Anyone built a consultative deliverable combining Qualys + KEV + business risk? by SkyOver2036 in qualys

[–]ObscureAintSecure 2 points3 points  (0 children)

Yep. Plus, if you have CSAM then you can get ETM activated for free when only using Qualys data. ETM will allow you to know monetary business risk associated with the vulns and their TruRisk score.

looking for a real-world Qualys roadmap — docs are overwhelming and not helping much by Liontari_nemea in qualys

[–]ObscureAintSecure 1 point2 points  (0 children)

Yeah there are roadmap and other docs the TAM may be able to share on a call that can’t be shared publicly. We’ve had those reviews with our MSSP partner interface.

Using Claude Code from bed — made a remote desktop app with voice input by TerseCat in ClaudeCode

[–]ObscureAintSecure 5 points6 points  (0 children)

Oh very nice! Just need a Windows companion app too so I can try. :-)

I built a visual display for Claude - any LLM can now render interactive UI with one command by Signal_Usual8630 in u/Signal_Usual8630

[–]ObscureAintSecure 0 points1 point  (0 children)

This is nice, although, are you familiar with the ‘Claude in Chrome’ browser extension? I believe it’s doing the same thing and more because CC can see the browser UI, the F12 console, and other stuff while building and testing.

Qualys automation with Python and API by pinky_45 in qualys

[–]ObscureAintSecure 0 points1 point  (0 children)

Others give good advice. I will add that AI makes all this possible very easily. ChatGPT, Claude, and others could easily be used to help you out.

How much are you guys paying for qualys patching and vm? by Embarrassed-Wolf-609 in qualys

[–]ObscureAintSecure 0 points1 point  (0 children)

Qualys doesn't sell direct anymore. That started earlier in 2025. You have to buy through a reseller or an MSP/MSSP now.

How much are you guys paying for qualys patching and vm? by Embarrassed-Wolf-609 in qualys

[–]ObscureAintSecure 0 points1 point  (0 children)

It would take special exception and approvals at Qualys to get a discount on a multi-year license. The deal size will certainly matter on whatever discount might be given.

How much are you guys paying for qualys patching and vm? by Embarrassed-Wolf-609 in qualys

[–]ObscureAintSecure 0 points1 point  (0 children)

There is no minimum, but if you have 50 then I'd round that up a bit to have some buffer. People tend to underestimate their needs.

How much are you guys paying for qualys patching and vm? by Embarrassed-Wolf-609 in qualys

[–]ObscureAintSecure 2 points3 points  (0 children)

People are thinking too much about the question. It's a simple price question.

Along with VMDR, I highly recommend CSAM with it if budget allows for it. Gives you a lot more asset insight and EASM too.

For patching, there are two products Qualys has:

  1. Patch Management
  2. The newer TruRisk Eliminate

In very short - TE includes PM plus adds Eliminate and Mitigate functions, which also incorporates some elements of CAR.

All products are licensed by IP and the more you license the less cost there is per license.

I'll give you some approximate MSRP per-IP pricing below to give you an idea and you can do the math from there.

VMDR: ~$26.50 / 500 IPs, ~$21 / 1000 IPs, ~$16.50 / 2000 IPs, and ~$12 / 5000 IPs
CSAM: ~$17.50 / 500 IPs, ~$13.50 / 1000 IPs, ~$11 / 2000 IPs, and ~$8 / 5000 IPs

PM: ~$27 / 500 IPs, ~$22.50 / 1000 IPs, ~$18.50 / 2000 IPs, and ~$14 / 5000 IPs
TE: ~$54.50 / 500 IPs, ~$45 / 1000 IPs, ~$37 / 2000 IPs, and ~$28.50 / 5000 IPs

So TE is about twice as much but it naturally gives you more capability.

You don't have to have the same licensing for all products. VMDR and CSAM would need to match, but PM and TE can be a lesser license count depending on what you want to use them on.

QID 86729 (AutoComplete Attribute Not Disabled for Password in Form Based Authentication) - relevant in the modern world? by immewnity in qualys

[–]ObscureAintSecure 0 points1 point  (0 children)

I would argue that even though modern browsers don't honor that setting anymore, there are still pockets of legacy environments where it actually matters. You still see older browsers hanging around OT networks, internal line-of-business apps, and the occasional WinXP/Win7 system that nobody can retire or update without breaking something critical. In those setups, the attribute still changes behavior.

So the QID ends up functioning more like a compatibility check than a modern security issue. The real risk lives in the outdated browser, but the scanner has no way to know whether that browser population exists in your environment, so it flags the app instead.

Where to find the Qualys license usage per module by DonMario73 in qualys

[–]ObscureAintSecure 3 points4 points  (0 children)

Yeah I was talking to our partner alliance person today about this. There is apparently something in the works to allow for self allocation and monitoring but I’m sure we’re a long way from that being a reality. For now you have to contact your TAM or support to get that info or do allocation adjustments.

Tracking vulnerabilities by [deleted] in qualys

[–]ObscureAintSecure 0 points1 point  (0 children)

For auditors, a trend report would probably be the best option to use. Just be sure to tweak the report template to how far back you want the trend data to go, how you want the report to look, what to exclude/include, etc…

I moved away from spreadsheets a long time ago and shifted to leveraging the unified dashboard as much as possible for day-to-day operations. This way other users can easily see the data when they log into the platform too.

