OpenVAS → Qualys VMDR
OpenVAS ↔ Qualys VMDR: integration to migration path.
OpenVAS deploys alongside Qualys first, proves it matches your real findings across three clean scan cycles, and only then takes over non-PCI internal scope in blast-radius waves. No flag-day scanner switch, no re-credentialing — and every phase rolls back in minutes.
The honest end-state is partial retirement: Qualys is downsized, not deleted. Its PCI ASV external scans and its Cloud Agent fleet have no OSS equivalent, so they stay — we say so up front, because the rest of this only matters if you can trust it.
The idea
Scan in parallel first. Downsize Qualys last — never to zero.
The topology that makes this zero-downtime is a hard scope partition feeding one unified plane. OpenVAS and Qualys run against the same internal targets on offset schedules, both exporting into DefectDojo where findings dedup on CVE plus CPE plus hostname, anchored to a CMDB host_id so the two asset inventories never drift. DefectDojo becomes the system of record — dedup, ticketing, exceptions and SLA timers live there, not in either scanner — so a cutover is a config flag. OpenVAS earns each non-PCI internal class on real data before it takes over, while the ASV external scope and the Cloud Agent fleet stay on Qualys.
The phases
Seven steps. Each one reversible.
Baseline & inventory
We read your Qualys estate read-only: the full asset list with tracking method and CMDB criticality, every option profile and schedule, the top 500 QIDs by 90-day detect-count mapped to CVE, CPE and candidate NVT OIDs, and the PCI scope boundary confirmed with your QSA.
OpenVAS stands up in parallel
An HA GVM/OpenVAS deployment and DefectDojo go live in your network with both importers wired. Community Feed sync is proven and one canary group of up to 25 non-PCI internal hosts runs on a production schedule. No production traffic depends on it.
Parallel-scan window
Both scanners run the same representative classes per OS family on offset schedules at least an hour apart. Findings dedup in DefectDojo on CVE plus CPE plus hostname, with a per-cycle delta report classifying every both / Qualys-only / OpenVAS-only finding by root cause.
Cut OpenVAS primary on non-PCI internal
For non-PCI internal classes that passed parallel scanning, OpenVAS becomes primary in low/medium/high blast-radius waves. Qualys shadow-scans them for 30 more days. Tickets fire from DefectDojo's OpenVAS pipeline at the same dedup hash, so SLA timers never reset.
Stand down Qualys internal
Qualys schedules are disabled on non-PCI internal groups and internal scanner appliances are decommissioned or repurposed to PCI CDE only. The VMDR contract downsizes at next renewal. Cloud Agent and ASV external are left completely untouched.
Cloud Agent fleet decision
The Cloud Agent fleet is the irreducible gap. The default is to keep it — it catches roaming laptops and ephemeral cloud workloads OpenVAS misses, and an osquery substitute usually costs more than the saved licence. Only a small, homogeneous fleet justifies replacing it with osquery plus an in-house CVE-match service.
PCI CDE: decide with the QSA
The internal CDE scans (Req 11.3.1) move to OpenVAS only with written QSA sign-off after one quarterly cycle observed, or stay on Qualys for the simpler audit story. The external ASV scans (Req 11.3.2) never move — Qualys or another ASV remains contracted.
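An added example, not code from this page or from DefectDojo, of the two mechanics the phases above rely on: the dedup key from the topology (CVE plus CPE anchored to a CMDB host_id) and the per-cycle both / Qualys-only / OpenVAS-only delta from the parallel-scan window. The row field names, the CMDB map, the placeholder NVT OID and the root-cause buckets are assumptions.

```python
import hashlib

# Constructed CMDB lookup (hostname or IP -> host_id); each scanner may name the same
# box differently, so the dedup key is anchored on host_id, not on the reported name.
CMDB = {"web01": "H-1001", "web01.corp.example": "H-1001", "10.0.1.5": "H-1001",
        "db02": "H-2002", "db02.corp.example": "H-2002"}
# Constructed CVE -> candidate NVT OID map from the baseline phase (placeholder OID).
NVT_FOR_CVE = {"CVE-2023-0001": "1.3.6.1.4.1.25623.1.0.PLACEHOLDER"}

def dedup_hash(host_id, cve, cpe):
    """Stable key: CVE + CPE + host_id, normalised so case/whitespace skew between exports
    cannot split one finding into two (and therefore cannot reset an SLA timer)."""
    return hashlib.sha256("|".join(s.strip().lower() for s in (cve, cpe, host_id)).encode()).hexdigest()

def normalise(rows, source):
    """Key raw scanner rows by dedup hash; hosts absent from the CMDB cannot be deduped
    at all, so they are set aside as their own delta class."""
    keyed, unanchored = {}, []
    for r in rows:
        host_id = CMDB.get(r["host"])
        if host_id is None:
            unanchored.append(dict(r, source=source))
        else:
            keyed[dedup_hash(host_id, r["cve"], r["cpe"])] = dict(r, host_id=host_id, source=source)
    return keyed, unanchored

def root_cause(finding, side):
    """Assumed buckets: a Qualys-only CVE with no candidate NVT is a feed gap (the
    Community Feed lag); everything else is a scan-level miss to chase."""
    if side == "qualys_only" and finding["cve"] not in NVT_FOR_CVE:
        return "feed-gap: no candidate NVT for CVE"
    return "scan-level: check credentials, schedule skew, NVT-vs-QID logic"

def delta_report(qualys_rows, openvas_rows):
    """One parallel cycle -> both / qualys_only / openvas_only / unanchored."""
    q, q_un = normalise(qualys_rows, "qualys")
    o, o_un = normalise(openvas_rows, "openvas")
    return {"both": sorted(q.keys() & o.keys()),
            "qualys_only": {k: root_cause(q[k], "qualys_only") for k in q.keys() - o.keys()},
            "openvas_only": {k: root_cause(o[k], "openvas_only") for k in o.keys() - q.keys()},
            "unanchored": q_un + o_un}

# Constructed exports: web01 appears by FQDN in Qualys and by IP in OpenVAS -> one finding.
QUALYS = [{"host": "web01.corp.example", "cve": "CVE-2023-0001", "cpe": "cpe:/a:openbsd:openssh:8.9"},
          {"host": "db02", "cve": "CVE-2023-0002", "cpe": "cpe:/a:postgresql:postgresql:14.1"},
          {"host": "lab-unknown", "cve": "CVE-2023-0003", "cpe": "cpe:/o:linux:linux_kernel"}]
OPENVAS = [{"host": "10.0.1.5", "cve": "CVE-2023-0001", "cpe": "CPE:/a:openbsd:openssh:8.9 "},
           {"host": "db02.corp.example", "cve": "CVE-2023-0004", "cpe": "cpe:/a:postgresql:postgresql:14.1"}]
REPORT = delta_report(QUALYS, OPENVAS)
```

The unanchored class is the one to clear first in the baseline phase: a host the CMDB cannot resolve will look like a Qualys-only or OpenVAS-only miss in every later cycle.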
Feature parity
Where OpenVAS matches Qualys — and where it honestly does not.
| Capability | OpenVAS / Greenbone CE | Qualys VMDR | Parity |
|---|---|---|---|
| Network scanning (unauth) | OpenVAS scanner daemon + Community Feed NVTs | Qualys scanner appliances / cloud scanners | At parity |
| Authenticated scanning | NVT LSC families (SSH/sudo, SMB/WMI, SNMP, DB creds) | Qualys credentialed scan + credential vault | Partial |
| Agent-based scanning | None first-party in CE | Qualys Cloud Agent (continuous on-host detection) | SaaS only |
| Vuln content / feed cadence | Community Feed (~170k NVTs); Enterprise Feed paid; lags days to weeks on KEV CVEs | Qualys QID feed, same-day to 72h commercial coverage | Partial |
| Prioritisation scoring | CVSS only; bolt-on EPSS + CISA KEV + criticality in DefectDojo | Qualys TruRisk (CVSS + RTI threat-intel + asset weighting + ML) | Partial |
| PCI ASV certification | Not ASV-certified; no path to certify the binary | Qualys is a PCI SSC Approved Scanning Vendor | SaaS only |
| Asset inventory | Per-scan; no cross-scan auto-dedup | Cloud Agent + cloud connectors + tracking-method continuity | Partial |
| Remediation workflow / ticketing | DefectDojo Engagements to Jira/ServiceNow | Qualys workflow + integrated patch orchestration (Patch Mgmt SKU) | Partial |
| Cloud connectors | None first-party CE; Steampipe / CloudQuery to GMP targets | Native AWS/Azure/GCP connectors with reconciliation | Partial |
| Custom check authoring | NASL — author internal-only NVTs, source visible | Qualys QID custom detection (limited, scripted) | OSS only |
| API surface | GMP (XML over TLS) + gvm-tools + python-gvm | Qualys REST/XML API (/api/2.0/fo/...) | At parity |
| Compliance (CIS/STIG, SOC 2 boundary) | Limited CE NVTs; Enterprise adds Policy Compliance; org absorbs SOC 2 | Qualys Policy Compliance module + vendor SOC 2 boundary inheritance | Partial |
| Deployment & HA | Self-hosted (Postgres + Redis + scanner), air-gap deployable, you own HA | SaaS regional pods, vendor-managed HA | Partial |
| Cost model | Free at small scale; Enterprise Feed at scale = small Qualys contract band | Per-asset / per-SKU subscription | Partial |
What we're honest about
The caveats most vendors leave out.
PCI ASV scans cannot move to OpenVAS
PCI DSS v4.0 Req 11.3.2 requires external scans by a PCI SSC Approved Scanning Vendor. Qualys is one; OpenVAS is not, and there is no path to certify it — ASV status attaches to the vendor org, not the tool. Any CDE in scope means Qualys (or another ASV) stays contracted for external-facing scope. The goal is Qualys downsized, not deleted — surface this before procurement zeroes the line item.
The Cloud Agent fleet is irreplaceable for roaming and ephemeral assets
Greenbone CE ships no first-party agent, so roaming laptops, ephemeral cloud instances and air-gapped subnets lose continuous coverage on cutover. The default is to keep Cloud Agent on a reduced asset count; an osquery substitute is build-it-yourself and loses vendor-curated detections, so we only recommend it when the fleet economics clearly favour it.
TruRisk prioritisation has no portable equivalent
Qualys TruRisk blends CVSS, real-time threat indicators, asset weighting and ML — it is not exportable as a formula. We rebuild ranking in DefectDojo from CVSS, EPSS, KEV presence and asset criticality, which approximates the ranking but loses the proprietary threat-intel overlay. Where Qualys still scans, we keep TruRisk as a custom field, so on-call sees mixed-mode priorities honestly.
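An added example, not DefectDojo's or Qualys's code, of the CVSS + EPSS + KEV + asset-criticality ranking rebuilt above, with the mixed-mode ordering where Qualys findings still carry TruRisk in a custom field. The weights, the KEV floor, the CMDB criticality tiers and the assumption that the TruRisk field is on a 0-1000 scale are all assumptions, not the page's formula.

```python
CRITICALITY_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.6, "low": 0.4}  # assumed CMDB tiers
KEV_FLOOR = 700  # assumed: a KEV-listed CVE never ranks below this, whatever EPSS says

def approx_priority(cvss, epss, in_kev, criticality):
    """Assumed rebuild: CVSS (0-10) scaled to 0-1000, lifted by EPSS (0-1) and weighted by
    asset criticality; KEV presence applies a hard floor. Inputs are validated because a
    silently clamped CVSS or EPSS would reorder the whole queue."""
    if not (0 <= cvss <= 10 and 0 <= epss <= 1):
        raise ValueError("cvss must be 0-10 and epss 0-1")
    score = cvss * 100 * (0.5 + 0.5 * epss) * CRITICALITY_WEIGHT[criticality]
    if in_kev:
        score = max(score, KEV_FLOOR)
    return round(min(score, 1000))

def rank(findings):
    """Mixed-mode ordering: OpenVAS findings get the rebuilt score; Qualys findings keep the
    TruRisk value from the custom field (assumed 0-1000). Each row is labelled with which
    scale produced its score so on-call sees the seam instead of a false single ranking."""
    rows = []
    for f in findings:
        if f["source"] == "qualys" and f.get("trurisk") is not None:
            rows.append(dict(f, score=f["trurisk"], score_kind="trurisk"))
        else:
            rows.append(dict(f, score=approx_priority(f["cvss"], f["epss"], f["kev"], f["criticality"]),
                             score_kind="approx"))
    return sorted(rows, key=lambda r: (-r["score"], r["cve"]))

# Constructed findings: a KEV-listed medium CVSS on a critical host should outrank a high
# CVSS with negligible EPSS on a low-tier host.
SAMPLE = [
    {"cve": "CVE-2023-0001", "source": "openvas", "cvss": 6.5, "epss": 0.9, "kev": True, "criticality": "critical"},
    {"cve": "CVE-2023-0002", "source": "openvas", "cvss": 9.8, "epss": 0.01, "kev": False, "criticality": "low"},
    {"cve": "CVE-2023-0003", "source": "qualys", "trurisk": 650, "cvss": 7.5, "epss": 0.2, "kev": False, "criticality": "high"},
]
RANKED = rank(SAMPLE)
```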
Community Feed lags, and you own the platform
The Community Feed can trail Qualys's same-day-to-72-hour coverage by days to weeks on KEV-listed CVEs; we mitigate with KEV-driven NVT prioritisation or interim nuclei templates and document the SLA. Self-hosting OpenVAS plus DefectDojo, Postgres, Redis and feed sync becomes your SOC's problem — HA, monitored backups and a DR runbook are part of the deal.
Why this beats a flag day
Reversible in minutes, downsized only after a long soak.
No phase forces an outage. Each non-PCI internal cutover rolls back in under 15 minutes while the Qualys schedule is still running, and a class only counts as migrated after at least 30 days of OpenVAS-primary scanning with zero Qualys-only critical findings missed and SLA performance at or under the Qualys baseline. Qualys is never zeroed: its internal scope downsizes after the soak, the ASV external contract stays on indefinitely under PCI DSS v4.0 Req 11.3.2, and the Cloud Agent fleet stays by default.
See how much of Qualys you can actually retire.
A call with a senior vulnerability-management engineer. We map your QIDs to OpenVAS NVTs, size your PCI ASV and Cloud Agent gaps honestly, and model the realistic Qualys spend reduction — without inventing risk on your CDE.
Map my migration →