
Qualys Web Application Scanning
Application Security- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The Qualys Web Application Scanning (WAS) Connector integrates with the Qualys WAS platform to synchronize web application inventory and dynamic application security testing (DAST) results into the Brinqa platform. It connects to the Qualys WAS API to retrieve scanned web applications, the findings detected against them, and the knowledge base entries (QIDs) that define those findings, mapping each to the Brinqa Data Model.
Data retrieved from Qualys Web Application Scanning
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Application | Yes | Application |
| Finding | Yes | Dynamic Code Finding |
| WAS Vulnerability Definition | Yes | Dynamic Code Finding Definition |
Model relationships
For detailed steps on how to view the data retrieved from Qualys Web Application Scanning in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Qualys Web Application Scanning from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| API Server URL | Yes | https://qualysapi.qualys.com/ | Qualys platform API server url |
| Username | Yes | — | Qualys user login |
| Password | Yes | — | Qualys user password |
| Page size | No | 100 | Maximum number of hosts to request per API request |
| Parallel requests | No | 2 (or available processors) | Maximum number of parallel API requests |
| Maximum retries | No | 5 | The maximum number of retry attempts before giving up a request |
| Request timeout (secs) | No | 120 | The maximum seconds allotted before a request will time out. Enter zero (0) to disable timeouts (not recommended). |
Authentication
The connector authenticates with the Qualys API using HTTP Basic Authentication (username and password). Credentials are supplied through the connector configuration and applied to every request via a pre-emptive Basic auth scheme.
Endpoint
| Method | URL |
|---|---|
POST | https://qualysapi.qualys.com/qps/rest/3.0/... |
GET | https://qualysapi.qualys.com/qps/rest/3.0/... |
Request Headers
| Header | Value |
|---|---|
Authorization | Basic <base64(username:password)> |
Content-Type | application/xml |
Usage
The connector establishes a Basic credentials provider with the configured username and password and attaches the Authorization: Basic <base64(username:password)> header to all subsequent requests. The Qualys WAS API uses XML request and response bodies (the ServiceRequest / ServiceResponse envelope).
Sample Request Body (Finding search)
<ServiceRequest>
<preferences>
<verbose>true</verbose>
<limitResults>100</limitResults>
</preferences>
<filters>
<Criteria field="status" operator="IN">NEW, ACTIVE, REOPENED, FIXED</Criteria>
<Criteria field="severity" operator="IN">1, 2, 3, 4, 5</Criteria>
<Criteria field="lastDetectedDate" operator="GREATER">2026-01-01T00:00:00Z</Criteria>
</filters>
</ServiceRequest>
Sample Response Body
<ServiceResponse>
<responseCode>SUCCESS</responseCode>
<hasMoreRecords>false</hasMoreRecords>
<data>
<Finding>
<id>123456</id>
<qid>150001</qid>
<severity>3</severity>
<status>ACTIVE</status>
<webApp><id>987</id></webApp>
<firstDetectedDate>2025-12-01T10:00:00Z</firstDetectedDate>
<lastDetectedDate>2026-01-15T10:00:00Z</lastDetectedDate>
</Finding>
</data>
</ServiceResponse>
Response Fields
| Field | Description |
|---|---|
responseCode | Result of the request (e.g. SUCCESS) |
hasMoreRecords | Whether additional pages are available for pagination |
data | Container for the returned Finding / WebApp records |
How to obtain Qualys Web Application Scanning credentials
Create a Qualys user
To ensure the user account that the Qualys WAS connector uses to access the Qualys server has the appropriate permissions, follow these steps.
-
Log in to your organization's Qualys server.
-
Navigate to Users, and then select the Users tab.
-
Click New and select User. The New User dialog displays.

-
Fill out the general information for the new user.
-
Click User Role on the left menu.
-
From the User Role dropdown, select Reader.
-
Select GUI and API to enable API access, and leave Business Unit Unassigned.
-
Note: GUI access allows the user to log in to the Qualys GUI (graphical user interface). After you create the new Qualys user, log in to the Qualys GUI using the new credentials. The system prompts the user to reset their password. The Qualys connector will not function until you complete the password reset.

-
Click Asset Groups.
- From the Add asset groups dropdown, select All or only the asset groups the Qualys user needs access to.