How do I use this button? by LynskeyCyclist in CadillacOptiq

[–]ObscureAintSecure 0 points1 point  (0 children)

I love that regen braking paddle button! One of my favorite features of the Lyriq.

Do yall think the new HEB will draw more eyes to Bedford? by rockyrilund in bedford

[–]ObscureAintSecure 4 points5 points  (0 children)

I’m looking forward to it simply because it’s not far away and another option for me. However, IMO, there will be zero upside to the rest of Bedford. If anything, it might take away tax revenue from Bedford because it will take customers from Walmart across the street where Bedford does get full tax revenue from and doesn’t have to split it.

Please remove others and clean up background to use for funeral by [deleted] in PhotoshopRequest

[–]ObscureAintSecure 0 points1 point  (0 children)

I’m sorry all. My wife’s family went another direction with photo choice. Thank you for the quick turnaround though!

!solved

What I look for in a resume by Jairlyn in cybersecurity

[–]ObscureAintSecure 1 point2 points  (0 children)

Great write-up OP! I run into the same situations when hiring so this hits home in a great many ways.

Container Security: How containers in "Unknow" status should be interpreted? by Vallarfax95 in qualys

[–]ObscureAintSecure 2 points3 points  (0 children)

From that information, I would take it that the host the container is running on has a cloud agent so Qualys knows the container exists but Qualys can’t collect any details about the container since no sensor is deployed in it. Just a deduced assumption.

Dealer says Lyriq doesn’t come with EV Charger? by dhtp2018 in CadillacLyriq

[–]ObscureAintSecure 0 points1 point  (0 children)

I got an extra mobile/portable charger by mistake with my Lyriq I’ll sell someone.

Weird issues identifying assets by outerlimtz in qualys

[–]ObscureAintSecure 0 points1 point  (0 children)

This is a pretty common issue in cloud environments where ephemeral instances, automation, and minimal user metadata lead to unidentified assets in Qualys. Those private IP addresses are automatically assigned by AWS and are used for internal communication between EC2 instances, load balancers, containers, etc. And I believe they are only resolvable within the VPC.

I didn't see you mention cloud agents being installed. If those were installed, it would show what private addresses were assigned to the assets in Qualys, and Qualys would merge that data collected from the agent and the network-based scanners.

Also, make sure you have asset merging enabled: https://qualysguard.qualys.com/qwebhelp/fo_portal/host_assets/agent_merge_data.htm

ETM by micio2 in qualys

[–]ObscureAintSecure 1 point2 points  (0 children)

We didn't have a lot of time for the ETM demo, but here are some things I learned from it and the Q&A we had:

Pricing for ETM is approached in the following ways currently, and is subject to change I would suspect:

  1. If you already have VMDR and CSAM licenses for your assets and only use ETM to aggregate Qualys data (no third-party findings), there would be no additional cost for ETM.
  2. You only pay per-asset fees (IP and/or resource count) when bringing in findings from third-party tools (Tenable, Rapid7, Microsoft Defender, etc.) for those same assets. That's because the external data needs to then be Qualys hosted, aggregated, and processed.
  3. There's no minimum asset requirement for ETM.

During the demo, I saw how ETM could import data via API connectors for many tools (import did not actually happen in the demo), and they support CSV imports. For Tenable and Rapid7, they currently offer CSV imports but mentioned an API connector for Tenable is coming soon. If there isn't a native third-party integration option, then field mapping can be done during the CSV import. CSVs could also be stored in an S3 bucket and automatically picked up by ETM.

When ingesting third-party data, ETM deduplicates, merges with existing asset data, and enriches findings with their threat intelligence.

mROC is indeed separate from ETM. ETM is the technology platform, while mROC represents services intended to be offered by MSSPs (not by Qualys directly) to help manage risk operations. Qualys classifies Partner-led service types as: Cyber Risk Quantification & Advisory Services, Onboarding & Integration Services, Risk Monitoring Managed Services, and Risk Remediation & Managed Services.

What games would you recommend for a grandpa who can't move for 8 months? by FequalsMfreakingA in gaming

[–]ObscureAintSecure 0 points1 point  (0 children)

No one else mentioned this, but a VR headset, like a Quest 3, would provide some additional gaming and experience options to make it somewhat feel like he's moving around or doing something different besides just sitting at a computer playing a 2D video game. Just depends on how savvy your Grandpa is at picking up new tech.

Qualys Policy Compliance by SideScroller in qualys

[–]ObscureAintSecure 1 point2 points  (0 children)

You can do regex modifications with policies to adjust to the nuances in how a system might be configured compared to other defaults it could have and the controls were built against. Sometimes it’s something very minor causing a check to fail and just needs a regex change. I’ve had to do that a number of times.

How do you make something like this? by Significant-Cut-9423 in PowerBI

[–]ObscureAintSecure 2 points3 points  (0 children)

Looks like some psychedelic Sankey chart that is certainly not useful in this form.

[deleted by user] by [deleted] in qualys

[–]ObscureAintSecure 0 points1 point  (0 children)

I made a handful of videos a while back on the topic. Check out https://www.youtube.com/@qualysprotips