VMDR, TotalCloud, Context XDR, Patch Management, and Enterprise TruRisk Platform. Our benchmark database covers 110+ Qualys enterprise contracts. Here is what the asset-based pricing model costs at scale — including the module bundling decisions that determine total cost of ownership.
Per IP address (asset) per year subscription; modular platform with bundle pricing
1–3 year subscription; 3-year terms receive 8–15% additional discount
25–45% off list; highest in competitive Tenable and Rapid7 evaluations
120 days recommended; Qualys contacts at 90 days typically
Qualys is a cloud-native platform that pioneered the SaaS model for vulnerability management — Qualys has been cloud-delivered since its founding in 1999, making it one of the earliest enterprise security SaaS businesses. The pricing model is built on per-IP-address (asset) annual subscriptions, with the platform organized into discrete modules that can be purchased individually or bundled into the Enterprise TruRisk Platform package.
The core module is VMDR (Vulnerability Management, Detection, and Response), which combines asset discovery, continuous vulnerability scanning, threat intelligence-based prioritization (TruRisk scoring), and automated workflow routing for remediation. On top of VMDR, Qualys offers: Patch Management (automated patch deployment integrated with VMDR findings), Policy Compliance (CIS benchmark, DISA STIG, and custom policy assessment), TotalCloud (CSPM, CWPP, and IaC scanning for cloud environments), Context XDR (extended detection and response integrating VMDR telemetry with endpoint behavioral data), and Web Application Scanning (WAS).
The Enterprise TruRisk Platform bundles VMDR, Patch Management, Policy Compliance, and TotalCloud CSPM into a single per-IP per-year subscription. This platform bundle is Qualys's primary commercial vehicle for large enterprise accounts and is where the most aggressive pricing is available. See the full enterprise cybersecurity pricing guide for how Qualys competes across the vulnerability management and exposure management market.
Our benchmark data across 110+ Qualys enterprise contracts shows that the range between an unprepared buyer's outcome and a well-negotiated deal can exceed 40% on total contract value. Asset-based pricing means that the unit economics matter enormously at scale.
| Product / Module | List Price | Enterprise Benchmark | Achievable Discount |
|---|---|---|---|
| VMDR (per IP/yr) | $20–$40 | $12–$28 | 28–40% |
| Patch Management (per IP/yr) | $12–$22 | $7–$15 | 30–40% |
| Policy Compliance (per IP/yr) | $10–$18 | $6–$12 | 30–38% |
| TotalCloud CSPM (per connector) | $200–$500/yr | $130–$340/yr | 28–38% |
| Enterprise TruRisk Platform | $60–$100/IP/yr | $36–$65/IP/yr | 30–45% |
| Web App Scanning (per app/yr) | $500–$3,000/app/yr | $320–$1,900/app/yr | 30–40% |
Submit your Qualys contract for a full pricing benchmark within 24 hours. Our database covers 110+ Qualys enterprise deals across VMDR, TotalCloud, and Enterprise TruRisk — see exactly where your per-asset pricing stands.
Qualys occupies the number-two position in vulnerability management alongside Tenable, with both vendors engaged in a long-running competitive battle for enterprise accounts. This competitive dynamic creates real discount opportunity for buyers who understand how to leverage it.
Competitive evaluation against Tenable: When Qualys faces a documented evaluation against Tenable.io or Tenable One, discount authorization rises to 35–45% off list. Qualys tracks Tenable's pricing closely and will price to win in head-to-head evaluations. The mechanism is the same: document the competitive evaluation formally, route it to Qualys sales management rather than just the account rep, and provide Tenable's actual quote rather than vague competitive references. The specificity of the competitive threat determines the depth of discount authorization.
Enterprise TruRisk Platform bundle commit: The platform bundle is where Qualys offers its most aggressive per-IP pricing. A 3-year TruRisk Platform commitment for 10,000+ assets on a direct enterprise deal achieves 38–45% below list pricing — the combination of volume, term, and platform breadth creates the highest discount authorization. Compare the all-in TruRisk Platform price against buying VMDR, Patch, Compliance, and TotalCloud separately: the bundle consistently delivers 20–30% better economics than individual module purchases.
Asset tier crossings: Qualys's volume pricing tiers create step-function per-IP price decreases at threshold crossings — typically 500, 1,000, 2,500, 5,000, 10,000, and 25,000+ IPs. If your asset count sits within 10–15% of a threshold, evaluate whether committing to the higher tier with a growth provision creates better unit economics than renewing at your current tier. Our benchmarks show tier-crossing deals often achieve 8–14% better per-IP pricing than the same asset count just below the threshold.
Fiscal year-end (December 31): Qualys's fiscal year ends December 31. Q4 deals — October through December — achieve the deepest annual discounts. November and December represent the highest discount authority period in the calendar year. Our benchmarks show Q4 Qualys deals achieving 6–14% better pricing than equivalent Q1 or Q2 deals on identical configurations.
VMDR is Qualys's flagship product and the starting point for virtually every enterprise Qualys deployment. The platform provides continuous multi-vector asset discovery (agent-based, network scanning, cloud connector, API), authenticated and unauthenticated vulnerability scanning, CVE-based detection enriched with Qualys's TruRisk scoring (combining CVSS severity with threat intelligence and exploitability data), and workflow automation for routing findings to ITSM tools like ServiceNow, Jira, and Remedy. VMDR at 10,000 IPs list pricing runs approximately $300,000–$400,000 per year; enterprise negotiated pricing brings this to $180,000–$280,000 depending on competitive situation and term.
Qualys Patch Management provides automated patch deployment integrated directly with VMDR vulnerability findings — closing the loop between detection and remediation without requiring a separate SCCM or WSUS workflow. Patching from within the VMDR workflow is Qualys's core differentiation against Tenable, which requires third-party patch management integration. Patch Management is priced per IP per year separately from VMDR; enterprises bundling Patch with VMDR consistently achieve better blended pricing than purchasing each module independently.
Qualys TotalCloud provides CSPM across AWS, Azure, GCP, and OCI cloud environments — assessing security posture against CIS benchmarks, cloud provider security best practices, and custom policies. TotalCloud includes infrastructure-as-code (IaC) scanning (Terraform, CloudFormation, ARM templates) and container security (registry scanning and runtime protection). The TotalCloud pricing model is per cloud connector (per cloud account) for CSPM, and per workload for cloud workload protection. Organizations with large multi-cloud estates should negotiate TotalCloud pricing as part of the Enterprise TruRisk Platform bundle rather than as a standalone add-on.
Context XDR extends VMDR into detection and response by correlating vulnerability data with endpoint behavioral telemetry, network traffic analysis, and log data from SIEM integrations. It provides security operations teams with context-enriched alerts — combining "this endpoint has a critical vulnerability" with "this endpoint is currently exhibiting suspicious behavior" into a single prioritized finding. Context XDR is priced per asset per year as an add-on to VMDR; it competes with XDR offerings from SentinelOne, CrowdStrike, and Palo Alto for budget in security operations center environments.
The TruRisk Platform is Qualys's answer to the enterprise platform consolidation trend — combining VMDR, Patch Management, Policy Compliance, and TotalCloud CSPM into a single per-IP annual subscription. At list pricing of $60–$100 per IP per year, it appears expensive compared to VMDR alone, but the blended cost of buying all four modules separately is consistently 25–40% higher than the platform bundle. For organizations that genuinely need all four capabilities, the TruRisk Platform is the most economically rational purchase — and the most aggressively discounted Qualys product in competitive situations against full-platform alternatives.
Qualys's asset-based pricing creates specific mechanisms that inflate costs for organizations that do not manage their contracts actively. Our analysis of 110+ contracts identifies these recurring patterns.
IP discovery versus contracted IP count: Qualys counts all IP addresses discovered by the scanner during any scan — including transient cloud instances, VPN-connected remote devices, and network infrastructure that may not be actively managed. The "discovered IP" count in quarterly Qualys platform reports routinely exceeds the contracted IP count for large enterprise deployments. Without an explicit contractual definition of "licensed IP" (managed, persistent assets) versus "discoverable IP" (everything the scanner can reach), renewal quotes embed the expanded discovered count as the new baseline.
