Qualys Security Blog Expert network security guidance and news
- Microsoft and Adobe Patch Tuesday, July 2026 Security Update Review by Diksha Ojha on July 14, 2026 at 9:23 pm
Microsoftâs July 2026 Patch Tuesday delivers security updates for a broad range of products and services, including several vulnerabilities that pose significant risks to enterprise environments. As attackers continue to target unpatched systems, the timely deployment of these updates remains one of the most effective defenses against exploitation. This blog provides an overview of the monthâs key security fixes,
- How Qualys ETM Identity Detects Identity-Based Attacks Fasterby Deeksha Chowdhury on July 14, 2026 at 6:00 pm
Key Takeaways Identity-based attacks are among the fastest and most effective intrusion methods because valid credentials let attackers operate as trusted users. Techniques like Pass-the-Hash, Kerberoasting, Domain Controller Synchronization (DCSync), and Authentication Server Response Roasting (AS-REP Roasting) are common Active Directory (AD) attacks that exploit AD trust relationships. Qualys ETM Identity helps organizations discover risky
- How to Meet a 3-Day Remediation SLA & Comply with CISA BOD 26-04by Lavish Jhamb on July 9, 2026 at 7:30 pm
Key Takeaways CISA BOD 26â04 mandates remediation of the publicly exposed, highest-risk, known-exploited vulnerabilities within 3 days. The directive applies a risk-based model evaluating exposure, KEV status, automation potential, and technical impact. Most high-risk vulnerability instances reside on non-critical endpoint assets, which are suited for automated patching at scale. Patchless remediation techniques can reduce exposure
- When AI-Accelerated Discovery Outruns Patching, Exploitability Proof Decides What Gets Fixed Firstby Saeed Abbasi on July 8, 2026 at 10:15 pm
Why Qualys joined the Athena coalition, and what it means for how you prioritize risk. Qualys is proud to have joined Athena, the industry coalition Chainguard launched to coordinate the defense of open source software. Itâs a cause we strongly support, because the problem Athena is working to solve is the same one the Qualys
- FortiBleed: Credential Reuse, Legacy Hashes, and the Risk of Internet-Exposed FortiGate Devices by Arun Pratap Singh on July 8, 2026 at 5:38 pm
Key Takeaways FortiBleed refers to June 2026 public reporting of large-scale credential exposure and abuse targeting internet-reachable FortiGate management and SSL-VPN gateways driven by credential reuse and brute-force, not a single new zero-day. Risk is highest for internet-exposed FortiGate devices without MFA, with reused or legacy-hashed credentials, or prior exposure to known-exploited Fortinet CVEs. A
- Operationalizing Day Minus Seven: The Cloud-Native ROCby Kunal Modasiya on July 8, 2026 at 2:56 pm
Summary Frontier AI models in the post-Mythos era are changing the speed and scale of exposure risk. Security teams are entering an era where AI can help discover, chain, and exploit weaknesses faster than traditional programs can absorb. The challenge is no longer finding more issues; itâs knowing which exposures are real, reachable, urgent, and
- Qualys Joins Cisco Cloud Control Studio as a Launch Partner to Bring Risk Intelligence to Agentic Operationsby Kunal Modasiya on July 7, 2026 at 3:00 pm
Key Takeaways Qualys is a launch partner in Cisco Cloud Control Studio, Ciscoâs new unified platform for agentic IT operations. Joint customers can access Qualys intelligence Unified Asset Inventory, TruRisk Prioritized Findings, and orchestrate remediation workflows directly within Ciscoâs AI Canvas environment. The integration is powered by Model Context Protocol (MCP) via Cisco Cloud Control
- Is Your AppSec Program Built to Close the OWASP Top 10 2025 Coverage Gap? by Shravan Dandage on July 6, 2026 at 3:00 pm
Key Takeaways Most AppSec programs treat API-layer coverage as a DAST extension, but BOLA, BFLA, and SSRF require authenticated multi-role testing that traditional scanners werenât built to run at scale. Modern authentication flows (OAuth2, JWT validation, MFA-protected sessions) often fall outside standard scan scope, meaning the exact endpoints where account takeover occurs go untested. TotalAppSec
- CERT-Inâs AI Vulnerability Blueprint: Why Indian CISOs Need Machine-Speed Risk Operations in the Post-Mythos Era by Indrani Das on June 24, 2026 at 8:42 am
A Qualys India perspective on CERT-Inâs blueprint, the post-Mythos threat landscape India faces, and why the operating model needs to change. Key Takeaways Mythos-class AI changes the vulnerability equation from CVE matching to autonomous exploit discovery, turning known, unpatched weaknesses into weaponized exploits at machine speed. CERT-Inâs 2026 blueprint expects 12-hour containment for known exploited vulnerabilities on
- 3 Paths to Upgrade Windows 11 before 24H2 End of Servicing (EOL)by Mukesh Choudhary on June 23, 2026 at 3:00 pm
Key Takeaways Windows 11 24H2 reaches the end of servicing on October 13, 2026, making timely enterprise upgrades critical. Enterprises often face version drift, with multiple Windows 11 builds across endpoints requiring different upgrade paths. Upgrade approaches vary based on system state and may include enablement packages, ISO-based feature updates, or direct Windows 10 upgrades.













