Qualys VMDR API
Qualys VMDR (Vulnerability Management, Detection and Response) is a cloud-based vulnerability and compliance management platform with a dual API surface: a legacy XML-based API v2 and a newer REST API v3. The platform provides network scanning, cloud agent deployment, asset inventory, vulnerability detection with QIDs (Qualys IDs), compliance assessment against CIS/STIG benchmarks, and web application scanning. Agents can query vulnerability data, manage scan schedules, retrieve compliance reports, and export asset and finding data.
Score Breakdown
🔒 Security
Qualys is a vulnerability management platform. Authentication uses a username and password tied to a subscription. Scan results reveal infrastructure vulnerabilities and are highly sensitive, and API credentials give access to that security data.
Best When
An agent needs to automate vulnerability management workflows in a large enterprise already running Qualys scanners, particularly for compliance reporting and ITSM integration.
Avoid When
Your organization doesn't have Qualys deployed, or you need developer-friendly, lightweight scanning APIs — Qualys is a legacy-heavy enterprise platform.
Use Cases
- Querying vulnerability findings across enterprise assets for automated remediation workflows
- Exporting compliance assessment results for audit evidence and regulatory reporting
- Managing scan schedules and scan targets programmatically across network segments
- Pulling asset inventory with software and hardware details for CMDB synchronization
- Integrating vulnerability data into ITSM platforms like ServiceNow for ticket auto-creation
Not For
- Organizations without a Qualys subscription — no free tier or self-serve API access
- Cloud-native CSPM for ephemeral infrastructure — Qualys is better suited for persistent assets
- Real-time threat detection and response — periodic scanning, not continuous monitoring
- Developer-centric dependency scanning in CI/CD pipelines (use Snyk or Trivy instead)
Interface
Authentication
The legacy XML API v2 uses HTTP Basic Auth (username/password). The REST API v3 uses a Bearer token obtained from the /auth endpoint using a username and password. Tokens expire and must be refreshed. API user accounts must be configured with specific roles and permissions in the Qualys portal. There is no OAuth or API key generation; credentials are tied to user accounts.
Pricing
No public pricing. 30-day trial available but requires sales contact. Annual enterprise contracts. Qualys often bundles multiple modules (VMDR, WAS, Policy Compliance) which affects total cost.
Agent Metadata
Known Gotchas
- ⚠ Legacy XML API v2 returns XML, not JSON — agents must handle dual parsers when using both API versions
- ⚠ API platform URL varies by account region (qualysapi.qualys.com, qualysapi.qg2.apps.qualys.com, etc.) — must configure region-specific endpoint
- ⚠ Large vulnerability exports require chunking via since_datetime and truncation_limit parameters — single requests can time out
- ⚠ Basic auth with username/password (v2 API) means credentials must be stored — no token-only auth flow
- ⚠ Qualys QIDs (internal vulnerability IDs) differ from CVE IDs — agents must map between QID and CVE for external correlation
- ⚠ Scan results are not immediately available after scan completion — processing delay before data appears in API
- ⚠ No official SDK — agents must build HTTP client logic from scratch using documentation examples
Scores are editorial opinions as of 2026-03-06.