-
Click Permissions and select all of the available permissions.
-
Click Options to modify the notification options as needed.
-
Click Save.
The new Qualys user with appropriate permissions to retrieve data displays on the Qualys Users page.
If you do not wish to create a new Qualys user, you can leverage an existing user with the appropriate permissions.
Note: If you do not have permissions to create a new Qualys user, contact your Qualys administrator. For additional information, see Qualys documentation.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Application
| Source Field Name | SDM Attribute |
|---|---|
(predefined attribute on schema) | IP_ADDRESSES |
| ASSET_CATEGORY_WEB_APPLICATION | CATEGORIES |
webApp.getAttributes (per custom attribute name) | Custom attributes |
webApp.getComments (comment contents) | Comments |
webApp.getCreatedDate | SOURCE_CREATED_DATE |
webApp.getId | UID |
webApp.getLastScanStatus | LAST_SCAN_STATUS |
webApp.getName | NAME |
webApp.getOs | OPERATING_SYSTEM |
webApp.getOwner (first + last name or username) | OWNER |
webApp.getTags (tag names) | TAGS |
webApp.getUpdatedDate | SOURCE_LAST_MODIFIED |
webApp.getUrl | URL |
Finding
| Source Field Name | SDM Attribute |
|---|---|
"Dynamic Code" (constant) | CATEGORIES |
| Calculated from normalized status | STATUS_CATEGORY |
finding.getCwe (formatted as CWE-<id>) | CWE_IDS |
finding.getExternalRef | REFERENCES |
finding.getFirstDetectedDate | FIRST_FOUND |
finding.getId | UID |
finding.getLastDetectedDate | LAST_FOUND |
finding.getLastDetectedDate (when status FIXED) | LAST_FIXED |
finding.getLastTestedDate | LAST_SCANNED |
finding.getOwasp (category names) | OWASP_CATEGORIES |
finding.getResultList payload requests (decoded) | REQUEST |
finding.getResultList payload responses | RESPONSE |
finding.getSeverity (normalized) | SEVERITY |
finding.getStatus | PROVIDER_STATUS |
finding.getStatus (normalized) | SOURCE_STATUS |
finding.getTimesDetected | TIMES_FOUND |
finding.getUrl | URL |
finding.getWebApp.getId | TARGETS |
finding.isIsIgnored | Suppressed |
QID_PREFIX + finding.getQid | TYPE |
WAS Vulnerability Definition
| Source Field Name | SDM Attribute |
|---|---|
| Calculated from severity | SEVERITY_SCORE |
discovery.getAUTHTYPELIST | Auth type |
discovery.getREMOTE | Discovery |
Instant.now() at sync start | LAST_CAPTURED |
QID_PREFIX + vuln.getQID | UID |
vuln.getAUTOMATICPCIFAIL | Automatic PCI failure |
vuln.getBUGTRAQLIST | BugTraq ID |
vuln.getCATEGORY | CATEGORIES |
vuln.getCOMPLIANCELIST | Compliance type |
vuln.getCONSEQUENCE | SUMMARY |
vuln.getCORRELATION (exploits) | EXPLOITS |
vuln.getCORRELATION (malware) | MALWARE |
vuln.getCVELIST | CVE_IDS |
vuln.getCVELIST | CVE_RECORDS |
vuln.getCVSS.getBASE | CVSS_V2_BASE_SCORE |
vuln.getCVSS.getTEMPORAL | CVSS_V2_TEMPORAL_SCORE |
vuln.getCVSS.getVECTORSTRING / vuln.getCVSSV3.getVECTORSTRING | CVSS Metrics |
vuln.getCVSSV3.getBASE | CVSS_V3_BASE_SCORE |
vuln.getCVSSV3.getTEMPORAL | CVSS_V3_TEMPORAL_SCORE |
vuln.getDIAGNOSIS | DESCRIPTION |
vuln.getLASTSERVICEMODIFICATIONDATETIME | SOURCE_LAST_MODIFIED |
vuln.getPATCHABLE | PATCHABLE |
vuln.getPCIFLAG | PCI flag |
vuln.getPCIREASONS | PCI reasons |
vuln.getPUBLISHEDDATETIME | PUBLISHED_DATE |
vuln.getSEVERITYLEVEL (as double) | SOURCE_SEVERITY_SCORE |
vuln.getSEVERITYLEVEL (normalized) | SEVERITY |
vuln.getSOFTWARELIST (products) | AFFECTED |
vuln.getSOFTWARELIST (vendors) | Vendor |
vuln.getSOLUTION | RECOMMENDATION |
vuln.getTHREATINTELLIGENCE | Threat indicators |
vuln.getTITLE | NAME |
vuln.getVENDORREFERENCELIST (URLs) | REFERENCES |
vuln.getVULNTYPE | Type |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Application
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (XML request/response,
ServiceRequest/ServiceResponseenvelope) · Endpoint:POST /qps/rest/3.0/search/was/webapp - Default filters: On delta syncs,
updatedDate GREATER <since>
Finding
Operation options
| Option | Type | Default | Description |
|---|---|---|---|
status | String | NEW, ACTIVE, REOPENED, FIXED | Finding status filter (status IN ...) |
severity | String | 1, 2, 3, 4, 5 | Severity filter (severity IN ...) |
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (XML request/response,
