Skip to content Skip to site navigation Skip to service navigation

Vulnerability Management (Qualys)

Qualys is a commercial vulnerability and web application scanner. It can be used to proactively locate, identify, and assess vulnerabilities so that they can be prioritized and corrected before they are targeted and exploited by attackers. Stanford uses Qualys to scan all administrative networks on a regular basis for known discoverable vulnerabilities. These scans are performed periodically from hosts within the Stanford network.

Qualys can also be used to scan for vulnerabilities in web applications. The Qualys Web Application Scanner (WAS) focuses on web application vulnerabilities, such as the industry-standard Open Web Application Security Project Top 10 list, to categorize the most critical risks faced by web apps. The Qualys Web Application Scanner finds these vulnerabilities, including SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF) and URL redirection. 

Designed for

  • Stanford faculty and staff
  • Can be used for servers and applications


Remediate severity 5 and 4 vulnerabilities within 7 days and severity 3 vulnerabilities within 90 days of discovery.

Data security

Vulnerability management is part of the Stanford Minimum Security Standards and is required for all Data Classifications.


Free of charge

Get started

Qualys scans are performed over the network. You do not need to install any software on your systems to use the service. If you would like to run your own custom scans and generate your own custom reports, request a Qualys account. For network vulnerability scanning, be sure to include the IP address of your machine, or the network that you manage. For web applications, please specify URLs, e.g., You will be required to be listed as either the User or the Admin in NetDB for the respective addresses and/or servers.

If you already have an account, please log in to Qualys using the SAML SSO login page. Sign in using your SUNet ID.

Qualys is a licensed service to Stanford; we'll pay for what we use. You're encouraged to use the service, but as part of our routine system hygiene we purge inactive accounts periodically.

Get help

For assistance, please submit a Help ticket.

Learn more

Last modified November 28, 2018