Asset Definition and Product-Specific QLU Usage Calculation

What is Counted

QLU usage for Enterprise TruRisk™ Management (ETM) is based on the total number of unique assets that have security findings, regardless of whether the findings originate from Qualys or non-Qualys sources.

ETM uniquely identifies assets using a canonical asset ID to ensure accurate normalization and de-duplication across the platform.

What is Not Counted

Assets without security findings are excluded from ETM subscription usage calculations.

How Usage is Measured

Usage is measured by counting the number of unique assets with findings detected since the start of the subscription.
QLU utilization is evaluated in 15‑day intervals. For each interval, Qualys records the highest unique asset count observed during that period. This method accounts for natural asset fluctuations and ensures that licensing reflects peak usage.

Example (Illustrative Only)

Assume a subscription starts on January 1. During a 15‑day interval, Qualys detects:

• 5,000 non-Qualys assets with findings.

If the subscription defines a 3:1 QLU-to-asset ratio:

• 5,000 assets × 3 QLUs = 15,000 QLUs consumed

Qualys records this value as the utilization for the interval and uses it for subscription usage tracking.

 The QLU-to-asset ratio shown above is for illustration only. Actual QLU consumption depends on the ratio defined in the applicable Qualys subscription agreement.

Inclusion of CSAM with ETM Subscription

When a customer maintains a valid subscription to Qualys Enterprise TruRisk™ Management (ETM), Qualys CyberSecurity Asset Management (CSAM) is included as part of the ETM entitlement for the applicable subscription term.

Customers are not required to purchase, allocate, or assign separate Qualys Units (QLUs) for CSAM functionality when CSAM is included with the ETM subscription.

What is Counted

QLU usage for CyberSecurity Asset Management (CSAM) is based on the total number of unique managed assets that CSAM identifies and tracks. Assets are counted after de-duplication and normalization to ensure each asset is uniquely represented within the platform. Only assets directly managed by CSAM are included in the usage calculation.

What is Not Counted

Assets discovered exclusively through the following sources are excluded from CSAM subscription usage:

• External Attack Surface Management (EASM)
• Passive Sensor (PS)
• Cloud Agentless Passive Sensor (CAPS)
• Active Directory (AD) integrations
• VMware integrations
• CMDB integrations

These asset sources do not contribute to CSAM QLU usage.

How Usage is Measured

Usage is measured based on the number of unique managed assets detected since the start of the subscription. QLU utilization is evaluated in 15-day intervals, and for each interval, the highest unique asset count observed during that period is recorded as the utilization value. This approach accounts for natural fluctuations in asset discovery while ensuring licensing reflects peak usage.

Example (Illustrative Only)

Assume a CSAM subscription starts on January 1. All eligible managed assets detected from that date onward are considered for usage calculation.

With a 1:1 QLU-to-asset ratio, QLU usage is calculated as follows:

January 1–15
The number of unique managed assets fluctuates between 12,000 and 13,500.
The highest count (13,500 assets) is recorded as the utilization for this interval, resulting in 13,500 QLUs consumed.

January 16–30
The number of unique managed assets ranges from 13,000 to 14,200.
The highest count (14,200 assets) is recorded as the utilization for this interval, resulting in 14,200 QLUs consumed.

The QLU-to-asset ratio shown above is for illustration purposes only. Actual QLU usage depends on the ratio defined in your Qualys subscription agreement.

What Is Counted

QLU usage for ETM Identity is based on the total number of unique enabled identities identified across all configured identity providers (IDPs), including Active Directory (AD), Entra ID, Okta, Ping, and other supported providers. Identities are counted after de-duplication to ensure each identity is uniquely represented across multiple IDPs. Only identities in an enabled state are included in the usage calculation.

What Is Not Counted

The following identities are excluded from ETM Identity subscription usage:

• Disabled identities
• Duplicate identities detected across multiple IDPs

These identities do not contribute to ETM Identity QLU usage.

How Usage Is Measured

Usage is measured based on the number of unique enabled identities detected since the start of the subscription. QLU utilization is evaluated in 15‑day intervals, and for each interval, the highest unique identity count observed during that period is recorded as the utilization value. This approach accounts for natural fluctuations in identity data while ensuring licensing reflects peak usage.

Example (Illustrative Only)

Assume an ETM Identity subscription starts on January 1. All eligible enabled identities detected from that date onward are included in the usage calculation.

With a 1:1 QLU-to-identity ratio, QLU usage is calculated as follows:

January 1–15
The number of unique enabled identities ranges from 9,200 to 10,000.
The highest count (10,000 identities) is recorded as the utilization for this interval, resulting in 10,000 QLUs consumed.

January 16–30
The number of unique enabled identities ranges from 10,500 to 11,200.
The highest count (11,200 identities) is recorded as the utilization for this interval, resulting in 11,200 QLUs consumed.

 The QLU-to-identity ratio shown above is for illustration purposes only. Actual QLU usage depends on the ratio defined in your Qualys subscription agreement.

What is Counted

QLU usage for Vulnerability Management, Detection & Response (VMDR) is based on the total number of unique assets assessed by VMDR during the subscription term. Assets identified through Qualys on‑premises agents and Qualys scanners are combined, normalized, and de‑duplicated so that each asset is counted only once when correlation is possible.

De‑duplication depends on the availability of asset identifiers. In certain network configurations (for example, devices with multiple IP addresses), correlation may not be feasible, and such assets may be recognized as separate instances.

Eligible assets include, without limitation:

• Physical servers
• Virtual machines
• Cloud compute instances
• Desktops or laptops
• Container hosts
• Any other device or system assigned a unique hostname, IP address, Agent ID, instance ID, or other unique identifier

An asset scanned by both a Scanner Appliance and a Cloud Agent is counted as one asset, provided it represents the same uniquely identifiable asset.

