TruRisk™ Quick Start

These five steps align with the core methodology of the TruRisk™ model and help you systematically measure, prioritize, and reduce cyber risk.

Step 1: Define Risk Tolerance and Asset Value

Begin by understanding your organization’s risk appetite and the business value of each asset. Ask:

  • What level of risk is acceptable to the business?
  • How critical is each asset to operations?
  • What is the potential impact if a high-value asset is compromised?

Classify assets based on business importance. This enables Qualys TruRisk™ to apply meaningful context to every vulnerability, instead of treating all systems equally.

Step 2: Build an Accurate Asset Inventory

Get full visibility of your asset inventory. With Qualys TruRisk™, you can:

  • Discover and track all assets across your environment.
  • Collect metadata such as asset type, owner, location, and business function.
  • Map vulnerabilities to assets using internal data and external threat intelligence.

Step 3: Tag Assets and Assign Impact Scores

Business impact is a crucial part of risk prioritization. Many organizations already define asset importance in their Business Continuity or Disaster Recovery plans, but rarely translate that into effective security controls.

Assign an Asset Criticality Score (ACS) to each asset based on:

  • Confidentiality: How sensitive is the data?
  • Integrity: What happens if it’s modified or corrupted?
  • Availability: What’s the impact if it goes offline?

Start with your “crown jewels” (e.g., production databases, payment systems) and assign them the highest criticality. Then tier the remaining assets into medium and low impact.

This approach combines technical exposure (the Qualys Detection Score, QDS) with business impact (ACS), giving you a true picture of where remediation creates the greatest risk reduction.

Step 4: Prioritize Using Real Risk Signals

Prioritization must go beyond counting vulnerabilities. It requires understanding both the likelihood of exploitation and the business impact.

Qualys TruRisk™ calculates risk using this formula:
Risk = Likelihood × Impact

  • Likelihood is calculated using TruRisk™’s scoring engine (similar to QDS), which evaluates exploitability, threat intelligence, and live attacker activity.
  • Impact comes from your asset criticality scores (ACS).

This dynamic scoring model helps you remediate the risks that truly matter first and not just the highest CVSS scores. As environments and threats evolve, you can continuously validate and adjust your risk strategy.
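The following is an added illustration (not Qualys code) of the Step 3 tiering and the Step 4 formula Risk = Likelihood × Impact. It assumes a simplified ACS tier mapping (crown jewel 5, medium 3, low 1) and a 0-100 likelihood standing in for the QDS-style score; the real scales and normalization are not given on this page. The constructed sample shows why the TruRisk ordering differs from a CVSS-only ordering.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed ACS tiers for the three asset classes described in Step 3
# (the actual ACS scale and Qualys' normalization are not given on this page).
ACS_TIERS = {"crown_jewel": 5, "medium": 3, "low": 1}


@dataclass
class Detection:
    asset: str
    tier: str        # crown_jewel | medium | low (assigned in Step 3)
    qid: str         # constructed detection identifier
    likelihood: int  # 0-100, stands in for the QDS-style likelihood score
    cvss: float      # CVSS base score, kept only for comparison


def asset_criticality(tier: str) -> int:
    """Map the business tier from Step 3 to an Asset Criticality Score."""
    return ACS_TIERS[tier]


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood x Impact, the formula stated in Step 4."""
    return likelihood * impact


def prioritize(detections: list[Detection]) -> list[tuple[str, str, int]]:
    """Rank detections by TruRisk-style score, highest risk first."""
    scored = [(d.asset, d.qid, risk_score(d.likelihood, asset_criticality(d.tier)))
              for d in detections]
    return sorted(scored, key=lambda row: row[2], reverse=True)


def cvss_order(detections: list[Detection]) -> list[str]:
    """The ordering a CVSS-only approach would produce, for contrast."""
    return [d.qid for d in sorted(detections, key=lambda d: d.cvss, reverse=True)]


# Constructed sample detections: a critical CVSS finding on a low-value test box
# versus a moderate finding on a payment database.
SAMPLE = [
    Detection("pay-db-01", "crown_jewel", "QID-A", likelihood=70, cvss=7.5),
    Detection("dev-test-04", "low", "QID-B", likelihood=95, cvss=9.8),
    Detection("hr-web-02", "medium", "QID-C", likelihood=60, cvss=8.1),
    Detection("kiosk-17", "low", "QID-D", likelihood=20, cvss=9.0),
]

if __name__ == "__main__":
    print("TruRisk order:", [q for _, q, _ in prioritize(SAMPLE)])
    print("CVSS-only order:", cvss_order(SAMPLE))
```

With this sample the payment database finding (risk 350) leads the TruRisk list while the CVSS 9.8 finding on the test host drops to third (risk 95).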

Step 5: Track Progress and Show Risk Reduction

Identifying and prioritizing vulnerabilities is only half the job; proving measurable risk reduction is just as important.

Qualys TruRisk™ provides multiple ways to track improvements and communicate results:

  1. Prioritize with Risk Modes
    • TruRisk™ Mode: Automatically prioritize remediation based on TruRisk™’s risk scoring (likelihood × impact).
    • Custom Mode: Build your own prioritization strategy using threat indicators, detection age, and asset context.
  2. Patch and Remediate Efficiently
    Shift to a patch-prioritized view to streamline actions. Focus on fixes that directly reduce high-risk exposures. If you're using Patch Management, you can launch remediation jobs directly from its UI.
  3. Use MITRE ATT&CK for Contextual Risk
    Leverage the MITRE ATT&CK Matrix framework to understand which techniques are most relevant to your environment. Prioritize vulnerabilities tied to known attacker behaviors.
  4. Monitor with the Steps to TruRisk™ Dashboard
    • No setup required; import and start tracking.
    • View trends for vulnerabilities, CISA KEV exposure, and CVSS vs. TruRisk™ scores.
    • Get real-time updates as new assets check in and risk scores change.
    • Track risk posture and business impact over time.