This chapter covers Qualys and OpenVAS vulnerability scanners, two of the most commonly referenced tools in the CompTIA CySA+ CS0-003 exam. Understanding their architectures, deployment models, strengths, and weaknesses is critical for questions in Domain 2.0 (Vulnerability Management), especially Objective 2.1 (Given a scenario, implement vulnerability scanning methods and concepts). Expect roughly 5–10% of exam questions to involve scanner selection, configuration, or interpretation of results. This chapter provides a deep dive into both tools, including their internal mechanisms, key differences, and exam traps.
Imagine two security guards inspecting a large office building for vulnerabilities. Qualys is like a guard with a central security camera system: all cameras are managed from a single control room, footage is stored in the cloud, and the guard can view any camera at any time without visiting each floor. The system automatically detects motion, records events, and provides a unified dashboard. OpenVAS, on the other hand, is like a guard with a powerful flashlight: he walks through each room individually, shines the light into every corner, takes notes manually, and then compiles a report. The flashlight gives him deep visibility but requires more effort to cover the entire building. Qualys uses a lightweight agent on each host that reports back to a cloud platform, enabling continuous assessment without heavy scanning traffic. OpenVAS runs a network-based scanner that sends probes directly to targets, consuming bandwidth and requiring careful scheduling. The key difference is management overhead: Qualys offloads most work to the cloud, while OpenVAS gives you full control but demands local resources and expertise. In an exam context, remember: Qualys is agent-based, cloud-managed, subscription-based; OpenVAS is open-source, network-based, and requires local installation.
What Are Qualys and OpenVAS?
Qualys and OpenVAS are vulnerability scanning tools used to identify security weaknesses in networks, systems, and applications. The CompTIA CySA+ CS0-003 exam expects candidates to understand the differences between commercial and open-source scanners, agent-based versus network-based scanning, and how to select the appropriate tool for a given scenario.
Qualys: A commercial, cloud-based vulnerability management platform. It uses a combination of network scanners (virtual appliances) and lightweight agents installed on endpoints. All data is sent to Qualys Cloud Platform for analysis, reporting, and remediation tracking. It is subscription-based and offers continuous monitoring, asset inventory, and integration with other security tools.
OpenVAS: An open-source vulnerability scanner that is part of the Greenbone Security Manager (formerly OpenVAS). It is network-based, meaning it actively probes target hosts from a central scanning engine. It requires local installation and configuration, and its results are stored locally unless integrated with other systems. It is free to use but requires more manual effort to deploy and maintain.
How They Work Internally
Qualys Architecture:
- Cloud Platform: The central repository for scan configurations, results, and remediation data. It is hosted in Qualys data centers (multi-tenant) or private cloud (single-tenant).
- Virtual Scanner (VS): A virtual appliance (VMware, Hyper-V, AWS, etc.) deployed within the target network. It performs authenticated and unauthenticated scans against internal hosts. It communicates with the Qualys Cloud Platform via HTTPS (outbound only) to receive scan jobs and upload results.
- Cloud Agent: A lightweight software agent installed on endpoints (Windows, Linux, macOS). It performs local vulnerability detection without network scanning. It checks installed software, patch levels, and configuration settings, and sends results to the cloud every 4 hours by default (configurable from 1 hour to 24 hours).
- Scanner Appliances: Physical or virtual appliances for large-scale scanning. They can be managed centrally.
OpenVAS Architecture:
- OpenVAS Scanner: The core scanning engine that executes Network Vulnerability Tests (NVTs). It runs on a Linux host (typically a Greenbone appliance or a custom installation).
- Greenbone Security Assistant (GSA): Web-based interface for managing scans, viewing results, and configuring targets.
- NVT Feed: A continuously updated database of vulnerability checks. OpenVAS uses a feed maintained by Greenbone (commercial feed) or a community feed (slower updates).
- Targets: Defined by IP addresses, hostnames, or IP ranges. Each target can have credentials for authenticated scanning.
Key Differences
| Feature | Qualys | OpenVAS |
|---------|--------|---------|
| Deployment Model | Cloud-based (SaaS) | On-premises (local) |
| Scanning Method | Agent-based + network | Network-based only |
| Licensing | Subscription (paid) | Open-source (free) |
| Management | Centralized cloud console | Local web interface |
| Scalability | Very high (cloud scales) | Limited by local hardware |
| Update Frequency | Continuous (cloud feed) | Daily/weekly (feed updates) |
| Reporting | Rich, customizable, compliance | Basic, can be extended |
| API Integration | Extensive REST API | Limited API (via Greenbone) |
When to Use Each
Qualys: Ideal for large enterprises requiring continuous monitoring, compliance reporting (PCI DSS, HIPAA, etc.), and minimal network impact. Agent-based scanning reduces bandwidth usage and can scan hosts that are not always connected (e.g., laptops).
OpenVAS: Suitable for small to medium organizations with limited budgets, or for specific one-time assessments. It requires careful scheduling to avoid network congestion. It is also used in lab environments for learning.
Exam Focus: Deployment Considerations
The CS0-003 exam emphasizes selecting the right scanner based on scenario constraints:
Network Impact: Agents reduce traffic; network scanners can cause congestion. For a production network with limited bandwidth, prefer agent-based.
Firewall Restrictions: If hosts cannot be reached from a central scanner (e.g., cloud instances with no inbound access), agents are necessary because they initiate outbound communication.
Authentication: Both tools support authenticated scanning (using credentials) for deeper checks. Unauthenticated scans are less accurate and may miss vulnerabilities.
Compliance: Qualys has built-in compliance templates; OpenVAS requires manual configuration.
Configuration and Verification
Qualys Agent Installation (Linux example):
curl -s 'https://<customer_id>:<activation_key>@qualys.com/agent/installer' | bash
Verification: qualys-cloud-agent status should show "Running".
OpenVAS Scan Creation (via GSA):
1. Navigate to Scans > Tasks > New Task.
2. Enter Name, select Target (created earlier), select Scan Config (e.g., "Full and fast").
3. Click Save, then start the task.
Interaction with Related Technologies
SIEM Integration: Qualys can send scan results to SIEMs like Splunk via Syslog or API. OpenVAS can export results in XML/CSV for import.
Patch Management: Qualys integrates with patch management tools (e.g., SCCM, WSUS) to trigger remediation. OpenVAS is typically used for detection only.
Asset Management: Qualys automatically discovers and inventories assets; OpenVAS requires manual target definition.
Common Pitfalls
Assuming agents are always better: Agents require installation and maintenance; they may not be suitable for ephemeral environments (e.g., containers). Network scanners can detect devices that cannot have agents (e.g., network printers).
Ignoring authentication: Unauthenticated scans miss many vulnerabilities. The exam often presents a scenario where authenticated scanning is required for accurate results.
Overlooking scan scheduling: Running a network scan during peak hours can degrade performance. The correct answer may involve scheduling scans during maintenance windows.
Specific Values and Defaults
Qualys Agent Check-in Interval: Default 4 hours, configurable from 1 hour to 24 hours.
OpenVAS NVT Count: Over 100,000 tests in the commercial feed.
Qualys Cloud Platform: Hosted at qualys.com (US), qualys.eu (Europe), etc.
OpenVAS Default Port: 9392 (HTTPS for GSA).
Security Considerations
Encryption: Both use TLS for management traffic. Qualys agents communicate over HTTPS; OpenVAS uses HTTPS for GSA.
Credentials: Store scan credentials securely. Qualys encrypts them at rest; OpenVAS stores them in its database (encrypted if configured).
Segmentation: Place network scanners in a management VLAN with access to target subnets. Agents can be deployed anywhere with outbound internet access to Qualys cloud.
Conclusion
Qualys and OpenVAS represent two ends of the vulnerability scanner spectrum: commercial cloud-managed vs. open-source self-managed. The exam expects you to choose based on budget, scale, network constraints, and compliance needs. Remember that agents reduce network load but require endpoint support, while network scanners are simpler to deploy but can be intrusive.
Define scanning requirements
Before selecting a scanner, determine the scope: number of assets, network topology, bandwidth constraints, compliance requirements (e.g., PCI DSS), and budget. For example, if you need to scan 10,000 hosts across multiple geographic locations with minimal network impact, Qualys with agents is appropriate. If you have 200 hosts in a lab and no budget, OpenVAS is suitable. The exam often presents a scenario with constraints like 'limited bandwidth' or 'no inbound firewall rules' to guide your choice.
Deploy scanner or agents
For Qualys, deploy virtual scanners in each network segment or install agents on endpoints. Virtual scanners require outbound HTTPS access to Qualys cloud (TCP 443). Agents require outbound HTTPS to Qualys cloud and local system permissions. For OpenVAS, install the Greenbone appliance or set up a Linux server with OpenVAS. Ensure the scanner has network connectivity to target hosts (ICMP, TCP ports for services). OpenVAS uses raw sockets and may require root privileges.
Configure scan targets and credentials
Define target IP ranges or hostnames. For authenticated scanning, provide credentials (SSH keys, Windows credentials, SNMP community strings). Qualys stores credentials in the cloud; OpenVAS stores them locally. Authenticated scans provide deeper results (e.g., missing patches, local vulnerabilities). Unauthenticated scans only detect externally visible issues. The exam frequently tests the importance of authenticated scanning for accurate results.
Run scan and monitor progress
Initiate the scan from the management console. Qualys scans can be scheduled or on-demand. OpenVAS tasks run in the background. Monitor for errors: unreachable hosts, authentication failures, or excessive scan duration. Qualys provides real-time progress; OpenVAS shows task status (running, done, failed). Network scans can generate significant traffic; use throttling options (e.g., Qualys 'Max Scan Load' or OpenVAS 'Alive Test').
Analyze results and remediate
After scan completion, review the vulnerability report. Qualys gives severity scores (CVSS), asset details, and remediation steps. OpenVAS provides similar data but less polished. Prioritize vulnerabilities by severity and exploitability. Assign remediation tasks to system owners. Qualys has built-in remediation tracking; OpenVAS requires external tracking. The exam may ask how to interpret scan results, e.g., distinguishing false positives from real issues.
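The "Analyze results and remediate" step above, and the XML/CSV export route to a SIEM mentioned under SIEM Integration, as an added example that is not part of the original chapter or of any Qualys/Greenbone code. It parses a constructed report that mirrors the general shape of an OpenVAS/GVM XML export (tag layout is an assumption to confirm against your own export), filters likely false positives by Quality of Detection (QoD), ranks by CVSS, and writes CSV rows with an SLA due date; the 72-hour critical SLA is taken from Scenario 1 below, the other SLA values are assumed.

```python
import csv
import io
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample mirroring the general shape of a GVM/OpenVAS XML export
# (report > results > result). Not a real scan; the tag layout is an assumption.
SAMPLE_REPORT = """<report id="constructed-report"><results>
<result id="r1"><name>Outdated OpenSSH version</name><host>10.0.0.5</host><port>22/tcp</port>
<nvt oid="example-oid-1"/><threat>High</threat><severity>7.5</severity><qod><value>80</value></qod></result>
<result id="r2"><name>Remote code execution in web app</name><host>10.0.0.9</host><port>443/tcp</port>
<nvt oid="example-oid-2"/><threat>High</threat><severity>9.8</severity><qod><value>97</value></qod></result>
<result id="r3"><name>Possible weak cipher</name><host>10.0.0.5</host><port>443/tcp</port>
<nvt oid="example-oid-3"/><threat>Medium</threat><severity>5.3</severity><qod><value>30</value></qod></result>
</results></report>"""

# Assumed remediation policy: the 72-hour critical SLA comes from Scenario 1; the rest is illustrative.
SLA_HOURS = {"Critical": 72, "High": 168, "Medium": 720, "Low": 2160}


def cvss_bucket(score: float) -> str:
    """Map a CVSS base score to the CVSS v3 qualitative rating."""
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return label
    return "Info"


def parse_report(xml_text: str) -> list:
    """Return one dict per <result>; missing fields default to the low/empty value."""
    findings = []
    for r in ET.fromstring(xml_text).iter("result"):
        sev = float(r.findtext("severity", "0"))
        nvt = r.find("nvt")
        findings.append({
            "host": r.findtext("host", "").strip(),
            "port": r.findtext("port", "").strip(),
            "name": r.findtext("name", "").strip(),
            "oid": nvt.get("oid", "") if nvt is not None else "",
            "cvss": sev,
            "rating": cvss_bucket(sev),
            "qod": int(r.findtext("qod/value", "0")),  # quality of detection, 0-100
        })
    return findings


def prioritize(findings: list, min_qod: int = 70) -> list:
    """Drop low-confidence results (likely false positives), then sort highest CVSS first."""
    return sorted((f for f in findings if f["qod"] >= min_qod),
                  key=lambda f: f["cvss"], reverse=True)


def to_siem_csv(findings: list, scan_time_iso: str) -> str:
    """Flatten prioritized findings into CSV rows with an SLA due date for SIEM/ticket import."""
    scan_time = datetime.fromisoformat(scan_time_iso)
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["host", "port", "oid", "name", "cvss", "rating", "qod", "sla_due"])
    for f in findings:
        hours = SLA_HOURS.get(f["rating"])
        due = (scan_time + timedelta(hours=hours)).isoformat() if hours else ""
        w.writerow([f["host"], f["port"], f["oid"], f["name"], f["cvss"], f["rating"], f["qod"], due])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_siem_csv(prioritize(parse_report(SAMPLE_REPORT)), "2024-01-01T00:00:00+00:00"))
```

The QoD threshold of 70 is the usual cut-off for treating a result as reliable; lowering it surfaces more findings at the cost of more false positives to triage by hand.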
Enterprise Scenario 1: Large Financial Institution
A bank with 20,000 endpoints (servers, workstations, ATMs) needs continuous vulnerability monitoring to comply with PCI DSS. They choose Qualys because of its agent-based scanning: agents are installed on all endpoints, sending results every 4 hours to the Qualys cloud. This avoids network congestion from traditional scanning. The security team uses Qualys dashboards to track remediation SLAs: critical vulnerabilities must be fixed within 72 hours. They also use Qualys API to feed vulnerability data into their SIEM. A common issue is that agents on ATMs may not check in if the ATM is offline; they configure a longer check-in interval (12 hours) for those devices.
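The agent check-in problem in this scenario (silent ATMs with a 12-hour interval, everything else on the 4-hour default), as an added example that is not Qualys code or part of the original chapter. It assumes you have already exported an asset inventory with last check-in timestamps; the inventory below is constructed, and the two-window grace policy is assumed.

```python
from datetime import datetime, timedelta

DEFAULT_INTERVAL_H = 4        # Qualys Cloud Agent default check-in interval
TAG_INTERVAL_H = {"atm": 12}  # Scenario 1: longer interval configured for ATMs
GRACE_INTERVALS = 2           # assumed policy: alert once two check-in windows have passed

# Constructed inventory, not real Qualys data: (asset name, tags, last check-in as ISO 8601 UTC)
INVENTORY = [
    ("ws-001", {"workstation"}, "2024-01-01T06:30:00+00:00"),
    ("srv-db-02", {"server"}, "2024-01-01T02:00:00+00:00"),
    ("atm-0417", {"atm"}, "2024-01-01T02:00:00+00:00"),
    ("atm-0099", {"atm"}, "2023-12-30T22:00:00+00:00"),
]


def expected_interval_h(tags) -> int:
    """Longest tag-specific interval wins; untagged assets use the 4-hour default."""
    return max((TAG_INTERVAL_H[t] for t in tags if t in TAG_INTERVAL_H), default=DEFAULT_INTERVAL_H)


def stale_agents(inventory, now_iso: str) -> list:
    """Return assets whose agent has missed GRACE_INTERVALS or more check-in windows.

    A silent agent is a coverage gap: the console keeps showing the last known
    vulnerability state, so stale hosts should be treated as unscanned."""
    now = datetime.fromisoformat(now_iso)
    stale = []
    for asset, tags, last_iso in inventory:
        interval = timedelta(hours=expected_interval_h(tags))
        age = now - datetime.fromisoformat(last_iso)
        missed = int(age / interval)  # whole check-in windows elapsed since the last report
        if missed >= GRACE_INTERVALS:
            stale.append({"asset": asset, "interval_h": int(interval.total_seconds() // 3600),
                          "hours_silent": round(age.total_seconds() / 3600, 1), "missed": missed})
    return sorted(stale, key=lambda s: s["missed"], reverse=True)


if __name__ == "__main__":
    for s in stale_agents(INVENTORY, "2024-01-01T12:00:00+00:00"):
        print(f'{s["asset"]}: silent {s["hours_silent"]}h, {s["missed"]} x {s["interval_h"]}h windows missed')
```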
Enterprise Scenario 2: Small MSP
A managed service provider (MSP) with 50 small business clients uses OpenVAS for quarterly external scans. They deploy a single OpenVAS server in their data center and scan each client's public IP ranges. Since clients have limited budgets, OpenVAS's free model is attractive. However, the MSP must manually update the NVT feed and configure each client as a separate target. They often miss vulnerabilities because scans are not authenticated (clients are reluctant to provide credentials). The MSP learns to use OpenVAS's 'Discovery' scan first to identify live hosts, then follow up with authenticated scans where possible. Performance is an issue: scanning 1000 IPs takes several hours, so they schedule scans during weekends.
Scenario 3: Cloud-Native Startup
A startup running 500 AWS EC2 instances uses Qualys Cloud Agent because agents can be installed via AWS Systems Manager. The startup has a DevOps culture and uses Infrastructure as Code (IaC); they automate agent installation in their AMI build process. Qualys's cloud platform integrates with AWS Security Hub, providing a single pane of glass. A challenge is that ephemeral instances (auto-scaling groups) may not stay long enough for a full scan; Qualys's agent-based approach detects vulnerabilities within the first check-in, which is sufficient for compliance. They also use Qualys's asset tagging to group instances by environment (prod, dev).
What the Exam Tests
The CS0-003 exam, specifically Objective 2.1, expects you to:
Differentiate between agent-based and network-based scanning.
Choose the appropriate scanner (Qualys vs. OpenVAS) based on given constraints.
Understand the impact of authenticated vs. unauthenticated scanning.
Recognize the role of cloud-managed vs. on-premises scanners.
Identify common deployment issues (e.g., firewall rules, bandwidth).
Common Wrong Answers and Why
Choosing OpenVAS for a large enterprise with compliance needs: Candidates think 'free is better for budget', but the exam scenario often includes compliance requirements (e.g., PCI DSS) that demand a commercial tool with built-in reporting. Qualys has pre-built compliance templates; OpenVAS does not.
Selecting network scanning when hosts are in different cloud regions without VPN: Candidates may overlook that network scanners need direct connectivity. The correct answer is agent-based scanning because agents initiate outbound connections and don't require direct access.
Assuming unauthenticated scans are sufficient: The exam often presents a scenario where 'deep vulnerability detection' is needed. Unauthenticated scans miss many vulnerabilities (e.g., missing patches, local privilege escalation). Authenticated scans are required for accurate results.
Confusing Qualys and OpenVAS deployment models: Some candidates think Qualys is on-premises because it has 'virtual scanners'. But the management plane is cloud-based. OpenVAS is entirely on-premises.
Specific Numbers and Terms
Qualys Agent check-in default: 4 hours.
OpenVAS default port: 9392 (GSA).
CVSS scores: Used by both for severity.
NVT: Network Vulnerability Test (OpenVAS).
QID: Qualys ID (unique identifier for vulnerabilities).
Greenbone: The company behind OpenVAS (formerly known as OpenVAS).
Edge Cases and Exceptions
Scanning air-gapped networks: Neither works well; you would need a local scanner with periodic updates via physical media. The exam may present this as a challenge.
Scanning IoT devices: Agents cannot be installed; network scanning is required. But IoT devices may be fragile and crash under scan load — the exam might test that you should use a gentle scan profile.
Cloud agents in containers: Qualys has a container agent; OpenVAS does not. If the scenario involves containerized workloads, Qualys is the better choice.
How to Eliminate Wrong Answers
If the scenario mentions 'continuous monitoring' or 'real-time', lean toward agent-based (Qualys).
If the scenario mentions 'budget constraints' or 'small environment', OpenVAS may be acceptable.
If the scenario mentions 'compliance reporting', Qualys is likely the answer.
If the scenario mentions 'network bandwidth concerns', agents reduce traffic.
If the scenario mentions 'no inbound connectivity to hosts', agents are necessary.
Qualys is a cloud-based commercial scanner; OpenVAS is an on-premises open-source scanner.
Agent-based scanning (Qualys) minimizes network impact; network-based scanning (OpenVAS) can cause congestion.
Authenticated scanning provides deeper vulnerability detection than unauthenticated scanning.
Qualys agents check in by default every 4 hours (configurable from 1 to 24 hours).
OpenVAS uses Network Vulnerability Tests (NVTs) to identify vulnerabilities.
For compliance-driven environments, Qualys is preferred due to built-in reporting.
OpenVAS is suitable for small budgets or lab environments, but requires more manual effort.
The exam often tests the decision between agent and network scanning based on network constraints.
These come up on the exam all the time. Here's how to tell them apart.
Qualys
Cloud-managed SaaS platform
Agent-based scanning reduces network traffic
Subscription-based with predictable costs
Built-in compliance templates (PCI, HIPAA, etc.)
Scalable to hundreds of thousands of assets
OpenVAS
On-premises installation required
Network-based scanning can saturate links
Open-source with no licensing fees
No built-in compliance templates
Limited by local hardware resources
Mistake
OpenVAS is completely free with no licensing costs.
Correct
OpenVAS itself is open-source, but the Greenbone Security Manager (commercial version) requires a subscription for the full NVT feed and support. The community feed has fewer tests and slower updates.
Mistake
Qualys only uses agents for scanning.
Correct
Qualys also offers network-based scanning via virtual scanners. Agents are an option, not the only method. The choice depends on the environment.
Mistake
Agent-based scanning is always better than network scanning.
Correct
Agents cannot scan devices that don't support them (e.g., network printers, routers). Network scanning is necessary for those. Also, agents consume resources on the host.
Mistake
Unauthenticated scanning provides the same results as authenticated scanning.
Correct
Unauthenticated scans only detect externally visible vulnerabilities. Many critical vulnerabilities (e.g., missing patches, local exploits) require authenticated access to detect.
Mistake
OpenVAS cannot be used for compliance reporting.
Correct
OpenVAS can export results in formats like PDF, CSV, and XML, which can be used for compliance reports. However, it lacks built-in compliance templates like Qualys, so manual effort is needed.
The default check-in interval is 4 hours. This can be configured during agent installation or via the Qualys Cloud Platform to range from 1 hour to 24 hours. The agent communicates with the Qualys cloud over HTTPS to send scan results and receive configuration updates.
Yes, OpenVAS supports authenticated scanning. You can provide credentials (SSH, Windows, SNMP) when configuring a target. Authenticated scans allow OpenVAS to log in to the target system and perform deeper checks, such as verifying patch levels and local configuration issues, which are missed by unauthenticated scans.
Qualys Cloud Agent is better because it initiates outbound connections to the Qualys cloud, so it works even if the instance has no public IP (as long as it has outbound internet access). OpenVAS requires direct network connectivity to the target, which may not be possible without a VPN or public IP.
The Virtual Scanner is a network-based scanner deployed as a virtual appliance that performs active scanning of hosts. The Cloud Agent is a lightweight software installed on endpoints that performs local scanning. The Virtual Scanner generates network traffic; the Cloud Agent does not. The Cloud Agent can scan hosts that are offline or behind firewalls.
Yes, OpenVAS uses the Greenbone Security Assistant (GSA), a web-based interface typically accessed via HTTPS on port 9392. GSA allows you to manage targets, tasks, and view scan results. The default credentials are usually 'admin' with a password set during installation.
Yes, Qualys supports continuous monitoring through its Cloud Agents, which scan and report every few hours. The Qualys Cloud Platform also allows scheduling recurring network scans. Continuous monitoring is a key feature that distinguishes Qualys from periodic scanning tools like OpenVAS.
NVT stands for Network Vulnerability Test. It is a script or plugin that checks for a specific vulnerability. OpenVAS has a large library of NVTs (over 100,000 in the commercial feed) that are regularly updated. Each NVT is written in a custom scripting language and is executed during a scan.