Assets are counted based on unique system identifiers as determined by the Qualys platform. Any asset that is scanned, assessed, or reported during the subscription term contributes to QLU usage, regardless of scan frequency.

What is Not Counted

The following are excluded from VMDR subscription usage:

• No‑Finding Assets, defined as assets with no open ports and no reported vulnerabilities
• Decommissioned assets, including inactive, terminated, or unused assets, only when purge rules are enabled

 Customers must enable purge rules to exclude inactive, terminated, and unused assets from QLU usage.

How Usage is Measured

Usage is measured based on the total number of unique assets detected during the subscription term, using the following components:

A – On‑Premises Agent and Scanner‑Discovered Assets
A represents all unique assets identified through on‑premises agents and network‑based scanning, calculated as:

• A1 – All‑Time On‑Premises Agents
  All unique assets that have had a Qualys Agent installed and have reported to the Qualys platform at any time during the subscription term. Each asset is counted once based on Agent ID, regardless of current status.

• A2 – Scanner‑Discovered Assets (Non‑Agent Based)
  All unique assets identified through network or cloud‑based scanning methods, excluding assets already counted under A1. This includes assets discovered through IP‑based discovery, DNS resolution, NetBIOS discovery, cloud instance discovery, and authenticated or unauthenticated vulnerability scans.

B – Cloud Service Provider Assets
B represents all unique assets identified through Cloud Service Provider (CSP) integrations, including AWS, Microsoft Azure, Google Cloud Platform, OCI, and Alibaba. Each cloud resource is counted once per unique instance ID or cloud‑native identifier. Assets terminated or deleted during the subscription term are included if discovered during the term.

C – Ghost Assets
C represents assets with no open ports and no reported vulnerabilities that result from transient scan artifacts, IP reuse, or incomplete metadata correlation. These assets are deducted from total QLU usage. Ghost asset classification is determined by Qualys platform reconciliation rules.

QLU usage is calculated as:

QLU Consumed = (A + B − C) × QLU ratio

QLU utilization is evaluated in 15‑day intervals, and for each interval, the highest usage value observed is recorded. The applicable QLU‑to‑asset ratio defined in the subscription is applied to determine consumption.

Example (Illustrative Only)

Assume a VMDR subscription starts on January 1. During a 15‑day interval:

• On‑premises and scanner‑discovered assets (A): 6,000
• Cloud assets discovered through CSP integrations (B): 2,000
• No‑Finding (Ghost) Assets (C): 1,000

Step 1: Calculate effective asset count
6,000 + 2,000 − 1,000 = 7,000 assets

Step 2: Apply the QLU‑to‑asset ratio
7,000 × 1.5 = 10,500 QLUs consumed

 The QLU‑to‑asset ratio shown above is for illustration purposes only. Actual QLU usage depends on the ratio defined in your Qualys subscription agreement.

What is Counted

QLU usage for VMDR Mobile is based on the total number of unique devices enabled through VMDR Mobile, Qualys Cloud Agent, or the Intune Connector. All enabled devices are included in the usage calculation.

What is Not Counted

No devices are excluded from VMDR Mobile subscription usage.
All deployments contribute to QLU usage.

How Usage is Measured

Usage is measured based on the number of unique devices enabled or detected since the start of the subscription. QLU utilization is evaluated in 15‑day intervals, and for each interval, the highest unique device count observed during that period is recorded as the utilization value. This approach accounts for natural fluctuations in device discovery while ensuring licensing reflects peak usage.

QLU usage is calculated by applying the QLU‑to‑asset ratio defined in the subscription. For example, a 1.5:1 QLU‑to‑asset ratio means each VMDR Mobile deployment consumes 1.5 QLUs.

Example (Illustrative Only)

Assume a VMDR Mobile subscription starts on January 1. All eligible devices detected from that date onward are included in the usage calculation.

With a 1.5:1 QLU‑to‑asset ratio, QLU usage is calculated as follows:

January 1–15
The number of unique devices ranges from 9,200 to 10,000.
The highest count (10,000 devices) is recorded as the utilization for this interval, resulting in 15,000 QLUs consumed.

January 16–30
The number of unique devices ranges from 10,500 to 11,200.
The highest count (11,200 devices) is recorded as the utilization for this interval, resulting in 16,800 QLUs consumed.

 The QLU‑to‑asset ratio shown above is for illustration purposes only. Actual QLU usage depends on the ratio defined in your Qualys subscription agreement.

What is Counted

QLU usage for VMDR Operational Technology (VMDR‑OT) is based on the total number of OT assets inventoried and assessed within VMDR‑OT. Each asset is uniquely identified and classified based on the level of identification and security assessment performed.

Assets are categorized as follows:

• Basic Identification Assets
  Assets for which only basic identification details are available and no known vulnerabilities are identified.

• Enriched Data Assets
  Assets for which additional information is available, including associated components or child modules (for example, assets attached to a parent rack or slot).

• Assets with Vulnerabilities
  Assets that have been assessed and flagged with one or more vulnerabilities.

Only Enriched Data Assets and Assets with Vulnerabilities contribute to QLU usage. Basic Identification Assets are inventoried but do not consume QLUs.

What is Not Counted

The following are excluded from VMDR‑OT subscription usage:

• Assets not detected or inventoried by VMDR‑OT
• Assets with only basic identification details and no enriched data or known vulnerabilities

These assets do not contribute to QLU usage.

How Usage is Measured

Usage is measured based on the number of active assets detected since VMDR‑OT activation. QLU utilization is evaluated in 15‑day intervals, and for each interval, the highest weighted asset count observed during that period is recorded as the utilization value. This approach accounts for natural fluctuations in asset discovery while ensuring licensing reflects peak usage.

Asset Weightage

• Enriched Data Assets:
  1 asset for QLU usage= 2/3 enriched data asset.

• Assets with Vulnerabilities:
  1 asset for QLU usage = 1 asset with vulnerabilities.

This weightage reflects the depth of visibility and assessment performed on each OT asset.

Example (Illustrative Only)

Assume a VMDR‑OT subscription starts on January 1. All unique weighted assets detected from that date onward are considered for usage calculation.

With a 1.5:1 QLU‑to‑asset ratio, QLU usage is calculated as follows:

January 1–15
Basic Identification Assets:1,000
Enriched Data Assets: 600
Assets with Vulnerabilities: 400

Total Weighted asset count:
400 + (600 × 2/3) = 800

Total QLUs consumed:
800 × 1.5 = 1,200 QLUs

January 16–30
Basic Identification Assets: 1,000
Enriched Data Assets:200
Assets with Vulnerabilities: 300

Total Weighted asset count:
300 + (200 × 2/3) = 433

Total QLUs consumed:
433 × 1.5 = 649.5 QLUs

Basic Identification Assets are inventoried but do not consume QLUs.

The QLU‑to‑asset ratio shown above is for illustration only. Actual QLU consumption depends on the ratio defined in your Qualys subscription agreement.

What is Counted

QLU usage for Endpoint Detection & Response (EDR) is based on the total number of unique endpoints on which the EDR agent is installed and active. Each endpoint is uniquely identified to ensure accurate tracking and to prevent double counting. Only endpoints with an active EDR agent are included in the usage calculation.

What is Not Counted

The following are excluded from EDR subscription usage:

• Endpoints on which the EDR agent is not installed
• Inactive or decommissioned endpoints, provided the EDR agent is removed or the endpoint is de‑registered

Endpoints that remain registered on the platform with an active EDR agent continue to contribute to QLU usage.

How Usage is Measured

Usage is measured based on the number of active EDR agents detected since the start of the subscription. Utilization is evaluated in 15‑day intervals, and for each interval, the highest endpoint count observed during that period is recorded as the utilization value. This approach accounts for natural fluctuations in endpoint counts while ensuring licensing reflects peak usage.

QLU usage is calculated by applying the QLU‑to‑asset ratio defined in the subscription. In this illustrative example, a 2.85:1 QLU‑to‑asset ratio means each active EDR endpoint consumes 2.85 QLUs.

Example (Illustrative Only)

Assume an EDR subscription starts on January 1.

January 1–15
The number of active EDR endpoints ranges from 2,400 to 2,650.
The highest count (2,650 endpoints) is recorded as the utilization for this interval.

QLUs consumed:
2,650 × 2.85 = 7,552.5 QLUs

January 16–30
The number of active EDR endpoints ranges from 2,600 to 2,900.
The highest count (2,900 endpoints) is recorded as the utilization for this interval.

QLUs consumed:
2,900 × 2.85 = 8,265 QLUs

The QLU‑to‑asset ratio shown above is for illustration only. Actual QLU consumption depends on the ratio defined in your Qualys subscription agreement.

What is Counted

QLU usage for Zlinux Cloud Agents (Zlinux) is based on the total number of unique endpoints on which the Zlinux agent is installed and active. Each endpoint is uniquely identified to ensure accurate tracking and to prevent double counting. Only endpoints with an active Zlinux agent are included in the usage calculation.

What is Not Counted

The following are excluded from Zlinux subscription usage:

• Endpoints on which the Zlinux agent is not installed

How Usage is Measured

Usage is measured based on the number of active Zlinux agents detected. Utilization is evaluated in 15‑day intervals, and for each interval, the highest endpoint count observed during that period is recorded as the utilization value. This approach accounts for natural fluctuations in endpoint counts while ensuring licensing reflects peak usage.

QLU usage is calculated by applying the QLU‑to‑asset ratio defined in the subscription. For example, a 60:1 QLU‑to‑asset ratio means each active Zlinux endpoint consumes 60 QLUs.

Example (Illustrative Only)

Assume a Zlinux subscription starts on January 1.

January 1–15
The number of active Zlinux endpoints ranges from 400 to 650.
The highest count (650 endpoints) is recorded as the utilization for this interval.

QLUs consumed:
650 × 60 = 39,000 QLUs

January 16–30
The number of active Zlinux endpoints ranges from 600 to 900.
The highest count (900 endpoints) is recorded as the utilization for this interval.

QLUs consumed:
900 × 60 = 54,000 QLUs

 The QLU‑to‑asset ratio shown above is for illustration only. Actual QLU consumption depends on the ratio defined in your Qualys subscription agreement.

What is Counted

QLU usage for Cloud Security Posture Management (CSPM) is based on the total number of Cloud Compute Workloads monitored by CSPM. Cloud Compute Workloads include Virtual Machines and Serverless workloads running across supported cloud platforms, including Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI).

Each Cloud Compute Workload is uniquely identified to ensure accurate tracking and to prevent double-counting. Only Cloud Compute Workloads scanned by CSPM are included in the usage calculation.

What is Not Counted

The following are excluded from CSPM subscription usage:

• Cloud resources not classified as compute workloads (for example, storage, network, IAM, and database resources)
• Cloud Compute Workloads that are not scanned by CSPM
• Decommissioned or deleted workloads that no longer exist in the cloud environment

How Usage is Measured

Usage is measured using a rolling 90‑day lookback period.

For each day, the unique count of Cloud Compute Workloads (Virtual Machines and Serverless workloads) scanned by CSPM across AWS, Azure, GCP, and OCI is recorded. The daily average across the 90‑day rolling period is calculated and used to determine the total weighted asset count for QLU usage.

QLU usage is calculated by applying the QLU‑to‑asset ratio defined in the subscription.

Asset Weighting

• Virtual Machines
  1 asset = 1 Virtual Machine

• Serverless Functions
  1 asset = 100 Serverless Functions

Example (Illustrative Only)

Assume a CSPM subscription is active starting January 1, with workloads deployed across multiple cloud platforms.