ServiceRequest/ServiceResponseenvelope) · Endpoint:POST /qps/rest/3.0/search/was/finding - Default filters:
status IN (NEW, ACTIVE, REOPENED, FIXED),severity IN (1, 2, 3, 4, 5)(both overridable via operation options); on delta syncs,lastDetectedDate GREATER <since>
WAS Vulnerability Definition
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST (Qualys FO XML API; URL-encoded query parameters in, XML response out) · Endpoint:
GET /api/3.0/fo/knowledge_base/vuln/ - Default filters: Only knowledge base entries whose supported modules include
WASare synced (others are skipped client-side)
Changelog
The Qualys Web Application Scanning connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 5.3.41 | Improvements - Added a "Last captured" timestamp to Vulnerability Definition records, recording when each record was last retrieved from Qualys during a sync. | N/A |
| 5.3.40 | No changes in this release. | N/A |
| 5.3.39 | Bug Fixes - Fixed attribute type mismatches that caused Web Application and Finding syncs to fail. Several values were being stored with the wrong type: the Application "Source created date" / "Source last modified", and the Finding "Last scanned" / "First found" / "Last found" / "Last fixed" dates were stored as numbers instead of timestamps, and the Finding "Times found" count was stored as a long instead of an integer. These now use the correct types and the syncs complete successfully. | • Application and Finding: the date attributes and "Times found" changed type. Re-sync the Qualys_WAS connector to repopulate these records. |
| 5.3.38 | No changes in this release. | N/A |
| 5.3.37 | Bug Fixes - Fixed a data integration failure on the Vulnerability Definition sync (which shares the affected base model with Qualys VM). The source severity score was being emitted as an Integer, but the platform schema requires a Double, causing the job to abort with an attribute type mismatch error. The value is now written as a Double. | N/A |
| 5.3.36 | Improvements Coding Standards Modernization - Bumped http-connectors-parent from 2.1.7 to 2.1.12 and connectors-model from 1.5.10 to 1.6.19 to align with the current connector framework baseline. - Replaced all new AttributeInfoBuilder(...) usages with AttributeInfos.newAttribute(...) across all model classes. This ensures custom attributes are registered with the correct consolidation priority, so they participate properly in attribute consolidation and value precedence. - Removed local addAttribute helper methods in favor of AttributeUtils.addAttribute from connectors-model, which prevents null values from silently reaching the attribute builder and adds type validation. - Migrated storage initialization from the deprecated LocalFactory / LocalConfig to StorageManager from connectors-model. - Removed the connector-local InstantDeserializer / InstantUtils in favor of OptionalInstantDeserializer from connectors-model, which supports a broader set of input formats. - Applied Spotless code formatting to the full codebase. | N/A |
| 5.3.35 | No changes in this release. | N/A |
| 5.3.34 | No changes in this release. | N/A |
| 5.3.33 | No changes in this release. | N/A |
| 5.3.32 | No changes in this release. | N/A |
| 5.3.31 | No changes in this release. | N/A |
| 5.3.30 | No changes in this release. | N/A |
| 5.3.29 | No changes in this release. | N/A |
| 5.3.28 | No changes in this release. | N/A |
| 5.3.27 | No changes in this release. | N/A |
| 5.3.26 | No changes in this release. | N/A |
| 5.3.25 | New Features - Findings now record a "Last fixed" date, set when Qualys reports a finding as fixed, so you can see when a vulnerability was resolved. Improvements - Finding status is now captured in two distinct attributes — "Source status" (the normalized lifecycle status) and "Provider status" (the raw status reported by Qualys) — giving clearer visibility into how a finding's state was derived. | • Finding: the single status value was split into "Source status" and "Provider status". Re-sync the Qualys_WAS connector so existing findings are repopulated with the new status attributes. |
| 5.3.24 | No changes in this release. | N/A |
| 5.3.23 | No changes in this release. | N/A |
| 5.3.22 | No changes in this release. | N/A |
| 5.3.21 | No changes in this release. | N/A |
| 5.3.20 | No changes in this release. | N/A |
| 5.3.19 | No changes in this release. | N/A |
| 5.3.18 | No changes in this release. | N/A |
| 5.3.17 | No changes in this release. | N/A |
| 5.3.16 | No changes in this release. | N/A |
| 5.3.15 | No changes in this release. | N/A |
| 5.3.14 | No changes in this release. | N/A |
| 5.3.13 | No changes in this release. | N/A |
| 5.3.12 | No changes in this release. | N/A |
| 5.3.11 | No changes in this release. | N/A |
| 5.3.10 | Improvements - The Vulnerability Definition "Patch available" indicator was renamed to "Patchable" to align with the platform's standard attribute naming. | • Vulnerability Definition: the "Patch available" attribute was renamed to "Patchable". Re-sync the Qualys_WAS connector so this attribute is repopulated under its new name. |
| 5.3.9 | No changes in this release. | N/A |
| 5.3.8 | No changes in this release. | N/A |
| 5.3.7 | No changes in this release. | N/A |
| 5.3.6 | No changes in this release. | N/A |
| 5.3.5 | New Features - Added a configurable request timeout setting (default 120 seconds). This lets you tune how long the connector waits for slow Qualys WAS API responses before timing out, which helps large environments avoid premature failures. | N/A |
| 5.3.4 | No changes in this release. | N/A |
| 5.3.3 | No changes in this release. | N/A |
| 5.3.2 | No changes in this release. | N/A |
| 5.3.1 | No changes in this release. | N/A |
| 5.3.0 | No changes in this release. | N/A |
| 5.2.4 | No changes in this release. | N/A |
| 5.2.3 | No changes in this release. | N/A |
| 5.2.2 | Improvements - The Vulnerability Definition "Source severity" attribute was renamed to "Source severity score" to better reflect that it carries the raw numeric severity from Qualys. | • Vulnerability Definition: the "Source severity" attribute was renamed to "Source severity score". Re-sync the Qualys_WAS connector so this attribute is repopulated under its new name. |
| 5.2.1 | No changes in this release. | N/A |
| 5.2.0 | No changes in this release. | N/A |
| 5.1.13 | No changes in this release. | N/A |
| 5.1.12 | No changes in this release. | N/A |
| 5.1.11 | No changes in this release. | N/A |
| 5.1.10 | No changes in this release. | N/A |
| 5.1.9 | No changes in this release. | N/A |
| 5.1.8 | No changes in this release. | N/A |
| 5.1.7 | No changes in this release. | N/A |
| 5.1.6 | No changes in this release. | N/A |
| 5.1.5 | No changes in this release. | N/A |
| 5.1.4 | No changes in this release. | N/A |
| 5.1.3 | No changes in this release. | N/A |
| 5.1.2 | No changes in this release. | N/A |
| 5.1.1 | No changes in this release. | N/A |
| 5.1.0 | New Features - Added a configurable maximum retries setting, so transient Qualys API errors are retried automatically before a sync fails. - Added support for the platform's latest-sync-token mechanism, improving how incremental syncs are tracked. | N/A |
| 5.0.18 | Improvements - Vulnerability Definition severity handling was expanded: alongside the normalized severity, the connector now records a "Severity score" derived from the normalized severity and retains the raw Qualys severity as "Source severity". | • Vulnerability Definition: severity is now stored as a normalized value with an added "Severity score", and the raw value moved to "Source severity". Re-sync the Qualys_WAS connector so these records reflect the new severity attributes. |
| 5.0.17 | Improvements - Vulnerability Definition severity is now normalized to the platform's standard severity scale, and the original Qualys value is preserved separately as "Source severity". | • Vulnerability Definition: the severity value was rescaled and the raw value moved to "Source severity". Re-sync the Qualys_WAS connector so existing records are repopulated with the normalized severity. |
| 5.0.16 | Bug Fixes - Fixed an issue where multi-valued attributes containing null entries could cause syncs to fail. Null values are now filtered out before attributes are built. | N/A |
| 5.0.15 | No changes in this release. | N/A |
| 5.0.14 | Improvements - The Application, Finding, and Vulnerability Definition models now use the platform's standard unique identifier (UID) for record matching, replacing the previous custom identifier mappings. This improves consolidation consistency across syncs. | • Application, Finding, and Vulnerability Definition: the record identifier scheme changed. Re-sync the Qualys_WAS connector so records are re-matched under the new identifiers. |
| 5.0.13 | Improvements - The "Category" attribute was renamed to "Categories" on the Application, Finding, and Vulnerability Definition models, and web applications now use the platform's standard "Web Application" asset category value. | • Application, Finding, and Vulnerability Definition: the "Category" attribute was renamed to "Categories". Re-sync the Qualys_WAS connector so this attribute is repopulated under its new name. |
| 5.0.12 | Improvements - The Application model's record identifiers were updated to use the application URL and name directly, improving how web applications are matched and consolidated across syncs. | • Application: the record identifier scheme changed. Re-sync the Qualys_WAS connector so applications are re-matched under the new identifiers. |
| 5.0.11 | No changes in this release. | N/A |
| 5.0.10 | Improvements - The Application "IP address" attribute was changed to the multi-valued "IP addresses" attribute, so applications resolving to multiple addresses are represented fully. | • Application: the single "IP address" attribute was replaced by the multi-valued "IP addresses" attribute, and it is no longer used as a record identifier. Re-sync the Qualys_WAS connector so applications are repopulated with the new attribute. |
| 5.0.9 | No changes in this release. | N/A |
| 5.0.8 | No changes in this release. | N/A |
| 5.0.7 | No changes in this release. | N/A |
| 5.0.6 | Improvements - Finding status is now mapped to the platform's standard finding status categories, improving how open and resolved findings are classified. | N/A |
| 5.0.5 | Improvements - Record identification for the Application, Finding, and Vulnerability Definition models was refined to use consistent UID and source-UID consolidation criteria, improving how records are matched across syncs. | • Application, Finding, and Vulnerability Definition: record matching criteria changed. Re-sync the Qualys_WAS connector so records consolidate correctly under the new criteria. |
| 5.0.4 | Improvements - The Finding Definition model was renamed to Vulnerability Definition to align with the platform's standard finding-definition naming. | • Vulnerability Definition (formerly Finding Definition): the model type was renamed. Purge or re-sync the Qualys_WAS connector so records are recreated under the new model type. |
| 5.0.3 | No changes in this release. | N/A |
| 5.0.2 | New Features - Added a Finding Definition model that captures vulnerability knowledge-base details (severity, CVSS scores, CVE references) for findings reported by Qualys WAS. Improvements - Findings now populate a "Times found" count and include the HTTP request and response captured for each detection. - Finding attributes were aligned to the platform's standard names: CWE values are now stored as "CWE IDs", OWASP values as "OWASP categories", and the reference field as "References". | • Finding: several attributes were renamed (CWE → CWE IDs, OWASP → OWASP categories, References). Re-sync the Qualys_WAS connector so findings are repopulated under the new attribute names. |
| 5.0.1 | Improvements - Application date attributes were aligned to the platform's standard names: "Date created" is now "Source created date" and "Last updated" is now "Source last modified". - Vulnerability Definition now records CVE references in the platform's standard "CVE IDs" and "CVE records" attributes, and its modification timestamp moved to "Source last modified". | • Application and Vulnerability Definition: several attributes were renamed. Re-sync the Qualys_WAS connector so records are repopulated under the new attribute names. |
| 5.0.0 | Overview The Qualys Web Application Scanning connector integrates with Qualys WAS to synchronize scanned web applications and the security findings discovered against them. Category: Application Security Models | N/A |