ChannelLife New Zealand - Industry insider news for technology resellers

Exclusive: Qualys outlines AI-driven cyber risk strategy

Fri, 19th Dec 2025

Qualys is calling on organisations to rethink their cyber security strategies as hybrid and multi-cloud environments create increasingly complex risk landscapes.

In a recent interview, Sam Salehi, Managing Director of ANZ at Qualys, revealed how the company is using agentic AI and its Risk Operations Centre (ROC) platform to provide real-time, business-prioritised cyber risk insights.

Fragmented visibility

Many organisations still struggle to maintain visibility across disparate on-premises and cloud systems.

"Typically, customers have one tool for their on-premises environment and then another one for cloud, and the integration in between them is typically very challenging, which then results in having inconsistent and insufficient asset information," said Salehi.

Salehi said that without a unified asset inventory, understanding overall risk is difficult. Rapidly changing attack surfaces and compliance pressures add further complexity. "I would say that these four things are top of mind for a lot of them," he added.

AI evolution

Artificial intelligence is reshaping both defensive and offensive cyber strategies.

Some organisations are using AI to engage and delay scammers, making attacks more time-consuming and less effective.

"Both sides of the fence are using AI, and it is definitely changing the way that you see attackers are coming through. The messages are more believable; they have less grammatical errors. They have done a lot more research before they reach out to you," said Salehi.

The shift from reactive operations to proactive risk management is central to this approach. Qualys' ROC platform aggregates risks, from vulnerabilities to identity and third-party exposure, and applies threat intelligence to help organisations prioritise responses.

Strategic orchestration

Agentic AI is changing the role of CISOs from tactical responders to strategic decision-makers.

"Agentic AI is going to help with shaping a strategy through continuous risk informed decision making," said Salehi. By focusing on risk quantification, CISOs can tie every investment directly to risk reduction outcomes.

Autonomous workflows also reduce operational bottlenecks. "The same agent that does the detection, does the analysis in terms of what needs to be patched, and does the remediation as well. So that significantly reduces the mean time to detection and mean time to response for our customers," he added.

Operational efficiency

ROC uses AI to deliver real-time, business-prioritised insights.

"Our Risk Operations Centre (ROC) leverages AI to synthesise data from across vulnerabilities, misconfigurations, identity and access management, and data exposure solutions. It then applies threat intelligence and business context to help us prioritise the risks that matter the most," said Salehi.

Dynamic risk scoring updates continuously as business contexts and threats change, giving CISOs clear visualisation of potential impacts.

"Once you have that information, you can use that to help you with risk quantification. You obviously already have a risk appetite, and the moment these numbers go up and down, you can see the change reflected in a graph. That makes it very easy for someone like a CISO to visualise the impact of implementing a particular control on the organisation's overall risk posture," he said.

Repetitive tasks, such as Patch Tuesday updates, can be automated. Organisations can also create custom AI agents for other recurring tasks.

"It doesn't necessarily need to be limited to patching. If you have got a repetitive task that you do every week for your company, you can apply the same logic and build those agentic AI workflows, using your naming convention directly into the ROC," said Salehi.

Business context

Linking cyber security operations to business outcomes is a differentiator for Qualys.

"Bringing business context into the mix is one of the key metrics that we adopted into our ROC, which is helping us to stand out. Because at the end of the day, you want to make sure that you're protecting the most impactful assets you have in your business," said Salehi.

This approach enables more measurable returns on cyber security investment.

"If you invest $200,000 in a particular technology, you can directly see how that reduces the risk of losing critical assets or parts of the business that might represent a $2 million exposure, for example, reducing that risk by 50 per cent," he explained.

He also stressed the need for a mindset shift as organisations adopt AI: "AI is not going to take our jobs. The biggest shift in mindset should be from reactive and tool centric security approaches into a more data-driven approach that leverages AI to orchestrate different types of remediation actions," he said.

"Adopting AI, which is using agentic AI to take care of some of those repetitive tasks, will help you make those decisions faster or deploy those solutions faster in your environment," he added.

Looking at 2026, Salehi recommends organisations focus on three priorities to manage cyber risk effectively: taking a risk-based approach, integrating business context for risk quantification, and adopting agentic AI to automate repetitive security tasks.