January 1–March 31 (90‑day rolling period)

Step 1: Asset Weighting Calculation

Virtual Machines scanned: 1,000
1,000 × 1 = 1,000 assets

Serverless Functions scanned: 2,500
2,500 ÷ 100 = 25 assets

Total weighted assets for the day:
1,000 + 25 = 1,025 weighted assets

Step 2: QLU Usage Calculation

With a 12:1 QLU‑to‑asset ratio, QLU usage is calculated as follows:

1,025 × 12 = 12,300 QLUs

The QLU‑to‑asset ratio shown above is for illustration only. Actual QLU consumption depends on the ratio defined in your Qualys subscription agreement.

What is Counted

QLU usage for Agent‑Based Cloud Workload Protection (CWP Agent‑Based Scan) is based on the total number of unique virtual machines in supported cloud platforms on which Qualys agents are deployed. Assets are normalized and de‑duplicated so that each asset is counted only once.

Eligible assets include:

• Virtual machines (VMs) hosted on AWS, Azure, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI) where Qualys agents are deployed

What is Not Counted

The following are excluded from CWP Agent‑Based Scan subscription usage:

• Assets with no open ports and no reported vulnerabilities.

Customers must enable purge rules to avoid counting inactive, terminated, and unused assets.

How Usage is Measured

Usage is measured based on the following components:

• A – Cloud assets with Qualys agents
  Virtual machines hosted on public cloud platforms with deployed Qualys agents

• B – No‑Finding Assets
  Assets with no open ports and no reported vulnerabilities

The effective asset count for usage calculation is:

Usage = A − B

QLU utilization is evaluated in 15‑day intervals, and for each interval, the highest usage value observed during that period is recorded. QLU usage is calculated by applying the QLU‑to‑asset ratio defined in the subscription (for example, 1.5:1).

Example (Illustrative Only)

Assume a CWP Agent‑Based Scan subscription starts on January 1. During a 15‑day interval:

• Cloud assets with Qualys agents (A): 10,000
• No‑Finding Assets (B): 1,000

Step 1: Calculate effective asset count
10,000 − 1,000 = 9,000 assets

Step 2: Apply the QLU‑to‑asset ratio
9,000 × 1.5 = 13,500 QLUs consumed

The QLU‑to‑asset ratio shown above is for illustration only. Actual QLU consumption depends on the ratio defined in your Qualys subscription agreement.

What is Counted

QLU usage for Cloud Workload Protection (CWP) FlexScan is based on the total number of unique Virtual Machines monitored using agentless scanning. This includes Virtual Machines running in Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI) where API‑based or snapshot‑based scans are enabled.

Each Virtual Machine is uniquely identified to ensure accurate tracking and to prevent double-counting. Only Virtual Machines scanned using CWP FlexScan are included in the usage calculation.

What is Not Counted

The following are excluded from CWP FlexScan subscription usage:

• Virtual Machines that are not scanned using CWP FlexScan

When both agent‑based and agentless scans are performed on the same Virtual Machine, usage is attributed to agentless (FlexScan) scans for licensing purposes.

How Usage is Measured

Usage is measured using a rolling 90‑day lookback period.

For each day, the unique count of Virtual Machines scanned by CWP FlexScan across AWS, Azure, GCP, and OCI is recorded. The daily average of scanned Virtual Machines is calculated over the 90‑day rolling period.

This rolling daily average represents the utilization value used for QLU usage. QLU usage is calculated by applying the QLU‑to‑asset ratio defined in the Qualys subscription agreement.

Example (Illustrative Only)

Assume a CWP FlexScan subscription is active starting January 1, with agentless scans enabled across supported cloud platforms.

January 1–March 31 (90‑day rolling period)
The daily number of Virtual Machines scanned by CWP FlexScan ranges from 800 to 1,000.
The calculated 90‑day rolling daily average is 900 Virtual Machines.

With a 3:1 QLU‑to‑asset ratio, QLU usage is calculated as follows:

900 × 3 = 2,700 QLUs

The QLU‑to‑asset ratio shown above is for illustration purposes only. Actual QLU usage depends on the ratio defined in your Qualys subscription agreement.

What is Counted

QLU usage for Cloud Detection and Response (CDR) is based on the total number of Cloud Compute Workloads protected by CDR. Cloud Compute Workloads include Virtual Machines and Serverless Functions running in Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) where CDR threat scanners are enabled.

Each Cloud Compute Workload is uniquely identified to ensure accurate tracking and to prevent double-counting. Only workloads protected by CDR are included in the usage calculation.

What is Not Counted

The following are excluded from CDR subscription usage:

• Cloud resources not classified as compute workloads.
• Virtual Machines or Serverless Functions not protected by CDR threat scanners.
• Decommissioned or deleted workloads that no longer exist in the cloud environment.

How Usage is Measured

Usage is measured using a rolling 90‑day lookback period.

For each day, the unique count of Cloud Compute Workloads (Virtual Machines and Serverless Functions) protected by CDR across AWS, Azure, and GCP is recorded. The daily average across the 90‑day rolling period is calculated and used to determine the total weighted asset count for QLU usage.

QLU usage is calculated by applying the QLU‑to‑asset ratio defined in the subscription.

Asset Weighting

• Virtual Machines
  1 asset = 1 Virtual Machine

• Serverless Functions
  1 asset = 100 Serverless Functions

Example (Illustrative Only)

Assume a CDR subscription is active starting January 1, with workloads deployed across multiple cloud platforms.

