// Trust & Security Report

    Qualys, Inc. logo

    Qualys, Inc.

    Enterprise cybersecurity risk and compliance platform with vulnerability management (VMDR), cloud security (CNAPP, CDR), threat detection (EDR), compliance automation (Policy Compliance), and agentic AI capabilities integrated across 20+ security and compliance applications.

    Certifications held

    9

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type II Report available in Qualys compliance fileshare - attestation of controls over security, availability, processing integrity, confidentiality, and privacy

    Verify on success.qualys.com
    ISO 27001
    HELD

    Qualys Cloud Platform holds ISO/IEC 27001 certification for information security management systems

    Verify on success.qualys.com
    ISO 27017
    HELD

    Qualys Cloud Platform has ISO27017 certification applicable to cloud services information security controls

    Verify on success.qualys.com
    FedRAMP High
    HELD

    Qualys Government Platform achieved FedRAMP High Authorization on August 27, 2025, sponsored by the DEA, enforcing over 420 NIST SP 800-53 High Impact technical controls, supporting FISMA, CMMC 2.0, HIPAA, and PCI DSS frameworks from a single authorized platform

    Verify on blog.qualys.com
    FedRAMP Moderate
    HELD

    Qualys Cloud Platform has been FedRAMP Moderate Authorized since November 2, 2016, sponsored by the IRS and FSA; three platform pods (US1, US2, US3) operate at this level

    Verify on qualys.com
    CSA STAR Level 2
    HELD

    Qualys holds STAR Level 2 Certification for ISO/IEC 27001, demonstrating commitment to cloud security governance

    Verify on success.qualys.com
    GDPR
    HELD

    Qualys maintains a Data Privacy Addendum and complies with EU General Data Protection Regulation (GDPR) requirements; operates Secure Operations Center in Amsterdam (EU) for data residency compliance

    Verify on qualys.com
    HIPAA
    HELD

    Qualys Policy Compliance provides automated, agent-less solution for HIPAA policy compliance and supports alignment with HIPAA requirements via the FedRAMP High authorization which covers HIPAA compliance inheritance

    Verify on qualys.com
    PCI DSS
    HELD

    Qualys Policy Compliance supports PCI DSS 4.0 compliance and automated audit-ready reporting; Qualys is a Qualified Security Assessor (QSA) provider with PCI compliance training and playbooks

    Verify on cdn2.qualys.com
    > Show 1 unconfirmed / not-held certifications
    ISO 42001 (AI Management)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 certification found on Qualys domain; vendor focuses on NIST AI governance and responsible AI principles but no third-party AI management certification documented

    source: qualys.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multiple regions with Secure Operations Centers (SOCs) in San Jose (US), Amsterdam (EU - GDPR compliant), and Pune (India); customers can select region for data residency

    Qualys uses anonymized security signals and aggregated data from its data lake (containing petabytes of anonymized security signals fed by 10-12 databases receiving 45 billion messages per day) for AI/ML model training. The privacy policy explicitly states: 'This Privacy Statement does not apply to our processing of Personal Information or personal data provided by our customers through the contractual provision of our cloud services.' Customer data for service use is governed by separate contractual agreements (Master Cloud Services Agreement, Data Privacy Addendum), not the public privacy statement. No direct training on raw customer scan data or configurations found in documentation.

    // Security controls

    Encryption in transit

    TLS 1.3 enabled across public-facing product URLs (target completion end of 2025); deprecated weak cipher suites as of January 31, 2025; minimum 2048-bit RSA or 224-bit ECDH key exchange

    notifications.qualys.com

    Scanning accuracy

    99.99966% accuracy (Six Sigma standard) for vulnerability scanning and assessment

    qualys.com

    Data processing scale

    9+ trillion indexed data points; 2+ trillion security events per year; 6+ billion IP scans and audits per year; 6+ billion Kafka messages per day

    qualys.com

    Vulnerability detection

    AI-driven zero-day threat detection via Blue Hexagon ML platform; Agentic AI for autonomous remediation validation and continuous monitoring

    blog.qualys.com

    Compliance controls

    FedRAMP High: 420+ NIST SP 800-53 High Impact controls; supports FISMA, CMMC 2.0, HIPAA, PCI DSS, GDPR, ISO 27001 frameworks

    qualys.com

    // Products & data scope

    Enterprise TruRisk PlatformIntegrated Risk Management

    data: Global; multi-cloud (AWS, Azure, GCP), on-premises, hybrid environments

    Unified platform with 20+ integrated apps for asset, vulnerability, compliance, and threat management. FedRAMP High authorized for Government Platform variant.

    Vulnerability Management, Detection and Response (VMDR)Vulnerability Assessment

    data: Global; supports cloud agents, agentless scanning, API integration

    Core scanning engine with Six Sigma accuracy; integrates Blue Hexagon ML for zero-day detection

    Cloud Native Application Protection Platform (CNAPP)Cloud Security

    data: AWS, Azure, GCP; Kubernetes environments

    FedRAMP High authorized as of May 2026; includes Infrastructure as Code (IaC) security and SaaS Security Posture Management (SSPM)

    Cloud Detection and Response (CDR)Threat Detection

    data: Multi-cloud environments

    Deep learning AI for behavioral threat detection; part of FedRAMP High authorization

    Endpoint Detection and Response (EDR)Endpoint Security

    data: Windows, Linux, macOS endpoints

    Integrated threat monitoring and response capability

    Policy Compliance (PC)Compliance Automation

    data: Multi-framework: GDPR, HIPAA, PCI DSS 4.0, NIST, FISMA, CMMC, CIS, ISO, SOX, CCPA, PSD2

    Agent-less policy assessment and continuous compliance monitoring; mandate-based reporting

    External Attack Surface Management (EASM)Attack Surface Management

    data: Internet-facing assets; global scope

    Identifies unknown and unmanaged assets; integrates with CyberSecurity Attack Surface Management (CSAM)

    Agentic AI (Agent Val, TruRisk Eliminate)Autonomous Risk Management

    data: Multi-tool environment; scans, validates, remediates across platform

    Purpose-built AI agents for autonomous exploitability validation, vulnerability elimination, and re-validation; uses anonymized data lake

    // What to watch

    • FedRAMP High is recent (August 2025) for Government Platform variant; ensure current Qualys engagement specifies which platform variant is used
    • Privacy policy explicitly disclaims customer service data coverage; AI/ML usage on customer service data is governed by contractual Data Privacy Addendum (not public), so users should review their contract to confirm no direct customer data training
    • Qualys is a QSA (Qualified Security Assessor) for PCI DSS, meaning they assess others' compliance; verify which products inherit PCI DSS certification vs. which support compliance assessment only
    • ISO 27017 and ISO 27018 mentioned in searches but specific certificate links were unavailable due to portal errors; recommend verifying current status of these certifications directly with Qualys support

    // At a glance

    Pricing model

    SaaS subscription per module or unified platform; usage-based and asset-based pricing tiers

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Qualys, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    success.qualys.com

    > Browse all vendor trust reports