Overview of Qualys Products and Pricing
Qualys provides a suite of cloud-based security and compliance tools designed to protect hybrid IT environments. Its core offerings include vulnerability management, web application scanning, patch management, and compliance assessment.
Pricing varies by product, typically based on the number of assets or applications, with some starting around $1,500 to $2,000 per year for entry-level plans. Larger deployments and enterprise-grade features require custom quotes, often influenced by contract length, asset volume, and selected modules.
Below is a brief summary of the main Qualys offerings and their pricing. Each offering is described in more detail below.
Qualys VMDR
- Unified platform for asset discovery, vulnerability detection, and remediation
- Pricing on AWS Marketplace starts around $596/month for 128 hosts
Qualys WAS
- Scans web apps and APIs for vulnerabilities, supports DevOps workflows
- Starts at ~$1,995/year for 25 apps
Qualys Patch Management
- Automates patch discovery, prioritization, and deployment
- Custom pricing; older rates suggest ~$30/asset/year
Qualys Compliance Solutions
- Offers policy compliance audits, file monitoring, and continuous security assessments
- Starts at ~$1,500/year, with custom pricing for advanced needs
Note: Qualys does not publicly share its pricing. Pricing in this article is based on publicly available information. Contact Qualys for full and up-to-date pricing.
Qualys Vulnerability Management, Detection, and Response (VMDR)
Key Capabilities
Qualys VMDR is a unified cloud-based platform that provides end-to-end visibility into vulnerabilities across hybrid IT environments. It combines asset discovery, continuous vulnerability assessment, threat prioritization, and remediation tracking in a single workflow. The tool helps organizations reduce security risks and prevent breaches by streamlining security operations across both on-premises and cloud environments.
Key features include:
- Integrated discovery and assessment: Automatically identifies all assets in your environment and evaluates their vulnerability posture in real time.
- Real-time detection and prioritization: Uses threat intelligence and business context to rank vulnerabilities based on actual risk.
- Response and remediation: Provides actionable insights and automation options to remediate issues quickly.
- Cloud-ready: Includes a pre-approved scanner for AWS EC2 and integrates with AWS EC2 Cloud Connector for cloud asset tracking.
- Scalability and coverage: Offers coverage from a single platform, whether you’re managing a few hundred hosts or several thousand.
Pricing
Qualys VMDR is available on AWS Marketplace through monthly or annual subscription plans. Pricing varies based on the number of hosts and the contract duration.
Monthly pricing examples:
- 128 hosts: $596/month
- 512 hosts: $1,489/month
- 1024 hosts: $2,352/month
- 4096 hosts: $5,878/month
- 5120 hosts: $6,805/month
Annual pricing examples (with up to 17% discount):
- 128 hosts: $5,964/year
- 512 hosts: $14,889/year
- 1024 hosts: $23,521/year
- 4096 hosts: $58,778/year
- 5120 hosts: $68,045/year
Contracts include entitlements for a set number of hosts for the duration of the agreement. Access to these entitlements ends if the contract is not renewed. Note that additional AWS infrastructure charges may apply and can be estimated using the AWS Pricing Calculator.
Qualys WAS (Web Application Scanning)
Key Capabilities
Qualys WAS (Web Application Scanning) is a cloud security tool from Qualys that automatically finds vulnerabilities in web applications and APIs. It helps organizations identify and manage those vulnerabilities through deep integration with Qualys CyberSecurity Asset Management (CSAM).
Key features include:
- Integrated web asset discovery: Identifies potential web assets automatically and displays them in a centralized view, making it easier to activate WAS scans on relevant assets.
- Search and filtering: Allows users to search for web assets using Qualys Query Language (QQL), predefined time-based filters, or custom WebServer Queries. Assets can also be filtered by tags, operating systems, or hardware.
- Web application inventory: Lists discovered web applications along with associated host assets, including key attributes such as application name, URLs, and detected vulnerabilities from WAS scans.
- Asset grouping and classification: Supports grouping of assets based on manufacturer, operating system, hardware type, and custom tags for better organization and reporting.
- Host asset details: Provides detailed inventory, security, compliance, and source information for each host asset associated with a web application.
- Saved queries and recent searches: Lets users save frequently used search queries and access a history of recent searches, simplifying repetitive investigation workflows.
- Activation and management of scans: Enables activation, deactivation, and editing of WAS on discovered web assets directly from the interface.
Pricing
Qualys WAS pricing starts at approximately $1,995 per year for 25 web apps, with other pricing tiers and custom quotes available for larger-scale or enterprise needs. The final cost can vary significantly based on factors like the number of applications, the required features, and the overall Qualys Enterprise TruRisk Platform package being purchased.
- Starting price: The entry-level annual plan is about $1,995 for up to 25 web applications.
- Varying costs: Pricing can increase for more extensive scanning needs. The third-party reseller CDW lists a price of $1,369.99, but this may reflect a specific promotion.
- Enterprise plans: For large enterprises, pricing is typically custom and depends on specific requirements, with options for unlimited IPs, scanners, and other features through the Enterprise plan.
Qualys Patch Management
Key Capabilities
Qualys Patch Management is a cloud-based solution from Qualys that helps organizations identify, prioritize, deploy, and track software patches across their IT environment from a single platform.
Key features include:
- Centralized patch deployment: Patches Windows, Linux, and macOS systems, along with third-party applications, from a unified dashboard using the same agent as VMDR.
- Automated risk-based remediation: Automatically maps detected vulnerabilities to the correct patches or configuration changes and deploys them with minimal operational risk.