January 1–March 31 (90‑day rolling period)

Step 1: Asset Weighting Calculation

Virtual Machines protected: 1,000
1,000 × 1 = 1,000 assets

Serverless Functions protected: 2,500
2,500 ÷ 100 = 25 assets

Total weighted assets for the day:
1,000 + 25 = 1,025 weighted assets

Step 2: QLU Usage Calculation

With a 12:1 QLU‑to‑asset ratio, QLU usage is calculated as follows:

1,025 × 12 = 12,300 QLUs

The QLU‑to‑asset ratio shown above is for illustration only. Actual QLU consumption depends on the ratio defined in your Qualys subscription agreement.

What is Counted

QLU usage for Container Security is based on the total number of Kubernetes or container nodes protected by container runtime security. Licensing is applied per node, regardless of the number of containers, pods, or namespaces running on the node. There is no limit on the number of containers supported per node.

Each node is uniquely identified to ensure accurate tracking and to prevent double-counting. Only nodes protected by container runtime security are included in the usage calculation.

What is Not Counted

The following are excluded from Container Security subscription usage:

• Individual containers, pods, or namespaces running on a node
• Nodes not protected by container runtime security
• Decommissioned nodes that are no longer active

Node Activity Determination

Nodes are considered active based on regular heartbeat signals.
A node must miss multiple consecutive heartbeats before it is classified as inactive for usage calculations.

How Usage is Measured

Usage is measured using a rolling 90‑day lookback period.

Node utilization is derived from hourly snapshots of active nodes. The daily average node count is calculated from these hourly snapshots. This rolling daily average represents the utilization value used for QLU and supports dynamic environments where nodes are frequently created and destroyed.

QLU usage is calculated by applying the QLU‑to‑asset ratio defined in the Qualys subscription agreement.

Example (Illustrative Only)

Assume Container Security is enabled in a dynamic Kubernetes environment starting January 1.

January 1–March 31 (90‑day rolling period)
The daily number of active nodes ranges from 120 to 180.
The calculated 90‑day rolling daily average is 150 nodes.

With a 45:1 QLU‑to‑asset ratio, QLU usage is calculated as follows:

150 × 45 = 6,750 QLUs

The QLU‑to‑node ratio shown above is for illustration only. Actual QLU consumption depends on the ratio defined in your Qualys subscription agreement.

What is Counted

QLU usage for Container Image Scanning is based on the total number of container image scans performed. This includes initial scans of new images and rescans of existing images, which may occur on a recurring basis (for example, weekly) based on customer configuration and scanning requirements.

Each container image scan is uniquely tracked to ensure accurate usage calculation.

What is Not Counted

The following are excluded from Container Image Scanning subscription usage:

• Duplicate scans of the same image performed at multiple stages of the delivery pipeline (such as CI/CD pipelines and container registries) within the same measurement period
• Images analyzed as part of container runtime security, which are included with container runtime licensing and do not consume separate QLUs

 If the same image is scanned at multiple stages of the pipeline, it is counted only once per occurrence, subject to the de‑duplication rules applied during usage calculation.

How Usage is Measured

Usage is measured using a rolling 90‑day lookback period.

All unique container image scans (including initial scans and rescans) performed during the 90‑day period are aggregated. De‑duplication is applied across the pipeline to ensure that the same image scanned in multiple locations is not double counted.

The total number of recorded image scans during the 90‑day interval represents the QLU utilization value. QLU usage is calculated by applying the QLU‑to‑scan ratio defined in the Qualys subscription agreement.

Example (Illustrative Only)

Assume Container Image Scanning is enabled across CI/CD pipelines and container registries starting January 1.

January 1–March 31 (90‑day rolling period)
A total of 2,400 unique image scans are performed, including new image scans and scheduled rescans.

With a rate of 0.12 QLUs per scan, QLU usage is calculated as follows:

2,400 × 0.12 = 288 QLUs consumed

 The QLU‑per‑scan ratio shown above is for illustration only. Actual QLU consumption depends on the ratio defined in your Qualys subscription agreement.

What is Counted

QLU usage for Serverless Containers is based on the total number of serverless container instances for which node‑level sensors cannot be deployed. Each serverless container instance represents a licensable unit, independent of nodes, to ensure coverage for managed and serverless container platforms.

Only serverless container instances observed through serverless runtime telemetry are included in the usage calculation.

What is Not Counted

The following are excluded from Serverless Containers subscription usage:

• Nodes or containers already counted under container runtime or node‑based licensing.
• Serverless containers not observed or reported through serverless runtime telemetry.

How Usage is Measured

Usage is measured using a rolling 90‑day lookback period, which continuously updates to include the most recent 90 days of observed runtime container instances.

For each day, the unique count of serverless container instances observed is recorded. The daily counts are averaged over the 90‑day period, and this rolling daily average is used to calculate QLU usage.

QLU usage is calculated by applying the QLU‑to‑asset ratio defined in the Qualys subscription agreement (for example, 3:1).

Example (Illustrative Only)

Assume Serverless Containers are active starting January 1 across multiple managed platforms.

January 1–March 31 (90‑day rolling period)
The daily number of observed serverless container instances ranges from 90 to 120.
The calculated 90‑day rolling daily average is 105 container instances.

With a 3:1 QLU‑to‑asset ratio, QLU usage is calculated as follows:

105 × 3 = 315 QLUs consumed

 The QLU‑to‑asset ratio shown above is for illustration only. Actual QLU consumption depends on the ratio defined in your Qualys subscription agreement.

What is Counted

QLU usage for SaaS Security Posture Management (SSPM) is based on the total number of users monitored across supported SaaS applications. Each user is uniquely identified to ensure accurate tracking and to prevent double-counting. Only users actively monitored by SSPM are included in the usage calculation.

What is Not Counted

The following are excluded from SSPM subscription usage:

• Inactive or deactivated user accounts
• User accounts not monitored by SSPM

How Usage is Measured

Usage is measured using a rolling 90‑day lookback period.

For each day, the number of active users monitored by SSPM is recorded. The daily average across the 90‑day rolling period is calculated and used to determine QLU usage.

