Qualys VMDR
Qualys VMDR (Vulnerability Management, Detection and Response) is a cloud-based vulnerability management platform. In Invicti ASPM, the integration connects to your Qualys subscription to import vulnerability scan results into your projects, with support for binding to existing scans, fetching historical results, or launching new scans.
Prerequisites
| Field | Description |
|---|---|
| Username | Qualys account username |
| Password | Qualys account password |
| URL | the base URL of your Qualys platform API (e.g., https://qualysapi.qualys.com) |
Get credentials (on Qualys side)
- Log in to the Qualys console.
- Use your Qualys **username** and **password** for the integration.
- Obtain the correct API URL for your Qualys subscription from the Qualys support documentation or your account page. The API endpoint differs by region (e.g., US, EU, India).
TIP
The API URL format is https://qualysapi.<region>.qualys.com. Check your Qualys account settings to confirm the correct regional endpoint.
Step 1: Navigate to Integrations
From the left sidebar menu, click Integrations.
Step 2: Select the Infra tab
On the Integrations > Scanners page, click the **Infra** tab.
Step 3: Find and activate Qualys VMDR
Scroll through the list of Infra scanners to find Qualys VMDR.
If Qualys VMDR is not activated, click **Activate** to enable the integration.
Step 4: Configure connection settings
Click the gear icon on the Qualys VMDR card to open the settings panel. Fill in the required fields:
| Field | Description | Required |
|---|---|---|
| Username | Qualys account username | Yes |
| Password | Qualys account password | Yes |
| URL | base URL of the Qualys API for your subscription | Yes |
| Insecure | skip TLS certificate verification (use only for self-signed certificates) | No |
Step 5: Test the connection
Click Test Connection. A green Connection successful message confirms that Invicti ASPM can authenticate with the Qualys API.
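The URL and Insecure fields decide whether the Qualys password travels over a verified TLS channel. The pre-flight check below is an added example, not part of Invicti ASPM or Qualys tooling; `check_settings` and `verify_tls` are hypothetical helper names, and the allowed host suffix follows the URL format given in this page's tip and is an assumption to extend for your subscription.

```python
from __future__ import annotations
import socket
import ssl
from urllib.parse import urlsplit

# Assumption: suffix taken from this page's qualysapi.<region>.qualys.com format;
# extend it if your Qualys account page lists a different domain.
ALLOWED_SUFFIXES = (".qualys.com",)

# Constructed sample values, not real settings.
SAMPLES = [
    ("https://qualysapi.qualys.com", False),
    ("http://qualysapi.qualys.com", False),
    ("https://svc:secret@qualysapi.qualys.com/api/2.0/", False),
    ("https://qualysapi.qualys.com.example.net", True),
]


def check_settings(url: str, insecure: bool = False) -> list[str]:
    """Return findings for the URL and Insecure connection fields."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("scheme is not https: credentials would be sent unencrypted")
    if parts.username or parts.password:
        findings.append("credentials in URL: use the Username and Password fields")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        findings.append("path or query present: the field expects the base URL")
    if not (host.startswith("qualysapi.") and host.endswith(ALLOWED_SUFFIXES)):
        findings.append(f"host {host!r} does not match qualysapi.<region>.qualys.com")
    if insecure:
        findings.append("Insecure is on: the server certificate is not verified")
    return findings


def verify_tls(host: str, port: int = 443, cafile: str | None = None) -> str:
    """Handshake with verification on; a bad chain raises ssl.SSLCertVerificationError.

    Pass cafile to test against a proxy's own CA bundle.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    for url, insecure in SAMPLES:
        print(url, check_settings(url, insecure) or "ok")
```

An empty list from `check_settings` means the URL field is a bare HTTPS base URL on an expected host; `verify_tls` needs network access and is meant to be run from the host that reaches Qualys.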
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the Infra tab |
| 3 | Activate Qualys VMDR |
| 4 | Enter Username, Password, and URL |
| 5 | Test the connection |
Create a scan
Navigate to project scanners
- Open a project in Invicti ASPM.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Qualys VMDR scanner
- Select Infra as the scanner type.
- Choose Qualys VMDR from the scanner list.
- Click Add to open the scan configuration drawer.
Scan configuration fields
The Qualys VMDR scan drawer offers three trigger modes:
| Trigger mode | Description |
|---|---|
| Bind to a Qualys VMDR Scan | link to an existing Qualys scan and import its latest results |
| Get Existing Scan Results | fetch results from a completed Qualys scan without triggering a new one |
| Create New Scan | launch a new Qualys scan using a specified option profile and target IP |
Common fields
| Field | Description | Required |
|---|---|---|
| Profile Name | a name to identify this scan configuration | Yes |
| Meta Data | additional metadata to tag the scan | Yes |
| Scan Tag | free-text tag to identify or group scans | No |
| Severity+ | increase severity of imported findings by one level | No |
| Severity- | decrease severity of imported findings by one level | No |
Fields for "Bind to" and "Get Existing Scan Results"
| Field | Description | Required |
|---|---|---|
| Bind to | select the existing Qualys scan to bind to or fetch results from | Yes |
Fields for "Create New Scan"
| Field | Description | Required |
|---|---|---|
| Option Profiles | select the Qualys option profile to use for the new scan | Yes |
| IP | target IP address or hostname for the new scan | Yes |
| Scan Title | a title for the newly created Qualys scan | Yes |
NOTE
Severity+ and Severity- are mutually exclusive — only one can be enabled at a time.
Scheduler
Enable the Scheduler toggle to automatically run Qualys VMDR scans on a recurring schedule.
Webhook (optional)
Add a webhook URL to receive scan completion notifications.
KDT command
kdt scan -p <project_name> -t qualysinfra -b -
Troubleshooting
Connection fails
| Issue | Resolution |
|---|---|
| Invalid username or password | verify the credentials in the Qualys console. Ensure the account is active and has API access enabled. |
| URL unreachable | confirm you're using the correct regional API URL for your Qualys subscription. |
| API access not enabled | Qualys API access must be explicitly enabled for the account in the Qualys admin settings. |
| TLS certificate error | if using a proxy with a self-signed certificate, enable the **Insecure** option in the connection settings. |
Scan issues
| Issue | Resolution |
|---|---|
| No scans in Bind to dropdown | ensure at least one scan exists in your Qualys subscription and the account has access to it. |
| New scan fails to start | verify that the target IP is within a subscribed Qualys scan scope and the selected option profile is compatible. |
| Scan shows no findings | the bound scan may have no active vulnerabilities, or the scan may not have completed successfully. Check the Qualys console. |
| Scan results are outdated | use Get Existing Scan Results to force a fetch, or enable the Scheduler to pull results automatically. |
Best practices
- Use a dedicated Qualys account for Invicti ASPM with the minimum required API permissions.
- Use the Bind to a Qualys VMDR Scan trigger mode when your scan schedule is managed in Qualys — this avoids creating duplicate scans.
- Use Create New Scan only when you need Invicti ASPM to own the scan lifecycle.
- Rotate Qualys credentials periodically and update the integration settings in Invicti ASPM accordingly.
Limitations
- Qualys VMDR in Invicti ASPM doesn't support scanner appliance management; appliances must be configured in the Qualys console.
- Only scans and option profiles accessible via the provided credentials are available for selection.
- Creating new scans via Invicti ASPM consumes Qualys scan credits; monitor usage in the Qualys console.
