Qualys ROCon: From SOC To Roc, Evolving To Agentic Risk Surface Management
Summary: The Qualys ROCon 2025 conference explored the shift from vulnerability management to risk management, emphasised the role of AI in cybersecurity, and introduced the Risk Operations Center (ROC) and related technology solutions. Published 2025-10-15 21:02:44. Author: securityboulevard.com

Global sales SVP at Qualys Shawn O’Brien kicked off the company’s Qualys ROCon 2025 event this week in Houston, Texas. Driving straight into an opening keynote to explain what ROCon means today (remember that Qualys traditionally used the term Qualys Security Conference – QSC, as the nametag for its symposia and conferences), O’Brien said that this coming together of practitioners is an evolution of a focused effort derived from feedback the company has received from actual users.

The shift to risk over vulnerability appears then to be real.

With teams now looking to identify, manage and minimize their risk in live operations today, Qualys separated out content at this event across both business and technology professionals’ interests. That’s all because the company says it knows that organizations “need to be able to communicate risk management to the board” at this time.


The Fractional CISO View

Guest speaker Kip Boyle, founder of Cyber Risk Opportunities and a self-proclaimed “fractional CISO” (he spends a good portion of time as a podcast host too) took over a portion of this keynote with a presentation entitled “Fire Doesn’t Innovate” on the opening morning.

Boyle suggested that we’re trying to fight “today’s digital battles with yesterday’s mindset”, and this is borne out by his reference to an Anthropic analysis of so-called “vibe hacking”, i.e. chatting with AI services to learn how to launch cyber attacks.

According to Anthropic itself, “Agentic AI has been weaponized. AI models are now being used to perform sophisticated cyberattacks, not just advise on how to carry them out. [Our team] recently disrupted a sophisticated cybercriminal who used Claude Code to commit large-scale theft and extortion of personal data. The actor targeted at least 17 distinct organizations, including those in healthcare, the emergency services and government and religious institutions.” 

Forrester analyst Jeff Pollard agrees with the movements seen here. He thinks that “fraud is no longer manual” and says that AI enables real-time adaptation, behavioral targeting and operational resilience for adversaries.

The View From The CEO 

“The whole conversation around vulnerability management has gravitated towards risk operations management for some time now. Back when I started at Qualys some two decades ago, our customers used to scan once a quarter (and that might be a typical customer with 5000 servers) and give their IT team 90 days to fix any vulnerabilities. Today, we’re looking at scans every four hours… and some customers are asking for a cadence that runs as fast as every 45 minutes – so you understand how much things have sped up,” said Thakar.

But, questions Thakar, if teams are looking at that kind of speed… then how much time is the team actually spending fixing things?

The attack surface is expanding and so is the alert surface, says Thakar. As more core compute is deployed, more attack points naturally surface with it. All this happens while the baseline “time to exploit” is also compressing, sometimes down to a negative number of days. A negative figure arises when a patch is released slowly: attackers have seen that a CVE has been disclosed and have already delivered working exploits before the fix is available, effectively getting ahead of the patch.

“We cannot fix everything, so we need prioritization and we need fast remediation. AI is being used to generate malicious (exploit-related) emails so fast that the only way to detect these things is with AI itself. If you are asking developers to fix things that don’t really matter to the company, then that is effectively ‘stealing from the company’ really,” suggested Thakar. “This is why we talk about the need for a business to analyze its security posture management position. It all comes down to the fact that organizations need an operationalized process for cyber risk management.”

Qualys introduced the idea of a Risk Operations Center (ROC) last year. In total, this incorporates:

  • A unified asset inventory.
  • Risk factor aggregation tools.
  • Threat intelligence.
  • Business context information.
  • Risk prioritization.
  • Risk response orchestration.
  • Compliance & executive reporting functions.

The way ahead for Thakar and team is a process designed to allow organizations to eliminate risk, with or without a patch. The sequence is defined as: patch; mitigate; then work within a central cloud exploitation prevention zone; and, where necessary, isolate a machine or fully uninstall a vulnerable server instance.

“Fighting agentic threats with agentic AI requires a new level of human + AI collaboration,” said Thakar. By embedding agentic AI functions into Enterprise TruRisk Management (ETM) this year, Qualys insists that it can enhance its risk-centric automation capabilities. Already a cornerstone of the ROC approach, ETM now aggregates exposures to measure, communicate and eliminate cyber risk aligned to business value. 

Define Your Risk Appetite

With its new AI fabric, Qualys says it delivers pre-built AI agents that automate threat prioritization and drive remediation strategies tailored to each organization’s “risk appetite” and environment. There is also a Cyber Risk Assistant, i.e. a prompt-driven interface that helps teams navigate the risk journey, translate millions of exposures, and deliver context-aware risk insights with autonomous operations.

“Cybersecurity has never been able to keep pace with the volume of enterprise exposures due to human-scale prioritization and remediation,” said Tyler Shields, principal analyst at Enterprise Strategy Group. “Integrating Agentic AI into the Qualys platform marks a major leap – from reactive response to real-time risk reduction. With autonomous remediation and intelligent prioritization, this type of innovation enables faster risk reduction, more efficient resource usage and greater accuracy in recommended actions. This evolution shifts security teams from tactical responders to strategic agentic AI orchestrators, bringing us closer to a future of self-healing cybersecurity.”

In terms of core product news, Qualys used its conference this year to unveil new capabilities in Qualys Enterprise TruRisk Management that strengthen proactive risk management. Announced at Qualys Risk Operations Conference (ROCon), the enhancements are promised to bolster identity security for both human and non-human identities, improve predictive threat analysis and also provide confirmation of an exposure’s exploitability safely, allowing security teams to anticipate and predict cyber risk before a breach happens.

“Agentic AI is transforming cybersecurity and forcing organizations to rethink how they manage risk. To stay ahead, they must proactively reduce risk, anticipate where attackers are most likely to strike, and clearly demonstrate the impact of their security investments,” said Thakar. “Qualys Enterprise TruRisk Management now rises to this challenge with expanded risk verification – now including user identities and exploit validation – providing the clarity and precision security leaders need. We’re empowering organizations to measure, communicate, and eliminate cyber risk in ways that drive real, verifiable risk reduction at the executive and board level.”

A Proactive Intelligence-Driven Approach

Thakar says that the adoption of AI has increased the volume and complexity of attacks, while fueling a surge in non-human and autonomous identities that security teams must manage. As a result, many security teams are stretched thin, struggling to prioritize and respond effectively. Organizations need a proactive, intelligence-driven approach to breach prevention, tailored to their unique risk profile. Qualys ETM delivers this by aligning Identity Risk Posture Management, contextual threat intelligence for prioritization, and exposure exploitability validation with a unified Risk Operations Center (ROC) framework, enabling provable risk reduction at enterprise scale.

The CEO says that these enhancements to Qualys ETM act as force multipliers within the ROC, unifying teams around a single risk language, TruRisk, to prioritize and reduce the most critical risk factors with clarity and precision. ETM Identity uncovers identity-based risks through deep domain insights, TruLens prioritizes threats and adversaries based on real-time, industry-specific intelligence, and TruConfirm validates which vulnerabilities are truly exploitable within your environment, providing a quantifiable way to measure and verify real risk reduction. Beyond just identifying vulnerabilities, Qualys ETM helps close the loop from detection to response by pairing insights with guided, operationalized remediation.

ETM Identity, TruLens & TruConfirm 

ETM Identity enables organizations to proactively reduce both human and non-human identity-related risks. It unifies visibility, context, and remediation across all identity and access management (IAM) systems, including on-premises Active Directory, Microsoft Entra ID, cloud identity providers (IdPs), and Identity as a Service (IDaaS) platforms, and correlates identity and asset risk into a single Identity TruRisk™ score. 

TruLens delivers real-time, tailored threat intelligence that enables organizations to detect, prioritize, and remediate cyber risks with greater speed and precision. By continuously applying live threat analysis and business impact context, TruLens dynamically re-ranks exposures, such as CISA KEV vulnerabilities, so teams focus on fixing what truly matters before threats escalate. 

It unifies fragmented threat and vulnerability data, enriches it with asset and business context, and surfaces the risks most likely to affect critical operations. With access through a mobile application and tailored, industry-leading intelligence, TruLens delivers actionable insights customized for your specific industry and environment, so leaders can make faster, more informed decisions across the organization.

TruConfirm extends the value of the Qualys platform by proactively confirming the exploitability of an exposure before attackers get to it. By safely executing real-world attack scenarios, TruConfirm validates exploitability and identifies where security controls have failed, giving security teams clear, actionable proof of risk. 

“This attacker’s perspective enables faster, more effective prioritization and accelerates mitigation by closing the loop from detection to response. Once a vulnerability is confirmed to be exploitable, Qualys ETM orchestrates patching or mitigations through ITSM workflows, verifies remediation, and automatically updates the TruRisk™ score. When combined with TruLens, TruConfirm ensures that remediation efforts are laser-focused on exposures that meaningfully reduce incident likelihood now,” stated the company, in a technical briefing document.
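The three capabilities above describe one pipeline: enrich each exposure with threat intelligence (for example CISA KEV listing) and business context, validate whether it is actually exploitable in the environment, and then spend remediation effort only where it measurably reduces risk. The following is an added illustration of that pipeline, not Qualys code and not the TruRisk formula; the multipliers, the risk-appetite threshold, the CVE identifiers and the inventory are all constructed assumptions. It also computes the "time to exploit" figure discussed earlier, which goes negative when an exploit is observed before the patch exists, and shows why fixing findings that validation proved non-exploitable removes almost no measured risk.

```python
"""Toy exposure-prioritization model (constructed example, not Qualys code).

Assumed scoring: a CVSS-like base severity is scaled by asset criticality
(business context), by threat-intelligence signals (KEV listing, exposure to
the internet) and by the outcome of exploitability validation. Every weight
below is an illustrative assumption, not a published formula.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Illustrative multipliers (assumptions).
KEV_MULTIPLIER = 2.0              # listed in CISA KEV: exploitation known in the wild
INTERNET_EXPOSED_MULTIPLIER = 1.5  # reachable from outside the perimeter
VALIDATED_EXPLOITABLE = 1.5        # safe exploit test succeeded in this environment
VALIDATED_NOT_EXPLOITABLE = 0.2    # exploit test was blocked by existing controls
UNTESTED = 1.0                     # no validation result yet


@dataclass
class Exposure:
    cve: str                        # placeholder ids, not real advisories
    asset: str
    cvss: float                     # 0.0-10.0 base severity
    criticality: int                # 1 (lab box) .. 5 (revenue-critical) business context
    in_kev: bool
    internet_exposed: bool
    exploitable: Optional[bool]     # None = not yet validated
    patch_available: Optional[date] = None
    exploit_observed: Optional[date] = None


def time_to_exploit_days(exp: Exposure) -> Optional[int]:
    """Days from patch availability to first observed exploit.
    Negative when exploits circulated before a patch existed."""
    if exp.patch_available is None or exp.exploit_observed is None:
        return None
    return (exp.exploit_observed - exp.patch_available).days


def risk_score(exp: Exposure) -> float:
    """Severity scaled by business context, threat intel and validation result."""
    score = exp.cvss * (exp.criticality / 5.0)
    if exp.in_kev:
        score *= KEV_MULTIPLIER
    if exp.internet_exposed:
        score *= INTERNET_EXPOSED_MULTIPLIER
    if exp.exploitable is True:
        score *= VALIDATED_EXPLOITABLE
    elif exp.exploitable is False:
        score *= VALIDATED_NOT_EXPLOITABLE
    else:
        score *= UNTESTED
    return round(score, 2)


def prioritize(exposures: List[Exposure],
               risk_appetite: float) -> Tuple[List[Exposure], List[Exposure]]:
    """Rank by score and split into what exceeds the organisation's appetite
    (must fix now) and what sits within it (accepted for now)."""
    ranked = sorted(exposures, key=risk_score, reverse=True)
    must_fix = [e for e in ranked if risk_score(e) > risk_appetite]
    accepted = [e for e in ranked if risk_score(e) <= risk_appetite]
    return must_fix, accepted


def risk_reduction(exposures: List[Exposure], fixed: List[Exposure]) -> float:
    """Fraction of total scored risk removed by remediating `fixed`."""
    total = sum(risk_score(e) for e in exposures)
    removed = sum(risk_score(e) for e in fixed)
    return round(removed / total, 3) if total else 0.0


# Constructed sample inventory: placeholder CVE ids and dates, not real data.
INVENTORY = [
    Exposure("CVE-EXAMPLE-0001", "web-edge-01", 9.8, 5, True, True, True,
             date(2025, 3, 10), date(2025, 3, 3)),   # exploited a week before the patch
    Exposure("CVE-EXAMPLE-0002", "db-core-02", 8.1, 5, False, False, None),
    Exposure("CVE-EXAMPLE-0003", "build-agent-07", 7.5, 2, False, False, False),
    Exposure("CVE-EXAMPLE-0004", "lab-vm-13", 6.5, 1, False, False, False),
    Exposure("CVE-EXAMPLE-0005", "hr-portal-01", 7.2, 4, True, True, None,
             date(2025, 5, 1), date(2025, 5, 20)),
]

if __name__ == "__main__":
    must_fix, accepted = prioritize(INVENTORY, risk_appetite=5.0)
    for e in must_fix + accepted:
        print(f"{e.cve:18} {e.asset:16} score={risk_score(e):6.2f} "
              f"tte={time_to_exploit_days(e)}")
    print("risk removed by fixing the must-fix set:", risk_reduction(INVENTORY, must_fix))
    print("risk removed by fixing only the accepted set:", risk_reduction(INVENTORY, accepted))
```

With the constructed inventory, the two findings that validation showed to be non-exploitable account for roughly 1% of the scored risk, while the three findings above the appetite threshold account for almost 99%; that is the arithmetic behind spending remediation effort on confirmed exploitability rather than on raw vulnerability counts.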

Are We Ready To De-Risk?

All of which finally raises the question: if CISOs have to move their teams onward now to focus on risk as the key quantifier of system strength, is everyone emotionally ready to leave the Security Operations Center (SOC) behind and pledge allegiance to the Risk Operations Center (ROC) approach?

Speaking directly to Techstrong Group on this point, Qualys CEO Thakar said that “The ROC today reflects the reality of where we are, rather than the ideal state necessarily. If an organization thinks it has the time and the budget to fix every single thing, sure go for it. But what organization today has that? In risk management, you get to a point where the Return on Investment from total remediation does not justify the expenditure. If a firm could apply 10,000 patches, but find that overall risk reduces by almost nothing, because those vulnerabilities were not exploitable, that’s not a practical approach.”

Ultimately, it comes down to the risk appetite that any individual organization adopts, and this is a function of a) company culture, b) use of the data that Qualys offers on operations inside each industry vertical, and c) the age and maturity of the business itself. Taken together, those are the ingredients that make up risk appetite; let’s hope it’s tasty enough for every palate. 

Source: https://securityboulevard.com/2025/10/qualys-rocon-from-soc-to-roc-evolving-to-agentic-risk-surface-management/