Qualys ETM Enhancements Part 1 – From QDS to QVSS to Fix the Most Persistent Flaw in Vulnerability Severity
“Severity scores don’t fail because they’re wrong. They fail because they’re incomplete.”
One problem repeats itself with remarkable consistency in cybersecurity: teams don’t struggle to find vulnerabilities; they struggle to agree on which ones matter.
For years, security programs leaned on CVSS as the lingua franca of severity. It was universal, familiar, and mathematically neat. It was also blind to reality. Exploitability, threat activity, attacker interest, and environmental relevance were always bolted on after the fact, usually through spreadsheets, gut instinct, or endless risk review meetings.
Qualys has long treated severity as more than a static score. Qualys Detection Score (QDS) brought a practical, threat-informed lens to vulnerability prioritization, enabling teams to focus on what’s most likely to matter in the real world. QDS is widely used across the Qualys platform and remains a core, proven scoring construct.
Now, Enterprise TruRisk Management (ETM) introduces a complementary enhancement: QVSS (Qualys Vulnerability Scoring System), a CVSS-like 0.0–10.0 scale that preserves the QDS logic while expressing severity in a format that’s instantly familiar across security, IT, and leadership audiences. This is best understood as an evolution in how severity is expressed, not a change in what Qualys knows about the threat.
What is QVSS?
- QVSS (Qualys Vulnerability Scoring System) is Qualys ETM’s scoring framework for assessing the severity of security exposures, including vulnerabilities and misconfigurations.
- It runs on a CVSS-like 0.0–10.0 scale designed to be intuitive, benchmarkable, and aligned with industry severity thinking.
- It preserves QDS threat intelligence logic while expressing severity in a familiar format.
- It is CVSS-readable but not CVSS-limited, and fully compatible with existing QDS workflows.
In simple terms: QVSS = QDS intelligence expressed in a language the industry already understands.
Why QVSS Matters for Day-to-Day Operations
Most organizations already anchor policy, SLAs, and reporting language around 0–10 severity bands. QVSS makes it easier to:
- Compare severity across teams and workflows using a common scale
- Communicate risk and urgency without converting between formats
- Standardize thresholds for prioritization, reporting, and governance
QVSS combines Qualys threat intelligence (TruLens and RTIs) with a CVSS-like scale while preserving QDS logic, keeping everything that made QDS powerful while making it easier to operationalize.
Severity bands (QVSS criticality)
- 0.0: None
- 0.1–3.9: Low
- 4.0–6.9: Medium
- 7.0–8.9: High
- 9.0–10.0: Critical


How QVSS Works Inside ETM
QVSS is built on a two-layer model that aligns well with how risk really behaves: there’s the global threat reality, and then there’s your environment.
1) QVSS Base: Threat-Informed Global Severity
QVSS Base reflects the intrinsic severity of an issue using a combination of technical and threat context signals. Qualys specifically positions QVSS as bringing together TruLens and Real-Time Threat Indicators (RTIs) with a CVSS-like scale.
In practice, the QVSS inputs may incorporate signals such as exploit and campaign context, including RTI-based intelligence for vulnerabilities that are exploited, weaponized, or tied to active attack activity. This represents the intrinsic risk of a vulnerability or a misconfiguration, independent of your environment.
It factors in:
- CVSS attributes (attack vector, complexity, privileges, impact)
- Exploit availability (PoC, weaponized exploit)
- Evidence of active exploitation
- CISA KEV inclusion
- Ransomware and malware associations
- Threat actor usage
- Dark web chatter and trending velocity
- EPSS likelihood signals
This answers: “Is this issue dangerous in the real world right now?”

2) QVSS Environmental: Environment-Specific Risk Context
ETM can adjust scoring using environmental context, so the same vulnerability can be scored differently depending on exposure, asset importance, and mitigations/controls. This is where operational reality comes into play: what is reachable, what is critical, and what is already constrained by compensating controls.
The base score is adjusted using:
- Access/attack complexity
- Industry-specific threat targeting
- Compensating controls (WAFs, segmentation, EDR, mitigations, virtual patching)
- Explicitly defined risk factors and controls
This answers the question: “Is this issue dangerous to us?”
Most tools stop at the first question. That’s why they drown teams in “critical” findings.
QVSS retains the industry-standard severity bands even as scores change over time:
- 0.0–3.9: Low
- 4.0–6.9: Medium
- 7.0–8.9: High
- 9.0–10.0: Critical
But unlike static CVSS:
- A “medium” can escalate to critical when exploitation is real.
- A “high” can drop when threat evidence is absent and controls are strong.
- Scores move as threats evolve, not once a year.
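The two-layer model described in sections 1) and 2), shown as an added example that is not Qualys code: a threat-informed base score, an environmental adjustment, and the page's 0.0–10.0 criticality bands. The adjustment weights, the `Finding` fields and the sample findings are hypothetical stand-ins chosen to reproduce the two movements the text describes (a medium escalating to critical under real exploitation, a high dropping when threat evidence is absent and controls are strong).

```python
"""Illustration of the two-layer QVSS idea: base severity, an environmental
adjustment, and the page's criticality bands. The weights below are a
hypothetical stand-in, not Qualys's algorithm; findings are constructed."""
from dataclasses import dataclass


@dataclass
class Finding:
    finding_id: str                    # constructed label, not a real Qualys QID
    base: float                        # QVSS Base: global, threat-informed severity
    active_exploitation: bool = False  # e.g. CISA KEV listing or observed in-the-wild use
    internet_exposed: bool = True      # reachability of the asset in your environment
    controls: tuple = ()               # compensating controls, e.g. ("WAF", "EDR")


def band(score: float) -> str:
    """Map a 0.0-10.0 score to the QVSS criticality bands listed on the page."""
    if score == 0.0:
        return "None"
    for upper, name in ((3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= upper:
            return name
    return "Critical"


def environmental(f: Finding) -> float:
    """Hypothetical environmental layer: raise the base when exploitation is real and
    the asset is reachable; lower it when threat evidence is absent and controls exist."""
    s = f.base
    if f.active_exploitation:
        s += 2.5 if f.internet_exposed else 1.0
    else:
        s -= 0.8 * len(f.controls)     # each compensating control buys down severity
        if not f.internet_exposed:
            s -= 1.0
    return round(min(10.0, max(0.0, s)), 1)   # clamp to the 0.0-10.0 scale


def prioritize(findings, sla_threshold: float = 7.0):
    """Score both layers, sort highest environmental score first, keep rows at or above the SLA threshold."""
    scored = [(f.finding_id, f.base, environmental(f), band(environmental(f))) for f in findings]
    scored.sort(key=lambda row: row[2], reverse=True)
    return [row for row in scored if row[2] >= sla_threshold]


# Constructed sample: a "medium" under active exploitation on an exposed host,
# a "high" with no threat evidence but strong controls, and a 0.0 informational item.
SAMPLE = [
    Finding("F-1", base=6.5, active_exploitation=True),
    Finding("F-2", base=8.0, controls=("WAF", "EDR")),
    Finding("F-3", base=0.0, controls=("EDR",)),
]
```

With the default threshold of 7.0 only F-1 survives the SLA filter: its medium base becomes 9.0 (Critical), while F-2's high base drops to 6.4 (Medium).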
Where You’ll See QVSS in ETM
ETM uses QVSS as its severity framework for exposures (vulnerabilities and misconfigurations) on a 0.0–10.0 scale. You can add the QVSS column in the Findings listing and view QVSS in Finding Details, making it easy to sort, filter, and run SLAs and reports using a CVSS-style scale where day-to-day triage happens.
At the same time, QDS remains supported. QVSS is backward-compatible and preserves QDS logic by normalizing it, so existing QDS-based APIs and automations continue to work. If you have workflows that still depend on QDS, you can continue using them while adopting QVSS as the primary score for operational prioritization and reporting conversations.
What Does This Enable for ROC-Style Operations?
If you run ETM as a Risk Operations Center discipline, QVSS helps in three areas that always create friction:
- Prioritization alignment – “Critical means critical” becomes consistent across security, IT, and executive teams when the scale is familiar and the logic is threat-informed. Everyone speaks the same severity language again without losing threat intelligence depth.
- Executive reporting – You can explain urgency without spending the first five minutes explaining the scoring system. When asked why something was fixed first, the answer is grounded in evidence, not opinion.
- Governance and policy – Threshold-based workflows (searching, filtering, categorizing) become simpler when criticality maps cleanly to 0–10 bands. Fewer “critical-but-irrelevant” findings clog remediation queues.
The Takeaway: The Bigger Shift in ETM
QVSS doesn’t replace what QDS accomplished; it makes that intelligence easier to operationalize at scale. It preserves the threat-informed approach Qualys is known for while presenting severity in the format most organizations already use to drive action.
QVSS reflects a broader philosophy inside Enterprise TruRisk Management:
- Stop treating severity as static
- Stop assuming exploitability is theoretical
- Stop forcing humans to translate scores between systems
Risk is dynamic. Threats move faster than patch cycles. Severity models must do the same. QVSS is a step toward severity that behaves like the real world.
Next, in Part 2, we’ll shift from scoring to experience: the enhanced user interface changes designed to make ETM faster to read, easier to trust, and simpler to act on when the pressure is real.