Qualys Web Application Firewall Review

Overview

Qualys WAF was a cloud-managed web application firewall offered as part of the Qualys Cloud Platform. What made it unique was its deep integration with Qualys Web Application Scanning (WAS), allowing security teams to automatically generate WAF rules from discovered vulnerabilities — creating a seamless detect-and-protect workflow.

Important: Qualys announced the decommission of their WAF product effective September 1, 2024. This page is maintained for historical reference and for organizations that may still be transitioning away from the product.

The Qualys WAF deployed as a virtual appliance (VMware, Hyper-V, Docker, or cloud platforms) with centralized management through the Qualys Cloud Platform. Unlike cloud-proxy WAFs, application traffic stayed within the customer's environment, minimizing latency while the Qualys cloud handled configuration, updates, and reporting. The platform included pre-built policies for WordPress, Joomla, Drupal, SharePoint, and generic web applications.

Ratings Breakdown

Ease of Use 3.2/5

Value for Money 2.5/5

Customer Support 3.5/5

Features 3.5/5

Key Features

WAS Integration

Automatically generate WAF rules from Qualys Web Application Scanning results for one-click virtual patching.

Cloud-Managed Appliance

Virtual appliance deployed locally but managed centrally through the Qualys Cloud Platform.

Custom Security Policies

Flexible policy engine with reusable rules and templates for common platforms and custom applications.

Pre-Built CMS Policies

Out-of-the-box protection policies for WordPress, Joomla, Drupal, SharePoint, and Outlook Web Application.

Security Event Analytics

Detailed dashboards with traffic summaries, threat trends, and drill-down capabilities for incident investigation.

Local Traffic Processing

Application traffic stays within your environment for minimal latency and full data control.

Pros & Cons

Pros

Vulnerability-to-protection workflow
Unique integration with Qualys WAS enabled automatic virtual patching of discovered vulnerabilities.
Enterprise platform integration
Part of the broader Qualys Cloud Platform alongside vulnerability management, compliance, and asset inventory.
Local traffic processing
Traffic stayed in customer environment, addressing data sovereignty and latency concerns.
Flexible deployment
Supported VMware, Hyper-V, Docker, and major cloud platforms for versatile deployment options.

Cons

Product decommissioned
Qualys WAF was shut down September 1, 2024. No longer available for new deployments.
Required Qualys ecosystem
Full value depended on using other Qualys products, particularly WAS, creating vendor lock-in.
Complex setup
Virtual appliance deployment was more complex than cloud-proxy WAF solutions.
Limited standalone value
Without the WAS integration, the WAF itself was less compelling compared to dedicated WAF products.

Pricing

Pricing model: Subscription, per-asset licensing (product decommissioned)

Qualys WAF (Decommissioned)

Previously subscription-based

Cloud-managed WAF with vulnerability integration (decommissioned Sep 2024)

One-click virtual patching from WAS scans
Customizable security policies
Pre-built CMS policies
Centralized cloud management
Elasticsearch and Splunk integration

Our Verdict

Qualys WAF was an innovative product that demonstrated the value of integrating vulnerability scanning with web application firewall protection. The ability to automatically generate WAF rules from scan results was ahead of its time and addressed a real pain point in application security workflows.

However, the product was decommissioned in September 2024, likely due to limited market traction in the highly competitive WAF space. Organizations still using Qualys WAF should plan their migration to an alternative solution.

Our verdict: An innovative but now-discontinued WAF that proved the concept of scan-to-protect workflows. Existing users should migrate to an active WAF product.

CVE Coverage

Qualys Web Application Firewall can detect and block attacks matching 105K+ known CVEs based on its supported rule sets.

13K+

Critical

25K+

High

44K+

Medium

1.7K+

Low

Coverage by Attack Type

Cross-Site Scripting (XSS) High

45K+ CVEs

SQL Injection High

19K+ CVEs

Improper Input Validation Medium

12K+ CVEs

Path Traversal High

9.1K+ CVEs

Code Injection Medium

6.5K+ CVEs

OS Command Injection High

5.9K+ CVEs

Unrestricted File Upload Medium

4.1K+ CVEs

Command Injection High

3.6K+ CVEs

Open Redirect Medium

1.5K+ CVEs

XML External Entity (XXE) High

1.2K+ CVEs

Latest Blockable CVEs

CVE	Description	Severity
CVE-2026-49294	Valhalla is an open source routing engine and accompanying libraries for use with OpenStreetMap data. …	UNKNOWN
CVE-2026-20262	A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could …	MEDIUM
CVE-2026-9863	Fortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch …	UNKNOWN
CVE-2026-9862	Fortra's Core Privileged Access Manager (BoKS) contains an OS command injection vulnerability in the boks_autoregisterd …	UNKNOWN
CVE-2025-15659	Contributor Cross Site Scripting (XSS) in Elizaibots <= 1.0.2 versions.	UNKNOWN
CVE-2025-15658	Administrator Cross Site Scripting (XSS) in WP Emmet <= 0.3.4 versions.	UNKNOWN
CVE-2026-52704	Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice …	UNKNOWN
CVE-2019-25746	WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to …	HIGH
CVE-2018-25436	WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows …	CRITICAL
CVE-2016-20084	WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar …	HIGH

Browse all CVEs →

Frequently Asked Questions

Is Qualys WAF still available?

No. Qualys announced the decommission of their WAF product effective September 1, 2024. Existing customers should contact their Technical Account Manager (TAM) about transitioning their licenses. Qualys continues to offer Web Application Scanning (WAS) for vulnerability detection.

What are good alternatives to Qualys WAF?

For organizations already in the Qualys ecosystem, consider cloud WAFs like Cloudflare, AWS WAF, or Imperva that can integrate with vulnerability scanning tools. For the virtual patching workflow, look at solutions like F5 Advanced WAF or Fortinet FortiWeb that offer similar vulnerability-to-rule automation.

Ready to try Qualys Web Application Firewall?

Visit the website to learn more or request a demo.

Visit Website View Pricing

Quick Info

Company: Qualys, Inc.
Founded: 1999
Headquarters: Foster City, CA, USA
Pricing Model: Subscription, per-asset licensing (product decommissioned)
Last Reviewed: February 26, 2026

Available on

Best For

Historical reference; previously suited for Qualys platform customers wanting integrated vulnerability management and WAF

Not Ideal For

Any new deployment (product decommissioned); organizations not already using the Qualys platform

Supported Platforms

AWS Azure Docker Google Cloud On-Premises

Compliance

PCI DSS SOC 2 FedRAMP ISO 27001 (Qualys platform level)

Your ad here

Reach engineers evaluating Qualys Web Application Firewall

Contextual placement on 1,000+ comparison and review pages

Learn about sponsorship →

Compare With...

View all comparisons →

Embed This Review

Add this badge to your site to show your WAFplanet rating.

Copy embed code:

<a href="https://wafplanet.com/waf/qualys-waf/" title="Qualys Web Application Firewall review on WAFplanet" rel="nofollow"><img src="https://wafplanet.com/static/badges/qualys-waf-rated.svg" alt="Qualys Web Application Firewall - Rated 3.0/5 on WAFplanet" width="240" height="44"></a>

More badge styles →