QLU usage is calculated by applying the QLU‑to‑asset ratio defined in the Qualys subscription agreement.

Example (Illustrative Only)

Assume SSPM monitors multiple SaaS applications with varying user activity.

January 1–March 31 (90‑day rolling period)
The daily number of active users ranges from 4,000 to 4,500.
The calculated 90‑day rolling daily average is 4,250 users.

With a 1.5:1 QLU‑to‑asset ratio, QLU usage is calculated as follows:

4,250 × 1.5 = 6,375 QLUs

 The QLU‑to‑asset ratio shown above is for illustration only. Actual QLU consumption depends on the ratio defined in your Qualys subscription agreement.

What is Counted

QLU usage for TotalAppSec (TAS) is based on the total number of web applications and API endpoints onboarded in TAS. Each web application and API endpoint is uniquely identified to ensure accurate tracking and to prevent double counting. Only web applications and API endpoints onboarded in TAS are included in the usage calculation.

What is Not Counted

The following are excluded from TAS subscription usage:

• Web applications or API endpoints not onboarded in TAS

Web applications and API endpoints that remain configured for testing or are actively scanned in TAS continue to contribute to QLU usage, even when testing frequency is reduced.

How Usage is Measured

Usage is measured based on the number of unique web applications and API endpoints onboarded since the start of the subscription. QLU utilization is evaluated in 15‑day intervals, and for each interval, the highest count of unique applications and API endpoints observed during that period is recorded as the utilization value. This approach accounts for natural fluctuations in testing activity while ensuring licensing reflects peak usage.

QLU usage is calculated using predefined asset weightings, and the total weighted asset count is multiplied by the QLU‑to‑asset ratio defined in the subscription.

Asset Weighting

• Web Applications
  1 asset = 1 Web Application

• API Endpoints
  1 asset = 10 API Endpoints
  (Each API endpoint represents 1/10 of an asset for QLU calculation purposes.)

Example (Illustrative Only)

Assume a TAS subscription starts on January 1. All eligible web applications and API endpoints onboarded from that date onward are considered for usage calculation.

With a 45:1 QLU‑to‑asset ratio, QLU usage is calculated as follows:

January 1–15
Peak usage during the interval includes 85 web applications and 200 API endpoints.

Asset equivalents:

• Web applications: 85 assets
• API endpoints: 200 ÷ 10 = 20 asset equivalents

Total asset equivalents:
85 + 20 = 105 assets

QLUs consumed:
105 × 45 = 4,725 QLUs

January 16–30
Peak usage during the interval includes 95 web applications and 250 API endpoints.

Asset equivalents:

• Web applications: 95 assets
• API endpoints: 250 ÷ 10 = 25 asset equivalents

Total asset equivalents:
95 + 25 = 120 assets

QLUs consumed:
120 × 45 = 5,400 QLUs

The QLU‑to‑asset ratio shown above is for illustration only. Actual QLU consumption depends on the ratio defined in your Qualys subscription agreement.

 Available for Fed High subscriptions only.

What is Counted

QLU usage for Web Application Security (WAS) is based on the total number of web applications configured and active for scanning within the WAS module. Each web application is uniquely identified to ensure accurate tracking and to prevent double counting. Only web applications configured for scanning in WAS are included in the usage calculation.

What is Not Counted

The following are excluded from WAS subscription usage:

• Web applications not onboarded or not configured for scanning in WAS
• Decommissioned applications that have been removed from the WAS configuration

Web applications that remain configured for scanning in WAS continue to contribute to QLU usage, even if scans are paused or executed infrequently.

How Usage is Measured

Usage is measured based on the number of web applications configured or active for scanning since the start of the subscription. QLU utilization is evaluated in 15‑day intervals, and for each interval, the highest application count observed during that period is recorded as the utilization value. This approach accounts for natural fluctuations in application configuration while ensuring licensing reflects peak usage.

QLU usage is calculated by applying the QLU‑to‑asset ratio defined in the subscription.

Example (Illustrative Only)

Assume a WAS subscription starts on January 1. All eligible web applications configured from that date onward are considered for QLU calculation.

With a 45:1 QLU‑to‑asset ratio, QLU usage is calculated as follows:

January 1–15
The number of configured web applications ranges from 70 to 85.
The highest count (85 applications) is recorded as the utilization for this interval.

QLUs consumed:
85 × 45 = 3,825 QLUs

January 16–30
The number of configured web applications ranges from 80 to 95.
The highest count (95 applications) is recorded as the utilization for this interval.

QLUs consumed:
95 × 45 = 4,275 QLUs

The QLU‑to‑asset ratio shown above is for illustration only. Actual QLU consumption depends on the ratio defined in your Qualys subscription agreement.

What is Counted

QLU usage for Policy Audit (PA) is based on the total number of unique assets assessed by PA. Assets identified through Qualys on‑premises agents and Qualys scanners are combined, normalized, and de‑duplicated so that each asset is counted only once when correlation is possible.

De‑duplication depends on the availability of asset identifiers. In certain network configurations (for example, devices with multiple IP addresses), correlation may not be feasible, and such assets may be recognized as separate instances.

Eligible assets include, without limitation:

• Physical servers
• Virtual machines
• Cloud compute instances
• Desktops or laptops
• Container hosts
• Any other device or system assigned a unique hostname, IP address, Agent ID, instance ID, or other unique identifier

An asset scanned by both a Scanner Appliance and a Cloud Agent is counted as one asset, provided it represents the same uniquely identifiable asset.

Assets are counted based on unique system identifiers as determined by the Qualys platform. Any asset that is scanned, assessed, or reported during the subscription term contributes to QLU usage, regardless of scan frequency.

