What's New in TotalAppSec
This topic gives you an overview of the latest TotalAppSec releases. For details, refer to the TotalAppSec Release Notes.
TotalAppSec 2.7 | Web Application Scanning 1.27
TotalAppSec
The API Compliance tab in the Application Details window is renamed to OpenAPI Compliance, and the scan hover-over text in the Scan List screen is updated from API Compliance to Compliance Scan for consistency with OpenAPI specifications.
TotalAppSec and Web Application Scanning
- The Knowledge Base now displays Qualys Detection Score (QDS) information in a new QDS Details tab within the View KnowledgeBase Entry window, for QIDs associated with vulnerabilities and sensitive content.
- A new finding.reason QQL token is available in the Detections, Web Applications, and APIs tabs, allowing you to filter findings by why a finding was detected, not detected, or not tested; for example, when authentication failed, a URL was not found, or the scan time limit was reached.
- A new scan.progressionNumber QQL token is available in the Scan List tab, allowing you to filter scans by progression count using comparison operators (>, <, >=, <=) to identify scans running longer than expected.
- The Status column in the Scan List tab now displays scan duration in minutes for scans under one hour, and in hours and minutes for longer scans; for example, 1 hr 20 min.
- Ignored findings are now reported to Enterprise TruRisk™ Management (ETM) for more accurate TruRisk™ score calculation. Requires ETM version 1.7.0 or later.
TotalAppSec 2.7 | Web Application Scanning 1.27 Release Notes
TotalAppSec 2.6 | Web Application Scanning 1.26
TotalAppSec
- Google Apigee API Discovery Connector: TotalAppSec now supports API discovery via GCP API Connectors, enabling discovery of Swagger files and all endpoints exposed in your GCP environment. Discovered APIs can be added to your subscription and scanned for vulnerabilities.
- Kong Gateway API Discovery Connector: TotalAppSec now supports API discovery using Kong Gateway connectors, allowing discovery of Swagger files and all endpoints from Kong Gateway instances to expand API visibility and strengthen your security posture.
- Renamed API Connectors for Clarity: API Connectors have been renamed to follow a standardized naming convention — Azure API Connector is now Azure API Management API Discovery Connector, MuleSoft API Connector is now MuleSoft API Discovery Connector, and AWS API Connector is now AWS API Gateway API Discovery Connector.
TotalAppSec and Web Application Scanning
- Enhanced Mean Time to Remediate (MTTR) Widget: The Average option in the Function Type section is now always available when building dashboard widgets, regardless of the data source selected. This enables you to display the MTTR widget on the TotalAppSec dashboard for better remediation tracking and prioritization.
- Limited Visibility of WAF Features: WAF-related UI options and QQL tokens are now shown only when the WAF module is enabled and the user has the required permissions, reducing confusion and surfacing only relevant actions per user role.
- Enhanced Progressive Scan Behavior: Progressive scans now evaluate whether QID 150497 was reported in the previous scan. If it was, the scan resets and treats itself as the first in a new progression cycle; if not, progression continues from the previous scan state as before.
TotalAppSec 2.6 | Web Application Scanning 1.26 Release Notes
TotalAppSec 2.5 | Web Application Scanning 1.25
TotalAppSec
- The Client Secret field in OAuth2 authentication records is now masked during creation and editing to protect sensitive credentials. This enhancement ensures secure handling of confidential data and applies to both new records and updates to existing authentication records.
- The MuleSoft API Connector now supports RESTful API Modeling Language (RAML) files alongside OpenAPI, expanding API discovery for MuleSoft-standard specifications.
TotalAppSec and Web Application Scanning
The Header Injection guidance has been updated to clarify the correct header format, caution against including sensitive headers, and direct users to configure masked headers under Authentication Record > Headers.
TotalAppSec 2.5 | Web Application Scanning 1.25 Release Notes
TotalAppSec 2.4 | Web Application Scanning 1.24
TotalAppSec
- Enhanced Discovery of Web Applications and APIs: Discovery and vulnerability scans now identify potential web applications and APIs within existing web assets. You can add the discovered web applications and APIs to your subscription and scan for vulnerabilities and compliance.
- End-to-End Logging for Connector Activities: Comprehensive logs for TAS connector activities (MuleSoft, Azure, and so on) are now available in the Connector > Logs tab, providing deeper insights for advanced analysis and troubleshooting.
TotalAppSec and Web Application Scanning
- New Scan Settings in the Additional Configurations for Web Application: You can now configure key scan parameters directly in the create or edit web application or API workflow under the Additional Configurations, including authentication retries, session checks, crawling behavior, browser settings, and scan time optimization—providing greater flexibility and control.
- Debug Scan Option: A new Debug Scan checkbox is available in vulnerability scan settings, allowing you to collect detailed logs for troubleshooting scan issues.
TotalAppSec 2.4 | Web Application Scanning 1.24 Release Notes
TotalAppSec 2.3 | Web Application Scanning 1.23
TotalAppSec
Qualys Container Security now supports,
- AI-Powered Scan Optimization: This new option uses AI to intelligently streamline vulnerability scans by removing redundant checks and focusing on the most relevant detections. It significantly improves scan speed and efficiency while maintaining accuracy. Available in both vulnerability scan and schedule workflows; contact your Technical Account Manager (TAM) to enable.
- Scan List Tab Enhancements: New Coverage and Findings columns are added to the Scan List to show QID counts, links tested, and findings.
- Discover APIs Using AWS API Connectors: TotalAppSec enables discovery of Swagger files and endpoints in AWS environments via AWS API Connectors, enhancing API discovery and scanning coverage.
- TotalAppSec Trial Expiration: The TotalAppSec trial now lasts one month, after which TAS features are disabled; existing WAS customers on a TAS trial will retain access to WAS features only.
TotalAppSec and Web Application Scanning
- License Consumption Data on Account Info Page: Displays the count of web applications, API endpoints, and the percentage of license consumption in the Account Information page for better usage visibility.
- Configure Columns for Detection Datalist Reports: Allows users to select which columns to include when downloading detection datalist reports, with a limit of 14 columns for non-CSV formats.
- Create Distribution Groups in Report Schedule: Adds support for building distribution groups and selecting them as recipients when scheduling reports, so generated reports are automatically emailed to group members.
- Customize Datalist Report Names: Lets users define a custom name for datalist reports before download (instead of auto-generated names), applicable across all tabs.
- Implementation of QQL Token Standardization: Qualys has introduced standardized QQL token naming across applications using the new <entity>.<attribute> format, improving consistency, search usability, backward compatibility, and cross-application interoperability.
TotalAppSec 2.3 | Web Application Scanning 1.23 Release Notes
TotalAppSec 2.2 | Web Application Scanning 1.22
TotalAppSec
- Customize Advanced Filters for Enhanced Search: Advanced filters now support operators that let you build precise and complex search queries without manually typing QQL tokens. You can refine searches using text-based operators such as contains, exact, starts with, and ends with, or numeric operators like equals, greater than, and less than. This enhancement helps you quickly narrow results—for example, finding applications with names containing specific text or locating assets with a TruRisk™ Score above a given threshold.
- Persistent QQL Searches Across Tabs: QQL search results now remain active when you navigate between different tabs — you no longer need to re-enter your query after switching context.
- Custom Header Support for OAuth 2.0: When creating or editing OAuth 2 authentication records, you can now specify a custom header for access-token and refresh-token requests, enabling better integration with external identity providers.
TotalAppSec 2.2 | Web Application Scanning 1.22 Release Notes
Previous Release Notes
For the previous release notes, which were published in PDF format, refer to the Release Notes page.