Qualys Launches Deep Scan to Uncover Hidden Vulnerabilities in Non‑Standard Install Locations
What Happened – Qualys announced “Deep Scan,” a new vulnerability‑detection capability that extends traditional scanning beyond known system directories. The feature inspects binaries on secondary drives, custom paths, and unmanaged folders, delivering visibility into software that conventional scanners miss.
Why It Matters for TPRM –
- Hidden software can harbor unpatched CVEs, creating supply‑chain risk for downstream vendors.
- Incomplete asset inventories undermine continuous monitoring and third‑party assurance programs.
- Expanded coverage helps organizations meet contractual security clauses that require full‑stack vulnerability management.
Who Is Affected – Enterprises with decentralized environments (finance, healthcare, manufacturing, SaaS providers) that rely on Qualys or similar scanning tools.
Recommended Actions –
- Verify whether your current scanning solution includes Deep Scan or an equivalent capability.
- Update vendor risk questionnaires to ask about coverage of non‑standard installation paths.
- Align remediation workflows (e.g., TruRisk) with the expanded data set to prioritize newly discovered findings.
Technical Notes – Deep Scan operates at the file‑system level, allowing configurable directory inclusion/exclusion and multi‑drive scanning. It complements Software Composition Analysis (SwCA) by providing binary‑level vulnerability context where package managers lack visibility. No new CVE is disclosed; the value is in broader detection coverage. Source: Qualys Blog – Deep Scan Announcement
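As an added, purely illustrative sketch (not Qualys code, and not a description of how Deep Scan is implemented) of the file-system-level approach outlined in the Technical Notes: walk several roots such as secondary drives, prune a configured exclusion list, classify files as executables by their ELF/PE header rather than by path or extension, and report the binaries that a package-manager inventory does not list. The sample directory tree, the magic-byte check and the "managed" set are all constructed assumptions.

```python
import os
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"  # Linux/Unix executable and shared-object header
PE_MAGIC = b"MZ"        # Windows PE header

def is_executable_image(path: Path) -> bool:
    """True if the file begins with an ELF or PE header (content, not extension)."""
    try:
        with path.open("rb") as fh:
            return fh.read(4).startswith((ELF_MAGIC, PE_MAGIC))
    except OSError:  # unreadable entries are skipped, not fatal
        return False

def walk_roots(roots: list[Path], excludes: list[Path]) -> list[Path]:
    """Walk every root (several drives or custom paths), pruning excluded subtrees."""
    excluded = {Path(e).resolve() for e in excludes}
    found = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            here = Path(dirpath).resolve()
            # Prune in place so os.walk never descends into excluded directories.
            dirnames[:] = [d for d in dirnames if (here / d).resolve() not in excluded]
            found += [here / f for f in filenames if is_executable_image(here / f)]
    return sorted(found)

def unmanaged(found: list[Path], managed: list[Path]) -> list[Path]:
    """Binaries the package-manager inventory does not list: the extra coverage."""
    known = {Path(m).resolve() for m in managed}
    return [p for p in found if p not in known]

def demo() -> list[str]:
    """Constructed tree: a managed ELF, an ELF under opt/custom, a PE on a 'second drive', a text decoy and an excluded cache."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        files = {
            "usr/bin/managed": ELF_MAGIC + b"\x02",
            "opt/custom/svc": ELF_MAGIC + b"\x02",
            "drive_d/Tools/agent.exe": PE_MAGIC + b"\x90\x00",
            "drive_d/Tools/README.txt": b"not a binary",
            "tmp/cache/stale.exe": PE_MAGIC + b"\x90\x00",
        }
        for rel, data in files.items():
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_bytes(data)
        hits = walk_roots([base / r for r in ("usr", "opt", "drive_d", "tmp")], [base / "tmp/cache"])
        extra = unmanaged(hits, [base / "usr/bin/managed"])
        return sorted(p.relative_to(base.resolve()).as_posix() for p in extra)
```

Running `demo()` reports only the two binaries outside the managed inventory; the text file is ignored by content and the excluded cache directory is never entered.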