Qualys Out-of-Band Configuration Assessment.

Extend security and compliance to inaccessible assets.

Cloud solution for detecting vulnerabilities and misconfigurations in isolated and hard-to-reach assets

451 Research

Qualys Out-of-Band Configuration Assessment helps to eliminate blind spots by securely gathering and managing asset and configuration data from high-sensitivity assets and assessing their security exposure.

Robert Ayoub Scott Crawford Research Director, Information Security, 451 Research

Qualys OCA Highlights

Customized data collection for isolated devices

Most organizations have critical assets that, for technical or policy reasons, can’t be actively scanned or monitored with an agent. In these cases, customers make manual assessments, create ad hoc scripts or use ineffective products — making the process difficult, time-consuming, and inexact. With Qualys OCA, customers can easily collect metadata and configuration information from such devices, controlling how, when, and what data is accessed and by whom. They can then upload the data to the Enterprise TruRisk Platform.

Multidimensional and global view of data

Once in the Enterprise TruRisk Platform, data collected via Qualys OCA is shared and leveraged across Qualys apps, including Asset Inventory, Policy Compliance, and Vulnerability Management. This simplifies visibility and analysis of the evaluation data from different perspectives. Qualys OCA data is also consolidated with the data gathered by Qualys scanners and agents, giving organizations a complete view of their assets’ security and compliance from a central “single-pane-of-glass” dashboard.

Flexible data extraction, uploading

Qualys OCA helps you extract IT, configuration, and vulnerability data from these assets and upload it to the Enterprise TruRisk Platform via various methods. For example, you can automate these tasks using Qualys OCA’s APIs, or carry them out more granularly using the product’s simple user interface. With this flexibility, you can easily eliminate blind spots, complete your asset inventory, and obtain full security and compliance coverage.

Streamlined, consolidated reporting for IT GRC programs

In the context of an IT GRC (Governance, Risk and Compliance) program, Qualys OCA helps speed up and streamline the process of gathering data from various end-points and creating assessment reports. Qualys OCA provides automated data collection, parsing and analysis, readily available benchmarks and reporting templates. This gives audit teams and asset owners a holistic view of their devices’ GRC posture.

Broadened security and compliance scope

Qualys OCA easily gathers security and compliance information from IT assets that can't be monitored with scans or agents. These may include:


  • Assets deployed on disconnected (air-gapped) networks
  • Legacy or uncommon network devices, apps, hardware appliances, and others
  • Locked-down systems hosting highly sensitive data and subject to strict policies and regulations

In this way, Qualys OCA helps organizations broaden the scope of their security and compliance efforts to these inaccessible or sensitive assets, for more complete and effective vulnerability management, policy compliance, and asset management.


Many of these assets, such as network or storage appliances, are on platforms that are not covered in various compliance benchmarks and standards. All these platforms are researched by Qualys’ dedicated team of security experts to produce Qualys OCA’s out-of-the-box policies.

Platforms supported by Qualys OCA

The following platforms are either currently supported or will be supported soon by the Qualys OCA app for policy compliance:


  • ACME Packet OS
  • Arista EOS 4.x
  • ArubaOS 6.x/8.x
  • Cisco ACS 5.x
  • Cisco FTD 6.x
  • Cisco IOS 12.x/15.x
  • Cisco IOS XR 6.x/7.x
  • Cisco ISE 2.x/3.x
  • Cisco UCS Manager 2.x
  • Cisco WLC 8.x
  • Aruba ClearPass Policy Manager 6.x
  • Comware 5.x/7.x
  • Data Domain OS 5.x/6.x
  • Extreme Networks BOSS 5.x
  • Extreme Networks VOSS 6.x/7.x/8.x
  • Symantec SGOS 6.x (Bluecoat)
  • Brocade Fabric 7.x/8.x
  • FireEye CMS 7.x/8.x
  • Fortinet FortiOS 5.x/6.x
  • Gigamon GigaVUE-OS 5.x
  • HP and Samsung Printers
  • HP Safeguard (on Tandem)
  • HPE 3Par OS 3.x
  • IBM z/OS Security Server RACF 2.x
  • Imperva Web Application Firewall
  • Juniper IVE 8.x
  • Juniper JUNOS 15.x/16.x/17.x/18.x/19.x/20.x
  • Microsemi SyncServer 3.x
  • Juniper Pulse Connect Secure 9.x
  • Riverbed SteelHead Interceptor 7.x
  • Riverbed SteelHead RiOS 9.x
  • Symantec NetBackup
  • Riverbed Steelcentral
  • Cisco UCS server
  • Dell EMC Data Domain
  • Oracle Tape Library
  • McAfee Email Gateway
  • Lancope Stealthwatch

