// Trust & Security Report
Qualys, Inc.
Enterprise cybersecurity risk and compliance platform with vulnerability management (VMDR), cloud security (CNAPP, CDR), threat detection (EDR), compliance automation (Policy Compliance), and agentic AI capabilities integrated across 20+ security and compliance applications.
Certifications held
9
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on success.qualys.com“SOC 2 Type II Report available in Qualys compliance fileshare - attestation of controls over security, availability, processing integrity, confidentiality, and privacy”
Verify on success.qualys.com“Qualys Cloud Platform holds ISO/IEC 27001 certification for information security management systems”
Verify on success.qualys.com“Qualys Cloud Platform has ISO27017 certification applicable to cloud services information security controls”
Verify on blog.qualys.com“Qualys Government Platform achieved FedRAMP High Authorization on August 27, 2025, sponsored by the DEA, enforcing over 420 NIST SP 800-53 High Impact technical controls, supporting FISMA, CMMC 2.0, HIPAA, and PCI DSS frameworks from a single authorized platform”
Verify on qualys.com“Qualys Cloud Platform has been FedRAMP Moderate Authorized since November 2, 2016, sponsored by the IRS and FSA; three platform pods (US1, US2, US3) operate at this level”
Verify on success.qualys.com“Qualys holds STAR Level 2 Certification for ISO/IEC 27001, demonstrating commitment to cloud security governance”
Verify on qualys.com“Qualys maintains a Data Privacy Addendum and complies with EU General Data Protection Regulation (GDPR) requirements; operates Secure Operations Center in Amsterdam (EU) for data residency compliance”
Verify on qualys.com“Qualys Policy Compliance provides automated, agent-less solution for HIPAA policy compliance and supports alignment with HIPAA requirements via the FedRAMP High authorization which covers HIPAA compliance inheritance”
Verify on cdn2.qualys.com“Qualys Policy Compliance supports PCI DSS 4.0 compliance and automated audit-ready reporting; Qualys is a Qualified Security Assessor (QSA) provider with PCI compliance training and playbooks”
> Show 1 unconfirmed / not-held certifications
source: qualys.comNo public evidence of ISO/IEC 42001 certification found on Qualys domain; vendor focuses on NIST AI governance and responsible AI principles but no third-party AI management certification documented
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Multiple regions with Secure Operations Centers (SOCs) in San Jose (US), Amsterdam (EU - GDPR compliant), and Pune (India); customers can select region for data residency
Qualys uses anonymized security signals and aggregated data from its data lake (containing petabytes of anonymized security signals fed by 10-12 databases receiving 45 billion messages per day) for AI/ML model training. The privacy policy explicitly states: 'This Privacy Statement does not apply to our processing of Personal Information or personal data provided by our customers through the contractual provision of our cloud services.' Customer data for service use is governed by separate contractual agreements (Master Cloud Services Agreement, Data Privacy Addendum), not the public privacy statement. No direct training on raw customer scan data or configurations found in documentation.
// Security controls
Encryption in transit
TLS 1.3 enabled across public-facing product URLs (target completion end of 2025); deprecated weak cipher suites as of January 31, 2025; minimum 2048-bit RSA or 224-bit ECDH key exchange
notifications.qualys.comScanning accuracy
99.99966% accuracy (Six Sigma standard) for vulnerability scanning and assessment
qualys.comData processing scale
9+ trillion indexed data points; 2+ trillion security events per year; 6+ billion IP scans and audits per year; 6+ billion Kafka messages per day
qualys.comVulnerability detection
AI-driven zero-day threat detection via Blue Hexagon ML platform; Agentic AI for autonomous remediation validation and continuous monitoring
blog.qualys.comCompliance controls
FedRAMP High: 420+ NIST SP 800-53 High Impact controls; supports FISMA, CMMC 2.0, HIPAA, PCI DSS, GDPR, ISO 27001 frameworks
qualys.com// Products & data scope
data: Global; multi-cloud (AWS, Azure, GCP), on-premises, hybrid environments
Unified platform with 20+ integrated apps for asset, vulnerability, compliance, and threat management. FedRAMP High authorized for Government Platform variant.
data: Global; supports cloud agents, agentless scanning, API integration
Core scanning engine with Six Sigma accuracy; integrates Blue Hexagon ML for zero-day detection
data: AWS, Azure, GCP; Kubernetes environments
FedRAMP High authorized as of May 2026; includes Infrastructure as Code (IaC) security and SaaS Security Posture Management (SSPM)
data: Multi-cloud environments
Deep learning AI for behavioral threat detection; part of FedRAMP High authorization
data: Windows, Linux, macOS endpoints
Integrated threat monitoring and response capability
data: Multi-framework: GDPR, HIPAA, PCI DSS 4.0, NIST, FISMA, CMMC, CIS, ISO, SOX, CCPA, PSD2
Agent-less policy assessment and continuous compliance monitoring; mandate-based reporting
data: Internet-facing assets; global scope
Identifies unknown and unmanaged assets; integrates with CyberSecurity Attack Surface Management (CSAM)
data: Multi-tool environment; scans, validates, remediates across platform
Purpose-built AI agents for autonomous exploitability validation, vulnerability elimination, and re-validation; uses anonymized data lake
// What to watch
- FedRAMP High is recent (August 2025) for Government Platform variant; ensure current Qualys engagement specifies which platform variant is used
- Privacy policy explicitly disclaims customer service data coverage; AI/ML usage on customer service data is governed by contractual Data Privacy Addendum (not public), so users should review their contract to confirm no direct customer data training
- Qualys is a QSA (Qualified Security Assessor) for PCI DSS, meaning they assess others' compliance; verify which products inherit PCI DSS certification vs. which support compliance assessment only
- ISO 27017 and ISO 27018 mentioned in searches but specific certificate links were unavailable due to portal errors; recommend verifying current status of these certifications directly with Qualys support
// At a glance
Pricing model
SaaS subscription per module or unified platform; usage-based and asset-based pricing tiers
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Qualys, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
success.qualys.com