Qualys Customers Realised 403% ROI in 3 Years: IDC

Qualys has released the findings of a study it commissioned from IDC to quantify how Qualys customers perceive business value. In the resulting IDC White Paper, The Business Value of Qualys, IDC found that Qualys customers see an average annual benefit of US$102,000 per 1,000 internal users, with a three-year return on investment (ROI) of 403% and a payback period of 5 months.

“The urgency of having a strong cybersecurity posture is well understood. It’s the constant news of cyber breaches that keeps board members and executives up at night. With cyber threats, the entire business is at stake, and the stakeholders fret about whether their organisation’s defenses can manage the risk. As a security leader, one of your roles is helping stakeholders understand that risk is under control — or at least in the process of significant reduction,” commented Thomas Nuth, Vice President, Product Marketing at Qualys. “As a cybersecurity leader, you may struggle to help your C-suite see the business value of what your team does. Forget “speeds and feeds”; key decision-makers are solely focused on The Numbers. While reports from most security tools excel at spewing out numbers, their technology-focused integers rarely address the nuts and bolts of managing corporate finance and business risk. Using business-friendly language is vital for connecting with the leadership, including CFOs, CISOs, and CIOs, which is why we commissioned this IDC study.”

The IDC study revealed six number-focused metrics to help security leads describe the business value of Qualys Enterprise TruRisk Platform to leadership.


IDC discovered Qualys users get a return on investment (ROI) of 403%. This money is returned in two ways. There is a lower total cost of ownership (TCO), achieved by eliminating point solutions that are integrated with the Qualys Enterprise TruRisk Platform. ROI is also achieved by reducing manual processes with streamlined workflows and automation enabled by the platform.


Payback is how quickly the benefits offset the cost of the initial investment in Qualys, that is, the point of net-zero cost/benefit. Payback for the Qualys Enterprise TruRisk Platform is five months. This accelerated timeline occurs with the platform approach using three or more integrated solutions. Platform adoption by multiple teams streamlines workflows across departmental boundaries such as IT, security, and compliance.

Total Value 

Total value is ROI plus related qualitative value from investing in the Qualys Enterprise TruRisk Platform. IDC reports Qualys customers interviewed for its study are each getting a total value of $5.1 million per year. This return climbs exponentially over time and as additional integrated solutions are added to the platform by customers.

Staff Time Efficiency 

A primary enabler of staff time efficiency is operationalising SecOps with the Qualys Enterprise TruRisk Platform. IDC reports that security teams using Qualys are 24% more efficient. Mean time to repair (MTTR) improved up to 50% with bidirectional integrations of ITSM and CMDB tools. An improved four-hour mean time to discover (MTTD) was six times faster than competitive platforms, with less than 24-hour response for critical CVEs. The platform enabled two-second visibility across a hybrid infrastructure.

Risk Reduction 

The benefits of risk reduction have three primary sources, according to Qualys customers interviewed by IDC. These include 65% fewer unplanned application outages, a 66% improvement in the speed of outage resolution, and a 24% reduction in fines for non-compliance. Unplanned outages are avoided with proactive security measures guided by 25+ threat intelligence sources and Qualys Threat Research findings, and with the platform’s ability to see all external-facing assets for stronger supply chain security. Faster resolution of outages is achieved with the platform’s bi-directional data flows between tools and an 89% observed improvement in patching. Better compliance is achieved with 86% coverage of MITRE ATT&CK guidance, plus support and reporting for 850 policies, 20,000 controls, and 100 regulations.

Security Staff Key Performance Indicators 

Three KPIs for security staff were improved with Qualys Enterprise TruRisk Platform, according to IDC’s study. Staff were 56% more effective at proactively detecting threats thanks to the platform’s growing database of 85,000+ CVEs. Staff were 40% more efficient in responding to potential threats. Better efficiency was helped by a reduction of up to 85% of vulnerabilities through risk-based prioritisation and the use of the platform’s automated workflow logic with scripts. Staff were 37% more efficient with patching, closing tickets 60% faster, including remediation of vulnerabilities in custom first-party software.