
Qualys PCI ASV cost 2026: VMDR plus per-IP scanning pricing read

Qualys is the long-established enterprise PCI ASV. Its pricing scales per IP aggressively, which makes the standalone ASV product good value for small environments and expensive at scale. The VMDR bundle changes the economics meaningfully for buyers who also need broader vulnerability management.

Updated April 2026

Standalone ASV

$200 - $2,000/yr

Per subscription, 1-64 IP range

VMDR bundle

$5k - $30k+/yr

Enterprise scoping plus broader VM platform

Pricing model

Per-IP banded subscription

The Qualys pricing model in plain English

Qualys prices PCI ASV scanning as a per-IP banded annual subscription. Small environments with up to 16 internet-facing IPs typically price in the $200 to $500 range. Mid-sized environments with 17 to 64 IPs price $500 to $2,000. Enterprise scoping (64+ IPs) crosses into the VMDR conversation, where PCI ASV becomes a module of the broader Qualys Vulnerability Management, Detection and Response (VMDR) subscription, priced at $5,000 to $30,000 or more per year depending on total asset count, modules in scope, and contract term.

The per-IP banded model means cost steps at the tier boundaries are sharp rather than continuous. Passing the 16-to-32-IP boundary typically jumps the subscription 30 to 50 percent; passing the 64-to-128 boundary can roughly double it. The pricing model rewards buyers who actively manage their in-scope IP inventory: deduplicating the address list, retiring unused public addresses, and consolidating services behind a shared load balancer or reverse proxy so they present one public IP rather than many. It penalises buyers who let the internet-facing IP count drift up without commercial review. One caveat: the ASV must still scan every internet-facing address that is part of, or can affect, the cardholder data environment, so the goal is fewer public addresses in reality, not fewer addresses declared to the vendor.
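A small inventory check makes the band cliff concrete. The script below is an added example, not Qualys tooling or anything from this page's sources: it expands a list of single IPs and CIDR blocks, drops address space that can never be internet-facing (RFC 1918, CGNAT, loopback, link-local and their IPv6 equivalents), deduplicates, and reports the distinct in-scope count, the band it lands in under the boundaries this page names (16, 32, 64, 128, assumed here to be exact ceilings), the headroom to the next cliff, and which entries contribute most, since those are the first candidates for scope reduction. The sample inventory is constructed; documentation ranges stand in for public addresses.

```python
import ipaddress

# Tier boundaries this page names (16, 32, 64, 128). Treating them as exact band
# ceilings is an assumption for illustration; confirm the real thresholds on the quote.
BAND_CEILINGS = (16, 32, 64, 128)

# Address space that is never internet-facing, so never in ASV scope.
NOT_INTERNET_FACING = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # CGNAT shared space
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 ULA, link-local, loopback
)]

# Refuse to expand anything larger than a /16: in an ASV scope list that is a typo.
MAX_BLOCK_ADDRESSES = 65536


def is_internet_facing(addr):
    """True unless the address falls in a range that cannot be reached from the internet."""
    return not any(n.version == addr.version and addr in n for n in NOT_INTERNET_FACING)


def expand_inventory(entries):
    """Map each raw entry (single IP or CIDR) to the set of in-scope addresses it declares."""
    per_entry = {}
    for raw in entries:
        raw = raw.split("#", 1)[0].strip()   # tolerate inline comments from a text file
        if not raw:
            continue
        net = ipaddress.ip_network(raw, strict=False)
        if net.num_addresses > MAX_BLOCK_ADDRESSES:
            raise ValueError(f"{raw}: block too large to be a sane ASV scope entry")
        # An ASV scans every address in a declared block, not just usable hosts,
        # so count all of them. Duplicate entries collapse in the set union later.
        per_entry[raw] = {a for a in net if is_internet_facing(a)}
    return per_entry


def band_for(count, ceilings=BAND_CEILINGS):
    """Return (band_lower, band_upper, headroom_to_next_band). Above the top band,
    upper and headroom are None: that is the enterprise / VMDR scoping conversation."""
    lower = 1
    for ceiling in ceilings:
        if count <= ceiling:
            return lower, ceiling, ceiling - count
        lower = ceiling + 1
    return lower, None, None


def scope_report(entries):
    """Distinct in-scope IP count, the band it lands in, and the entries that
    contribute the most addresses (the first candidates for scope reduction)."""
    per_entry = expand_inventory(entries)
    in_scope = set().union(*per_entry.values())
    count = len(in_scope)
    lower, upper, headroom = band_for(count)
    largest = sorted(per_entry.items(), key=lambda kv: len(kv[1]), reverse=True)
    return {
        "in_scope_ips": count,
        "band": (lower, upper),
        "headroom_to_next_band": headroom,
        "largest_entries": [(entry, len(addrs)) for entry, addrs in largest[:3]],
    }


# Constructed sample inventory. Documentation ranges (RFC 5737 / RFC 3849) stand in
# for public addresses; no real organisation's IPs are used.
SAMPLE_INVENTORY = [
    "203.0.113.10",       # web front end
    "203.0.113.10",       # same host listed again from a second spreadsheet
    "203.0.113.32/29",    # 8 addresses: bastion plus load-balancer VIPs
    "198.51.100.0/28",    # 16 addresses: legacy colo block, mostly unused
    "10.20.0.0/24",       # internal only, never internet-facing: excluded
    "2001:db8::1",        # IPv6 front end
]

if __name__ == "__main__":
    before = scope_report(SAMPLE_INVENTORY)
    # Retiring the legacy colo block drops the inventory below the 16-IP ceiling.
    after = scope_report([e for e in SAMPLE_INVENTORY if not e.startswith("198.51.100.")])
    for label, report in (("current scope", before), ("legacy block retired", after)):
        print(f"{label}: {report['in_scope_ips']} in-scope IPs, band {report['band']}, "
              f"headroom {report['headroom_to_next_band']}, largest {report['largest_entries']}")
```

Run against the sample, the current inventory resolves to 26 distinct in-scope addresses in the 17-32 band with six IPs of headroom, and the single legacy /28 accounts for 16 of them; retiring that block lands at 10 addresses in the bottom band. Feed it the real address list from DNS and cloud inventory, not the spreadsheet sent to the vendor, and run it before renewal rather than after.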

Multi-year terms typically discount the year-one fee 10 to 15 percent for a three-year commitment with tier-threshold flexibility built in. The tier-threshold flexibility clause is the single most valuable negotiation lever: a three-year contract that locks in current-tier pricing through the term protects against the cost cliff at IP-band boundaries.

Three concrete cost scenarios

Scenario: Small e-commerce (4 internet-facing IPs)
Qualys annual fee: $250 - $450/yr
Configuration: Standalone PCI ASV subscription, quarterly scans, automatic ASV scan attestation (Attestation of Scan Compliance) reporting

Scenario: Mid-market SaaS (40 internet-facing IPs)
Qualys annual fee: $900 - $1,800/yr
Configuration: Standalone PCI ASV at the 32-64 IP band, quarterly scans, compliance portal

Scenario: Enterprise fintech (250+ IPs, VMDR bundle)
Qualys annual fee: $15k - $35k/yr
Configuration: VMDR enterprise subscription including the PCI ASV module, internal scanning, asset inventory, CMDB integration

Triangulated from Vendr aggregated buyer data, Qualys free trial pricing, public Qualys customer case studies, and PCI engagement quotes shared on practitioner forums. Qualys does not publish a retail rate card, so these are planning anchors rather than commitments.

Standalone PCI ASV vs the VMDR bundle

The decision between standalone PCI ASV and VMDR turns on whether the buyer needs vulnerability management beyond the PCI quarterly scan obligation. For Level 3 and Level 4 e-commerce merchants who only need PCI ASV (and have internal vulnerability management handled separately by cloud-provider tooling or open-source scanners), the standalone subscription is the right answer at $200 to $2,000 per year. For Level 1 and Level 2 enterprises who also need internal authenticated scanning, configuration assessment, patch management orchestration, and cloud security posture management, VMDR consolidates the tooling stack at materially better total cost of ownership.

The VMDR economics are favourable when the buyer would otherwise purchase three or more point solutions. A typical mid-market stack of standalone PCI ASV ($1,500/yr) plus Nessus Professional ($4,800/yr) plus a cloud security posture management (CSPM) tool ($10,000/yr) plus an asset inventory tool ($8,000/yr) totals $24,300, versus a VMDR enterprise subscription that consolidates all four at $15,000 to $20,000 per year for equivalent functionality. The VMDR cost arbitrage grows with stack complexity.

The VMDR economics are unfavourable when the buyer only needs PCI ASV and has no broader VM ambition. Forcing a VMDR conversation onto a buyer who genuinely wants only quarterly external scanning is a 5 to 10x overspend that delivers no operational value. Buyers should resist VMDR pitches if the in-scope use case is genuinely PCI-only and the rest of the security stack is settled.

When Qualys wins and when it does not

Qualys wins for enterprises with existing or planned investment in the VMDR platform, where the PCI ASV module is a small marginal cost on a larger vulnerability management subscription. It wins for organisations that need genuine enterprise-grade reporting, compliance automation, and integration with broader IT operations tooling (CMDB, ITSM, SIEM). It wins for buyers who care about long-term vendor consolidation and want one VM platform across PCI, ISO 27001, SOC 2, internal scanning, and cloud security.

Qualys does not win for small merchants who only need PCI ASV (SecurityMetrics and Intruder price 30 to 60 percent below for small environments), for buyers who already use Nessus or InsightVM for internal scanning (the VMDR consolidation pitch falls flat), or for buyers who prioritise modern UX and rapid deployment (Tenable.io and Rapid7 InsightVM are typically faster to onboard).

Negotiating with Qualys

Three tactics. First, negotiate tier-threshold protection into multi-year contracts explicitly; this is the single most valuable cost-control clause and Qualys engagement managers will agree to it under modest pressure. Second, bring competitive quotes from Tenable.io and Rapid7 InsightVM for the VMDR-tier conversation; Qualys responds to these specific competitors and will match credible quotes down by 10 to 20 percent. Third, for standalone PCI ASV at the SMB tier, ask explicitly whether the SecurityMetrics PCI ASV product would meet the same compliance requirement; Qualys engagement managers know SecurityMetrics is the genuinely cheapest mainstream PCI ASV at small scale and will sometimes match SMB pricing to retain the account for future VMDR upgrade.

For combined PCI ASV plus internal authenticated scanning, bundle these explicitly in the proposal request. Qualys prices the bundle competitively because the authenticated-scanning capability is a high-margin add-on for them and they prefer to capture both line items in one contract.

Qualys on the PCI SSC ASV directory

Qualys is listed in the official PCI SSC Approved Scanning Vendor directory. ASV approval is renewed annually, so confirm the current listing, and that the product named on the quote matches the listed scanning solution, before signing.

Verify on pcisecuritystandards.org

Frequently asked

Qualys PCI ASV subscriptions run roughly $200 to $2,000 per year for the merchant tier (small SMB to mid-market environments with 1 to 64 internet-facing IPs). Enterprise scoping (64+ IPs, multi-region, integrated with Qualys Vulnerability Management, Detection and Response) pushes into the $5,000 to $30,000+ range. Qualys quotes product pricing through its sales process rather than a public retail rate card; the bands above triangulate from public customer disclosures and Vendr aggregated buyer data. The per-IP scaling is the most common surprise at renewal.
