Secure Your Containerized Environments with Qualys Containerized Scanner Appliance (QCSA) 

Himanshu Kathpal

IT has undergone a series of significant shifts over the years, from physical infrastructure to virtual, and how infrastructure was managed and maintained. This shift led IT through the digital transformation era, introducing various types of clouds and “As-a-Service” models. Although virtualization of infrastructure solved many issues, it did not fix all of them. The Agile nature of CI/CD (Continuous Integration and Continuous Delivery) quickly exposed the weaknesses of large, complex monolithic architectures, leading to the birth of microservices and containerization. 

The introduction of virtual machines enabled IT to increase the efficiency of compute resources. Containerization allows even more efficient use of compute resources, with a more lightweight approach to sharing the OS kernel. As more organizations shift their infrastructure to containerized environments, services like vulnerability management must adapt and provide solutions that are native to these environments. 

Containers are standalone units of software that package code and underlying dependencies, allowing applications to run faster, more reliably, and be transferred easily between environments. Containers are lightweight, containing code, runtime, system tools, system libraries, configuration files, and anything else required for an application to run efficiently and independently. This makes containers ideal for hosting mission-critical production applications. Recent trends indicate that more than 70% of enterprise-grade applications are being containerized. 

While Qualys scanners are available in various forms—Internal scanners (I), External scanners (E), Perimeter scanners (P), or Off-line scanners (O)—Qualys is thrilled to unveil the ‘network scanner in a Docker container,’ known as the Qualys Containerized Scanner Appliance (QCSA). 

Introducing the Qualys Containerized Scanner Appliance (QCSA) 

The containerization of the network scanner provides agility, flexibility, scalability, isolation, and standardization of Docker containers. QCSA is a highly secure, hardened scanner with all inbound ports closed, allowing only HTTPS outbound connections. It can scan anything with an IP address, whether physical, virtual, cloud targets, databases, IP phones, IoT devices, and more. All scan data is protected inside encrypted files and is cleared post-scan completion. QCSA is always connected to the Qualys cloud, receiving automatic updates to the latest vulnerability signatures and scanning engine updates. The scan invocation is supported via UI and API, just like the virtual and physical flavors of Qualys scanners. 

Key Features & Use Cases of the Qualys Containerized Scanner Appliance (QCSA) 

QCSA brings a suite of powerful features, combining the proven capabilities of Qualys scanners with the flexibility and efficiency of containerization. Here’s what you can expect – 

  • Scanning prowess of QVSA – QCSA inherits the robust scanning capabilities of the tried and tested Qualys Virtual Scanner Appliance (QVSA), ensuring reliable and accurate vulnerability assessments. 
  • Versatile scanning capabilities – Scan anything with an IP address, including IT assets across all platforms, switches, routers, IP phones, and more. 
  • Automatic Updates – Vulnerability signatures and the scanning engine are automatically updated every 30 minutes, ensuring your scans are always up-to-date with the latest threat intelligence. This interval is configurable to suit your needs. 
  • Current and future scan support – Currently supports Vulnerability Management (VM) and Policy Compliance (PC) scans, with Web Application Scanning (WAS) capabilities to be added in the near future. 
  • Flexible invocation and management – Manage and invoke scans seamlessly via the user interface (UI) or API, providing flexibility to integrate QCSA into your existing workflows. 

Here are some key use cases where QCSA excels:

  • Exclusively containerized infrastructure – Some customers have transitioned their production environments entirely to containerized setups. In such scenarios, deploying a network scanner using physical hardware or virtual machine-based scanners isn’t feasible. QCSA provides an ideal solution, seamlessly integrating into containerized environments without the need for traditional hardware or VMs. 
  • Scale up and down on-demand – As the number of scan targets fluctuates, the ability to scale scanning capabilities accordingly becomes crucial. The lightweight and easy-to-deploy nature of QCSA allows organizations to quickly scale their scanning infrastructure up or down, ensuring efficient resource utilization and timely security assessments. 
  • Segmentation of scanning – QCSA enables segmentation of available physical resources based on specific needs, allowing you to target different segments of your network or logical segments of your assets using different containers. This ensures more granular control over scanning operations and optimizes the use of scanning resources. 
  • QCSA’s versatile deployment options and scalability make it an essential tool for organizations leveraging containerized environments, ensuring robust security and compliance across dynamic and complex IT infrastructures. 

Benefits of the Qualys Containerized Scanner Appliance (QCSA) 

  • QCSA offers a host of benefits that make it an invaluable tool for modern IT environments. Here are some key advantages – 
  • Cost savings on virtualization platforms – By leveraging the Linux + Docker + QCSA stack, you can avoid the high costs associated with expensive virtualization platforms for your on-prem scanners. This approach provides all the benefits of standardization along with significant cost savings. 
  • Efficient hardware resource utilization – QCSA allows for the easy deployment of multiple scanner instances on the same hardware. This flexibility enables you to plan deployments strategically, ensuring optimal utilization of your hardware resources. Sharing hardware resources as needed helps you scale your scanning infrastructure efficiently without unnecessary expenses. 
  • Agility and flexibility – QCSA’s containerized form factor brings agility and flexibility to your scanning operations. You can quickly deploy, scale, and manage scanners based on your dynamic needs, ensuring that your security posture adapts swiftly to changes in your IT environment. 
  • Scalability – The lightweight nature of QCSA makes it easy to scale up or down as the number of scan targets changes. This scalability ensures that your scanning infrastructure can handle varying loads without compromising performance or security. 
  • Granular control and segmentation – QCSA enables the segmentation of available physical resources, allowing you to target different segments of your network or logical asset groups using different containers. This granularity in control enhances the precision and effectiveness of your scanning operations. 
  • Enhanced security and compliance – With automatic updates of vulnerability signatures and scanning engine every 30 minutes (configurable), QCSA ensures that your scans are always current with the latest threat intelligence. This continuous update mechanism strengthens your security posture and helps maintain compliance with industry standards. 
  • Seamless integration – QCSA supports both UI and API-based scan invocation and management, allowing seamless integration into your existing workflows and automation processes. This flexibility ensures that you can leverage QCSA’s capabilities without disrupting your established operational procedures. 

Expanding Capabilities of QCSA 

The current release of QCSA supports Qualys Vulnerability Management and Policy Compliance scans leveraging QCSA for comprehensive vulnerability assessments and policy compliance checks within their containerized environments. The QCSA’s ability to perform these critical security functions ensures that your containerized infrastructure remains secure, compliant, and resilient against emerging threats. 

Future releases of QCSA will expand its capabilities to support additional types of scans, such as Web Application Scanning (WAS) and Security Content Automation Protocol (SCAP) scans. These forthcoming features will further enhance QCSA’s utility, making it a versatile and indispensable tool in your cybersecurity arsenal. 

Stay tuned for updates as we continue to innovate and extend the functionalities of QCSA, ensuring it meets the evolving needs of modern IT environments. 

Get started with QCSA 

For detailed steps to deploy and manage QCSA, please refer to the section on QCSA in the Qualys Cloud Platform 10.27 release notes. This resource provides comprehensive guidance on setting up and configuring QCSA from the Qualys Portal.  

Additionally, the QCSA User Guide offers more in-depth information on deployment and troubleshooting aspects, ensuring a smooth and efficient deployment process. 

To get started with QCSA, you can download it directly from the Qualys Portal. However, it may need to be enabled for your Qualys subscription first. For any query, please reach out to Qualys Support for assistance. 


  • Sumedh Inamdar, Director, Product Management, Platform and Scanners
Share your Comments


Your email address will not be published. Required fields are marked *