Qualys CEO On Offering An ‘Alternative To Platformization’ In Security

In an interview with CRN, Qualys CEO Sumedh Thakar says many solution providers and customers are looking to ‘get more value out of their existing investment in tools’ rather than heavily consolidating on a single vendor.

Even amid the massive attention being paid to “platformization” in the cybersecurity industry, many solution providers and customers would prefer not to consolidate heavily on a single vendor, according to Qualys President and CEO Sumedh Thakar.

In an interview with CRN, Thakar said that, by contrast, a significant number of solution providers and customers are looking to “get more value out of their existing investment in tools.”

Foster City, Calif.-based Qualys has for much of the past year focused on offering what it believes is a different approach to tackling cybersecurity risk through what it has called its Risk Operations Center. The Risk Operations Center enables Qualys to combine all of an organization’s assets and data and then apply threat intelligence, business context and compensating controls, Thakar said.

That approach provides far greater quantification of risk as well as a way to better prioritize security efforts, he told CRN.

Crucially, the approach can also utilize existing, third-party security tools rather than requiring an organization to transition to new products in order to get the benefits of quantification and prioritization, according to Thakar.

“I look at this as giving the customers more options. Not everybody is at the place where they can rip and replace everything [to consolidate on] one vendor,” he said. “This is an alternative approach to platformization, which allows customers to get more value out of their existing investment in tools and build on top of that to get value.”

Meanwhile, Qualys has also enabled the delivery of a managed version of its offering, the managed Risk Operations Center (mROC), through partners including GuidePoint Security, No. 37 on CRN’s 2025 Solution Provider 500.

Ultimately, “it’s not about one platform. It is about giving the CISOs the power to maintain the tools that they like,” Thakar said. “We can pull data from all of [those tools] and provide a singular, business-oriented view. I think this is really the right approach for the industry.”

What follows is more of CRN’s interview with Thakar.

For partners and customers, what is most important to know about your Risk Operations Center offering?

If you really look at it, the risk surface is actually significantly smaller than the attack surface for any organization. A Risk Operations Center [involves] bringing all the assets together, bringing all the findings and the data together, applying threat intelligence, applying business context, applying compensating controls—and then creating a remediation plan, executing the remediation plan and creating board reports. That’s really what streamlines the entire operation.

We demonstrated this [recently] where we imported data in our Risk Operations Center for a [Qualys] customer from Wiz, CrowdStrike [and] SecurityScorecard. It was a total of 65 million findings that came out. Once the Risk Operations Center applied its threat allegiance capability, it went down to 2 million findings that actually were even exploitable in any way. Then when we applied the business context to say, ‘Is this a revenue-generating app? Is this a database machine? Is this a PCI machine?’ That count went down even further to 304. So now the customer had a focused approach because of the Risk Operations Center on what really matters to their business and their environment that they should focus on protecting — rather than trying to chase CVSS high scores.

The Risk Operations Center is bringing a lot of efficiency to the organization because we’re significantly narrowing down from an attack surface to the risk surface. This has been very well received. We think of this as a transformational capability from cybersecurity for the future.

A big part of what we’re doing is also creating a managed Risk Operations Center concept, or mROC. [With our] mROC Alliance, partners will provide these services on risk quantification around the Risk Operations Center platform from Qualys. For our first batch of partners we have GuidePoint, a couple partners in the U.S., a couple of partners in Europe and a couple partners in the Middle East.

How does this contrast to the efforts by some vendors to emphasize consolidation and platformization?

What we hear from our customers is really that people are looking to use the best tool for the specific use case in security that they have. They may not think that the same tool or same company giving them container security might be giving them the best from AI security, as an example. There might be a startup that is providing them with AI security much better. CISOs want to empower their individual teams to pick the best tool. However, they want to bring all of the data into one platform. It’s not necessarily that replacing every single tool with the same vendor is what people are looking for. To rip and replace itself has a cost and it has a risk. Of course, there will be some adjacent consolidation in certain areas. But then you still will end up having a few platforms for endpoint, for cloud.

Where we’ve found a lot of excitement from our customers is less about, ‘Let’s go and replace everything with one thing’ and more about ‘[how do I get] more value out of what I have already purchased by creating a platform that helps me get more value?’ The Risk Operations Center approach, from a platformization perspective, is more about, how do we help you get more value out of the tools that you already have and that you’re happy with?

So this is an alternative to platformization?

Absolutely. I look at this as giving the customers more options. Not everybody is at the place where they can rip and replace everything [to consolidate on] one vendor. So this is an alternative approach to platformization, which allows customers to get more value out of their existing investment in tools and build on top of that to get value. That is something that is important to the board and the CFO from a business perspective.

A couple of years ago, cloud was the new, shiny thing. And now AI security is the shiny thing. And then next year, I can promise you, quantum security is going to be the next shiny thing. Shiny things will come and go. But the need for a risk operations approach—where you’re bringing your risk factors, prioritizing what is important and then [quantifying it]—that is going to remain perpetually. That’s where I think we are pioneering the approach, and the fact that we’re saying it’s not about one platform. It is about giving the CISOs the power to maintain the tools that they like. You want a different tool for containers, a different tool for mobile, that’s fine. We can pull data from all of that and provide a singular, business-oriented view. I think this is really the right approach for the industry.