Automation of workflow with APIs

In order to assess crucial configurations and vulnerabilities, Qualys OCA identifies important configuration files and/or commands in these hard-to-reach assets. Customers need to fetch these files or the output of commands from each asset in a manual or automated way. Once the data is uploaded to the Enterprise TruRisk Platform, assessment reports are generated according to the selected policies.

The APIs provided by the Qualys OCA app help customers automate bulk provisioning of assets as well as uploading of their assessment data to the Enterprise TruRisk Platform. These APIs can be invoked through curl calls to automate the configuration or security assessment workflows.

Qualys OCA exposes REST APIs for carrying out the following tasks:

  • Provisioning of Qualys OCA assets for vulnerability management or policy compliance
  • Editing of a few asset attributes after provisioning
  • Listing of commands for Qualys OCA technologies
  • Uploading of configuration data/command output for each asset
  • Revoking the assets


Integrated view of data from Qualys OCA and other Qualys sensors

Similar to Qualys’ other sensors such as active scanners and Cloud Agents, Qualys OCA collects asset data that is then displayed in Qualys Global AssetView – a single-pane-of-glass interface. This data has a Qualys “OCA” tag, which differentiates it from the data gathered by the other sensors. Once the configuration data is uploaded for Qualys OCA assets, scan reports are generated and displayed in the same manner as those containing asset data collected by other Qualys sensors. This gives organizations a consolidated, unified view of the security and compliance of all their assets, not just the ones that can be scanned and monitored with agents.


Comprehensive reports

After the signature evaluation on the collected data is completed, the assessment reports are fetched in the same way as for Qualys agents or traditional Qualys scanners. The evaluation report displays the Qualys OCA assessment in the same format as that of other assets in the environment. The reports can be generated according to different frameworks. All the controls added for Qualys OCA-supported technologies are mapped to mandates such as GDPR, PCI DSS, HIPAA, etc. This enables customers to fetch mandate-based reports as well.

Powered by Enterprise TruRisk Platform

Single-pane-of-glass UI

See the results in one place, in seconds. With AssetView, security and compliance pros and managers get a complete and continuously updated view of all IT assets — from a single dashboard interface. It’s fully customizable and lets you see the big picture, drill down into details, and generate reports for teammates and auditors. Its intuitive and easy-to-build dynamic dashboards aggregate and correlate all of your IT security and compliance data in one place from all the various Qualys Cloud Apps. With its powerful elastic search clusters, you can now search for any asset – on-premises, endpoints and all clouds – with 2-second visibility.

Centralized & customized

Centralize discovery of host assets for multiple types of assessments. Organize host asset groups to match the structure of your business. Keep security data private with our end-to-end encryption and strong access controls. You can centrally manage users’ access to their Qualys accounts through your enterprise’s single sign-on (SSO). Qualys supports SAML 2.0-based identity service providers.

Easy deployment

Deploy from a public or private cloud — fully managed by Qualys. With Qualys, there are no servers to provision, software to install, or databases to maintain. You always have the latest Qualys features available through your browser, without setting up special client software or VPN connections.

Scalable and extensible

Scale up globally, on demand. Integrate with other systems via extensible XML-based APIs. You can use Qualys with a broad range of security and compliance systems, such as GRC, ticketing systems, SIEM, ERM, and IDS.
