Manage and Run FlexScan for Cloud Security Assessments
FlexScan is a unified, zero-touch scanning framework in Qualys TotalCloud that automates cloud asset discovery and vulnerability assessment. It integrates multiple scanning technologies, both agent-based and agentless, to deliver comprehensive, continuous visibility into your cloud environments.
FlexScan enables security teams to assess cloud workloads without manual setup, ensuring that new and existing assets remain continuously evaluated for vulnerabilities and compliance risks.
Before proceeding with the configurations, review the Prerequisites for FlexScan.
FlexScan Overview
FlexScan supports multiple assessment types, each suited for specific use cases. You can select one or more scan types depending on your cloud architecture and security requirements.
API-Based Assessment
API-based assessment uses cloud provider APIs, such as AWS APIs, to collect OS package inventory data from workloads for vulnerability analysis. This agentless method identifies vulnerabilities that may arise between agent scan intervals. When combined with agent-based scanning, API-based assessments provide complete coverage by securing newly deployed or short-lived workloads.
API-based scans run automatically on assets discovered through connector runs or EventBridge alerts. You can configure API-based assessments on connectors in CloudView or AssetView.
See Configure Zero-Touch API-Based Assessment for setup instructions.
Snapshot-Based Assessment
Snapshot-based assessment performs large-scale vulnerability analysis on workload snapshots without affecting live environments. This agentless method evaluates vulnerabilities, risk posture, and compliance for virtual machines and compute instances.
After you configure service and target accounts in your AWS console using the required CloudFormation templates, you can include multiple accounts in one assessment.
See Configure Zero-Touch Snapshot-Based Assessment for AWS or Configure Zero-Touch Snapshot-Based Assessment for Azure for detailed configuration steps.
Additional Snapshot Scan Techniques
Snapshot-based Scan for AWS also extends the scans to the following:
- Amazon Machine Images - Evaluates the security and compliance of Amazon Machine Images (AMIs) before deployment, ensuring only validated images enter production.
- Software Composition Analysis - Identifies vulnerabilities and licensing risks in open-source components and third-party libraries, strengthening software supply chain integrity.
- Secret Detection - Locates and reports exposed credentials, tokens, and other sensitive data within workloads to prevent unauthorized access and data leaks.
Cloud Perimeter Scan
Cloud Perimeter Scan uses Qualys External Scanners hosted on the Qualys Cloud Platform to assess workloads accessible over the internet. FlexScan automatically deploys the correct scanner when new workloads are created.
This method provides a network-level perspective of your cloud environment and is best suited for internet-facing workloads or assets where agents cannot be installed. Network scanners detect protocol-level vulnerabilities and provide an external view of your security exposure.
See Configure Cloud Perimeter Scan for configuration guidance.
Qualys Agent Scan
Qualys Agent Scan uses AWS Systems Manager (SSM) documents and Run Command for agent-based scanning. Qualys provides public SSM documents that can be used directly or provisioned through Qualys Flow.
You can trigger scans through Qualys Flow or AWS SSM State Manager.
See Configure Qualys Agent Scan for details.
Run FlexScan
- Open the Connectors application.
  The list displays all configured connectors from TotalCloud or Connector applications.
- Select one or more connectors to configure for FlexScan.
- Select Configure FlexScan.
- Choose one or more scan types: API-based, Snapshot-based, or Cloud Perimeter.
  Note: If FlexScan settings already exist for a connector, selecting Configure overwrites them. To proceed, enable the Modifying the settings now... checkbox.
- Select Configure to apply the settings.
View Connectors with FlexScan Enabled
Use the token isFlexScanConfigured with a value of true or false to filter connectors by FlexScan configuration status. This query displays connectors with or without active FlexScan settings.