Qualys Security Blog Expert network security guidance and news
- Extending EOL/EOS Software Intelligence Across Containers, Kubernetes, and Modern Workloads by Abhinav Mishra on May 28, 2026 at 4:00 pm
Key Takeaways Software inventory used to stop at the server. Modern application delivery erased that boundary. In cloud-native environments, software now moves continuously through container images, registries, CI/CD pipelines, and Kubernetes clusters, often reaching production faster than traditional governance models can track it. A single outdated base image or unsupported runtime no longer stays contained
- CVE-2026-46333: Local Root Privilege Escalation and Credential Disclosure in the Linux Kernel ptrace Path by Saeed Abbasi on May 20, 2026 at 3:40 pm
The Qualys Threat Research Unit (TRU) has discovered and published the full advisory for CVE-2026-46333, a logic flaw in the Linux kernel’s __ptrace_may_access() function that permits an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major distributions. The bug has resided in mainline Linux since
- Inside the 2026 Verizon DBIR: What One Billion Records Revealed About Vulnerability Remediation by Saeed Abbasi on May 19, 2026 at 4:27 pm
The Verizon 2026 Data Breach Investigations Report has been published. Qualys is proud to have served as a research partner and contributor, contributing analysis of more than one billion anonymized vulnerability remediation records across four consecutive DBIR reporting cycles of CISA Known Exploited Vulnerabilities (KEV) data. The DBIR described the picture our data painted in
- Achieve FedRAMP High M365 Security: Governing with Qualys SSPM and SCuBA by Shrikant Dhanawade on May 14, 2026 at 4:00 pm
Qualys SaaS Security Posture Management (SSPM) introduces native support for the Secure Cloud Business Applications (SCuBA) compliance framework, bringing CISA’s toughest M365 security benchmarks directly into your continuous posture monitoring workflow. Key Takeaways What Is SCuBA and Why Does It Matter for Enterprise Security The Secure Cloud Business Applications (SCuBA) project is a cybersecurity initiative
- Stop Chasing Threats: Top 3 Insights from the SANS Attack Surface Management Survey by Lisa Bilawski on May 14, 2026 at 3:00 pm
Executive Summary The 2025 SANS ASM Survey highlights a clear shift in cybersecurity operations. Organizations are moving beyond fragmented, alert-driven security approaches toward unified, automated, and business-aligned risk operations. Continuous visibility, intelligent automation, and business-contextual prioritization are becoming essential for managing modern attack surfaces at scale. The findings reinforce the growing need for operational models
- FedRAMP High Authorized: Qualys TotalCloud CNAPP – From Compliance to Defense by Shrikant Dhanawade on May 14, 2026 at 12:45 pm
Qualys TotalCloud™ has achieved FedRAMP High Authorization, marking a major milestone in delivering validated cloud security and compliance assurance for high-impact federal and regulated environments. Key Takeaways Cloud security and compliance expectations have fundamentally shifted. Organizations are no longer evaluated based on whether controls exist; they’re evaluated on whether those controls are continuously enforced, validated, and measurable under real-world conditions. FedRAMP
- Microsoft and Adobe Patch Tuesday, May 2026 Security Update Review by Diksha Ojha on May 12, 2026 at 7:50 pm
May 2026’s Patch Tuesday arrives with Microsoft addressing a fresh set of vulnerabilities across its ecosystem, reinforcing the ongoing need for timely patching in an increasingly threat-heavy landscape. Here’s a quick breakdown of what you need to know. Microsoft Patch Tuesday for May 2026 This month’s release addresses 137 vulnerabilities, including 30 critical and 103 important-severity vulnerabilities. In this month’s updates, Microsoft has not addressed any publicly disclosed zero-day vulnerability. Microsoft has addressed 128 vulnerabilities in Microsoft Edge (Chromium-based)
- Bringing AI Code Security into Qualys ETM by Vinay Sridhara on May 11, 2026 at 2:00 pm
A first-class data model for the next generation of findings AI-driven code security is becoming a real category. Anthropic’s Claude Code Security and OpenAI’s Codex Security are the leading examples, and more will follow. These tools reason about source code at a depth that traditional SAST cannot reach, surfacing logic flaws, broken authentication patterns, hardcoded
- Dirty Frag: Using the Page Caches as an Attack Surface by Mayuresh Dani on May 9, 2026 at 7:22 am
Dirty Frag is a Linux local privilege escalation (LPE) chain published on May 7, 2026. It combines two previously unknown kernel vulnerabilities that can allow an unprivileged local user to escalate to root on many major Linux distributions. As of May 8, 2026, CVE-2026-43284 had been patched in mainline Linux, while public reporting indicated that CVE-2026-43500
- Before the Breach, There Was a Test Environment by Amit Patil on May 6, 2026 at 4:00 pm
Key Takeaways The Problem with Calling QA “Non-Production” Most security conversations begin at the wrong end of the problem. We start with the breach, the alert, the investigation, and the inevitable question: how did it happen? Attention moves to production because that is where consequences become visible. But production is rarely where the story begins.













