Enterprise TruRisk Management Release 1.7
March 09, 2026
Introduced TruRisk Customization Using Risk and Compensatory Factors
TruRisk customization lets you define rules that adjust the TruRisk score of an asset based on specific conditions without changing the raw security data itself. This aligns security scoring with business priorities and risk appetite.
The impact of customization of TruRisk Score:
- Original data remains intact and unaltered
- Scores become more business-contextual
- Adjustments are non-destructive
- Fully auditable and reversible
You can customize the TruRisk score by using risk and compensatory factors.
Custom Risk Factor
Focus remediation efforts on what truly impacts your organization by dynamically adjusting TruRisk™ scores based on contextual risk.
- Increase Risk for High-Exposure Assets
Automatically elevate TruRisk scores for internet-facing systems, privileged accounts, critical business assets, or unpatched high-risk vulnerabilities, ensuring environmental risk is accurately reflected.
- Enhance TruRisk™
Improve scoring precision by incorporating real-world exposure and business context into risk calculations.
- Highlight Critical Exposures
Identify and amplify conditions that significantly increase the likelihood of attack or business impact.
- Add Custom Risk Factors
Tailor risk scoring to your organization’s industry, geography, regulatory requirements, or asset role.
Custom Compensatory Factors
Refine TruRisk™ scoring by accounting for existing security controls that meaningfully reduce exposure. Compensatory Factors allow you to adjust risk downward when strong protections such as EDR, firewalls, or network segmentation are in place.
Navigate to Risk Management tab > Risk Customization > Risk Factors or Compensatory Factors to define and apply custom factors tailored to your environment.

The following screenshot shows one example of the TruRisk Customization. The image illustrates how TruRisk™ scoring is dynamically customized through a structured rule application order that combines system-defined and user-defined factors. The TruRisk™ is fully customizable through additive and subtractive factors, applied in a defined order, enabling organizations to transition from static vulnerability severity to dynamic, environment-aware, business-aligned risk scoring.
Risk Factors amplify exposure. Compensatory Factors credit defenses. The order of application ensures a controlled, predictable score transformation.

To know more about TruRisk Customization, refer to ETM Online Help.
Introduced ACS Score Recomputing
The Asset Criticality Score (ACS) system helps you evaluate and manage the importance level of assets within your organization. This feature provides a structured approach to assigning, updating, and tracking criticality ratings for all assets across business entities.
Key Features: ACS Score Recomputing
Here are the important key features for recomputing the ACS score:
Tag-Based Criticality Assignment
The system uses tags to assign criticality scores to assets. When you create a tag, you assign a criticality score value to it. This score is then applied to any asset that receives that tag.
Multiple Tags: If an asset receives multiple tags with different scores, the system automatically applies the highest criticality score to that asset.
Static and Dynamic Tags
The system supports two types of tags to match your organizational needs.
- Static Tags
Static tags are manually created and applied to assets. You define the criticality score when creating the tag, and it remains constant until you change it.
- Dynamic Tags
Dynamic tags are automatically applied to assets based on rules you define. These tags automatically adjust when asset properties meet specified conditions.
How it works:
- Create tags within the system
- Assign a criticality score to each tag (ranging from 1 to 5)
- Apply tags to individual assets
- The asset automatically inherits the tag's criticality score
Impact of TruRisk Calculation
Criticality score updates affect your organizational view across multiple levels:
- Asset Level
Individual asset criticality status
- Business Entity Level
Aggregated criticality for all assets within a business entity
- Organization Level
Overall risk dashboard showing organization-wide criticality
Score Recalculation
The system recalculates criticality scores automatically, but you can also trigger manual recalculation when needed.
- Automatic Updates:
  - Scheduled automatic recalculation every couple of hours
  - All dependent calculations are updated in sequence
- Manual Recalculation:
  - Use the Recalculate Score option to update scores immediately
  - Manual recalculation completes in approximately 15 minutes
  - Useful when you need updated scores without waiting for scheduled updates
Currently, this feature does not apply to WAS-type assets.
Use Case: ACS Update and TruRisk Recalculation
Consider a scenario where:
- An asset has an ACS score of 2.
- The corresponding TruRisk score is 323, calculated using criticality 2.
You determine that the asset is more critical and should have an ACS score of 5.
To update this:
- Assign a tag configured with a criticality score of 5 to the asset.
- The asset immediately reflects the updated ACS score of 5.
However, you may notice that the TruRisk score still shows 323. This is because the TruRisk calculation was performed using the earlier criticality score (2).
By default, the system updates the TruRisk score during the scheduled automatic recalculation (every couple of hours). If you need the updated TruRisk score immediately:
- Click Recalculate TruRisk Score.
- The updated score will be available in approximately 15 minutes.
The following video illustrates this use case.
Introduced Risk Reprioritization Flow Widget Represented by Sankey Chart
The Risk Reprioritization Flow widget is a new dashboard visualization that helps security teams understand how vulnerability findings move between different risk scoring models. It visually shows how findings are deprioritized or reprioritized when moving from traditional scoring (such as CVSS or source-provided risk scores) to Qualys-driven QVSS.
By showing the flow of findings between risk categories, the widget highlights how Qualys Insights reduces noise while surfacing vulnerabilities that genuinely matter.
A Sankey chart is an industry-standard visualization used to show the flow of items from one state to another.
In this widget:
- Nodes represent risk severity buckets (Critical, High, Medium, Low).
- Links represent how findings move from one severity bucket to another.
- Link width indicates the number of findings flowing between buckets.
- Colors represent severity levels and transitions.
Key Objectives of the Widget
The Risk Reprioritization Flow widget helps you:
- Reduce vulnerability noise by showing findings that can be safely deprioritized
- Identify hidden risk where low or medium findings are reprioritized as higher risk
- Compare traditional scoring models with Qualys intelligence-driven QVSS
- Focus remediation efforts on what truly requires attention
To add the widget to your dashboard, navigate to Dashboard, click Add Widget, and select Risk Reprioritization Flow from available ETM widgets. Enter your queries, customize the widget, and the widget starts showing in your dashboard.

The following image illustrates how the QVSS-based scoring system has downgraded 46% of critical findings to medium priority. This allows your organization to reduce vulnerability noise by highlighting only those findings that can be safely deprioritized. Overall, 91% of findings are effectively downgraded, enabling you to focus your remediation efforts on the issues that truly require attention.

The following image illustrates that 16% of medium findings have been escalated to critical status. Overall, 15% of low and medium findings were re-prioritized. This highlights the importance of focusing remediation efforts on issues that truly require attention.
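The link counts and percentages that such a flow chart displays can be reproduced from a findings export, which is useful for checking the widget against your own data. The following is an added example, not Qualys code: the field names `source_severity` and `qvss_severity` are hypothetical, and the sample counts are constructed rather than taken from the images described above.

```python
from collections import Counter

ORDER = ["Low", "Medium", "High", "Critical"]  # Sankey nodes, lowest to highest
RANK = {name: i for i, name in enumerate(ORDER)}

# Constructed sample: (bucket under source scoring, bucket under QVSS) -> count.
SAMPLE_COUNTS = {
    ("Critical", "Critical"): 10, ("Critical", "High"): 17,
    ("Critical", "Medium"): 23, ("High", "Medium"): 20,
    ("High", "Low"): 5, ("Medium", "Critical"): 4, ("Medium", "Low"): 21,
}
FINDINGS = [{"source_severity": s, "qvss_severity": q}
            for (s, q), n in SAMPLE_COUNTS.items() for _ in range(n)]


def build_links(findings):
    """Count findings per (source bucket, QVSS bucket) pair: one Sankey link each."""
    links = Counter()
    for f in findings:
        pair = (f["source_severity"], f["qvss_severity"])
        if pair[0] not in RANK or pair[1] not in RANK:
            raise ValueError(f"unknown severity bucket in {pair}")
        links[pair] += 1
    return links


def summarize(links):
    """Overall downgrade/upgrade share and each link's share of its source node."""
    total = sum(links.values())
    per_source = Counter()
    for (src, _), n in links.items():
        per_source[src] += n
    down = sum(n for (s, q), n in links.items() if RANK[q] < RANK[s])
    up = sum(n for (s, q), n in links.items() if RANK[q] > RANK[s])
    return {
        "total": total,
        "downgraded_pct": round(100 * down / total) if total else 0,
        "upgraded_pct": round(100 * up / total) if total else 0,
        "share_of_source": {pair: round(100 * n / per_source[pair[0]])
                            for pair, n in links.items()},
    }


def render(links):
    """Text stand-in for the chart: one line per link, bar length = link width."""
    rows = sorted(links.items(),
                  key=lambda kv: (-RANK[kv[0][0]], -RANK[kv[0][1]]))
    return [f"{s:>8} -> {q:<8} {n:>4} {'#' * n}" for (s, q), n in rows]


if __name__ == "__main__":
    flow = build_links(FINDINGS)
    print("\n".join(render(flow)))
    stats = summarize(flow)
    print(f"downgraded: {stats['downgraded_pct']}%  "
          f"upgraded: {stats['upgraded_pct']}%")
```

Links whose target bucket ranks above the source bucket are the ones to review first, since they are findings the source score under-rated.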

Introduced Risk Arrival and Remediation Burndown Widget
The Risk Arrival and Remediation Burndown widget helps you understand how findings are entering your environment, how quickly they are being resolved, and whether a backlog is building up over time. The widget visualizes arrival and remediation (burn-down) trends, as well as cumulative open findings to support informed remediation planning.
This widget uses predefined logic and thresholds to generate insights and messages.
Key Objectives of the Widget
Effective management of findings requires a clear visualization of trends and rates to enhance remediation strategies. The key objectives are:
- Visualize the rate at which findings arrive
- Track the rate at which findings are remediated
- Identify whether a backlog of open findings is increasing or stabilizing
- Provide trend-based insights and recommendations for better remediation decisions
To add the widget to your dashboard, navigate to Dashboard, click Add Widget, and select Risk Arrival and Remediation Burndown from available ETM widgets.

Operational Value and Insights
Here are some insights on using widgets:
- Provides clear visibility into how quickly new findings are entering the environment
- Compares arrival rates with remediation velocity to measure performance
- Helps identify backlog buildup early to prevent risk accumulation
- Delivers actionable trend insights to support data-driven security decisions
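The three series the widget plots (arrivals, remediations, cumulative open findings) can be recomputed from first-detected and fixed dates. The following is an added example, not Qualys code: the findings are constructed, and the `backlog_trend` rule is a hypothetical stand-in, because the widget's predefined thresholds are not documented here.

```python
from datetime import date, timedelta

# Constructed findings: (first_detected, fixed_on), fixed_on is None while open.
FINDINGS = [
    (date(2025, 12, 20), None),
    (date(2025, 12, 28), date(2026, 1, 7)),
    (date(2026, 1, 5), date(2026, 1, 9)),
    (date(2026, 1, 6), None),
    (date(2026, 1, 8), date(2026, 1, 20)),
    (date(2026, 1, 13), None),
    (date(2026, 1, 14), None),
    (date(2026, 1, 15), date(2026, 1, 16)),
    (date(2026, 1, 21), None),
    (date(2026, 1, 22), None),
]


def burndown(findings, start, weeks):
    """Weekly arrivals, remediations and cumulative open findings from `start`."""
    # Findings detected before the window and not yet fixed at its start
    # form the opening backlog.
    open_count = sum(1 for first, fixed in findings
                     if first < start and (fixed is None or fixed >= start))
    rows = []
    for i in range(weeks):
        lo = start + timedelta(weeks=i)
        hi = lo + timedelta(weeks=1)
        arrived = sum(1 for first, _ in findings if lo <= first < hi)
        remediated = sum(1 for _, fixed in findings
                         if fixed is not None and lo <= fixed < hi)
        open_count += arrived - remediated
        rows.append({"week": lo, "arrived": arrived,
                     "remediated": remediated, "open": open_count})
    return rows


def backlog_trend(rows):
    """Hypothetical rule: compare open findings at the end and start of the window."""
    if len(rows) < 2:
        return "insufficient data"
    delta = rows[-1]["open"] - rows[0]["open"]
    if delta > 0:
        return "increasing"
    return "decreasing" if delta < 0 else "stable"


if __name__ == "__main__":
    series = burndown(FINDINGS, start=date(2026, 1, 5), weeks=3)
    for row in series:
        print(row["week"], row["arrived"], row["remediated"], row["open"])
    print("backlog:", backlog_trend(series))
```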
Introduced Customized Merge Rules for UAI Account
This release introduces customized finding identification rules, enabling tailored de-duplication and identification logic for individual user environments.
These rules include:
- Support for customized identification rules
- Rule execution based on explicit priority order
- Database-backed rule management for improved scalability
- Automatic fallback to generic rules when no customized rules exist
Behavior Changes
- Customized rules fully replace generic rules for that user
- Findings are recalculated when rules change to prevent stale or inconsistent data
- New rules apply to all existing and new data.
Prerequisites for Customized Merge Rules
This feature is available on request. Contact your Technical Account Manager or Qualys Support to enable it for your account.
Benefits of Customized Merge Rules
- Accurate deduplication aligned to your environment
You can align finding identification logic with how assets, services, and vulnerabilities are actually structured in your environment. This reduces false merges and improves the accuracy of identified findings.
- Better control over finding prioritization
Rule execution order lets you control which attributes (such as protocol, port, or asset characteristics) take precedence during identification. This ensures critical identifiers are evaluated first.
- Consistent and predictable identification results
Once customized rules are applied, the same logic is consistently used across all future aggregations. This improves trust in results and eliminates unexpected changes caused by generic rule updates.
- Safe transition without data corruption
When rules are updated, existing findings are recalculated using controlled de-merging and re-aggregation. This ensures historical data remains accurate and no stale or inconsistent findings persist.
Enhanced Purge Rule for UAI-Enabled Accounts
The Asset Purging feature enables administrators to remove outdated or irrelevant assets from the system based on defined conditions. This helps maintain accurate inventory data and ensures a clean and reliable security posture.
Asset purging now supports:
- Compute (Host-Based Assets)
Allows deletion of host-based assets such as servers, virtual machines, and endpoints.
- Other Asset Classes
Supports purging across additional asset categories beyond compute assets.
- Third-Party Sources
Enables purging of assets ingested from external connectors or third-party integrations.
- Subclass-Level Deletion
Provides granular control by allowing deletion at the asset subclass level.
Purpose of Asset Purge Rules
Administrators can define purge conditions based on:
- Asset source
- Connector ID
- Asset name
- First detected date
- Last detected date
- Other relevant asset attributes
By defining these conditions, organizations can:
- Maintain an accurate and up-to-date asset inventory
- Reduce clutter from obsolete assets
- Improve reporting accuracy
- Maintain a reliable and actionable security posture
If assets are linked to findings or risk calculations, the behavior of dependent data should be reviewed before purging.
To view the feature, navigate to Inventory > Rules > Purge. Select the required asset from Compute Asset or Other Assets.

Extended Support to View Activity Logs
With this release, we introduced comprehensive Activity log support for tracking user and system actions. This feature enhances visibility, traceability, and compliance by recording critical operations through the shared services activity log framework. The Admin user can view the details in the Admin Utility.
Activity Logs
Activity logs show logs for the following features and activities:
- Company Profile updates
- Business Entities
- ETM Customer Onboarding steps
- Prioritization plans and templates
- Findings closure activity
- Finding rules: Source Trust Ranking, Custom Merge, Purge
- TruRisk Customization
- Custom Attributes
The key benefits of the comprehensive Activity Logs support feature include:
- Enhanced Visibility
Users have a clear view of all actions taken within the system, allowing for better monitoring and oversight.
- Improved Traceability
By recording critical operations, organizations can easily trace back actions to their origins, which is essential for troubleshooting and understanding system changes.
- Increased Compliance
Maintaining an accurate audit trail helps organizations adhere to regulatory requirements and internal policies, facilitating compliance during audits.
- Accountability
The Activity logs hold users accountable for their actions, promoting responsible usage of the system.
To view the Activity logs, navigate to Admin utility > Activity Logs.

Enhanced Processing Parent-Child Tag Management for Asset Tags
With this release, we have improved system efficiency and ensured consistent data handling across all tag operations.
Earlier, dashboard calculations considered only Parent Tags. Child tags were not included in dashboard scoring or metric calculations. This could result in incomplete business entity scoring when assets were associated only with child tags. Dashboard calculations now include Parent Tags and Child Tags, so the combined asset scope includes both.
This ensures that all assets mapped within the tag hierarchy are appropriately included in dashboard computations.
Key Benefits
- Accurate Business Entity Scoring
Risk and scoring calculations now reflect the complete tag hierarchy.
- Correct Dashboard Metrics
Metrics represent the complete asset scope instead of partial parent-only data.
- Improved System Efficiency
Tag processing is optimized to reduce redundant computations.
- Consistent Data Handling
Tag operations now follow a unified and standardized processing model.
Tag Hierarchy Management
The system now automatically:
- Establishes parent-child tag relationships
- Maintains multi-level tag hierarchies
- Makes hierarchy relationship data available for all downstream processing
Dependent considerations are:
- Existing tag structures are automatically aligned to the new hierarchy model.
- Any integrations consuming tag data will now receive fully resolved hierarchical relationships.
- Dashboard calculations depend on the updated tag hierarchy model for accuracy.
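The difference between parent-only scope and full-hierarchy scope, together with the highest-score rule for assets that carry several tags (described under ACS Score Recomputing), can be checked against exported tag data. The following is an added example, not Qualys code: all tag names, asset names and the data layout are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (hypothetical tags and assets).
TAG_PARENT = {            # tag -> parent tag (None for a top-level tag)
    "Payments": None,
    "Payments-Prod": "Payments",
    "Payments-Prod-DB": "Payments-Prod",
    "Payments-Dev": "Payments",
    "HR": None,
}
TAG_CRITICALITY = {"Payments": 4, "Payments-Prod-DB": 5, "Payments-Dev": 2, "HR": 3}
ASSET_TAGS = {            # asset -> tags applied directly to it
    "web-01": {"Payments"},
    "db-01": {"Payments-Prod-DB"},
    "lab-09": {"Payments-Prod"},
    "dev-07": {"Payments-Dev", "HR"},
    "hr-02": {"HR"},
}


def descendants(root, tag_parent):
    """Return root plus every tag below it, across any number of levels."""
    children = defaultdict(set)
    for tag, parent in tag_parent.items():
        if parent is not None:
            children[parent].add(tag)
    seen, stack = {root}, [root]
    while stack:
        for child in children[stack.pop()]:
            if child not in seen:      # also stops on a cyclic hierarchy
                seen.add(child)
                stack.append(child)
    return seen


def asset_scope(root, tag_parent, asset_tags, include_children=True):
    """Assets counted for a tag: parent only (old) or full hierarchy (new)."""
    tags = descendants(root, tag_parent) if include_children else {root}
    return {asset for asset, applied in asset_tags.items() if applied & tags}


def asset_criticality(asset, asset_tags, tag_criticality):
    """Highest criticality among the asset's tags; None if no tag has a score."""
    scores = [tag_criticality[t] for t in asset_tags.get(asset, ())
              if t in tag_criticality]
    return max(scores) if scores else None


if __name__ == "__main__":
    old = asset_scope("Payments", TAG_PARENT, ASSET_TAGS, include_children=False)
    new = asset_scope("Payments", TAG_PARENT, ASSET_TAGS)
    print("parent only:", sorted(old))
    print("with children:", sorted(new))
    print("previously missed:", sorted(new - old))
    for asset in sorted(new):
        print(asset, asset_criticality(asset, ASSET_TAGS, TAG_CRITICALITY))
```

Assets that appear only in the full-hierarchy scope are the ones whose findings were missing from business entity scoring before this change.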
Enhanced TruRisk V2 Formula: Environment-Based Configuration
We introduced new configuration capabilities in the TruRisk V2 formula, enabling users to better align risk calculation with their operational environment.
The update allows controlled adjustment of:
- Volume capping for Critical and High-Risk Assets
- Weightage of High-Risk Assets when no Critical Assets are present.
These changes provide greater flexibility while preserving formula integrity.
To configure these settings, contact Qualys Support.
Volume Capping for Critical and High-Risk Assets
You can now limit (cap) the number of:
- Critical assets
- High-risk assets
used in the TruRisk V2 calculation.
This does not change the total number of assets in the environment.
It only limits the number of assets considered in the formula computation.
Weightage of High-Risk Assets in Absence of Critical Assets
A new parameter has been introduced: Weightage of High-Risk Asset in Absence of Critical Assets
This setting defines how much weight High-risk assets should carry when there are zero Critical assets in the environment.
Previously, if no Critical assets existed, High-risk assets automatically inherited the sliding weight logic.
Now a dedicated configurable weight is applied. No default value should be assumed. This must be explicitly configured via Support.
The update affects only:
- Asset count contribution (Critical and High-risk)
- Weight applied when Critical assets = 0
It does not:
- Modify ARS scoring logic
- Modify asset classification thresholds
- Change G-value defaults
- Change vulnerability scoring
Extended CVSS v4 Support
With this release, we introduced CVSS v4 support and changed how CVSS information is displayed across the platform. The change ensures alignment with the latest industry standards and improves clarity in the user interface.
CVSS (Common Vulnerability Scoring System) is an industry-standard score assigned to vulnerabilities (CVE level). Previously, we supported CVSS v2 and CVSS v3; now we support CVSS v4 as well. CVSS v4 has already been introduced in the industry (for example, in NVD data sources). This update ensures proper handling and display of CVSS v4 data.
Currently, we support the CVSS v4 base score.
Impact on User interface
Previously, there were three separate columns for different CVSS versions. Now, only one unified CVSS column is displayed. The system automatically determines which CVSS version to show.
The platform prioritizes CVSS v4 (the highest), followed by CVSS v3 and CVSS v2. If CVSS v4 is available, it is displayed. If v4 is unavailable but v3 is, then v3 is shown. If both v4 and v3 are unavailable, v2 is displayed.
When you hover over the CVSS column, a tooltip appears, indicating the version (for example, CVSS v4) and vector details (Base/Temporal, as applicable).
The same CVSS prioritization logic is now consistently applied in all areas where CVSS is used.
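The precedence described above can be expressed as a small selector, which helps when reconciling the unified column with your own CVE data. The following is an added example, not Qualys code: it reads a record shaped like the NVD CVE API 2.0 `metrics` object, the sample records are constructed, and trying v3.1 before v3.0 and `Primary` entries before others are assumptions of this example.

```python
from typing import Optional

# Precedence from the release note: CVSS v4, then v3, then v2.
# Keys are those of the NVD CVE API 2.0 "metrics" object; trying v3.1 before
# v3.0 inside the v3 tier is an assumption of this example.
PRECEDENCE = (
    ("CVSS v4", ("cvssMetricV40",)),
    ("CVSS v3", ("cvssMetricV31", "cvssMetricV30")),
    ("CVSS v2", ("cvssMetricV2",)),
)


def _usable(entries):
    """Entries with a numeric base score, 'Primary' sources first (assumption)."""
    good = [e for e in entries
            if isinstance((e.get("cvssData") or {}).get("baseScore"), (int, float))]
    return sorted(good, key=lambda e: e.get("type") != "Primary")


def unified_cvss(metrics: dict) -> Optional[dict]:
    """Return the one CVSS value to display, or None if no version has a score."""
    for label, keys in PRECEDENCE:
        for key in keys:
            candidates = _usable(metrics.get(key) or [])
            if candidates:
                data = candidates[0]["cvssData"]
                return {"label": label, "score": float(data["baseScore"]),
                        "vector": data.get("vectorString", "")}
    return None


def tooltip(choice: Optional[dict]) -> str:
    """Version and vector text for the hover tooltip."""
    if choice is None:
        return "CVSS: not available"
    return f"{choice['label']} base score {choice['score']:.1f} ({choice['vector']})"


# Constructed sample records (not real CVE data).
V4 = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
V31_HIGH = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
V31_AVAIL = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
V2 = "AV:N/AC:L/Au:N/C:P/I:P/A:P"

ALL_VERSIONS = {
    "cvssMetricV40": [{"type": "Primary",
                       "cvssData": {"vectorString": V4, "baseScore": 9.3}}],
    "cvssMetricV31": [{"type": "Primary",
                       "cvssData": {"vectorString": V31_HIGH, "baseScore": 9.8}}],
    "cvssMetricV2": [{"type": "Primary",
                      "cvssData": {"vectorString": V2, "baseScore": 7.5}}],
}
V3_AND_V2 = {
    "cvssMetricV31": [
        {"type": "Secondary",
         "cvssData": {"vectorString": V31_AVAIL, "baseScore": 7.5}},
        {"type": "Primary",
         "cvssData": {"vectorString": V31_HIGH, "baseScore": 9.8}},
    ],
    "cvssMetricV2": ALL_VERSIONS["cvssMetricV2"],
}
# A v4 entry without a base score must not block the fallback to v2.
V4_WITHOUT_SCORE = {
    "cvssMetricV40": [{"type": "Primary", "cvssData": {"vectorString": V4}}],
    "cvssMetricV2": ALL_VERSIONS["cvssMetricV2"],
}

if __name__ == "__main__":
    for record in (ALL_VERSIONS, V3_AND_V2, V4_WITHOUT_SCORE, {}):
        print(tooltip(unified_cvss(record)))
```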
You can see this update in the following:
- Finding Listing Page

- CVSS Vs QVSS Card on Findings and CVE Details pages

- Detection Details Page

Enhanced Finding Details Page
This release includes updates to the Finding Details page, improvements in tab structure, technology/category visibility, lifecycle graph enhancements, and performance comparison messaging updates.
The changes improve usability, remove unused sections, and provide clearer contextual information.
These UI and structural changes apply only to the Finding Details page.
Remediation Section Tab Reordering and Cleanup
The order of tabs under Remediation & Action has changed. The new order is:
1. Recommendation (now first)
2. Remediation
The Mitigation tab has been completely removed due to a lack of backend data; removing it prevents confusion.

Conditional Display for Recommendation
- The Recommendation tab is displayed only if recommendation data is available.
- If no recommendation data exists:
  - The Recommendation tab is not displayed.
  - Only the Remediation tab is displayed.
This ensures you only see meaningful and actionable data.
Technology and Category Display Improvement
Earlier on the Listing Page, under the Technology Category column, both Technology Name and Category were displayed. In some cases, the Technology Name was missing. However, Category data was available. When users navigated to the Finding Details > Detection Details, only the Technology Name was displayed. If the name was missing, the field appeared incomplete, even though category data existed.
The page now displays Detection Details as follows: If both Technology Name and Category are present, they are displayed together, separated by a '/'. If only the Category is present, only the Category is displayed. If neither is available, the field remains blank or follows the current behavior.
This ensures consistency between the Listing Page and the Finding Details page.

Lifecycle Graph Enhancement
Earlier, the lifecycle graph displayed timeline progression but did not explicitly show First Detection Date and Last Detection Date.
The lifecycle graph now includes the First Detection date and the Last Detection date. These dates are now visually reflected within the lifecycle view to provide clearer historical tracking of findings.
This improves visibility into finding persistence, detection timeline, and vulnerability aging analysis.

Peer Benchmarking
With this release, we have improved the Peer Benchmarking section. The card now uses color-coded bars and structured percentile comparison. It transforms MTTR from a raw metric into a strategic performance indicator.

Your performance is indicated by various colors.
Green – Strong Performance
It indicates one of the following:
- Performing better than peers
- Top tier performance
- Faster MTTR or fewer vulnerabilities
It instantly signals success. It reinforces positive performance and enables quick executive-level understanding without reading detailed text.
Light Yellow – Slight Negative Deviation
It indicates one of the following:
- Slightly worse than peers
- Minor performance gap
This indication serves as an early warning, highlighting areas that need attention before they become critical. It encourages corrective action while the impact is still small.
Red – Poor Performance
It indicates one of the following:
- Significantly worse than peers
- Lowest tier of performers
It immediately draws attention and clearly identifies risk areas. It helps prioritize remediation efforts.
The updated color-coded peer benchmarking with standardized comparison messaging provides:
- Faster insight
- Reduced interpretation effort
- Clear industry positioning
Increased Limit for Business Entities
With this release, you can now create more Business Entities in Qualys ETM. Previously, the maximum limit was capped at 50 Business Entities. This enhancement increases the allowable limit, enabling organizations to model and manage risk across a broader set of critical business applications and asset groupings.
This update provides greater scalability and flexibility for enterprises with complex environments and a larger number of critical business domains.
To raise your limit above 50, contact Qualys Support.
Introduced New Tokens
We have introduced two new tokens:
| Token | Tab | Description |
|---|---|---|
| finding.sourceSeverity | Risk Management > Findings > Vulnerability; Risk Management > Findings > Misconfiguration | Use this token to filter findings by the severity level assigned by the source (vendor) product. |
| finding.sourceScoreRange | Risk Management > Findings > Vulnerabilities; Risk Management > Findings > Misconfigurations | Use a text value to represent the range of scores defined by the source (vendor) product during connector configuration. |
Issues Addressed
The following reported issues are fixed in this release.
| Component | Description |
|---|---|
| ETM Dashboard | Resolved an issue where the Trendline widget did not update correctly when tags were selected from the Dashboard tag selector. Tag filtering now works consistently across all widgets, including support for both Any and All filter options, ensuring accurate and expected results. |
| ETM Dashboard | Resolved an issue where the Risk Removal Velocity widget was not showing accurate data for findings marked as Fixed within the last 7 days. The logic has been corrected to ensure that recently fixed findings are correctly counted. The widget now reflects accurate results. |
| ETM Dashboard | Resolved an issue where the Funnel widget did not take into account the dashboard tags or the entity. Due to this, there was a discrepancy between the actual findings and those displayed in the widget. |
| ETM Dashboard | Resolved an issue in the Dynamic Trending Widget where the configured color for the third query was not being saved and reverted to the default (lime green) after logout and login. The color settings now save correctly between sessions. |
| ETM User Interface | Resolved an issue where the Add button was turned off in the Custom Merge section under Finding Rules, confusing users. A tooltip has been added to clarify the behavior. The application now clearly indicates when no additional attributes are available to add because all supported attributes are already included in the custom merge rule. |
| ETM Findings | Resolved a discrepancy when the user encountered an issue while purging a large asset. We corrected the logic to ensure proper updates and prevent unintended entries. |
| ETM Findings | Resolved an issue in the TTD (Time to Detect) calculation for ttd QQL where certain findings were showing incorrect detection timelines. The calculation logic has been corrected to ensure TTD values are accurately aligned with the CVE publish date and finding detection timeline. |
| ETM User Interface | Addressed user confusion regarding NULL TruRisk scores in the Asset Inventory. Clarified system behavior in the documentation: This update ensures a clear understanding of how TruRisk scores are represented. |