What is Not Counted

The following are excluded from PA subscription usage:

• No‑Finding Assets, defined as assets with no open ports and no reported vulnerabilities
• Decommissioned assets, including inactive, terminated, or unused assets, only when purge rules are enabled

Customers must enable purge rules to avoid counting inactive, terminated, and unused assets toward QLU usage.

How Usage is Measured

Usage is measured using the following components:

A – On‑Premises Agent and Scanner‑Discovered Assets

A represents the total number of unique assets identified through on‑premises agents and network‑based scanning, calculated as:

A = A1 + A2

• A1 – All‑Time On‑Premises Agents
  All unique assets that have had a Qualys Agent installed and have reported to the Qualys platform at any time during the subscription term. Each asset is counted once based on Agent ID, regardless of current status.

• A2 – Scanner‑Discovered Assets (Non‑Agent Based)
  All unique assets identified through network‑ or cloud‑based scanning methods, excluding assets already counted under A1. This includes assets discovered through IP‑based discovery, DNS resolution, NetBIOS discovery, cloud instance discovery, and authenticated or unauthenticated vulnerability scans.

B – Cloud Service Provider Assets

B represents all unique assets identified through Cloud Service Provider (CSP) integrations, including AWS, Microsoft Azure, Google Cloud Platform, OCI, and Alibaba. Each cloud resource is counted once per unique instance ID or cloud‑native identifier. Assets discovered during the subscription term are included even if later terminated or deleted.

C – Ghost Assets

C represents assets with no open ports and no reported vulnerabilities that result from transient scan artifacts, IP reuse, or incomplete metadata correlation. These assets are deducted from total QLU usage. Ghost asset classification is determined by Qualys platform reconciliation rules.

QLU usage is calculated as:

QLU Consumed = (A + B − C) × QLU ratio

QLU utilization is evaluated in 15‑day intervals, and for each interval, the highest usage value observed is recorded. The applicable QLU‑to‑asset ratio defined in the subscription (for example, 1.87:1) is applied to calculate consumption.

Example (Illustrative Only)

Assume a PA subscription starts on January 1. During a 15‑day interval:

• On‑premises and scanner‑discovered assets (A): 6,000
• Cloud assets discovered through CSP integrations (B): 2,000
• No‑Finding (Ghost) Assets (C): 1,000

Step 1: Calculate effective asset count
6,000 + 2,000 − 1,000 = 7,000 assets

Step 2: Apply the QLU‑to‑asset ratio
7,000 × 1.87 = 13,090 QLUs consumed

 The QLU‑to‑asset ratio shown above is for illustration only. Actual QLU consumption depends on the ratio defined in your Qualys subscription agreement.

What is Counted

QLU usage for Audit Fix (PAF) is based on the total number of agents activated for PAF. Each activated agent is uniquely identified and counted once to ensure accurate tracking and to prevent double-counting. Only agents activated for Audit Fix are included in the usage calculation.

What is Not Counted

The following are excluded from PAF subscription usage:

• Decommissioned agents
• Inactive agents

How Usage is Measured

Usage is measured based on the number of activated agents detected since the start of the subscription. QLU utilization is evaluated in 15‑day intervals, and for each interval, the highest agent count observed during that period is recorded as the utilization value. This approach accounts for natural fluctuations in agent activation while ensuring licensing reflects peak usage.

QLU usage is calculated by applying the QLU‑to‑asset ratio defined in the subscription.

Example (Illustrative Only)

Assume an Audit Fix (PAF) subscription starts on January 1. All eligible agents activated from that date onward are considered for usage calculation.

With a 0.95:1 QLU‑to‑asset ratio, QLU usage is calculated as follows:

January 1–15
The number of activated agents ranges from 2,400 to 2,650.
The highest count (2,650 agents) is recorded as the utilization for this interval.

QLUs consumed:
2,650 × 0.95 = 2,518 QLUs

January 16–30
The number of activated agents ranges from 2,600 to 2,900.
The highest count (2,900 agents) is recorded as the utilization for this interval.

QLUs consumed:
2,900 × 0.95 = 2,755 QLUs

The QLU‑to‑asset ratio shown above is for illustration only. Actual QLU consumption depends on the ratio defined in your Qualys subscription agreement.

What is Counted

QLU usage for File Integrity Monitoring (FIM) is based on the total number of unique assets with FIM enabled. Eligible assets include:

• Agent‑based assets with FIM enabled
• Container runtime sensors that have sent FIM events within the last 30 days
• Scanner‑based assets that have sent FIM events within the last 30 days

Each asset is uniquely identified to ensure accurate tracking and to prevent double-counting. Only assets that meet the event‑reporting criteria are included in the usage calculation.

What is Not Counted

The following are excluded from FIM subscription usage:

• Assets for which FIM is not enabled
• Container or scanner‑based assets that have not sent FIM events in the last 30 days
• Decommissioned assets that have been removed from the platform

Assets that remain enabled for FIM and continue to send events within the defined time window contribute to QLU usage.

How Usage is Measured

Usage is measured based on the number of unique FIM‑enabled assets detected since the start of the subscription. QLU utilization is evaluated in 15‑day intervals, and for each interval, the highest asset count observed during that period is recorded as the utilization value. This approach accounts for natural fluctuations in asset activity while ensuring licensing reflects peak usage.

QLU usage is calculated by applying the QLU‑to‑asset ratio defined in the subscription.

Example (Illustrative Only)

Assume a FIM subscription starts on January 1. All eligible assets detected from that date onward are considered for usage calculation.

With an 18:1 QLU‑to‑asset ratio, QLU usage is calculated as follows:

January 1–15
The number of unique FIM‑enabled assets ranges from 1,100 to 1,250.
The highest count (1,250 assets) is recorded as the utilization for this interval.

QLUs consumed:
1,250 × 18 = 22,500 QLUs

January 16–30
The number of FIM‑enabled assets ranges from 1,200 to 1,350.
The highest count (1,350 assets) is recorded as the utilization for this interval.

