
Qualys VMDR TruRisk Prioritization — Lifecycle, QDS & Real-Time Threat Intelligence

Qualys VMDR turns thousands of vulnerability findings into a short, risk-ordered fix list — not by CVSS alone, but by combining a Qualys Detection Score (QDS), real-time threat intelligence (RTIs) and your asset criticality into a single TruRisk number. This lesson walks every stage of the VMDR lifecycle — detect, prioritize, patch, reassess — and shows exactly how TruRisk decides what you fix first.

📅 2026-06-20 · ⏱ 17 min · 5 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master the Qualys VMDR lifecycle (detect, prioritize, patch, reassess) and TruRisk scoring in 2026: QDS, QVS, RTIs, asset criticality, and prioritization reports — with exam-ready tips.


Pick where you want to start

1. VMDR lifecycle: detect, prioritize, patch, reassess, one continuous loop.
2. TruRisk & QDS: how the risk score is calculated from QDS, QVS and asset data.
3. RTIs explained: six threat signals that override CVSS to escalate priority.
4. Prioritize & patch: reports, remediation tickets and how to close the loop.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does Qualys VMDR prioritize purely on CVSS score?

Answered in VMDR lifecycle.

2. What does QDS stand for in the Qualys ecosystem?

Answered in TruRisk & QDS.

3. Which signal causes a low-CVSS vulnerability to jump to the top of the fix list?

Answered in RTIs explained.

Most engineers think…

Most people treat Qualys VMDR as a scanner that outputs a list sorted by CVSS. You run it, export the top 50 CVEs, hand them to the patch team, and call it risk management. That mental model gets you fired in a red-team debrief.

VMDR is a four-stage continuous loop: detect, prioritize, patch, reassess. The prioritization stage is powered by TruRisk — a composite score built from QDS (the Qualys Detection Score at the QID level), real-time threat intelligence (RTIs like active exploitation and ransomware correlation), and your asset criticality. A CVE rated 5.0 in CVSS that is actively being exploited by ransomware actors will score higher in TruRisk than a 9.8 CVSS flaw that nobody has a working exploit for. Understanding that difference is what separates an L1 ticket-closer from an L2 analyst who can defend their prioritization decisions in front of management.

① The VMDR lifecycle — detect, prioritize, patch, reassess

Qualys VMDR frames vulnerability management as a four-stage continuous loop rather than a periodic point-in-time scan. The loop runs as fast as your scan schedule (or continuously with cloud agents) and feeds back into itself.

Detect — authenticated network scans and lightweight cloud agents discover every installed package, open port, and configuration weakness across your estate.
Prioritize — TruRisk scores each finding against live threat intelligence, exploit data, and the criticality of the host.
Patch — Qualys Patch Management (built into VMDR) generates a remediation ticket or directly deploys the patch to the asset.
Reassess — a follow-up scan verifies the vulnerability is gone; the TruRisk score drops and the loop closes. Without the reassess step you have no evidence the fix actually worked.

Figure 1 — The VMDR lifecycle loop. Qualys VMDR runs continuously: detect with scans and agents, prioritize with TruRisk, patch via Patch Management, then reassess to close the loop. Panels: Detect (scans + cloud agents) → Prioritize (TruRisk + RTIs) → Patch (Patch Management) → Reassess (verify & close).
Quick check · Q1 of 10 · Understand

What is the correct order of the Qualys VMDR lifecycle?

Correct: b. The VMDR lifecycle runs: Detect (find vulnerabilities with scans and agents) → Prioritize (rank by TruRisk) → Patch (deploy the fix via Patch Management) → Reassess (verify the fix worked). Skipping Reassess means you have no audit evidence of remediation.
👉 So far: VMDR lifecycle = Detect (scans + agents) → Prioritize (TruRisk) → Patch (Patch Management) → Reassess (verify & close). The loop runs continuously, not once a quarter.

② TruRisk and QDS — how the risk number is built

TruRisk is an asset-level risk score that ranges from 0 to 1000. It is built from three inputs layered together. First, QDS (Qualys Detection Score) is computed per QID (Qualys ID) and runs from 1 to 100, where 70 and above is Qualys's recommended remediation threshold. Second, QVS (Qualys Vulnerability Score) enriches each CVE with external threat data from more than 300,000 CVEs tracked across 25-plus intelligence feeds. Third, ACS (Asset Criticality Score) weights the finding against how important the affected host is to your business.

QDS vs CVSS — the key interview difference

CVSS is a static, vendor-assigned technical score. QDS is dynamic and Qualys-calculated — it updates when new exploit code is published, when a CVE moves onto the CISA KEV list, or when ransomware actors are observed using the flaw. Cite QDS (or TruRisk) in a Qualys-based prioritization report, not raw CVSS.

Figure 2 — TruRisk score inputs, three layers. Qualys TruRisk (0–1000) is built from QDS per vulnerability, QVS threat intelligence per CVE, and ACS per asset; all three are required. Layers shown: ACS, Asset Criticality (business context: how critical is this host? 1–5); QVS, Qualys Vulnerability Score (CVE-level: 25+ threat feeds, CISA KEV, exploit maturity); QDS, Qualys Detection Score (QID-level: detection confidence, exploitability, 1–100).

Figure 3 — CVSS vs QDS, key differences. CVSS is static and vendor-assigned; QDS is dynamic and Qualys-calculated, updating as threat intelligence changes.
CVSS (static): vendor-assigned at disclosure; does not change with exploits; no asset context baked in; use for compliance baselines.
QDS (dynamic): Qualys-calculated per QID; updates with new RTI data; feeds into asset TruRisk; use for fix prioritization.
QDS (Qualys Detection Score)
A per-QID score from 1 to 100 reflecting detection confidence and exploitability. Qualys recommends remediating findings at 70 or above. It is dynamic: it rises when exploit code or ransomware correlation is added.

TruRisk Score
An asset-level composite score from 0 to 1000 built from QDS, QVS (CVE threat intelligence) and ACS (asset criticality). It is the single number to cite when explaining your fix priority to management.

Real-Time Threat Indicators
Six RTI flags (Active Exploitation, Ransomware, Zero-Day, Wormable, High Lateral Movement and CISA KEV) that escalate a vulnerability in TruRisk regardless of its base CVSS score.

ACS (Asset Criticality Score)
Your business-context rating for a host (1–5). A CVSS 7.0 flaw on an ACS-5 internet-facing server will outrank the same flaw on an ACS-1 test box. You set ACS; Qualys uses it to weight TruRisk.

Cite TruRisk, not CVSS, in a Qualys interview

If you are using Qualys VMDR, the correct answer to 'how do you prioritize vulnerabilities?' is TruRisk — not CVSS. Mention QDS at the finding level, QVS as the CVE-level threat layer, and ACS as the business-context weight. CVSS is the baseline; TruRisk is the decision.

Quick check · Q2 of 10 · Remember

QDS (Qualys Detection Score) differs from CVSS mainly because QDS…

Correct: c. CVSS is static and vendor-assigned at disclosure. QDS is Qualys-calculated per QID and updates dynamically as threat intelligence changes — new exploits, ransomware correlation or CISA KEV listing all raise QDS. It also runs from 1 to 100, not 0–10.
👉 So far: TruRisk (0–1000) = QDS per QID × QVS threat intelligence per CVE × ACS per asset. Use QDS 70+ as your remediation threshold; CVSS alone is not enough.

③ Real-time threat indicators (RTIs) — the signals that override severity

RTIs are the intelligence layer that makes TruRisk dynamic. There are six RTIs in Qualys VMDR:
Active Exploitation — evidence that the vulnerability is being used in live attacks right now.
Ransomware Correlation — the CVE is linked to a known ransomware family.
Zero-Day — a public exploit exists with no vendor patch yet available.
Wormable — the vulnerability can self-propagate across a network without user interaction.
High Lateral Movement — the flaw enables attackers to pivot from one host to adjacent systems.
CISA KEV Listing — the CVE is on the U.S. Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalogue, which carries a federal patch-by deadline.

Any RTI flag escalates the TruRisk contribution of that QDS finding regardless of its base CVSS score. A CVE with CVSS 5.0 that carries an Active Exploitation RTI and a Ransomware RTI will outrank a CVSS 9.5 finding with no threat activity. In prioritization reports you filter by RTI flags first, then by QDS descending, to build your immediate fix list.

Figure 4 — Six RTIs that escalate TruRisk. Any active RTI flag overrides the base CVSS severity and raises the vulnerability in the TruRisk prioritization queue. Flags feeding the TruRisk engine: Active Exploit, Ransomware, Zero-Day, Wormable, Lateral Move, CISA KEV.
'CVSS above 7 = critical' is the wrong filter

Sorting by CVSS will miss RTI-flagged medium-severity CVEs that are actively being exploited. Ransomware operators specifically target CVSS 5–7 flaws because defenders under-prioritize them. Always check RTI flags before deciding a finding is low priority.

▶ Walkthrough: a ransomware-linked CVE gets escalated and patched

Follow a CVSS 5.2 vulnerability with Ransomware and Active Exploitation RTIs through the full VMDR lifecycle.

① Detect — A cloud agent on a critical web server reports CVE-2024-XXXX with CVSS 5.2. It enters the VMDR finding queue.
② Prioritize (TruRisk) — TruRisk evaluates QDS, QVS threat feeds (Ransomware + Active Exploitation RTIs present) and ACS-5 for this host. The score elevates to High.
③ Patch — A Qualys Patch Management ticket is auto-created with a 72-hour SLA. The patch is deployed and agent-confirmed.
④ Reassess — A follow-up agent check confirms the vulnerability is gone. The TruRisk score drops; the ticket closes with audit evidence.
Quick check · Q3 of 10 · Apply

A vulnerability has CVSS 4.8 but carries Active Exploitation and Ransomware RTI flags. How should VMDR treat it?

Correct: b. RTIs override base CVSS in TruRisk. Active Exploitation plus Ransomware flags mean the flaw is being actively used by ransomware actors. Waiting for CVSS to change or treating it as medium would leave a live threat unfixed. RTI-flagged findings go to the top of the fix list.
👉 So far: Six RTIs — Active Exploitation, Ransomware, Zero-Day, Wormable, Lateral Movement, CISA KEV — escalate any finding above CVSS-only rankings. RTI-flagged findings go first regardless of base severity.

④ Prioritization reports, patch workflows and closing the loop

Inside Qualys VMDR the Prioritization Report is your main output. It shows vulnerabilities ranked by TruRisk, grouped by asset criticality and RTI flags. The default recommended filter is QDS 70 or higher — this typically cuts a 10,000-finding list to a few hundred genuine priorities without hiding ransomware-linked low-CVSS flaws (because RTIs have already elevated those).

The patch workflow integrates directly with Qualys Patch Management. VMDR creates a remediation ticket per finding group, assigns it to the responsible team and tracks patch deployment status. When the patch lands, a lightweight re-scan or agent check closes the ticket and drops the asset's TruRisk score. The closed loop is what separates VMDR from a plain scanner: you have audit evidence that a specific CVE on a specific host was remediated and verified, not just 'we ran a patch job'.

Practical sizing tip

Do not try to remediate everything at once. Use the TruRisk dashboard to segment: RTI-flagged findings first, ACS 4-5 assets second, QDS 70+ on medium-criticality assets third. Present the prioritization matrix to management — it is defensible because every number in TruRisk is traceable to a data source.

Figure 5 — From TruRisk score to closed ticket. The prioritization-to-patch flow: TruRisk ranks findings, Patch Management deploys the fix, reassessment verifies and closes the audit trail. Stages: TruRisk rank (RTI + QDS + ACS) → Remediation ticket (assigned to owner) → Patch deployed (Patch Management) → Rescan (agent or scan job) → Closed (TruRisk score drops).

Priya at a Mumbai fintech firm faces this

After a VMDR scan, the security team exports 12,000 findings sorted by CVSS and hands the list to the patch team. Two weeks later the firm is hit by ransomware exploiting a CVE that was CVSS 5.2 and sat at position 8,000 in the list.

Likely cause

The team sorted purely by CVSS and never checked RTI flags. The CVE carried Ransomware and Active Exploitation RTIs that would have moved it to the top of any TruRisk-sorted list.

Diagnosis

Open the VMDR Prioritization Report, filter by RTI = Ransomware or Active Exploitation. The missed CVE appears in the top 20 findings, far above the CVSS-9 theoretical vulnerabilities that had no threat activity.

VMDR ▸ Prioritization Report ▸ Filter RTI ▸ QDS descending
Fix

Rebuild the fix workflow: always sort by TruRisk and filter RTIs first. Add an SLA — RTI-flagged findings patched within 72 hours, QDS 70+ within 14 days. Integrate with Qualys Patch Management so tickets auto-open and track status.

Verify

Re-run the prioritization report after patching. The RTI-flagged CVE should no longer appear in open findings, and the asset TruRisk score should have dropped. Screenshot both states for the audit trail.
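The ordering rule from section ③ (RTI flags first, then QDS descending), the sizing tip above (RTI-flagged findings, then ACS 4–5 assets, then QDS 70+ on lower-criticality assets) and the SLAs from the Fix step can be applied mechanically to a findings export. The Python below is an added example written for this lesson, not Qualys code and not the Qualys API: the CSV columns, asset names, QIDs and CVE placeholders are constructed, and the tiering and SLA values follow the lesson's suggested policy rather than any Qualys default.

```python
"""Build a fix list from a VMDR-style findings export using the lesson's
policy: RTI-flagged findings first, then QDS 70+ on ACS 4-5 assets, then
the remaining QDS 70+ findings; anything below the threshold with no RTI
is backlog. Added example, not Qualys code: the export layout, assets,
QIDs and CVE placeholders are constructed."""
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

QDS_THRESHOLD = 70           # Qualys recommended remediation threshold
HIGH_ACS = {4, 5}            # business-critical assets (ACS is set by you)

# Tier -> SLA, following the lesson's suggested policy; tier 4 is backlog.
SLA = {1: timedelta(hours=72), 2: timedelta(days=14), 3: timedelta(days=14), 4: None}

# Constructed sample export (not real data); rtis is ';'-separated.
SAMPLE_EXPORT = """asset,acs,qid,cve,cvss,qds,rtis
web-prod-01,5,90001,CVE-2024-XXXX,5.2,85,Ransomware;Active Exploitation
build-box-07,1,90002,CVE-2024-YYYY,9.8,88,
db-prod-02,4,90003,CVE-2023-ZZZZ,7.5,74,
test-vm-19,2,90004,CVE-2023-AAAA,9.1,72,
file-srv-03,3,90005,CVE-2022-BBBB,6.5,40,
dmz-proxy-01,5,90006,CVE-2024-CCCC,4.8,66,Wormable
"""


@dataclass
class Finding:
    asset: str
    acs: int
    qid: int
    cve: str
    cvss: float
    qds: int
    rtis: list = field(default_factory=list)

    @property
    def tier(self) -> int:
        """1 = any RTI flag (regardless of CVSS or QDS),
        2 = QDS 70+ on an ACS 4-5 asset,
        3 = QDS 70+ on a lower-criticality asset,
        4 = backlog."""
        if self.rtis:
            return 1
        if self.qds >= QDS_THRESHOLD:
            return 2 if self.acs in HIGH_ACS else 3
        return 4


def parse_export(text: str) -> list:
    """Read the CSV export into Finding objects; an empty rtis cell means no flags."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        rtis = [r.strip() for r in row["rtis"].split(";") if r.strip()]
        findings.append(Finding(row["asset"], int(row["acs"]), int(row["qid"]),
                                row["cve"], float(row["cvss"]), int(row["qds"]), rtis))
    return findings


def prioritize(findings: list) -> list:
    """Tier first, then QDS descending within a tier, then ACS; CVSS only
    breaks remaining ties, so a CVSS 9.8 with no RTI never jumps the queue."""
    return sorted(findings, key=lambda f: (f.tier, -f.qds, -f.acs, -f.cvss))


def fix_list(text: str, now: Optional[datetime] = None) -> list:
    """Return the ordered fix list with an SLA due time per finding."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for f in prioritize(parse_export(text)):
        sla = SLA[f.tier]
        rows.append({"cve": f.cve, "asset": f.asset, "tier": f.tier,
                     "cvss": f.cvss, "qds": f.qds, "rtis": f.rtis,
                     "due": (now + sla).isoformat() if sla else None})
    return rows


if __name__ == "__main__":
    for r in fix_list(SAMPLE_EXPORT):
        print(f"T{r['tier']} {r['cve']:<14} {r['asset']:<13} CVSS {r['cvss']:<4} "
              f"QDS {r['qds']:<3} RTIs={r['rtis'] or '-'} due={r['due']}")
```

Run against the sample, the CVSS 5.2 ransomware-linked finding lands first and the CVSS 9.8 finding on the ACS-1 build box drops to tier 3, which is exactly the inversion a CVSS-sorted export hides; a QDS 40 finding with no RTI stays in the backlog with no SLA.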

Close the loop with a reassessment scan

Deploying a patch is not the same as verifying it. Always schedule a reassessment scan or rely on cloud agent re-reporting before closing the ticket. The TruRisk score should drop for the affected asset; if it does not, the patch did not apply correctly or the finding was misidentified.
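The reassess decision just described (close the ticket only when the finding is gone and the asset's TruRisk has dropped; if the finding is still detected the patch did not apply, and if it is gone but the score is unchanged the finding may have been misidentified) as an added example, not Qualys code. It assumes you already have a pre-patch and a post-patch per-asset snapshot exported from VMDR; the snapshot structure, timestamps, QIDs and TruRisk values here are constructed.

```python
"""Closing the Reassess stage: decide from two scan/agent snapshots whether a
remediation ticket can be closed with evidence. Added example, not Qualys code.
Snapshot layout, timestamps, QIDs and TruRisk values are constructed."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetSnapshot:
    asset: str
    scanned_at: str          # ISO-8601 UTC timestamp of the scan or agent report
    trurisk: int             # asset-level TruRisk score (0-1000) as reported by VMDR
    open_qids: frozenset     # QIDs still detected on the asset in this report


VERIFIED = "VERIFIED"                    # QID gone and TruRisk dropped: close ticket
PATCH_NOT_APPLIED = "PATCH_NOT_APPLIED"  # QID still detected: the patch job failed
INVESTIGATE = "INVESTIGATE"              # QID gone but score unchanged: misidentified?


def reassess(before: AssetSnapshot, after: AssetSnapshot, qid: int) -> dict:
    """Compare the pre- and post-patch reports for one asset and one QID."""
    if before.asset != after.asset:
        raise ValueError("snapshots must describe the same asset")
    # Same-format ISO-8601 strings compare chronologically.
    if after.scanned_at <= before.scanned_at:
        raise ValueError("post-patch snapshot must be newer than the pre-patch one")
    if qid not in before.open_qids:
        raise ValueError(f"QID {qid} was not open before patching; nothing to verify")

    if qid in after.open_qids:
        verdict = PATCH_NOT_APPLIED
    elif after.trurisk < before.trurisk:
        verdict = VERIFIED
    else:
        # The finding disappeared but the asset score did not move. Either the
        # detection was misidentified or something else on the asset is masking
        # the drop; either way a human looks before the ticket closes.
        verdict = INVESTIGATE

    return {
        "asset": before.asset,
        "qid": qid,
        "verdict": verdict,
        "trurisk_before": before.trurisk,
        "trurisk_after": after.trurisk,
        "scanned_before": before.scanned_at,
        "scanned_after": after.scanned_at,
        "ticket_closable": verdict == VERIFIED,
    }


def audit_record(result: dict) -> str:
    """Serialise the verdict plus both timestamps as the evidence attached to the ticket."""
    return json.dumps(result, sort_keys=True)


# Constructed snapshots for one asset; 90001 is the QID being remediated.
BEFORE = AssetSnapshot("web-prod-01", "2026-06-20T08:00:00Z", 910, frozenset({90001, 90003}))
AFTER_OK = AssetSnapshot("web-prod-01", "2026-06-21T08:00:00Z", 640, frozenset({90003}))
AFTER_STILL_OPEN = AssetSnapshot("web-prod-01", "2026-06-21T08:00:00Z", 910, frozenset({90001, 90003}))
AFTER_NO_DROP = AssetSnapshot("web-prod-01", "2026-06-21T08:00:00Z", 910, frozenset({90003}))

if __name__ == "__main__":
    for name, after in [("ok", AFTER_OK), ("still open", AFTER_STILL_OPEN), ("no drop", AFTER_NO_DROP)]:
        print(name, "->", audit_record(reassess(BEFORE, after, 90001)))
```

The point of keeping three verdicts rather than a boolean is that the two failure cases route differently: PATCH_NOT_APPLIED goes back to the patch job, INVESTIGATE goes to an analyst, and only VERIFIED produces the timestamped before/after pair the audit trail needs.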

Quick check · Q4 of 10 · Analyze

What is the purpose of the Reassess stage in the VMDR lifecycle?

Correct: c. Reassess is the verification step: a follow-up scan or agent check confirms the vulnerability is gone, drops the asset TruRisk score, and closes the remediation ticket with audit evidence. Without it you have a patch job with no proof of effect.
👉 So far: Prioritization Report + Patch Management + Reassessment = a closed, auditable loop. Filter RTI flags first, then QDS 70+, assign SLAs, and verify with a follow-up scan.


📝 Wrap-up assessment — six more


Q5 · Remember

Which Qualys score is computed at the QID level and runs from 1 to 100?

Correct: d. QDS (Qualys Detection Score) is the per-QID score ranging from 1 to 100. CVSS runs from 0 to 10 and is vendor-assigned. TruRisk runs from 0 to 1000 and is asset-level. ACS is a 1–5 business-context rating you assign to hosts.
Q6 · Understand

What is the role of the Asset Criticality Score (ACS) in TruRisk?

Correct: a. ACS (1–5) is the business-context weight that tells TruRisk how important a host is. A CVSS 7 finding on an ACS-5 internet-facing server outranks the same finding on an ACS-1 dev box. You set ACS; Qualys does not auto-assign it from IP ranges.
Q7 · Apply

You have a finding with CVSS 5.0 and a 'Wormable' RTI flag. What is the correct action?

Correct: d. Wormable means the vulnerability can self-propagate with no user interaction — that is a P1 escalation in any reasonable policy. RTI flags override CVSS base score in TruRisk. Waiting for a quarterly cycle or a CVSS update is a remediation failure waiting to happen.
Q8 · Analyze

A VMDR prioritization report shows 10,000 open findings. What is the recommended first filter to build a defensible fix list?

Correct: d. The Qualys recommended workflow: filter RTI-flagged findings first (immediate SLA), then QDS 70+ on ACS 4–5 assets (short SLA), then remaining QDS 70+ lower criticality. Sorting by CVSS or age ignores live threat intelligence and misses ransomware-linked medium CVEs.
Q9 · Evaluate

What is the strongest argument for using TruRisk over raw CVSS for executive reporting?

Correct: b. TruRisk gives executives a number that reflects actual risk today — combining what attackers are doing right now (RTIs), how important the asset is (ACS) and how detectable the flaw is (QDS). CVSS only reflects technical severity at disclosure; it does not change as the threat landscape evolves.
Q10 · Evaluate

Which action completes the VMDR lifecycle and provides audit evidence of remediation?

Correct: c. The Reassess stage — a follow-up scan or agent check — is what closes the loop. It confirms the vulnerability is gone, drops the asset TruRisk score, and closes the ticket with timestamped evidence. Manually closing a change ticket or exporting a report does not prove the vulnerability was actually fixed.

🧠 In your own words

Type one line: why does Qualys VMDR use TruRisk instead of CVSS alone for prioritization? Then compare with the expert version.

Expert version: Because CVSS only captures technical severity at disclosure time and never updates. TruRisk layers three dynamic inputs — QDS (Qualys Detection Score, 1–100, updated as exploits emerge), QVS (CVE-level threat intelligence from 25+ feeds including CISA KEV and ransomware correlation), and ACS (your business-context rating for the host) — into a single 0–1000 asset risk score that reflects today's threat landscape. RTI flags like Active Exploitation and Ransomware mean a CVSS 5 flaw can legitimately outrank a CVSS 9.5 finding that has no known exploits in the wild. That is what makes a TruRisk-based fix list defensible in a board review or post-incident debrief.


📖 Glossary

VMDR
Vulnerability Management, Detection and Response — Qualys's unified platform that covers the full lifecycle: detect, prioritize, patch and reassess, all in one continuous loop.
TruRisk Score
An asset-level composite risk score from 0 to 1000, combining QDS (per-QID), QVS (per-CVE threat intelligence) and ACS (per-asset business criticality). The primary number to use in Qualys-based prioritization.
QDS (Qualys Detection Score)
A per-QID score from 1 to 100 reflecting detection confidence and exploitability. Dynamic — updates when new exploit data or RTI signals arrive. Qualys recommends fixing QDS 70+ as a baseline.
QVS (Qualys Vulnerability Score)
A CVE-level score drawing on 25+ threat intelligence feeds, tracking exploit maturity, CISA KEV status, ransomware and malware correlation. Enriches QDS within the TruRisk formula.
ACS (Asset Criticality Score)
A 1–5 business-context rating you assign to each asset. Tells TruRisk how badly a compromise on that host would hurt the organization. Must be configured — Qualys does not auto-assign it.
RTI (Real-Time Threat Indicator)
One of six dynamic threat signals — Active Exploitation, Ransomware, Zero-Day, Wormable, High Lateral Movement, CISA KEV — that escalate a vulnerability's TruRisk contribution regardless of its CVSS score.
CISA KEV
The U.S. Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalogue. Listing on KEV is one of the six VMDR RTI flags and carries a federal patch-by deadline for government agencies.
Reassessment
The fourth stage of the VMDR lifecycle: a follow-up scan or cloud agent re-report that confirms a patched vulnerability is closed, drops the asset TruRisk score, and closes the remediation ticket with audit evidence.


What's next?

Got TruRisk prioritization? Next, go deep on Qualys VMDR scanning modes — authenticated vs agent-based vs passive — and how sensor coverage gaps can hide critical findings from the lifecycle entirely.