Qualys WAS

Category: DAST
License: Commercial
Suphi Cankurt
AppSec Enthusiast
Updated February 12, 2026
4 min read

Qualys Web Application Scanning (WAS) is an enterprise cloud DAST platform built for organizations with large application portfolios. It has scanned 370,000+ web applications and APIs, detecting 25+ million vulnerabilities across its customer base.

[Image: Qualys WAS web application inventory dashboard showing discovered assets and risk scores]

The platform is part of the Qualys Cloud Platform, which means web application findings correlate with infrastructure vulnerabilities, asset inventory, and policy compliance data in a single console.

Feature | Details
Deployment | Cloud SaaS (scanner appliances for internal apps)
Apps scanned | 370,000+
Vulnerabilities found | 25M+
AI detection rate | 96%
Scan time reduction | Up to 80% with AI optimization
Coverage | OWASP Top 10, API Security Top 10
API testing | REST, SOAP, OpenAPI v3 import
Risk scoring | TruRisk (business context)
Malware detection | Deep learning behavioral analysis
PII detection | GDPR, HIPAA, PCI DSS sensitive data

What is Qualys WAS?

Qualys WAS crawls web applications and APIs, sends crafted requests to probe for vulnerabilities, and reports findings with risk-based prioritization through TruRisk scoring. SQL injection, XSS, authentication flaws, misconfigurations — the standard DAST tool detection set.

What separates it from standalone DAST products is the platform integration. Qualys WAS findings sit alongside network vulnerability data, cloud security posture, and asset inventory information. For enterprise security teams that already use Qualys for infrastructure scanning, adding WAS means one fewer console to manage.

For external applications, scanning runs entirely from the cloud. For internal applications behind firewalls, Qualys provides scanner appliances that execute locally and report back to the cloud platform.

[Image: Qualys WAS continuous monitoring dashboard showing scan status and vulnerability trends]

Platform Play
Qualys WAS is strongest when used alongside other Qualys modules. If you are not already in the Qualys ecosystem, the platform integration advantage disappears. Standalone DAST tools may offer better value for teams that only need web application scanning.

Key features

AI Scan Optimization
Machine learning adapts crawling behavior to each application’s architecture. Qualys reports a 96% detection rate and up to an 80% reduction in scan time compared to traditional sequential scanning.
TruRisk Scoring
Risk scores that factor in vulnerability severity, exploitability, asset criticality, active exploitation data, and remediation complexity. Prioritizes by business impact rather than raw CVSS numbers.
API Security Testing
Tests REST and SOAP APIs. Imports OpenAPI v3 specs to map all documented endpoints. Checks for OWASP API Security Top 10 including broken object-level authorization and excessive data exposure. Detects spec drift.
Malware Detection
Behavioral analysis using deep learning identifies compromised websites serving malicious content. Catches zero-day threats that signature-based scanners miss. Alerts before search engines blacklist infected sites.
PII Exposure Detection
Scans for exposed personally identifiable information relevant to GDPR, HIPAA, and PCI DSS. Flags sensitive data in application responses that should not be publicly accessible.
Application Discovery
Automatically finds web applications across your environment that the security team may not know about. Scans external-facing apps, internal apps via scanner appliances, and cloud-hosted apps in AWS, Azure, and GCP.

Authentication support

Qualys WAS supports multiple authentication methods for testing protected applications:

  • Form-based — Record login sequences for web applications
  • HTTP Basic/Digest — Direct credential injection
  • OAuth 2.0 — Configure OAuth flows for API testing
  • Client certificates — Mutual TLS for certificate-based auth
  • Custom headers — API keys, bearer tokens, and custom auth schemes

[Image: Qualys WAS remediation workflow showing vulnerability prioritization and fix tracking]

Integrations

CI/CD: Jenkins, Azure DevOps, GitHub Actions, Bamboo
Ticketing & SIEM: ServiceNow, Jira, Splunk
Manual Testing Import: Burp Suite, ZAP, BugCrowd

Scan Consolidation
Qualys WAS can import manual testing results from Burp Suite, ZAP, and BugCrowd. This lets you combine automated DAST findings with manual pentest data in a single view.

Getting started

1. Provision Qualys WAS — Activate WAS within the Qualys Cloud Platform. No on-premises infrastructure needed for external scanning.
2. Add web applications — Specify URLs and authentication details. Use the API or web console to create web application records.
3. Configure scan profiles — Set scan scope, authentication, crawl limits, and scheduling. Assign TruRisk asset criticality levels for risk-based prioritization.
4. Run scans — Execute manually, on schedule, or trigger via CI/CD integration. For internal apps, deploy a Qualys scanner appliance inside your network.
5. Review with TruRisk — Findings are scored by business risk, not just CVSS. Use the Qualys platform to correlate web app vulnerabilities with infrastructure findings.

API usage

# Create a web application
curl -X POST "https://qualysapi.qualys.com/qps/rest/3.0/create/was/webapp" \
  -H "Authorization: Basic ${QUALYS_CREDENTIALS}" \
  -H "Content-Type: application/xml" \
  -d '<?xml version="1.0" encoding="UTF-8"?>
      <ServiceRequest>
        <data>
          <WebApp>
            <name>Production App</name>
            <url>https://app.example.com</url>
          </WebApp>
        </data>
      </ServiceRequest>'

# Launch a vulnerability scan
curl -X POST "https://qualysapi.qualys.com/qps/rest/3.0/launch/was/wasscan" \
  -H "Authorization: Basic ${QUALYS_CREDENTIALS}" \
  -H "Content-Type: application/xml" \
  -d '<?xml version="1.0" encoding="UTF-8"?>
      <ServiceRequest>
        <data>
          <WasScan>
            <name>Weekly Scan</name>
            <type>VULNERABILITY</type>
            <target>
              <webApp><id>67890</id></webApp>
            </target>
          </WasScan>
        </data>
      </ServiceRequest>'
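The two curl calls above and steps 2 and 4 of the getting-started list are one flow: create the web application record, read its id out of the response, then launch a scan against that id. The client below is an added example written for this page, not Qualys's own SDK; it assumes the ServiceResponse layout shown in the constructed sample (responseCode, then data/WebApp/id) and reads the base64 user:password token from QUALYS_CREDENTIALS, the same variable the curl calls use.

```python
import os
import urllib.request
import xml.etree.ElementTree as ET

BASE_URL = "https://qualysapi.qualys.com/qps/rest/3.0"  # endpoint root used on this page

def build_create_webapp_request(name: str, url: str) -> bytes:
    """Body for /create/was/webapp; ElementTree escapes '&' and '<' in the name."""
    req = ET.Element("ServiceRequest")
    webapp = ET.SubElement(ET.SubElement(req, "data"), "WebApp")
    ET.SubElement(webapp, "name").text = name
    ET.SubElement(webapp, "url").text = url
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)

def build_launch_scan_request(scan_name: str, webapp_id: int) -> bytes:
    """Body for /launch/was/wasscan, same shape as the page's second curl call."""
    req = ET.Element("ServiceRequest")
    scan = ET.SubElement(ET.SubElement(req, "data"), "WasScan")
    ET.SubElement(scan, "name").text = scan_name
    ET.SubElement(scan, "type").text = "VULNERABILITY"
    target = ET.SubElement(scan, "target")
    ET.SubElement(ET.SubElement(target, "webApp"), "id").text = str(webapp_id)
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)

def parse_object_id(response_xml: bytes, tag: str) -> int:
    """Read <data><tag><id> from a ServiceResponse (layout assumed); raise on non-SUCCESS."""
    root = ET.fromstring(response_xml)
    code = root.findtext("responseCode")
    if code != "SUCCESS":  # fail the pipeline step loudly instead of scanning nothing
        detail = root.findtext("responseErrorDetails/errorMessage") or "no detail"
        raise RuntimeError(f"Qualys WAS API returned {code}: {detail}")
    return int(root.findtext(f"data/{tag}/id"))

def post_xml(path: str, body: bytes) -> bytes:
    """POST a ServiceRequest; QUALYS_CREDENTIALS is the page's base64 user:password token."""
    headers = {"Authorization": "Basic " + os.environ["QUALYS_CREDENTIALS"],
               "Content-Type": "application/xml"}
    req = urllib.request.Request(BASE_URL + path, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()

def create_and_launch(name: str, url: str, scan_name: str = "Weekly Scan") -> int:
    """Create the web app, then launch a scan on the id the create call returned."""
    created = post_xml("/create/was/webapp", build_create_webapp_request(name, url))
    webapp_id = parse_object_id(created, "WebApp")
    launched = post_xml("/launch/was/wasscan", build_launch_scan_request(scan_name, webapp_id))
    return parse_object_id(launched, "WasScan")

# Constructed sample of a successful create response (not captured from Qualys).
SAMPLE_CREATE_RESPONSE = b"""<ServiceResponse><responseCode>SUCCESS</responseCode><count>1</count>
<data><WebApp><id>67890</id><name>Production App</name></WebApp></data></ServiceResponse>"""
```

Calling create_and_launch("Production App", "https://app.example.com") from a CI job reproduces the page's two curl calls and returns the scan id to poll or record.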

[Image: Qualys TruRisk platform dashboard showing risk scores across web applications]

When to use Qualys WAS

Qualys WAS makes sense for enterprises already on the Qualys Cloud Platform. The unified view across web apps, infrastructure, and cloud posture is its main differentiator. TruRisk scoring adds business context that raw CVSS numbers lack.

It is also a reasonable choice for organizations with large application portfolios (hundreds or thousands of apps) that need automated discovery and scheduled scanning at scale.

For smaller teams or those not in the Qualys ecosystem, the platform may be more than you need. Standalone DAST tools like StackHawk or Nuclei offer lower entry points and can be more practical for teams scanning a handful of applications.

Frequently Asked Questions

What is Qualys WAS?
Qualys Web Application Scanning is an enterprise cloud DAST platform that tests web applications and APIs for security vulnerabilities. It has scanned 370,000+ web apps and APIs, detecting 25+ million vulnerabilities. Part of the broader Qualys Cloud Platform for unified vulnerability management.
How does Qualys WAS use AI?
Qualys WAS uses machine learning to optimize scan patterns, achieving a 96% detection rate while reducing scan times by up to 80% on large applications. The AI adapts crawling behavior based on application architecture and prioritizes likely vulnerability patterns.
What is TruRisk scoring in Qualys WAS?
TruRisk is Qualys’s risk quantification system. It factors in vulnerability severity, exploitability, asset criticality, active threat intelligence, and remediation complexity to produce a business-context risk score rather than a raw CVSS number.
Does Qualys WAS test APIs?
Yes. Qualys WAS tests REST and SOAP APIs, imports OpenAPI v3 specifications to map endpoints, and checks for OWASP API Security Top 10 vulnerabilities including broken object-level authorization and excessive data exposure. It also detects API specification drift.
What CI/CD integrations does Qualys WAS support?
Qualys WAS integrates with Jenkins, Azure DevOps, GitHub Actions, TeamCity, and Bamboo for CI/CD. It also connects to ServiceNow, Jira, and Splunk for ticketing and SIEM, and can ingest manual testing data from Burp Suite, ZAP, and BugCrowd.
