What is Qualys TruRisk™
Security teams face an overwhelming volume of vulnerabilities, most of which pose minimal real-world risk. CVSS/EPSS scores alone provide insufficient context for prioritization, as they focus on technical severity without considering exploitability or business impact.
Qualys TruRisk addresses these issues by incorporating enterprise business context, including asset criticality, network segmentation, and threat intelligence, to accurately identify high-risk vulnerabilities on your most critical assets. This business context transforms how risk is assessed and prioritized.
For instance, consider assets with identical vulnerabilities in production and non-production environments. The same vulnerabilities receive dramatically different risk prioritization based on business context, ensuring security teams focus on what truly matters to the organization.
Environment | ACS | TruRisk Score | Business Impact |
Production | 5 (mission-critical) | 800-900 (on a scale of 0-1000, where higher scores indicate greater risk) | High - Direct impact on business operations |
Non-Production | 2 (low-medium) | 200-400 | Low - Minimal impact on business operations |
Organizations must quantify risk in business terms, bridging the gap between technical teams and decision-makers to drive accountability and strategic action.
To begin this process, organizations must answer two pivotal questions:
- What is the organization's risk tolerance?
- Which assets are most critical, and what are the repercussions if they are compromised?
The TruRisk Approach with Qualys VMDR
TruRisk prioritizes vulnerabilities, assets, and groups of assets based on actual organizational risk rather than technical severity alone. The system leverages 25+ sources of threat intelligence to measure exploitation likelihood through two key components:
- Qualys Vulnerability Score (QVS) - Assesses exploitation probability using comprehensive threat intelligence from 25+ sources.
- Qualys Detection Score (QDS) - Evaluates detection and response capabilities.
This approach automatically aggregates threat intelligence data and continuously updates risk scoring based on environmental context. Organizations can prioritize vulnerabilities by actual risk exposure rather than generic CVSS scores, enabling efficient resource allocation and targeted remediation of environment-specific threats.
TruRisk Data Sources and Threat Intelligence
TruRisk operates on an extensive threat intelligence foundation covering:
- 190,000+ CVEs with comprehensive vulnerability data.
- 25+ unique threat and exploit sources.
This comprehensive data enables TruRisk to identify vulnerabilities that are actively exploited, used in malware/ransomware/threat campaigns, and part of emerging threat trends. This contextual intelligence supports informed decision-making, reduces alert fatigue, and prioritizes remediation of genuine vulnerabilities.
New to TruRisk?
Before diving deep, explore the TruRisk Fundamentals to understand: