Microsoft and Adobe Patch Tuesday, February 2026 Security Update Review

Microsoft's February 2026 Patch Tuesday focuses on closing security gaps that attackers could exploit, reinforcing the importance of timely patching in enterprise environments. Here's a quick breakdown of what you need to know. Microsoft Patch Tuesday for February 2026 This month's release...

TruConfirm: Autonomous, Agent-Led, Safe Exploit Validation for Real-World Risk Reduction

Key Takeaways CISOs still can’t answer the only question that matters: Is this exposure exploitable on this asset, in our production environment, against our controls, right now? The vulnerability firehose broke the old model: With 48,177 CVEs published in 2025, “critical” lists are too large to...

Mutagen Astronomy: From Discovery to CISA Recognition—A Seven-Year Journey

Introduction On January 26, 2026,the Cybersecurity and Infrastructure Security Agency CISA added CVE-2018-14634 to its Known Exploited Vulnerabilities KEV catalog. The same vulnerability was discovered by the Qualys Threat Research Unit TRU in September 2018. We nicknamed it "Mutagen Astronomy" a...

ROC vs. CTEM: How a Risk Operations Center Evolves Beyond Continuous Threat Exposure Management in 2026

Key Takeaways: The Essentials of ROC vs. CTEM What is a ROC? A risk operations center ROC is a centralized command hub that unifies cyber risk management across security, IT, and compliance. It uses agentic AI to provide a real-time view of business risk, prioritize what matters, and then automat...

Top 10 Cloud Compliance Tools for Enterprise Security and Audit Readiness in 2026

Key Takeaways Cloud compliance has shifted from periodic audits to a continuous operating requirement as hybrid and multi-cloud environments change faster than traditional controls can keep pace. Modern cloud compliance solutions provide continuous, automated compliance monitoring across AWS,...

How Public Container Registries Have Become a Silent Risk Multiplier in a Modern Supply Chain

Key Takeaways Pulling container images from public registries is a trust decision, not a neutral operational step. The impact extends to infrastructure stability, cloud spend, and security risk. Cryptomining is the most common form of malicious abuse in public container images, driven by the ease...

Qualys Named a Leader and Outperformer in the 2025 GigaOm Radar for CNAPP

We’re proud to share that Qualys has been recognized as a Leader and Outperformer in the 2025 GigaOm Radar Report for Cloud-Native Application Protection Platforms CNAPP. This year’s evaluation underscores an important reality of the CNAPP market: while 18 vendors were evaluated , only a small...

Cybersecurity Predictions for 2026 Signal the Maturation of Risk-First Security Models

Key Takeaways Cyber risk management gets operationalized in 2026. Leading organizations move beyond visibility and frameworks to govern risk through prioritization, simulation, and deliberate action. Attack-path modeling matures into execution. Static views give way to dynamic, decision-driving...

Your VMDR Year in Review: Making Security Progress Visible and Actionable

Security Teams Rarely Stop to Reflect When a security program is working well, very little seems to happen. That is by design. There is no alert for the incident that was prevented. No visibility into the attack path that was quietly closed. No recognition for the vulnerability that was fixed...

Why Serverless Risk Demands Identity-Aware Security at Cloud Scale

Key Takeaways Serverless shifts security risk from infrastructure to identity, permissions, and configuration, where small design choices can have an outsized impact. Short-lived cloud credentials reduce persistence but remain powerful; when exposed, they enable authenticated access, escalation,...

Microsoft and Adobe Patch Tuesday, January 2026 Security Update Review

Starting the year on a security-first note, Microsoft's January 2026 Patch Tuesday resolves several vulnerabilities that could impact enterprise environments. Here's a quick breakdown of what you need to know. Microsoft Patch Tuesday for January 2026 This month's release addresses 115...

Agent Grant: From Identity Signals to Measurable Risk Reduction

Executive Summary Identity is now the 1 attack surface. Agent Grant in Qualys ETM Identity uses agentic AI to measure and reduce identity risk across AD, Entra, Okta & other cloud IdPs/IDaaS. It operationalizes identity risk by turning messy Active Directory & identity-risk signals into validated...

Cloud Agent in 2025: A Year of Scale, Security, and Smarter Visibility

As we move into 2026, 2025 stands out as a defining year for the Qualys Cloud Agent. In 2025, Cloud Agent delivered deeper visibility into running systems and applications , stronger security controls , expanded support across operating systems and architectures , and meaningful platform...

Your Guide to PCI DSS 4.0.1 Web Application and API Controls with a Simplified Path to Compliance

Executive Summary PCI DSS 4.0.1 compliance mandates stricter security controls for web applications and APIs. Key updates include maintaining an inventory of custom software PCI 6.3.2 and managing payment page scripts to prevent skimming attacks PCI 6.4.3. Organizations must also adopt risk-based...

ShadyPanda: The Silent Browser Takeover Threat and How Qualys TruRisk Eliminate Helps You Stop It

Executive Summary ShadyPanda has exploited trusted browser extensions to compromise millions of users, illustrating how legitimate software can unexpectedly become harmful. Qualys TruRisk Eliminate empowers organizations to identify risky behaviors, prioritize real threats, and eliminate maliciou...

Navigating Change: Evolving Your Exposure Management Strategy in a Post-Kenna World with Qualys

Key Takeaways Cisco is ending support for it vuln management product formerly Kenna Security by June 2028 Risk-based vulnerability management RBVM used to be adequate, but is no longer sufficient Exposure assessment platforms allow you to assess risks from all organizational risk surfaces SOC...

Scale AI Securely with Qualys TotalAI’s Streamlined Onboarding, Deeper Risk Detection, and Compliance-Ready Reporting

Executive Summary Enterprises are entering a phase where AI systems function as decision engines that shape customer interactions, operational workflows, and business outcomes. This creates a new class of risk that is behavioral, contextual, and dynamic, driven by how models interpret instruction...

React2Shell: Decoding CVE-2025-55182 – The Silent Threat in React Server Components

On December 3, 2025, a critical remote code execution RCE vulnerability, dubbed "React2Shell," was disclosed, impacting React Server Components and frameworks like Next.js. The flaw, CVE-2025-55182, could lead to full server takeover and is rated CVSS 10.0. It is under active exploitation, has be...

Microsoft and Adobe Patch Tuesday, December 2025 Security Update Review

As the year winds down, Microsoft Patch Tuesday in December arrives with essential fixes and enhancements to close vulnerabilities and boost performance. Here's a quick breakdown of what you need to know. Microsoft Patch Tuesday for December 2025 This month's release addresses 72 vulnerabilities,...

Active Exploitation of 7-Zip RCE Vulnerability Shows Why Manual Patching is No Longer an Option

A critical remote code execution RCE vulnerability in 7-Zip CVE-2025-11001 is now being actively exploited. The issue stems from improper handling of symbolic links within crafted ZIP files. When a malicious archive is extracted, 7-Zip may write files outside the intended directory, allowing an...

The Future of Cloud Security: A New Act for Cyber Risk Operations

Qualys, the leader in Cyber Risk Operations, is proud to be recognized in Latio Tech’s 2025 Cloud Security Market Report as a leader in both CTEM and the Cloud Security Ecosystem. This acknowledgement by Latio Tech reinforces the strength of our strategy—anchored by the industry’s first Risk...

From Vision to Value: Gartner® Identifies Qualys as 2025 Magic Quadrant™ Leader in Exposure Assessment Platforms

Why Was Qualys Named a Leader in Exposure Assessment Platforms? We're proud to share that Qualys has been named a Leader in the 2025 Gartner® Magic Quadrant for Exposure Assessment Platforms. We believe this recognition reflects our forward-thinking vision and the proven value of the Qualys...

Zero-Day Zero: The AI Attack That Just Ended the Era of the Forgiving Internet

Why the Exploit Window Has Collapsed and How CISOs Must Pivot to Survive For decades, cybersecurity was a game of time. We banked on the buffer between a vulnerability’s disclosure and its widespread exploitation. We relied on the forgiving internet, where human attackers needed days or weeks to...

GenAI: Harness the Power, Eliminate the Risk — A Practical Playbook for Securing AI from Day One

Enterprises everywhere are racing to leverage AI to gain sharper insights, automate workflows, and deliver richer customer experiences. Based on an assessment conducted by Bain & Company, generative AI adoption is soaring, with 95% of US companies using it, up 12 percentage points in just a year...

What is Patch Management Automation and Why It Matters

Executive Summary Environments rarely stay as orderly as they begin. New workloads, faster releases, and growing attack surfaces stretch manual patching beyond its limits. The real risk emerges in the widening gap between spotting a vulnerability and fixing it. Automated patch management closes...

What It Takes to Design Trust into Event-Driven Architectures with Amazon EventBridge

How disciplined design turns Amazon EventBridge from an open event bus into a system of verified trust. Event-driven architecture has become essential for achieving agility in the cloud. Yet as integrations multiply, so do the hidden pathways that adversaries can exploit. Amazon EventBridge helps...

Unauthenticated Authentication Bypass in Fortinet FortiWeb (CVE-2025-64446) Exploited in the Wild

A critical authentication bypass vulnerability affecting Fortinet FortiWeb web application firewalls has been actively exploited since early October 2025. The vulnerability allows unauthenticated attackers to create admin accounts and gain complete control over vulnerable devices exposed to the...

Microsoft Patch Tuesday, November 2025 Security Update Review

Microsoft released its November Patch Tuesday Security Updates. Here's a quick breakdown of what you need to know. Microsoft Patch Tuesday for November 2025 This month's release addresses 68 vulnerabilities, including five critical and 59 important-severity vulnerabilities. In this month's update...

Battle Compliance Confusion and Security Fatigue with Qualys and ServiceNow

Once upon a time, your biggest worry was whether Dave in Accounting would click on a suspicious link. Today, you wish Dave were your only worry. You’re likely balancing four major clouds, including AWS, Azure, Google Cloud, and Oracle, plus on-premises, hybrid environments, thousands of ephemeral...

Inside an Automotive Giant’s Data Leak — A Cloud Misconfiguration Lesson for AWS Users

70 TB+ of data, hard-coded keys, and weak IAM controls. For even the most experienced enterprises, one configuration decision can be enough to surface how interdependent and vulnerable modern cloud systems truly are. The recent data exposure incident at a large automotive firm highlights this...

What Security Teams Need to Know as PHP and IoT Exploits Surge

Attack automation is accelerating, widening the window between detection and response. Qualys TRU telemetry reveals how these attacks unfold and what defenders can do next. The Qualys Threat Research Unit TRU has identified a sharp increase in attacks targeting PHP servers, IoT devices, and cloud...

Oracle Critical Patch Update, October 2025 Security Update Review

Oracle released its third quarterly edition of this year’s Critical Patch Update. The update received patches for 374 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families,...

A Strategic Response to the F5 BIG-IP Nation-State Breach 2025

In mid-October 2025, the cybersecurity landscape was dealt a severe blow. F5 disclosed a long-term, sophisticated breach by a nation-state threat actor. This incident exposed critical F5 BIG-IP vulnerabilities and triggered heightened scrutiny across enterprise edge infrastructure. This was not a...

Bringing the Power of Agentic AI for Identity Risk, Adaptive Threat Prioritization, and Exposure Exploitability Validation

Qualys Enterprise TruRisk Management ETM extends the power of risk operations with agentic AI — Introducing ETM Identity, TruLens for industry-based threat prioritization, and TruConfirm exposure exploitability validation to accelerate your remediation. Every year at our yearly conference, now...

Introducing TruConfirm for Enterprise TruRisk™ Management: Automated Exposure Validation

Enterprise security leaders and their teams face an impossible challenge: drowning in thousands of critical exposures in an ever-expanding attack surface while simultaneously trying to determine which ones pose a genuine risk of exploitation in their organizational environment. Traditional CVSS...

Introducing TruLens for Enterprise TruRisk™ Management: Unified Threat Intelligence

CISOs and security leaders today face extraordinary challenges: the constant influx of vast quantities of fragmented threat data, information that lacks the context necessary for their unique organizations, and mounting operational gaps that hinder genuine risk reduction. The need has shifted fro...

Qualys ETM Identity — The First True Quantification of the Identity Perimeter

Security has always been about controlling who can do what and where. In 2025, that control is mediated entirely by identity. When an attacker “logs in,” not "breaks in", they inherit legitimate permissions, blend into normal telemetry, and pivot across AD, Entra/Okta, SaaS, and cloud, driving...

Microsoft and Adobe Patch Tuesday, October 2025 Security Update Review

As cybersecurity threats evolve, Microsoft's October 2025 Patch Tuesday delivers one of the most comprehensive security updates of the year. Here's a quick breakdown of what you need to know. Microsoft Patch Tuesday for October 2025 This month's release addresses a staggering 193 vulnerabilities,...

Qualys Recognized as a Leader in the 2025 GigaOM Radar for Patch Management Solutions

With vulnerabilities growing faster than most organizations can keep up with, the need for a smarter, easier way to reduce risk has never been more urgent. That’s why in 2019 Qualys launched Patch Management—the first solution built to reduce risk, not just push software updates. Since then, the...

Ensuring Safe and Reliable Updates with Qualys TruRisk™ Manifest Version Control

The Fragility of “One Bad Update” In cybersecurity, speed is non-negotiable. New vulnerabilities surface daily, and enterprises expect coverage the moment exploits are in the wild. For years, the mantra was simple: push signatures fast, and you reduce risk. Faster updates meant faster protection...

Subscription Health Dashboard 2025 Update

Deployment health is mission-critical in today’s digital environment. Duplicate records, ghost hosts, and stale data obscure insights, slow decisions, and erode confidence. Building on last year’s Subscription Health Dashboard blog and best practices, the 2025 update delivers cleaner visibility,...

How to Prevent NPM Supply Chain Attacks in CI/CD Pipelines with Container Security

Introduction Containerized applications power the backbone of modern software delivery. But with speed comes risk. Vulnerabilities and embedded secrets can slip through the cracks long before they hit production. The result? Alert fatigue, noisy false positives, and critical exposures that disrup...

Qualys Named a Leader in the 2025 IDC MarketScape: Worldwide Exposure Management Vendor Assessment

We’re proud to announce that Qualys has been recognized as a Leader in theIDC MarketScape: Worldwide Exposure Management 2025 Vendor Assessment doc US52994525, August 2025. We believe this recognition underscores Qualys’ commitment to helping organizations proactively manage cyber risk with...

How Agentic AI Powers Seamless Audit Readiness with Agent Chang

Audits are rarely simple. Security and compliance teams often find themselves buried in repetitive, time-consuming tasks—collecting logs from multiple systems, exporting reports from various tools, and manually reconciling data in spreadsheets. Evidence must be traced back to the correct controls...

Patch Automation for Browsers with TruRisk™ Eliminate

Recently, CISA added a Chrome zero-day vulnerability, CVE-2025-10585, to its Known Exploited Vulnerabilities KEV Catalog, confirming that threat actors are actively exploiting this high-severity flaw in real-world attacks. This vulnerability affects multiple web browsers that utilize the Chromium...

Steps to TruRisk™ – 5: Eliminate Risk and Lead with Confidence

“We shall not fail or falter; we shall not weaken or tire … Give us the tools and we will finish the job.” – Winston Churchill Every security team knows this truth: you can’t patch everything, and you can’t necessarily protect everything. Perfection is rare, but decisive execution can change...

Introducing Enhanced User Interface for Qualys PCI DSS 4.0 ASV Compliant Solution

We’re excited to introduce the new Qualys PCI ASV user interface, built to deliver a smarter, faster, and more intuitive experience. The redesigned PCI ASV UI helps you simplify PCI DSS 4.0 compliance, save time, and reduce audit-related stress. This major update improves usability, streamlines...

Navigating SEBI’s Cloud Security Requirements: A Guide for Regulated Entities

Overview: Who is impacted: The Securities and Exchange Board of India SEBI is the primary regulatory authority for the securities market in India. It was established to protect investor interests and promote market development, but its guidelines also impact cybersecurity professionals at regulat...

Patch Tuesday Risk Elimination with Agent Sara

Introduction Risk elimination is the goal of any vulnerability management program. It is typically achieved through a combination of patching and scripting solutions. SecOps teams usually prioritize vulnerabilities and forward them to IT teams for remediation. However, the real challenge lies in...

When Dependencies Turn Dangerous: Responding to the NPM Supply Chain Attack

On September 8, 2025, attackers compromised a set of 18 widely used npm packages —including chalk, debug, ansi-styles, and strip-ansi—collectively downloaded over 2.6 billion times per week. Through a targeted phishing campaign against a maintainer, the attackers published malicious versions...