Authenticate using HTTP Basic auth with your Qualys username and password; determine your API gateway URL from the Qualys platform UI (e.g., qualysapi.qg2.apps.qualys.com for US POD2).
Request the Host Detection List with POST https://{gateway}/api/2.0/fo/asset/host/vm/detection/ with body action=list and optional filters such as ids (asset IDs), severities, status (New, Active, Re-Opened, Fixed), and truncation_limit.
Parse the returned XML response; each <HOST> element contains <IP>, <QID>, <SEVERITY>, <STATUS>, <FIRST_FOUND_DATETIME>, and <LAST_FOUND_DATETIME> fields for each detection.
Page through large result sets using the <WARNING><URL> element in the response, which provides the continuation URL for the next batch when truncation_limit is reached.
Enrich detections by cross-referencing QIDs against the Qualys KnowledgeBase API (action=list on /api/2.0/fo/knowledge_base/vuln/) to obtain CVE IDs, CVSS scores, and remediation guidance.
Known gotchas
The Host Detection List API is one of the slowest Qualys APIs for large asset inventories; use narrow filters (specific asset IDs or groups, date ranges) to reduce response time and avoid gateway timeouts.
Qualys enforces API concurrency limits per subscription; exceeding them returns an HTTP 409 error — implement a queue and retry with back-off rather than parallel requests.
Results are paginated via a continuation URL embedded in the XML response body, not via standard HTTP headers; missing this causes silent data truncation.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp