Qualys WAS

Vulnerability Management

Enterprise web application scanning, included - no Qualys license to buy.

✦ built-in

Core platform capability - included with every plan. No third-party account, license, or API key required.

TRY ASKING:

  • “Launch a web application scan against our staging app and summarize new findings.”
  • “Set up an authenticated scan for the app behind our login and run it.”
  • “Compare this scan against the last one and show only new findings.”
  • “Summarize the critical web findings and group them by vulnerability class.”

Qualys Web Application Scanning is built into Kikimora as a core platform capability. There’s no Qualys account to create, no license to procure, and no API key to paste. The platform provides the scanning engine, and you talk to it.

Web application scanning, included and conversational

The capability covers the full web application scanning lifecycle: launching, monitoring, and cancelling scans, configuring crawl scope and scan templates, and managing authentication records for logged-in scanning. Because it is built in, the usual friction of standing up a scanner, buying seats, and managing API keys simply is not there.

What you can do

  • Launch, monitor, and cancel web application scans conversationally.
  • Configure crawl scope, scan templates, and authentication records for logged-in scanning.
  • Get findings summarized, prioritized, and folded into cross-stack triage with the rest of your tools.

Things you might ask

  • “Launch a scan against the staging app, then show me only the findings that are new since last week.”
  • “Set up an authenticated scan for the dashboard behind our login and run it tonight.”
  • “Roll the critical web findings into our audit evidence.” Web scan results make solid control evidence. Our guide on how to collect your SOC 2 evidence by asking for it shows how findings like these become audit artifacts.

Why it matters

A standalone Qualys WAS subscription is a serious line item. Kikimora includes the capability out of the box. Every plan, including free, can run enterprise-grade web application scans without owning or managing a separate Qualys license. For broader vulnerability data, pair it with the Tenable integration, which brings your existing scanner findings into the same conversational triage.

[ faq ]

Do I need my own Qualys account or license?

No. This is the whole point. Qualys Web Application Scanning is built into Kikimora as a core capability. There is no Qualys account to create, no license to procure, and no API key to paste. You cannot, and do not need to, bring your own Qualys.

How do I activate it?

It is included with every plan, including the free tier. There is nothing to install or license. You ask the agent to launch a scan and it runs.

Can it scan apps that sit behind a login?

Yes. You configure authentication records and the agent runs authenticated scans, so the parts of the app only logged-in users see get covered too.

Can I use the findings as compliance evidence?

Yes. Web application scan results fold into cross-stack triage and can be pulled into compliance briefings, for example as part of a SOC 2 evidence package.