- Targeted patch automation: Deploys relevant patches to specific assets based on detected threats, such as ransomware or CISA-listed vulnerabilities.
- Smart scheduling and emergency patching: Allows scheduling of regular patch jobs by asset type or urgent deployment of high-priority patches as needed.
- End-user messaging: Supports communication with end-users during deployments to improve patch adoption and transparency.
- Integration with IT tools: Offers bidirectional integration with CMDB and ITSM platforms, enabling faster ticket closure and smoother coordination between IT and security teams.
- Zero-touch patching: Reduces manual effort by automating patching of prioritized vulnerabilities, helping to meet SLAs and reduce mean time to remediation.
- SCCM augmentation: Can be used alongside Microsoft SCCM or other existing solutions to enhance vulnerability remediation workflows.
- TruRisk prioritization: Leverages the Enterprise TruRisk Platform to identify and deploy patches that provide the greatest reduction in risk.
Pricing
Qualys Patch Management pricing is not publicly listed and depends on factors like contract length and the number of assets. Some publicly available pricing information suggests costs start from $30 per asset per year. A one-year subscription for one license is listed at $578.99 on CDW and $30.99 on Insight Enterprises (these may reflect different packages or promotions).
Factors influencing pricing:
- Contract length: Longer contracts may offer a discount.
- Number of assets: Pricing tiers are based on the number of assets included in the package.
- Qualys Cloud Platform Apps: The specific applications you select will affect the final cost.
- License type: The type of license, such as a subscription or perpetual license, will affect the price.
Qualys Compliance Solutions
Services Offered
Qualys Compliance Solutions deliver a set of tools to help organizations meet regulatory requirements, reduce misconfiguration risks, and improve audit readiness across hybrid environments.
Core services include:
- Policy Compliance (PA): Automates assessment against security policies using a robust library of prebuilt controls. Supports compliance with standards like PCI DSS, HIPAA, ISO 27001, and more.
- File Integrity Monitoring (FIM): Monitors critical systems for unauthorized changes with “low-noise” alerts, helping reduce false positives and ensuring integrity of sensitive environments.
- Security Assessment Questionnaire (SAQ): Enables self-assessments for regulations like PCI and DORA, letting organizations document and demonstrate their security controls.
- Custom Assessment and Remediation (CAR): Supports tailored compliance workflows by detecting and remediating misconfigurations and vulnerabilities specific to an organization’s environment.
- CyberSecurity Asset Management (CSAM): Enhances compliance by discovering and classifying in-scope assets, including middleware and databases, with improved visibility and business context.
- PCI Approved Scanning Vendor (ASV): Performs the required external PCI DSS 4.0 scans using Qualys’ ASV-certified tools, helping organizations maintain quarterly compliance.
- Cloud Application Compliance Dashboards: Provides prebuilt templates and profiles for tracking compliance gaps and visualizing risk across cloud applications.
Pricing
Qualys Compliance Solutions uses a custom pricing model that adjusts based on the size of the business, number of assets, and specific compliance requirements. While general pricing details are not publicly standardized, publicly available information suggests the basic plan starts at $1,500 per year.
The basic plan includes automated compliance assessments, continuous monitoring, and access to pre-built templates. These capabilities support businesses in maintaining compliance with common standards like SOC 2, ISO 27001, PCI DSS, and HIPAA.
Organizations with more complex cloud security and compliance needs, such as broader asset coverage or advanced reporting, can request a custom quote.
Qualys vs. CyCognito
While both Qualys and CyCognito offer tools for attack surface management, their approaches differ significantly in terms of automation, asset discovery, testing depth, and overall ease of use.
Discovery and Coverage
CyCognito uses zero-input discovery, requiring no configuration, seeds, or agents to begin mapping an organization’s external attack surface. It applies OSINT techniques and advanced attribution to uncover unknown assets across subsidiaries, cloud services, partners, and more. Qualys’ discovery relies on predefined seed data, manual tagging, and integrations such as CMDBs. The platform imposes limits such as a 1,000-asset discovery cap and requires user input to identify and categorize assets, often missing untracked systems.
Automated Testing
CyCognito performs unauthenticated, automated security testing using over 90,000 testing modules. It covers CVEs, OWASP Top 10 issues, data breaches, and more without needing additional tools or agents. Qualys lacks native unauthenticated testing in its EASM module and requires separate products like VMDR and WAS to scan externally exposed assets, typically using agent-based or passive methods.
Business Context and Mapping
CyCognito builds a full organizational map using machine learning and NLP, identifying subsidiaries and external entities without user input. Qualys does not generate an organizational map or automatically discover business units, leading to gaps in visibility, especially for M&A activity or distributed environments.
Prioritization and Risk Focus
CyCognito focuses on the top 0.01% of critical issues by factoring in exploitability, attacker interest, and business impact. Its prioritization model reduces noise and cuts mean time to remediation by over 60%. Qualys prioritization depends on passive inputs from threat intelligence and lacks visibility into attacker behavior or asset attractiveness, which can delay remediation.
Remediation and Validation
CyCognito includes remediation validation tools to confirm fixes and generates step-by-step remediation plans. Qualys EASM lacks these features, often requiring manual follow-up to validate remediations or coordinate fixes.
Summary
CyCognito offers broader visibility, deeper automation, and more actionable risk insights out of the box. Qualys requires a combination of modules, configurations, and integrations to deliver similar outcomes, and still may miss unknown assets or fail to validate remediation actions. For organizations focused on uncovering shadow IT and prioritizing real-world security risks with minimal manual effort, CyCognito delivers a more autonomous and scalable solution.