Sizing Your Scanners for Optimal Performance
Sizing scanners for an environment is never an exact science. While Qualys can provide detailed guidance, many variables make it challenging to recommend a single configuration that works for every scenario.
Drawing on our experience with hundreds of customers, we can help you shape your scanning setup, from establishing a strong baseline to fine-tuning it according to your specific needs and environment.
Recommended Scanner Sizing
As outlined in our scanner deployment guide, we recommend a 1:2 CPU-to-memory ratio, with a minimum configuration of 4 vCPUs and 8 GB of RAM. This setup typically supports small to medium workloads and can scan roughly 300 live assets per hour, although actual performance will vary based on environmental factors.
For larger subnets, like those common in enterprise environments, we recommend 8 vCPUs and 16 GB of RAM. While newer scanners can technically support dozens of CPUs and very large amounts of memory, deploying multiple smaller appliances (each with 8 vCPUs and 16 GB of RAM) is generally more efficient than relying on a single large scanner. A single scanner can scan only 300 live assets concurrently within one job, so extra hardware capacity often goes unused. Multiple smaller appliances allow each scanner to run at full concurrency in parallel.
CPU and RAM are crucial to scanner performance, but disk capacity also plays a significant role, especially for large or debug scans that generate substantial data. We recommend at least 100 GB of disk space per appliance, increasing to 200 GB for larger appliances.
Monitoring Scanner Utilization
Within the Qualys UI, you can view scanner utilization by selecting a scanner and checking its Preview tab. This provides insight into how effectively each scanner is being used.
If large scans are taking longer than expected, it is helpful to review the utilization graphs for a sample of scanners to see whether they are running close to full capacity.
At the end of this blog, we provide additional detail on the Total Capacity and Available Capacity metrics shown alongside these graphs for users who want a deeper understanding of scanner optimization.
If scanners appear underutilized but scans are still running slowly, consider adjusting the performance settings in your Option Profiles. You can increase the number of Hosts to Scan in Parallel or, if utilization is below 30 percent, enable Parallel Scaling. Parallel Scaling allows a scanner to process up to three times more hosts concurrently, as long as sufficient capacity is available. This feature requires a minimum of 8 vCPUs and 16 GB RAM.
If scanners are already heavily utilized—typically above 85 percent for sustained periods—consider increasing their specifications or redistributing scan jobs to reduce overlap. The Appliance Calendar view helps you visualize scan schedules over time and identify which days or hours are best suited for running additional jobs.
External Scans
Each customer has access to a single shared appliance from the Qualys external scanner pool. This is typically sufficient for most use cases, but if you are performing large discovery scans or targeting a high number of live IPs, then you can purchase additional external scanners to distribute the load and improve scan times.
External scans tend to be slower than internal scans, primarily due to network latency. When scanning across Internet links, latency is inherently higher than within internal networks. Port selection also affects scan time. Performing a full TCP and UDP scan offers comprehensive coverage but significantly increases scan duration, especially in external environments.
Because the external scanner pool is shared among customers, Parallel Scaling is not supported for external scans to ensure fair resource distribution.
Understanding Capacity Units
Qualys defines scanner capacity using two key metrics: Total Scan Capacity Units and Available Scan Capacity Units. These values help the platform understand a scanner’s workload capability and determine whether Parallel Scaling can be applied for a given job.
Total Scan Capacity Units are primarily influenced by the number of CPUs and their base clock speed. As a general guideline, each CPU contributes about 60 capacity units, though this can vary based on factors such as virtualization, hyper-threading, and memory allocation. CPU performance remains the dominant factor.
Available Scan Capacity Units reflect the amount of unused capacity at any given time. The platform uses this value to schedule scan jobs efficiently across scanners. Different scan types consume different amounts of capacity, as shown below:
| Scan Type | Required Capacity |
|---|---|
| Web Application scan | Requires capacity of 70 units. |
| Vulnerability Management scan | Requires capacity of 2 units per IP. |
| Policy Compliance scan | Requires capacity of 4 units per IP. |
| Map scan | Requires a minimum of 100 units or maximum capacity of the scanner in case it’s less than 100 units. |
Using this information, customers can estimate how many assets or web applications can be scanned in parallel based on their capacity score. Actual results may vary due to differences in asset complexity and configuration.
Examples
A scanner with a Total Capacity of 480 units, all available, running a typical Vulnerability Management scan with the default performance settings would consume 300 capacity units, leaving 180 units for a second job or for a different scan type.
The 300-unit calculation is derived as follows:
- Hosts to Scan in Parallel per Appliance: 50
- Parallel Scaling: 3×
- Capacity Required per IP (VM scan): 2 units
50 × 3 × 2 = 300 units
If a second scan job runs at the same time, it can use only the remaining 180 units. If that capacity is insufficient, Parallel Scaling will not apply, limiting the second job to 50 concurrent hosts (100 units). This causes the second scan to run slower than the first.
If the appliance had 600 units of capacity instead, both scans could use Parallel Scaling, allowing 300 assets to be scanned concurrently across two jobs.
Scanner capacity is based on forward estimation, but real-time monitoring ensures system stability. If resources become heavily utilized, a scanner may appear to have available capacity yet still delay new jobs until utilization returns to safe levels.
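The capacity arithmetic from the table and examples above, written as a Python model. This is an added example, not Qualys code: the function names are hypothetical, and the in-order allocation and the rule that a job which does not fit waits for capacity are assumptions, since the post does not describe the platform's scheduler.

```python
# Added example: simplified model of the capacity figures quoted in this post.
# Not Qualys code; real-time utilization checks are not modeled.
UNITS_PER_CPU = 60                 # "about 60 capacity units" per CPU (guideline)
UNITS_PER_IP = {"vm": 2, "pc": 4}  # per-IP cost from the table
WEB_APP_UNITS = 70                 # fixed cost of a Web Application scan
MAP_UNITS = 100                    # Map scan cost, capped at scanner capacity
SCALING_FACTOR = 3                 # Parallel Scaling: up to 3x concurrent hosts


def estimate_total_capacity(vcpus):
    """Rough Total Scan Capacity Units from the per-CPU guideline."""
    return vcpus * UNITS_PER_CPU


def plan_jobs(total_capacity, jobs):
    """Allocate capacity to jobs in list order (assumed ordering).

    jobs: list of (scan_type, hosts_in_parallel, wants_scaling), where
    scan_type is "vm", "pc", "was" or "map"; hosts is ignored for was/map.
    Returns (per-job results, units left over).
    """
    available = total_capacity
    results = []
    for scan_type, hosts, wants_scaling in jobs:
        concurrent, scaled = 0, False
        if scan_type == "was":
            cost = WEB_APP_UNITS
        elif scan_type == "map":
            cost = min(MAP_UNITS, total_capacity)
        else:
            cost, concurrent = hosts * UNITS_PER_IP[scan_type], hosts
            scaled_cost = cost * SCALING_FACTOR
            # Parallel Scaling applies only if the scaled job fits right now.
            if wants_scaling and scaled_cost <= available:
                cost, concurrent, scaled = scaled_cost, hosts * SCALING_FACTOR, True
        started = cost <= available  # assumption: otherwise the job waits
        if started:
            available -= cost
        results.append({"type": scan_type, "units": cost, "scaled": scaled,
                        "concurrent_hosts": concurrent if started else 0,
                        "started": started})
    return results, available


if __name__ == "__main__":
    two_vm_jobs = [("vm", 50, True), ("vm", 50, True)]
    for total in (480, 600):
        results, left = plan_jobs(total, two_vm_jobs)
        print(total, [(r["units"], r["scaled"]) for r in results], "left:", left)
```

Running it with other job mixes, such as a Policy Compliance job alongside a Web Application scan, shows how much headroom a planned schedule leaves on one appliance.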
What’s Next
If you are scanning more than 10,000 live IP addresses or performing discovery scans across more than 10,000 IP addresses in a single run, please contact your Technical Account Manager (TAM) for guidance on optimizing your scan setup and configuration.
Contributors
Shweta Aher – Senior Manager, QA
George Akimov – Manager, Software Engineering
Joash Herbrink – Senior Security Solutions Architect
Ian Glennon – Senior Security Solutions Architect