Module add-on pricing at list mid-term: Qualys consistently quotes add-on modules (Patch Management, Policy Compliance, WAS) at list pricing when added to an existing VMDR contract mid-term, regardless of the discount received on the original VMDR purchase. A master agreement provision specifying that any add-on modules are priced at the contracted VMDR discount rate is essential for large enterprise accounts.
TotalCloud connector scope creep: TotalCloud pricing per cloud connector (per cloud account) can expand rapidly as organizations add cloud accounts, sub-accounts, and organization units in AWS, Azure, and GCP hierarchies. An enterprise managing 50 AWS accounts may discover it needs 50 TotalCloud connectors — not the 10 or 15 scoped in the initial conversation. Negotiate connector pricing on a per-organization or per-enterprise basis rather than strictly per-account to manage this exposure.
WAS app count definition: Web Application Scanning is priced per web application. The definition of "web application" in Qualys's standard terms is sufficiently broad to encompass each subdomain, API endpoint collection, or separately authenticated web property. An enterprise with a complex web presence can face a WAS quote covering 200+ "applications" when its IT team considers itself to have 20–30 primary web applications. Negotiate a clear WAS application definition in the master agreement before purchase.
Qualys renewal mechanics follow the same pattern as other enterprise SaaS businesses with entrenched accounts: the initial renewal quote comes in above prior-year levels, the account team cites expanded feature sets, and timing pressure is applied as the renewal date approaches. Understanding this pattern is a prerequisite to countering it.
What changes at renewal without active management: per-IP pricing increases 5–8% year-over-year; if asset discovery has identified new IPs beyond the contracted count, the renewal quote incorporates the expanded count at new (often higher per-IP) pricing; TruRisk Platform pricing may reset toward list if the original deal was deeply discounted in a competitive situation. What you can hold or improve: per-IP pricing can be held or improved with Tenable competitive evidence; IP count can be renegotiated based on actual managed asset count (excluding discovered-only IPs); multi-year commitment can lock pricing for 3 years.
The renewal leverage point most Qualys customers underutilize: the Tenable comparison. Request current Tenable.io pricing for your asset count from a Tenable account team or reseller. Present this pricing to Qualys with a statement that you are conducting a formal renewal evaluation that includes a Tenable migration assessment. Qualys's response to credible Tenable competitive pressure is predictable — discount authorization rises immediately. The cost of the evaluation process (time to obtain a Tenable quote) is consistently worth the 15–25 additional discount points it unlocks on the Qualys renewal.
Qualys VMDR runs $20–$40 per IP per year list. Enterprise TruRisk Platform (VMDR + Patch + Compliance + TotalCloud) runs $60–$100 per IP per year list. Enterprises with 10,000+ assets commonly spend $400K–$2M+ annually. Negotiated enterprise pricing achieves 25–45% below list, with the deepest discounts at large asset counts in competitive Tenable evaluations.
Qualys enterprise discounts range from 25–45% off list. Competitive evaluations against Tenable and Rapid7 achieve 35–45% discounts. Multi-year commitments (3-year) add 8–15%. Qualys's fiscal year ends December 31 — Q4 deals achieve the deepest discounts. Platform bundle deals (TruRisk Platform) tend to achieve higher percentage discounts than individual module purchases.
Qualys VMDR includes asset inventory and discovery, continuous vulnerability scanning across IT assets (on-premises, cloud, containers), threat intelligence-based TruRisk scoring for prioritization, workflow automation for remediation routing, and dashboard/reporting. It does not include patch management, cloud security posture management, policy compliance, or web application scanning — these are separate Qualys modules or bundle components.
TotalCloud is Qualys's CSPM and cloud workload protection platform for AWS, Azure, GCP, and OCI. It includes security posture assessment against CIS benchmarks, IaC scanning, and container security. Pricing runs $200–$500 per cloud connector per year for CSPM. Organizations bundle TotalCloud with VMDR in the TruRisk Platform at significant package discounts versus standalone pricing.
Qualys VMDR is typically 5–15% below Tenable.io at list pricing for comparable asset counts. At negotiated enterprise pricing, both are within 5–10% of each other. Qualys's advantage is a broader integrated platform (VMDR + Patch + Compliance + TotalCloud) at competitive pricing; Tenable's advantage is stronger OT/ICS coverage and scanning accuracy. Both vendors will match each other's pricing when presented with credible competitive alternatives.