QLUs consumed:
1,350 × 18 = 24,300 QLUs

The QLU‑to‑asset ratio shown above is for illustration only. Actual QLU consumption depends on the ratio defined in your Qualys subscription agreement.

What is Counted

QLU usage for PCI Compliance (PCI) is based on the total number of IP addresses and DNS entries scanned to meet PCI compliance requirements. Each IP address or DNS entry is uniquely identified and counted once to ensure accurate tracking and to prevent double counting. Only IP addresses and DNS entries configured for PCI scanning are included in the usage calculation.

What is Not Counted

The following are excluded from PCI subscription usage:

• IP addresses or DNS entries not scanned for PCI compliance
• Decommissioned or inactive IP addresses or DNS entries

IP addresses and DNS entries that remain configured for PCI scanning continue to contribute to QLU usage, even if scans are temporarily paused.

How Usage is Measured

Usage is measured based on the number of IP addresses and DNS entries scanned since the start of the subscription. QLU utilization is evaluated in 15‑day intervals, and for each interval, the highest count observed during that period is recorded as the utilization value. This approach accounts for natural fluctuations in scanning scope while ensuring licensing reflects peak usage.

QLU usage is calculated by applying the QLU‑to‑asset ratio defined in the subscription.

Example (Illustrative Only)

Assume a PCI subscription starts on January 1. All eligible IP addresses and DNS entries detected from that date onward are included in the usage calculation.

With a 1.5:1 QLU‑to‑asset ratio, QLU usage is calculated as follows:

January 1–15
The number of scanned IP addresses and DNS entries ranges from 1,200 to 1,350.
The highest count (1,350 assets) is recorded as the utilization for this interval.

QLUs consumed:
1,350 × 1.5 = 2,025 QLUs

January 16–30
The number of scanned IP addresses and DNS entries ranges from 1,300 to 1,500.
The highest count (1,500 assets) is recorded as the utilization for this interval.

QLUs consumed:
1,500 × 1.5 = 2,250 QLUs

The QLU‑to‑asset ratio shown above is for illustration only. Actual QLU consumption depends on the ratio defined in your Qualys subscription agreement.

Available for Fed High subscriptions only.

What is Counted

QLU usage for Patch Management (PM) is based on the total number of agents activated for any of the following features:

• Patch Management (PM)
• Isolation (ISL)
• Mitigation (MTG)

Each activated agent is uniquely identified and counted once to ensure accurate tracking and to prevent double counting. Only agents activated for PM, ISL, or MTG are included in the usage calculation.

What is Not Counted

The following are excluded from PM subscription usage:

• Agents not activated for PM, ISL, or MTG
• Decommissioned or inactive agents

Agents that remain activated continue to contribute to QLU usage, even when idle or temporarily not performing tasks.

How Usage is Measured

Usage is measured based on the number of activated agents detected since the start of the subscription. QLU utilization is evaluated in 15‑day intervals, and for each interval, the highest agent count observed during that period is recorded as the utilization value. This approach accounts for natural fluctuations in agent activation while ensuring licensing reflects peak usage.

QLU usage is calculated by applying the QLU‑to‑asset ratio defined in the subscription.

Example (Illustrative Only)

Assume a Patch Management (PM) subscription starts on January 1. All eligible agents activated from that date onward are considered for usage calculation.

With a 2.85:1 QLU‑to‑asset ratio, QLU usage is calculated as follows:

January 1–15
The number of activated agents ranges from 2,400 to 2,650.
The highest count (2,650 agents) is recorded as the utilization for this interval.

QLUs consumed:
2,650 × 2.85 = 7,553 QLUs

January 16–30
The number of activated agents ranges from 2,600 to 2,900.
The highest count (2,900 agents) is recorded as the utilization for this interval.

QLUs consumed:
2,900 × 2.85 = 8,265 QLUs

The QLU‑to‑asset ratio shown above is for illustration only. Actual QLU consumption depends on the ratio defined in your Qualys subscription agreement.

What is Counted

QLU usage for TruRisk Eliminate (ELIM) is based on the highest asset count observed across the following modules:

• Patch Management (PM)
• Isolation (ISL)
• Mitigation (MTG)

Each asset is counted once, based on its presence in any of these modules, to ensure accurate tracking and to prevent double counting.

What is Not Counted

The following are excluded from ELIM subscription usage:

• Assets not managed by PM, ISL, or MTG
• Decommissioned or inactive assets

Assets that remain managed in any of the three modules continue to contribute to QLU usage.

How Usage is Measured

Usage is measured based on the number of assets managed across PM, ISL, and MTG since the start of the subscription. QLU utilization is evaluated in 15‑day intervals, and for each interval, the highest asset count observed across the three modules is recorded as the utilization value. This approach accounts for natural fluctuations in asset counts while ensuring licensing reflects peak usage.

QLU usage is calculated by applying the QLU‑to‑asset ratio defined in the subscription. In this illustrative case, a 5.7:1 QLU‑to‑asset ratio means each qualifying asset consumes 5.7 QLUs.

Example (Illustrative Only)

With a 5.7:1 QLU‑to‑asset ratio, QLU usage is calculated as follows:

January 1–15
The highest asset count across PM, ISL, or MTG ranges from 2,000 to 2,200.
The highest count (2,200 assets) is recorded as the utilization for this interval.

QLUs consumed:
2,200 × 5.7 = 12,540 QLUs

January 16–30
The highest asset count ranges from 2,100 to 2,400.
The highest count (2,400 assets) is recorded as the utilization for this interval.

QLUs consumed:
2,400 × 5.7 = 13,680 QLUs

The QLU‑to‑asset ratio shown above is for illustration only. Actual QLU consumption depends on the ratio defined in your Qualys subscription agreement.