Qualys VMDR Vulnerability Scanning — Profiles, QIDs, Scheduling & Scanner Placement

Qualys VMDR turns vulnerability scanning into a repeatable, policy-driven process. This lesson maps every moving part — authenticated vs unauthenticated scans, option profiles, scan profiles, QIDs, scheduling windows, where to place scanner appliances, and how asset tags and groups control scope — so you can configure scans confidently and answer every VMDR interview question.

📅 2026-06-20 · ⏱ 17 min · 5 infographics · live scan demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master Qualys VMDR vulnerability scanning in 2026: authenticated vs unauthenticated scans, option and scan profiles, QIDs, scheduling, scanner placement, asset tags and groups explained with real scenarios.

Pick where you want to start

1. Scan types: Authenticated vs unauthenticated — what each finds.
2. Profiles: Option profiles, scan profiles, key settings.
3. QIDs & scheduling: KnowledgeBase IDs, search lists, scan windows.
4. Scanner & scoping: Appliance placement, asset tags, asset groups.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does an unauthenticated scan log into the target host?

Answered in Scan types.

2. What controls which ports and QIDs a scan checks?

Answered in Profiles.

3. Which scanner type do you use to scan hosts inside a private network?

Answered in Scanner & scoping.

Most engineers think…

Most people assume vulnerability scanning is just 'point a tool at IPs and get a list of CVEs'. That works for a demo, but it fails in production and in interviews.

Qualys VMDR scanning is a policy-driven pipeline: you define what to check (option profile — ports, QIDs, authentication), what to scan (asset tags and groups), where the scanner sits (internal appliance vs cloud), and when it runs (scheduled windows). Understanding every knob in that pipeline is what separates engineers who get clean, actionable results from engineers who drown the SOC in noise — or miss half the estate because they forgot to place a scanner inside the DMZ.

① Authenticated vs unauthenticated scanning — the coverage gap

Every Qualys VMDR scan is either authenticated or unauthenticated. An unauthenticated scan (also called an external or network scan) probes the host purely from the outside — it checks open ports, service banners and responses without logging in. It finds exposed services and some network-visible vulnerabilities, but it cannot see what software versions are installed inside the OS, what patches are missing, or what misconfigurations exist at the system level.

An authenticated scan uses stored credentials — Windows domain credentials, SSH keys, or local accounts — to actually log into the target. Once inside, Qualys checks the OS patch level, installed software, registry keys, file permissions, running services and configuration settings. Authenticated scans typically find three to ten times more vulnerabilities than an unauthenticated scan on the same host, because the overwhelming majority of CVEs require local access to detect.

Qualys also supports agent-based scanning through the Qualys Cloud Agent, which runs continuously on the endpoint and eliminates the need for credentials altogether — useful for laptops, remote workers and assets that are rarely on the corporate network during scan windows.

Figure 1 — Authenticated vs unauthenticated scanning. Unauthenticated: network-visible banners only; open ports and services; no OS patch-level view; fewer findings, wider noise. Authenticated: logs in with credentials or keys; checks patches, registry, config; finds far more CVEs per host; accurate severity and risk scoring.
Authenticated scans log into the host and find patch-level and config issues invisible to unauthenticated probes.
Quick check · Q1 of 10 · Understand

Why does an authenticated scan find significantly more vulnerabilities than an unauthenticated scan?

Correct: a. The authentication gap is the key insight: unauthenticated scans see only network-exposed banners and ports. Authenticated scans log in and inspect OS patch level, installed software, registry and config — where the overwhelming majority of CVEs actually live.
👉 So far: Authenticated scans log in and check patch level and config — finding the majority of CVEs. Unauthenticated scans see only what is network-visible. Cloud Agent removes the credential dependency for endpoints.

② Option profiles and scan profiles — the control panel

A scan profile in Qualys VMDR is a saved scan job template that bundles a title, target scope, scanner selection and an option profile. The option profile is the granular control panel: it specifies which ports to probe (standard, full 1–65535, or custom), how many parallel hosts and checks to run simultaneously (performance throttle), which authentication records to attach, and the vulnerability detection mode (basic versus comprehensive).

Key option profile tabs

The Scan tab sets ports, performance and detection mode. The Authentication tab links the stored credential records for Windows, Unix/Linux, databases and network devices. The Compliance tab adds policy compliance checks if licensed. A single option profile can be reused across many scan schedules — change it once and every scan that references it inherits the update, which is the main reason you invest in clean profile hygiene rather than copying profiles ad-hoc.

Figure 2 — How a scan job is assembled. Scope (tags or asset group) + Option profile (ports, QIDs, creds) + Scanner (appliance or cloud) → Scan job (scheduled or on-demand) → Results (QID findings + severity).
A scan job links a scope, an option profile and a scanner — get any leg wrong and results are incomplete.
Authenticated scan
Logs into the host with stored credentials or SSH keys. Checks patch level, registry, config and installed software — finds the vast majority of real CVEs.

Unauthenticated scan
Probes only what is network-visible — open ports, banners, service responses. Faster but finds far fewer vulnerabilities than an authenticated scan.

Option profile
The reusable control panel for a scan: ports, parallel hosts, authentication records, detection mode and compliance checks. Referenced by scan jobs and schedules.

Asset tag
A flexible label (e.g. Location:Mumbai, Criticality:High) applied manually or by dynamic rules. Supports parent/child hierarchy; tag-scoped scans auto-include new matching assets.

Reuse one option profile per scan tier

Create one option profile per scanning tier (e.g. External-Unauth, Internal-Auth-Standard, Internal-Auth-Comprehensive) and reference them from all scan schedules. When you tune a port list or update credentials, every scan that references that profile inherits the change automatically — no need to edit dozens of individual scan jobs.

Quick check · Q2 of 10 · Remember

Which Qualys object defines the ports to probe, the authentication records to use and the parallel-scan performance settings?

Correct: c. The option profile is the control panel for every scan parameter — ports, performance throttle, authentication records and detection mode. The schedule controls timing; the asset group controls scope; the search list filters QIDs.
👉 So far: The option profile is the control panel: ports, performance, authentication records, detection mode. A scan profile bundles a scope, an option profile and a scanner into a reusable job.

③ QIDs and the KnowledgeBase — what gets checked and when

Every Qualys vulnerability check is identified by a QID (Qualys ID) — a numeric identifier assigned by Qualys in its KnowledgeBase. QIDs cover CVEs, configuration findings and informational checks. When you run a complete scan the scanner applies every QID that is applicable to the detected OS and services. When you run a custom scan you attach search lists — saved lists of QIDs — to scope the option profile to only the checks you care about (e.g. only critical-severity QIDs, or only checks for a specific CVE campaign).

Scheduling in Qualys VMDR lets you set recurring scan windows — daily, weekly, monthly — with a start time, time-zone and a scan duration limit so a slow scan does not bleed into business hours. You can also set a notification email when a scan completes or fails. Scans can be launched on-demand as well, which is useful after emergency patching to confirm remediation before the next scheduled window.

Figure 3 — QID detection modes — complete vs custom. Complete scan: all KnowledgeBase QIDs for detected OS and services. Custom scan: only QIDs in the attached search list — targeted or scoped. Search list: saved QID set — by severity, CVE campaign or product.
A complete scan applies every applicable QID; a custom scan limits checks to a saved search list for speed or focus.
Never skip scheduling time-zone and duration limits

Qualys scan schedules default to UTC. If your assets are in IST (+5:30) and you schedule without adjusting the time-zone, scans run during peak business hours. Set the correct time-zone and a scan duration limit so a slow scan cannot bleed into the next business day or trigger IDS alerts.
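As an added example (not from the lesson or from Qualys), the following Python models the time-zone mistake described above: it computes the window a schedule actually occupies, once with the operator's 02:00 start saved without a time-zone (so the wall-clock time is treated as UTC) and once with the zone set, and checks whether that window overlaps local business hours. The 09:00 to 18:00 business hours and the use of Asia/Kolkata for IST are assumptions.

```python
from datetime import datetime, timedelta, time
from zoneinfo import ZoneInfo

UTC = ZoneInfo("UTC")


def scan_window(start_local, tz, duration_hours, saved_without_tz=False):
    """Return (start, end) of a scan window as timezone-aware datetimes.

    start_local is the wall-clock time the operator typed, e.g. "2026-06-20 02:00".
    If the schedule was saved without choosing a time-zone (saved_without_tz=True),
    that wall-clock time is interpreted as UTC, which is the mistake being modelled.
    duration_hours plays the role of the scan duration limit.
    """
    naive = datetime.strptime(start_local, "%Y-%m-%d %H:%M")
    zone = UTC if saved_without_tz else ZoneInfo(tz)
    start = naive.replace(tzinfo=zone)
    return start, start + timedelta(hours=duration_hours)


def overlaps_business_hours(start, end, tz, open_at=time(9, 0), close_at=time(18, 0)):
    """True if any part of [start, end) falls inside local business hours.

    Walks each calendar day the window touches, so a window with a generous
    duration that runs into the next working day is caught as well.
    """
    zone = ZoneInfo(tz)
    local_start = start.astimezone(zone)
    local_end = end.astimezone(zone)
    day = local_start.date()
    while day <= local_end.date():
        biz_open = datetime.combine(day, open_at, tzinfo=zone)
        biz_close = datetime.combine(day, close_at, tzinfo=zone)
        if local_start < biz_close and local_end > biz_open:
            return True
        day += timedelta(days=1)
    return False


def local_window(start, end, tz):
    """Render the window in the assets' local zone for a human to read."""
    zone = ZoneInfo(tz)
    fmt = "%Y-%m-%d %H:%M %Z"
    return start.astimezone(zone).strftime(fmt), end.astimezone(zone).strftime(fmt)


if __name__ == "__main__":
    site_tz = "Asia/Kolkata"  # IST, UTC+05:30 (assumed site zone)
    for label, saved_as_utc in (("saved without time-zone", True), ("time-zone set to IST", False)):
        start, end = scan_window("2026-06-20 02:00", site_tz, 4, saved_as_utc)
        verdict = "overlaps business hours" if overlaps_business_hours(start, end, site_tz) else "safe"
        print(label, local_window(start, end, site_tz), verdict)
```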

▶ Live scan demo — an authenticated scan finds a critical missing patch

How a single scan job runs end-to-end on the healthy path.

① Scope resolved: The scan schedule fires. Qualys resolves the asset tag 'Env:Production-Linux' to 47 host IPs and routes the job to the internal scanner appliance in the server VLAN.
② Auth + connect: The scanner appliance connects to each host on port 22, authenticates with the stored SSH key from the authentication record, and logs in as the scan-service account.
③ QID checks: With OS access confirmed, the scanner runs applicable QIDs — checks patch level, installed packages, kernel version and service config. It finds QID 237765: a critical kernel CVE unpatched on 12 hosts.
④ Results uploaded: Findings are transmitted to the Qualys Cloud Platform. Severity 5 (critical) vulnerabilities appear in the VMDR dashboard with asset lists, CVSS scores and remediation guidance.
Quick check · Q3 of 10 · Apply

Your security team needs to scan only for critical-severity vulnerabilities related to a new CVE campaign. What is the correct approach?

Correct: d. A custom scan with a targeted QID search list limits checking to exactly those vulnerabilities, reducing scan time and result noise. Filtering afterwards wastes scan resources; the KnowledgeBase is read-only; a separate subscription is unnecessary.
👉 So far: QIDs are Qualys KnowledgeBase identifiers for every vulnerability check. Custom scans restrict checking to a QID search list. Schedule with the correct time-zone and a duration limit to protect business hours.

④ Scanner placement, asset tags and asset groups

Scanner appliances are virtual or physical Qualys-supplied probes deployed inside your network segments. The Qualys Cloud Scanner (external) probes internet-facing assets from Qualys infrastructure — you do not control it. For internal assets — servers, workstations and devices behind the firewall — you must deploy one or more internal scanner appliances. The rule: a scanner can only reach hosts it has routed, layer-3 access to. DMZs and isolated VLANs each typically need their own scanner.

Asset groups are administrator-defined collections of IP addresses or IP ranges. When you scope a scan to an asset group, only those IPs are targeted; you can also assign a default scanner to an asset group so scans always route to the right appliance automatically.

Asset tags are flexible key-value labels (e.g. Location:Mumbai, Criticality:High, OS:Linux) that you apply to hosts manually, via dynamic rules, or through cloud connector imports. Tags support parent/child hierarchies — tagging a parent (e.g. Region:India) applies to all child tags beneath it. Scoping a scan to a tag dynamically includes any new asset that earns that tag, making tag-based scanning far more maintainable than managing static IP lists.
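As an added example (not code from the lesson or from Qualys), this Python models the two scoping rules described above: resolving a tag-based scope through a parent/child tag hierarchy, and routing each resolved target to an appliance that has layer-3 reach to it, with unreachable hosts called out instead of silently dropped. The inventory, tag names, subnets and scanner names are all constructed.

```python
import ipaddress

# Constructed inventory: host IP -> the tags it carries (manual or dynamic-rule assigned).
HOSTS = {
    "10.10.1.15": {"Env:Production", "OS:Linux", "Location:Mumbai"},
    "10.10.1.16": {"Env:Production", "OS:Linux", "Location:Mumbai"},
    "10.20.5.40": {"Env:Production", "OS:Linux", "Location:Pune"},  # lives in the DMZ VLAN
    "10.10.2.9": {"Env:Staging", "OS:Windows", "Location:Mumbai"},
}

# Parent/child tag hierarchy: scoping to the parent includes every child beneath it.
TAG_CHILDREN = {
    "Region:India": {"Location:Mumbai", "Location:Pune"},
}

# Scanner appliances and the subnets each has routed, layer-3 access to (CIDR strings).
SCANNERS = {
    "corp-lan-scanner": ["10.10.0.0/16"],
}


def expand_tag(tag):
    """A tag selects itself plus, recursively, every child tag in the hierarchy."""
    selected = {tag}
    for child in TAG_CHILDREN.get(tag, ()):
        selected |= expand_tag(child)
    return selected


def resolve_scope(required_tags, hosts=HOSTS):
    """Hosts matching every required tag; a host matches a tag if it carries the tag
    itself or any descendant. Scope is computed at scan time, so a new host that
    earns the tags is included on the next run without touching any IP list."""
    matched = [ip for ip, tags in hosts.items()
               if all(tags & expand_tag(t) for t in required_tags)]
    return sorted(matched, key=ipaddress.ip_address)


def assign_scanner(targets, scanners=SCANNERS):
    """Route each target to an appliance whose routed subnets contain it.
    Anything no appliance can reach lands under UNREACHABLE: those hosts would
    otherwise produce a zero-host, near-instant scan that looks like a clean result."""
    plan = {name: [] for name in scanners}
    plan["UNREACHABLE"] = []
    for ip in targets:
        addr = ipaddress.ip_address(ip)
        owner = next((name for name, nets in scanners.items()
                      if any(addr in ipaddress.ip_network(n) for n in nets)), "UNREACHABLE")
        plan[owner].append(ip)
    return plan


if __name__ == "__main__":
    scope = resolve_scope(["Env:Production", "OS:Linux", "Region:India"])
    print("scope:", scope)
    print("before:", assign_scanner(scope))
    # Fix from the lesson: deploy an appliance inside the DMZ VLAN and route to it.
    with_dmz = {**SCANNERS, "dmz-scanner": ["10.20.5.0/24"]}
    print("after:", assign_scanner(scope, with_dmz))
```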

Figure 4 — Scanner placement by network zone. Qualys Platform (cloud console) with Cloud Scanner; internal appliances: Corp LAN scanner, DMZ scanner, Data centre scanner, Cloud VPC scanner, OT/IoT scanner.
Each isolated network zone needs its own internal scanner — the cloud scanner only reaches internet-facing assets.
Figure 5 — Asset tag scoping flow. Asset joins (discovered or imported) → Tag rule fires (dynamic tag assigned) → Scan scope (tag-based filter) → Scan runs (only tagged assets) → New asset? auto-included next run.
Dynamic tags mean new assets are automatically included in the next scan without touching IP lists.

Priya at a Pune fintech firm faces this

The weekly Qualys VMDR scan reports zero vulnerabilities on a new batch of Linux servers in the internal DMZ, but the security team knows unpatched packages exist.

Likely cause

The scan is routed through the corporate LAN scanner appliance, which has no layer-3 route to the DMZ VLAN. The scan job completes in seconds because no hosts are reached.

Diagnosis

Check the scan results: hosts show as 0 found or not reachable, and the scan history shows a near-instant completion time, which confirms the scanner never reached those IPs.

VMDR ▸ Scans ▸ Scan History ▸ [Scan Name] ▸ Host Details
Fix

Deploy a new Qualys virtual scanner appliance inside the DMZ VLAN. Assign it as the default scanner for the DMZ asset group. Update the scan schedule to use the DMZ appliance and attach an authentication record with SSH keys for the Linux hosts.

Verify

Re-run the scan — the host count now matches the known DMZ inventory, authenticated findings appear (patching backlog confirmed), and the scan duration is realistic rather than near-instant.

Prove scanner reach before trusting zero-vuln results

A scan that returns zero vulnerabilities is suspicious, not good news. Always check the scan history for realistic host counts and scan durations. A near-instant scan completion or a host count of zero almost always means the scanner appliance cannot route to those targets — not that the hosts are clean.
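As an added example (not from the lesson or Qualys), this Python implements the sanity check above as a triage over constructed scan-history records: it flags zero host counts, targets that were not reached, completion times that are implausible for the host count, and authenticated runs with zero findings, so the Priya scenario and the "500 hosts in under two minutes" case both surface as suspect. The 5-seconds-per-host threshold is an assumption to calibrate against scans you have verified.

```python
from dataclasses import dataclass


@dataclass
class ScanRun:
    """One row from a scan history export (constructed for this example)."""
    title: str
    targeted_hosts: int      # hosts the scope (tag or asset group) resolved to
    hosts_scanned: int       # hosts the appliance actually reached
    duration_seconds: int
    vulns_found: int
    authenticated: bool


# Assumption: an authenticated scan that spends less than this per reached host
# did not really inspect the host. Calibrate against scans you have verified.
MIN_SECONDS_PER_HOST = 5

# Constructed scan history: an unreachable DMZ scope, a healthy baseline,
# and the "500 hosts, zero findings, under two minutes" case from the lesson.
HISTORY = [
    ScanRun("DMZ-Linux-Weekly", 47, 0, 18, 0, True),
    ScanRun("Corp-LAN-Auth-Standard", 500, 500, 8_200, 1_340, True),
    ScanRun("Corp-LAN-Auth-Standard", 500, 500, 95, 0, True),
]


def assess(run):
    """Return the reasons a result should not yet be trusted (empty list = trusted)."""
    reasons = []
    if run.hosts_scanned == 0:
        reasons.append("no hosts reached: scanner has no route to the scope")
    elif run.hosts_scanned < run.targeted_hosts:
        reasons.append(f"{run.targeted_hosts - run.hosts_scanned} targeted host(s) not reached")
    if run.hosts_scanned and run.duration_seconds / run.hosts_scanned < MIN_SECONDS_PER_HOST:
        reasons.append("near-instant completion for the host count")
    if run.authenticated and run.hosts_scanned and run.vulns_found == 0:
        reasons.append("zero authenticated findings: confirm reach and credentials first")
    return reasons


def triage(history):
    """Label each run TRUSTED or SUSPECT with its reasons, in history order."""
    report = []
    for run in history:
        reasons = assess(run)
        report.append({"title": run.title,
                       "status": "SUSPECT" if reasons else "TRUSTED",
                       "reasons": reasons})
    return report


if __name__ == "__main__":
    for row in triage(HISTORY):
        print(f"{row['status']:8} {row['title']}: {'; '.join(row['reasons']) or 'ok'}")
```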

Quick check · Q4 of 10 · Analyze

A Qualys scan misses all hosts in a newly created server VLAN that is isolated from the rest of the network. What is the most likely cause?

Correct: b. Scanner appliances can only reach hosts they have routed, layer-3 network access to. An isolated VLAN requires its own scanner appliance deployed within that segment or a routed path to an existing scanner. Missing credentials would produce partial findings, not zero hosts.
👉 So far: Internal scanner appliances must have layer-3 access to the segment they scan. Asset groups scope scans to IP ranges; asset tags scope dynamically and auto-include new matching hosts.


📝 Wrap-up assessment — six more


Q5 · Remember

Which scan type requires storing credentials in Qualys to log into target hosts?

Correct: c. Authenticated scans use stored credential records (Windows, SSH, local) to log into hosts. Unauthenticated scans probe only what is network-visible and need no credentials.
Q6 · Understand

An option profile in Qualys VMDR is best described as…

Correct: b. An option profile bundles all the scan control parameters — ports, parallel settings, authentication records, vulnerability detection mode and optionally compliance settings. It is reusable across many scan schedules.
Q7 · Apply

You need to scan a new isolated cloud VPC where no Qualys scanner currently exists. What should you do first?

Correct: c. Scanner appliances only reach hosts they have layer-3 access to. A cloud VPC requires a virtual scanner deployed inside that VPC. The Cloud Scanner only covers internet-facing assets, not private cloud segments.
Q8 · Analyze

Why is tag-based scan scoping generally preferable to static IP-list asset groups for large dynamic environments?

Correct: d. Dynamic tags auto-include any new asset that earns the tag — no manual IP list edits needed. Static asset groups require the admin to add new IPs by hand, which creates gaps in large, fast-growing environments. Options a, b and c are incorrect: scanner reach is determined by appliance placement, not tag type; and asset groups do not auto-import cloud assets.
Q9 · Evaluate

A Qualys scan completes in under two minutes for a target group of 500 hosts and reports zero vulnerabilities. What is the most likely explanation?

Correct: c. A realistic authenticated scan of 500 hosts takes significant time. Near-instant completion with zero findings almost always means the scanner has no routed path to those hosts and the scan job never made contact. Verify host counts in the scan history before trusting a zero result.
Q10 · Evaluate

What is the correct approach to scope a Qualys scan only to critical-severity checks for a specific CVE campaign?

Correct: b. A custom scan with a targeted QID search list restricts scanning to exactly those checks — reducing scan time, network load and result noise. Running a complete scan and filtering wastes resources; a separate instance is unnecessary; authentication records control access, not QID scope.

🧠 In your own words

Reflection question: what is the single biggest mistake engineers make when setting up Qualys VMDR scanning for the first time? Answer in one line, then compare with the expert version.

Expert version: The single biggest mistake is deploying one scanner in the corporate LAN and assuming it reaches every asset — then trusting near-instant zero-vulnerability results as a clean bill of health. The second mistake is launching with an unauthenticated scan only and wondering why VMDR finds so little. The right setup: deploy a scanner appliance in every isolated network segment, configure authenticated scans with proper credential records, and verify host counts match your known asset inventory before interpreting any results.


📖 Glossary

QID (Qualys ID)
A unique numeric identifier for a specific vulnerability or information-gathered check in the Qualys KnowledgeBase. Each QID maps to one or more CVEs and carries a severity rating from 1 to 5.
KnowledgeBase
Qualys's continuously updated library of all vulnerability checks, each identified by a QID, including detection logic, severity, CVE mappings and remediation guidance.
Option profile
A reusable set of scan parameters — ports, parallel performance, authentication records and detection mode — referenced by scan schedules and on-demand jobs.
Scan profile
A saved scan job template bundling a title, target scope, scanner selection and an option profile for quick reuse.
Authenticated scan
A scan that logs into the target host using stored credentials or SSH keys, enabling OS-level inspection of patches, software and configuration.
Scanner appliance
A virtual or physical Qualys probe deployed inside a network segment to scan internal hosts. Each isolated segment needs its own appliance with layer-3 access to targets.
Asset tag
A flexible key-value label applied to hosts manually or by dynamic rules, supporting parent/child hierarchies. Tag-based scan scoping auto-includes new matching hosts.
Asset group
An administrator-defined static collection of IP addresses or ranges used to scope scan jobs and assign a default scanner appliance.
Search list
A saved list of QIDs used to restrict a custom scan to specific vulnerability checks — useful for targeted CVE campaigns or severity-filtered scans.
Cloud Agent
A lightweight Qualys agent installed on endpoints that performs continuous local scanning without credentials, uploading findings to the Qualys Cloud Platform.


What's next?

Got scanning down? Next, go deep on VMDR remediation workflows — how detections become tickets, how patch orchestration closes the loop, and how to measure time-to-remediate across your asset estate.