Enhancing QDS Accuracy: Better Risk Visibility in Qualys Policy Audit

Kartik Kamra

Starting in August 2026, Qualys Policy Audit introduces an important enhancement to the calculation of Qualys Detection Scores (QDS) for System-Defined Controls (SDCs). This update provides a more accurate and meaningful view of your compliance posture, especially when controls align with multiple industry standards.

Let’s take a look at what’s changing, why it matters, and what you can expect.

What Is QDS?

The Qualys Detection Score (QDS) is a composite score ranging from 1 to 100, used to evaluate the importance and risk impact of controls. Several factors contribute to QDS, including control criticality, policy standard mappings, MITRE ATT&CK associations, and best-practice considerations.

One key component of this calculation is Policy Standard Mapping, which assigns a higher value to controls aligned with recognized compliance frameworks.

Why This Enhancement?

Policy Standard Mapping rewards controls that align with industry-recognized compliance frameworks. As organizations increasingly map controls to multiple frameworks, the scoring model should accurately reflect the broader compliance significance of those controls.

This enhancement improves QDS accuracy by recognizing the cumulative value of multiple policy standard mappings, including CIS, DISA STIG, and Qualys/Vendor best practices, rather than limiting contributions to a single standard.

What Is Changing?

Previously, the Policy Standard Mapping component of QDS considered only the first mapped standard. This meant that additional framework alignments were not factored into the score.

With this update, QDS calculations will:

  • Evaluate all policy standard mappings associated with a control
  • Apply a combined scoring weight based on multiple standards
  • Reflect the true cumulative compliance significance

As a result, controls that span multiple frameworks will receive more accurate, higher QDS values.

Who Is Affected?

This change applies to:

  • All Policy Audit subscribers
  • Environments that use System-Defined Controls (SDCs)
  • Controls mapped to multiple standards, such as CIS + DISA, or CIS + DISA + Vendor

Controls mapped to a single standard are not affected, and their QDS values will remain unchanged.

What to Expect After August 2026

  • QDS values will increase for SDCs currently mapped to multiple compliance standards.
  • As QDS contributes to TruRisk calculations, TruRisk scores for assets associated with these controls may also increase proportionally.
  • Your overall compliance posture view, including the QDS severity distribution (Critical, High, Medium, Low), may shift as some controls move to a higher QDS severity band based on their new QDS values.

Do You Need to Take Any Action?

No action is required.

This enhancement will be applied automatically across the platform. Your policies and controls will be updated seamlessly, with no manual intervention required.

Next Steps

1. Review your Policy Audit posture dashboards after August 2026 to understand the updated QDS and TruRisk scores in your environment.

2. Revisit remediation priorities if controls previously classified as Medium now appear as High or Critical.

3. Update any internal reports or thresholds that are based on current QDS or TruRisk score values, as scores for multi-standard controls will increase after this change.

4. No reconfiguration of policies or controls is required. The update will be applied automatically across the platform.
