 of 10 · Understand

A scan finishes with zero findings on a Windows server known to be missing critical patches. What is the most likely cause?

Correct: c. Zero findings on an unpatched host almost always mean authentication failed or was not configured. Without credentials the scanner does only network-level probing and misses OS patch-level findings. Check the scan report for 'Host Authentication' status and verify the auth record, local admin rights, and WMI/firewall access.
👉 So far: Asset Tags drive dynamic scoping of scans, policies, patch jobs, and dashboards. Authenticated scans see inside the OS; unauthenticated scans see only network-visible exposure. Zero findings on an unpatched host = check auth record first. CSAM = normalised, deduplicated asset register with EOL and business criticality.

③ VMDR, TruRisk & Patch — scoring, prioritisation, and closing the loop

Q: Walk me through the VMDR workflow from discovery to remediation.

Model answer: VMDR integrates four stages in a continuous loop. Discover: sensors (Cloud Agents, Scanner Appliances, Passive Sensors) feed asset and configuration data into the Qualys Cloud Platform, building a complete, continuously updated inventory. Detect: Qualys runs detection logic against asset data to identify QIDs (vulnerabilities and misconfigurations) matched to the asset's installed software, patch levels, and configuration. Prioritise: each detected vulnerability receives a QDS (Qualys Detection Score) calculated from CVSS base severity plus real-world threat intelligence — EPSS exploit probability, CISA KEV listing, functional exploit code availability, and active malware campaign association. Respond: Qualys Patch Management receives prioritised findings and can deploy patches directly to Cloud Agent-managed endpoints, closing the loop without leaving the platform. The key interview line: VMDR = Discover, Detect, Prioritise with TruRisk / QDS, and Respond with Patch Management in one unified platform.

Q: What is QDS and how does TruRisk differ from a plain CVSS score?

Model answer: QDS (Qualys Detection Score) is Qualys's risk score for each detected vulnerability, ranging from 0 to 100. It starts with the CVSS base score but enriches it with four threat-intelligence signals from Qualys's 25+ source threat intel feed: EPSS (the probability that the vulnerability will be exploited in the wild within 30 days), whether the CVE appears in the CISA Known Exploited Vulnerabilities (KEV) catalog, the presence and maturity of functional exploit code in public repositories, and whether the CVE is linked to active malware campaigns or threat actor toolkits. A CVE with a moderate CVSS score can jump to a high QDS if it is actively exploited in the wild. TruRisk is the broader Qualys framework that aggregates QDS across all vulnerabilities on an asset (or across the whole organisation) weighted by asset criticality (from CSAM) to produce an organisation-wide risk score — one number that a CISO can track and report to the board. The distinction: QDS is per vulnerability, TruRisk is the aggregated organisational risk posture.

Q: How does Qualys Patch Management integrate with VMDR, and what is a patch job?

Model answer: Qualys Patch Management (PM) is a module within the Qualys Cloud Platform that deploys patches to Cloud Agent-managed endpoints directly from the platform — no separate patch server or third-party tool required. The integration with VMDR means you can select vulnerabilities or QIDs from your VMDR dashboard and launch a patch job that targets the assets with those vulnerabilities. A patch job defines: the target assets (by tag or asset list), the patches to deploy (by QID, CVE, or vendor bulletin), the schedule (immediate, maintenance window, or staged rollout), and the rollback option. The Cloud Agent on each endpoint downloads and installs the patch, reports status back to the platform, and VMDR re-verifies that the vulnerability is closed. The one-liner: PM closes the vulnerability loop inside Qualys without leaving the platform — select vulns, define a patch job, deploy via Cloud Agent, verify in VMDR.

Q: What is the Qualys KnowledgeBase (QKB) and how do QIDs work?

Model answer: The Qualys KnowledgeBase (QKB) is the continuously updated library of QIDs (Qualys IDs) — every vulnerability, misconfiguration, or security check that Qualys can detect has a unique QID with metadata including CVE mapping, CVSS score, QDS score, affected software / versions, and remediation guidance. When a scan runs, the detection engine matches the asset's fingerprint against the QKB and returns a list of QIDs. Because the QKB is maintained centrally on the Qualys Cloud Platform, new QIDs appear automatically without updating the scanner software — this is one of the advantages of a SaaS platform model. Naming the QKB and QIDs, and explaining how new detection content arrives automatically, is a strong answer in a Qualys platform interview.

Figure 3 — VMDR end-to-end workflow
VMDR runs as a continuous loop: Discover assets, Detect vulnerabilities via QIDs, Prioritise with QDS / TruRisk, and Respond with Patch Management. (Diagram stages: Discover, agent / scanner / passive; Detect, QIDs from QKB; Prioritise, QDS + TruRisk; Respond, Patch Management; Verify, re-scan confirms fix.)

Figure 4 — QDS scoring layers
QDS enriches CVSS base severity with four real-world threat intelligence signals to surface what is actively being exploited. (Diagram layers, top to bottom: CISA KEV listing, known exploited in the wild; active exploits & malware, functional code in campaigns; EPSS score, probability of exploitation; CVSS base severity, NVD vendor foundation score.)

CVSS is not TruRisk — say this in every interview

Interviewers at organisations using Qualys specifically listen for whether you rely on CVSS alone. The answer they want: 'CVSS is the theoretical base severity from the vendor; QDS enriches it with real-world signals — EPSS, CISA KEV, functional exploit code, and malware campaigns — so I prioritise by QDS and TruRisk, not raw CVSS, because a CVSS 5 that is actively being exploited is more dangerous than a CVSS 9 that has no exploit in the wild.' That answer wins the interview.

▶ Watch a vulnerability get found, scored, patched, and verified

Step through how VMDR handles a missing Windows patch from Cloud Agent detection to closed finding.

① Cloud Agent: The Qualys Cloud Agent on a Windows server streams its software inventory and patch state to the Qualys Cloud Platform in near real time.
② QID detection: The Qualys detection engine matches the missing patch against the QKB and raises a QID with a QDS of 90 — the CVE is listed in the CISA KEV catalog.
③ Patch job: The security team creates a Patch Management job targeting the QID on all Production-tagged assets. The Cloud Agent downloads and installs the patch.
④ Verify & close: After patching, the Cloud Agent re-streams the updated patch state. VMDR re-evaluates and closes the QID. The TruRisk score drops on the dashboard.

Quick check · Q3 of 10 · Apply

You must prioritise which vulnerabilities to patch first. A CVE has a CVSS score of 5.0 but a QDS of 95. Why might you patch it before a CVE with a CVSS of 9.0 and a QDS of 30?

Correct: b. QDS enriches CVSS with real-world threat intelligence. A QDS of 95 signals the vulnerability is actively exploited (CISA KEV, functional exploit code, malware campaigns), so it poses immediate risk even if the CVSS base score is moderate. A CVSS 9.0 with a QDS of 30 may have no known exploits in the wild and is less urgent despite the high theoretical severity.
👉 So far: VMDR = Discover → Detect (QIDs from QKB) → Prioritise (QDS 0–100 = CVSS + EPSS + CISA KEV + exploits + malware) → Respond (Patch Management via Cloud Agent) → Verify. TruRisk = org-wide risk score aggregating QDS weighted by asset criticality. QKB auto-updates — no scanner software upgrade needed.

④ Compliance, WAS & Scenarios — policies, web app scanning, and troubleshooting

Q: What is the Qualys Policy Compliance (PC) module, and how does it differ from VMDR?

Model answer: Policy Compliance (PC) audits whether systems meet defined configuration controls — checking registry settings, file permissions, service configurations, password policies, and other OS or middleware hardening controls against frameworks like CIS Benchmarks, DISA STIGs, PCI DSS, and ISO 27001. VMDR detects known vulnerabilities (software bugs, unpatched CVEs). PC checks configuration correctness. Both use QIDs and the same sensor infrastructure, but they answer different questions: VMDR says 'you are missing a patch for CVE-XXXX'; PC says 'your password complexity setting does not meet the CIS Level 1 benchmark'. In a mature programme, VMDR and PC run together to cover both vulnerability and misconfiguration risk. The Cloud Agent can deliver both VMDR and PC findings from a single installed agent — an interviewer favourite point.

Q: What is Qualys WAS (Web Application Scanning), and what class of vulnerabilities does it find?

Model answer: Qualys WAS is a dynamic application security testing (DAST) module that crawls and probes web applications to find application-layer vulnerabilities — the OWASP Top 10 class: SQL injection, cross-site scripting (XSS), insecure direct object references, broken authentication, sensitive data exposure, and others. Unlike VMDR (which scans OS and software at the host level) or PC (which checks host configuration controls), WAS sends crafted HTTP requests into the web application and analyses the responses. It supports authenticated scanning of web apps (Selenium scripts or recorded login sequences), can scan APIs, and integrates findings back into the Qualys Cloud Platform so you can tag, prioritize, and report on web vulnerabilities alongside host vulnerabilities. The key distinction: WAS finds bugs in application logic and code; VMDR finds unpatched OS and software vulnerabilities.

Q: A Qualys scan is completing but finding zero vulnerabilities on a Windows server that you know is unpatched. What do you check?

Model answer: A zero-finding result on a known-unpatched host almost always means authentication failed. First, check whether the scan used an authentication record: without credentials the scanner can only do a network-level unauthenticated scan and will miss OS-level patch findings. Look in the scan report for the 'Host Authentication' status — Qualys flags hosts where auth succeeded, failed, or was not attempted. If auth failed, verify the Windows authentication record (domain account, local admin, or the Windows Qualys local account), ensure the account has local administrator rights, and confirm that File and Printer Sharing and Windows Management Instrumentation (WMI) are reachable (this usually means checking Windows Firewall rules). If the Cloud Agent is installed, check agent status in the Qualys portal — a disconnected or inactive agent produces no findings. Second, check the Scan Option Profile to confirm authenticated checking is enabled and the correct auth record is linked. The quick-check checklist: auth record linked, auth succeeded in the scan report, agent active (if used), and correct option profile applied.

Q: How do you present TruRisk findings to a non-technical leadership team, and what dashboards does Qualys provide?

Model answer: Qualys provides Executive Dashboards in the VMDR and TruRisk Platform with pre-built and customisable widgets showing the TruRisk score trend over time, top assets by risk, vulnerability age (mean time to remediation), patch SLA compliance, and threat intelligence coverage (how many KEV-listed CVEs are present, trending, and patched). For leadership, you frame the story around TruRisk score movement — 'our organisation-wide TruRisk score went from X to Y this quarter as we patched 87% of KEV-listed CVEs in our environment' — rather than raw CVE counts. You can also export to PDF or CSV, schedule report delivery, and integrate Qualys data into ServiceNow, Jira, or ITSM workflows via APIs. The interview point: know that Qualys provides a board-ready TruRisk score number, executive dashboards, and API-driven ITSM integration — not just a CSV of CVEs.

Figure 5 — VMDR vs PC vs WAS
VMDR finds unpatched CVEs, PC checks configuration controls, WAS scans web application logic — together they cover the full risk surface. (Diagram panels: VMDR + PC: unpatched CVEs and QIDs, CIS / STIG config controls, host-level OS and software, agent and scanner delivery. WAS (web apps): OWASP Top 10 app vulns, SQL injection, XSS, auth, crawls HTTP application logic, authenticated DAST scanning.)

Priya at FinSecure India in Bengaluru faces this

FinSecure's VMDR dashboard shows 2,400 open vulnerabilities, but the CISO wants to know which 20 to fix this week. The security team has been exporting raw CVSS scores to Excel, but leadership says the list is too long to act on and does not know what is actually being exploited right now.

Likely cause

The team is prioritising by CVSS base score alone, which does not factor in whether vulnerabilities are actively exploited, in the CISA KEV catalog, or linked to malware campaigns. A CVSS 9.0 from 2019 with no exploit in the wild looks identical to a CVSS 7.0 being used in ransomware campaigns today.

Diagnosis

In the Qualys VMDR dashboard, filter the vulnerability list by QDS >= 85 and add a second filter for CISA KEV = Yes. The list immediately drops to 18 critical findings. Cross-reference with Asset Tags to scope to Production assets only. The CISO now has a ranked, defensible list of the highest-real-world-risk items.

VMDR Dashboard ▸ Vulnerabilities ▸ Filter: QDS >= 85 + CISA KEV = Yes + Tag: Production

Fix

Create a TruRisk dashboard widget showing KEV-listed CVEs by asset criticality. Launch a Patch Management job targeting those 18 QIDs on Production-tagged Cloud Agent hosts. Schedule the patch job in the weekend maintenance window and set auto-verify to re-scan after patching.

Verify

After the patch job completes, re-open the VMDR dashboard filtered on the same QDS >= 85 and CISA KEV criteria. The 18 findings should clear as Cloud Agents report the patches applied and VMDR re-verifies. The CISO can see the TruRisk score drop on the executive dashboard.
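The QDS vs CVSS argument from the scoring section and the QDS >= 85 / CISA KEV = Yes / Production filter from this scenario, as one added example (illustrative Python, not Qualys code): it ranks constructed findings by an enriched score, applies the dashboard filter, rolls risk up per asset weighted by criticality, and shows the organisation-wide number dropping after the patch job. The weights in enriched_score() and the roll-up in asset_risk() are assumed models of the idea, not the proprietary QDS or TruRisk formulas, and the QIDs, CVE-EXAMPLE-* identifiers, tags and criticality values are all constructed.

```python
"""Why a CVSS 5 can outrank a CVSS 9, and how the dashboard filter and a
criticality-weighted roll-up follow from it.

Added example, not Qualys code. The weights in enriched_score(), the
Finding records, the QIDs, the CVE-EXAMPLE-* identifiers and the asset
criticality values are constructed assumptions; Qualys's actual QDS and
TruRisk formulas are proprietary and are not reproduced here.
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    qid: int                    # constructed QID, not a real QKB entry
    cve: str                    # placeholder identifier
    asset: str
    tags: set = field(default_factory=set)
    cvss: float = 0.0           # vendor / NVD base severity, 0-10
    epss: float = 0.0           # probability of exploitation, 0-1
    kev: bool = False           # listed in the CISA KEV catalog
    exploit_code: bool = False  # functional exploit code public
    malware: bool = False       # tied to an active malware campaign


def enriched_score(f):
    """Illustrative QDS-like score on a 0-100 scale (assumed weights).

    CVSS contributes at most 40 points; the four threat-intelligence
    signals the lesson names contribute the rest, so an actively
    exploited CVSS 5 can overtake a purely theoretical CVSS 9.
    """
    score = f.cvss * 10 * 0.4            # theoretical severity, max 40
    score += f.epss * 30                 # EPSS probability, max 30
    score += 20 if f.kev else 0          # CISA KEV listing
    score += 15 if f.exploit_code else 0
    score += 15 if f.malware else 0
    return min(100, round(score))


def prioritise(findings):
    """Rank highest enriched score first; CVSS only breaks ties."""
    return sorted(findings, key=lambda f: (enriched_score(f), f.cvss),
                  reverse=True)


def kev_critical(findings, min_score=85, tag="Production"):
    """The lesson's dashboard filter: score >= 85, CISA KEV = Yes, tag."""
    return [f for f in findings
            if enriched_score(f) >= min_score and f.kev and tag in f.tags]


def asset_risk(findings, criticality):
    """TruRisk-style roll-up: per-asset score total weighted by criticality (1-5)."""
    totals = {}
    for f in findings:
        weight = criticality.get(f.asset, 1)
        totals[f.asset] = totals.get(f.asset, 0) + enriched_score(f) * weight
    return totals


def org_risk(findings, criticality):
    """One organisation-wide number: the sum of all asset risk totals."""
    return sum(asset_risk(findings, criticality).values())


def after_patch(findings, patched_qids):
    """The Verify step: findings remaining once the patched QIDs close."""
    return [f for f in findings if f.qid not in patched_qids]


# Constructed inventory: two Production assets rated criticality 5 and
# one dev box rated 1.
ASSET_CRITICALITY = {"web-01": 5, "db-01": 5, "dev-07": 1}

# Constructed findings mirroring the lesson's scenario: a moderate CVSS
# that is actively exploited beside high-CVSS bugs with no exploit.
FINDINGS = [
    Finding(110001, "CVE-EXAMPLE-0001", "web-01", {"Production"}, cvss=5.0,
            epss=0.9, kev=True, exploit_code=True, malware=True),
    Finding(110002, "CVE-EXAMPLE-0002", "db-01", {"Production"}, cvss=9.0,
            epss=0.01),
    Finding(110003, "CVE-EXAMPLE-0003", "dev-07", {"Dev"}, cvss=7.0,
            epss=0.7, kev=True, exploit_code=True),
    Finding(110004, "CVE-EXAMPLE-0004", "db-01", {"Production"}, cvss=9.8,
            epss=0.02),
]

if __name__ == "__main__":
    for f in prioritise(FINDINGS):
        print(f"{f.cve} on {f.asset}: CVSS {f.cvss} -> score {enriched_score(f)}")
    print("fix this week:", [f.qid for f in kev_critical(FINDINGS)])
    print("org risk before:", org_risk(FINDINGS, ASSET_CRITICALITY))
    remaining = after_patch(FINDINGS, {110001})
    print("org risk after :", org_risk(remaining, ASSET_CRITICALITY))
```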

Quick check · Q4 of 10 · Analyze

What is the key difference between Qualys Policy Compliance (PC) and Web Application Scanning (WAS)?

Correct: c. Policy Compliance checks whether systems meet defined configuration controls (registry settings, service configs, password policy against CIS, STIG, PCI DSS). WAS is dynamic application security testing that crawls and probes web application logic for OWASP Top 10 vulnerabilities like SQL injection and XSS. Both use the Qualys Cloud Platform but answer different questions.
👉 So far: Policy Compliance (PC) = config controls audit (CIS, STIG, PCI DSS). WAS = DAST for web apps (OWASP Top 10, SQL injection, XSS). VMDR + PC + WAS together cover host vulns, config risk, and app-layer risk. TruRisk executive dashboard = board-ready single score with KEV trend, MTTR, and patch SLA compliance.


📝 Wrap-up assessment — six more


Q5 · Remember

Which Qualys module performs dynamic application security testing (DAST) to find OWASP Top 10 vulnerabilities in web application logic?

Correct: a. WAS (Web Application Scanning) is Qualys's DAST module — it crawls and probes web applications with crafted HTTP requests to find OWASP Top 10 vulnerabilities such as SQL injection, XSS, and broken authentication. PC audits configuration controls, VMDR finds OS/software CVEs, and CSAM is the asset management module.

Q6 · Understand

Why can a Cloud Agent detect vulnerabilities on a remote worker's laptop that a Scanner Appliance cannot reach?

Correct: b. The Cloud Agent is installed on the endpoint and monitors it continuously from inside, uploading findings whenever internet-connected — no network-level access from a scan engine is needed. The Scanner Appliance needs to reach the target over the network and requires firewall rules and VPN access for remote endpoints. The two sensors are complementary, not duplicates.

Q7 · Apply

You want to automatically include all new cloud VMs tagged 'Production-Linux' in your weekly authenticated scan and in the CISA KEV patch job. What is the most scalable way to do this in Qualys?

Correct: b. Asset Tags drive dynamic scoping in Qualys. By scoping both the scan profile and the patch job to the 'Production-Linux' tag, any new VM that receives that tag is automatically included without manual list updates. This is the standard, scalable approach for cloud environments where assets are created and destroyed frequently.

Q8 · Analyze

A CVE has CVSS 6.0 but a Qualys QDS of 88. A second CVE has CVSS 9.8 but a QDS of 22. Which should you fix first, and why?

Correct: c. QDS of 88 indicates real-world threat intelligence: the CVE is likely in the CISA KEV catalog, has functional exploit code, or is linked to active malware campaigns, making exploitation likely in the near term despite the lower theoretical CVSS. A CVSS 9.8 with QDS 22 has no active exploits in the wild and is less urgent. TruRisk methodology prioritises QDS over CVSS base score.

Q9 · Evaluate

Your CISO wants a single number to report risk to the board each quarter, comparing this quarter to last quarter. Which Qualys metric and dashboard feature is designed for this?

Correct: b. TruRisk aggregates QDS across all vulnerabilities weighted by asset criticality into a single organisation-wide risk score. The Qualys Executive Dashboard shows TruRisk score trends over time, top risky assets, CISA KEV coverage, and MTTR — exactly the board-ready metrics a CISO needs. Raw CVE counts or scan config numbers are operational data, not board-level risk metrics.

Q10 · Evaluate

Which Qualys module would you use to verify that all Windows servers comply with the CIS Level 1 Benchmark — specifically checking registry settings, password complexity, and service configurations?

Correct: d. Policy Compliance (PC) is specifically designed to audit configuration controls — registry settings, password complexity, service states, and file permissions — against benchmark frameworks like CIS, DISA STIG, and PCI DSS. VMDR finds unpatched CVEs but does not check configuration correctness; WAS scans web applications; EASM is for external attack surface discovery.

🧠 In your own words

Type one line: what is QDS, and how does TruRisk differ from a plain CVSS score? Then compare with the expert version.

Expert version: QDS (Qualys Detection Score, 0–100) is the per-vulnerability risk score that enriches the CVSS base severity with four real-world threat intelligence signals from Qualys's 25+ source feed: EPSS (probability of exploitation in the next 30 days), CISA KEV listing (is it actively exploited?), functional exploit code availability, and active malware campaign association — so a CVSS 5 being used in ransomware today can score a QDS of 95 while a CVSS 9 with no known exploit scores a QDS of 20. TruRisk is the broader framework that aggregates QDS across all vulnerabilities on all assets, weighted by asset criticality from CSAM, into a single organisation-wide risk score that a CISO can track and report to the board — QDS is per-vulnerability, TruRisk is the organisation's total risk posture.
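To make the Q8, Q9 and expert-version points concrete, here is an added worked example for this lesson that is not Qualys code and does not use Qualys's proprietary formula: findings are ranked by QDS rather than CVSS, the four threat signals explain why a given finding tops the list, and a simplified organisation-wide score (each asset's criticality times the highest QDS on it, normalised to 0-1000) is compared quarter over quarter. The CVE placeholders, QIDs, QDS values, EPSS threshold and criticality weights are all constructed.

```python
"""QDS-first prioritisation and a simplified TruRisk-style aggregate (constructed model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    qid: int            # hypothetical QID
    cve: str            # placeholder, not a real CVE id
    asset: str
    cvss: float         # CVSS base score
    qds: int            # Qualys Detection Score, 0-100 (constructed values)
    epss: float         # probability of exploitation in the next 30 days
    in_kev: bool        # listed in CISA KEV
    exploit_available: bool
    malware_linked: bool


# Hypothetical asset criticality, 1 (low) .. 5 (crown jewel), as CSAM would supply.
# Every inventoried asset appears here, including ones with no open findings.
CRITICALITY = {"db-prod-01": 5, "web-prod-02": 4, "dev-box-09": 1}

# Constructed findings; the first two are the Q8 scenario.
LAST_QUARTER = [
    Finding(100001, "CVE-PLACEHOLDER-1", "db-prod-01", 6.0, 88, 0.91, True, True, True),
    Finding(100002, "CVE-PLACEHOLDER-2", "web-prod-02", 9.8, 22, 0.02, False, False, False),
    Finding(100003, "CVE-PLACEHOLDER-3", "dev-box-09", 7.5, 60, 0.40, False, True, False),
    Finding(100004, "CVE-PLACEHOLDER-4", "db-prod-01", 4.3, 35, 0.05, False, False, False),
]
# This quarter: the KEV-listed finding was patched, nothing else changed.
THIS_QUARTER = [f for f in LAST_QUARTER if f.cve != "CVE-PLACEHOLDER-1"]

EPSS_THRESHOLD = 0.5   # hypothetical cut-off for calling out EPSS as a driver


def prioritise(findings):
    """Remediation order: QDS first, KEV listing as tie-break, CVSS last."""
    return sorted(findings, key=lambda f: (f.qds, f.in_kev, f.cvss), reverse=True)


def why_first(f):
    """Name the threat-intelligence signals that lift this finding above its CVSS."""
    reasons = []
    if f.epss >= EPSS_THRESHOLD:
        reasons.append(f"EPSS {f.epss:.2f}")
    if f.in_kev:
        reasons.append("CISA KEV listing")
    if f.exploit_available:
        reasons.append("functional exploit code")
    if f.malware_linked:
        reasons.append("active malware campaign")
    return reasons


def tru_risk(findings, criticality):
    """Organisation-wide score on a 0-1000 scale (simplified model, not Qualys's formula).

    Each asset contributes criticality x its highest QDS; the total is divided by
    the worst case (every asset at QDS 100), so the number stays comparable across
    quarters even as the inventory changes.
    """
    worst_per_asset = {}
    for f in findings:
        worst_per_asset[f.asset] = max(worst_per_asset.get(f.asset, 0), f.qds)
    exposure = sum(criticality[a] * q for a, q in worst_per_asset.items())
    worst_case = sum(100 * c for c in criticality.values())
    return round(1000 * exposure / worst_case, 1) if worst_case else 0.0


def quarter_over_quarter(prev, curr, criticality):
    """The single trend number a board slide needs: last, this, and the delta."""
    last, this = tru_risk(prev, criticality), tru_risk(curr, criticality)
    return {"last": last, "this": this, "delta": round(this - last, 1)}


if __name__ == "__main__":
    for f in prioritise(LAST_QUARTER):
        print(f"{f.cve:<18} CVSS {f.cvss:<4} QDS {f.qds:<3} {', '.join(why_first(f)) or '-'}")
    print(quarter_over_quarter(LAST_QUARTER, THIS_QUARTER, CRITICALITY))
```

Ranking by CVSS would put the QDS 22 finding first; ranking by QDS puts the KEV-listed, malware-linked one first, and patching that single finding on the most critical asset moves the aggregate score more than anything else in the list could.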

📖 Glossary

Cloud Agent
Lightweight Qualys software installed on endpoints. Continuously monitors the device from inside and streams findings to the Qualys Cloud Platform regardless of network location — no firewall exceptions to the scanner needed.
Scanner Appliance
Virtual or physical Qualys network scan engine that runs authenticated and unauthenticated point-in-time scans against targets over the network. Required for infrastructure devices and hosts that cannot run an agent.
Passive Network Sensor
Qualys sensor connected to a SPAN port or network TAP that discovers and fingerprints assets from traffic analysis — no active probes and nothing installed on targets. Ideal for OT, IoT, and legacy systems.
QID (Qualys ID)
Unique identifier for each vulnerability or misconfiguration check in the Qualys KnowledgeBase (QKB). Every detectable issue has a QID with CVE mapping, CVSS score, QDS score, and remediation guidance. New QIDs arrive automatically via the cloud platform.
QDS (Qualys Detection Score)
Per-vulnerability risk score from 0 to 100 that enriches CVSS base severity with real-world threat intelligence: EPSS exploit probability, CISA KEV listing, functional exploit code availability, and active malware campaign association. Drives VMDR prioritisation.
TruRisk
Qualys's organisation-wide risk framework. Aggregates QDS across all vulnerabilities on all assets weighted by asset criticality (from CSAM) into a single risk score for board and CISO reporting. QDS is per-vulnerability; TruRisk is the organisational risk posture.
Asset Tags
Labels applied to assets in the Qualys Cloud Platform — manually, by rule, or automatically. Tags drive dynamic scoping of scans, policies, patch jobs, and dashboards. New assets receiving a tag are automatically included in all scoped jobs.
Policy Compliance (PC)
Qualys module that audits OS and middleware configuration controls against frameworks like CIS Benchmarks, DISA STIGs, and PCI DSS. Checks registry settings, service configs, and password policies — distinct from VMDR's CVE detection.
WAS (Web Application Scanning)
Qualys DAST module that crawls and probes web applications with crafted HTTP requests to find OWASP Top 10 vulnerabilities: SQL injection, XSS, broken authentication, and similar application-logic flaws.
CISA KEV
CISA Known Exploited Vulnerabilities catalog — a US government list of CVEs actively exploited in the wild. Inclusion in KEV is one of the four QDS threat intelligence signals and dramatically raises a vulnerability's remediation priority in VMDR.

📚 Sources

  1. Qualys — VMDR: Vulnerability Management, Detection and Response — platform overview and sensor architecture. qualys.com/apps/vulnerability-management-detection-response
  2. Qualys — VMDR TruRisk datasheet — QDS scoring methodology, EPSS, CISA KEV integration, and TruRisk aggregation. qualys.com/docs/qualys-vmdr-trurisk-datasheet.pdf
  3. Qualys — Cloud Agent: continuous endpoint monitoring, deployment models, and VMDR/PC delivery. qualysguard.qualys.com/portal-help/en/vm/assets/cloud_agent.htm
  4. Qualys — VMDR and Patch Management: closing the vulnerability loop with one-click patching via Cloud Agent. docs.qualys.com/en/vm/latest
  5. Qualys — Policy Compliance and Web Application Scanning: configuration auditing and DAST in the Qualys Enterprise TruRisk Platform 3.24. qualys.com/documentation
  6. Qualys blog — Vulnerability Detection Sources in VMDR and handling the vulnerability surge in the post-Mythos era (2026). blog.qualys.com/product-tech/2026/05/01/handling-the-vulnerability-surge-in-the-post-mythos-era

What's next?

Done with the interview prep? Go deeper on Qualys architecture — the Cloud Agent deployment models, TruRisk scoring methodology, Patch Management workflows, and building compliance dashboards in the Qualys Enterprise TruRisk Platform.