Qualys Cloud Agent Application Release 2.5
November 06, 2025 (Updated November 18, 2025)
With this release of Cloud Agent application, we are introducing the following new features and enhancements.
New Feature — Manifest Version Control
We are introducing a new feature — Manifest Version Control (MVC) for the Cloud Agent application. Manifest Version Control (MVC) gives organizations greater control over the Vulnerability Management (VM) manifests used by Cloud Agents. With this feature, you can delay or prevent the automatic assignment of newly published manifests, allowing time for validation in test environments before assigning them to production systems.
The MVC also displays the VM Scan Manifest version details for Windows and Linux Assets. This helps you take an informed decision about whether to use or delay the implementation of the newly available manifest.
This MVC reduces the risk of operational disruptions caused by unforeseen issues in newly released manifests and supports more controlled and reliable security operations at scale.
To create or edit an MVC profile, navigate to the Manifest Version Control tab at Configuration > Version Control Profiles.
The Manifest Version Control feature is not enabled by default. Contact Qualys Support to get it enabled for your account.
Order QIDs based on QDS Score
The Manifest Versions option in the Manifest Version Control tab displays the Vulnerability Management (VM) Manifest details, such as release date, version, delta information, QID count, and change log.
When you click the QID count, the QID window displays all the QIDs detected for the manifest version. Earlier, the detected QIDs were listed randomly. Now, we list the QIDs with descending QDS score. With this enhancement, the QIDs with high risk are displayed at the top of the list to help you prioritize the vulnerability management for new manifests.
To view the QIDs detected for VM Manifest, navigate to Version Control Profiles > Manifest Version Control. Click Manifest Versions > QID Count to view the list of QIDs detected for the selected manifest version.
To learn more about MVC, refer to Manifest Version Control in Cloud Agent Online Help.
New Feature — CPU Limit for Patch Management
In the Qualys Patch Management application, the provision to control CPU utilization is not available. Due to this limitation, Patch Management may cause high CPU utilization, extended scan times, or patch job timeouts.
We have introduced an option to apply the CPU Limit specified for Windows Cloud Agent to Patch Management application. With this enhancement, you can control the resource utilization of the host assets and ensure a smooth patching experience with minimal job timeouts.
You can enable this feature from the Application Configuration window while creating a new configuration profile or editing an existing profile. Select the Enable CPU Limit checkbox in the Application Configuration > Patch Management section.
The CPU Limit defined in the Cloud Agent configuration profile is applied to Patch Management. Using low CPU Limit values may result in higher scan times or patch job timeout.
This feature is not enabled by default. Contact Qualys Support to get it enabled for your account.
To learn more about this feature, refer to Cloud Agent Online Help.
| Required Application Version | Patch Management - 3.7.0 |
Upload Client Certificates to Vault Connections
We have updated the Vault Connections for database authentication to support uploading the client certificates while creating or editing a CCP connection profile. Uploading the certificate files for the CCP Vault Connection profile gives an extra layer of security to the database credentials and ensures that the databases are accessed only by the certified users.
To add a certificate file to a CCP Vault Connection profile, navigate to the Configuration > Vault tab. You can add the certificates in .pfx format while creating or editing a vault connection profile.
This feature is not enabled by default. Contact Qualys Support to get it enabled for your account.
To learn more about Vault Connection profiles, refer to Cloud Agent Online Help.
| Required Application Version | Cloud Agent for Windows 6.4.0 Cloud Agent for Linux Intel 7.3.0 |
Install FedRamp Compliant Cloud Agent
We have introduced a new variable in the Cloud Agent installation command to select a FedRamp-compliant package while installing the Cloud Agent. You can select the FEDRAMP={true|false} to install the FedRamp-compliant package for Windows Cloud Agents. This feature provides better control over FedRamp-compliant Cloud Agent deployment.
Sample Installation Command for installing FedRamp-compliant Cloud Agent:
QualysCloudAgent.exe ACTIVATIONID={xxxxxxx-xxxx-xxxx-xxxxxx} CUSTOMERID={xxxxx-xxx-xxx-xxx-xxx-xxxxx} WEBSERVICEURI=<qualys_platform_url>/CloudAgent/ FEDRAMP=true
Where,
- FEDRAMP=true: FedRamp-compliant Cloud Agent installation. Setting this parameter to true enables the Hash-based Message Authentication (HMAC).
- FEDRAMP=false: Normal Cloud Agent installation
- <qualys_platform_url>: Placeholder for Qualys Platform URL
This feature is available only for the FEDRAMP HIGH Cloud Platform (https://qualysguard.gov1.qualys.us) to ensure the highest level of data security practices are being adopted.
Enable Static and Runtime Analysis for SwCA Scans
We have introduced new options in the SwCA Configuration profile to specify the Software Composition Analysis Setting. With this option, you can specify whether to execute Runtime Analysis or Static Analysis during the SwCA scans.
In the Runtime analysis, SwCA scans application components in production or containerized environments, which are detected during the scan execution. In the Static analysis, SwCA scans the application components that are under development.
To define the Software Composition Analysis Settings, select the Runtime or Static checkbox.
You must select the Runtime checkbox to enable the Static analysis for the SwCA Configuration profile.
| Required Application Version | Cloud Agent for Linux Intel 7.3.0 |
QQL Token Changes
We have renamed the following QQL tokens in the Activation Keys tab to align with the standard token naming convention.
| Old Token Name | New Token Name |
|---|---|
| activationKey.datePurchased | activationKey.purchasedDate |
| activationKey.expireDate | activationKey.expiryDate |
Issues Addressed
There are no notable and important issues for this release.