Full-Time

Sales Specialist

Qualys

1,001-5,000 employees

Cloud-based vulnerability management and compliance platform

No salary listed

Virginia, USA

In Person

Category
Sales & Account Management
Required Skills
Vulnerability Analysis
Risk Management
Requirements
  • 8+ years in cybersecurity sales, pre-sales engineering, or risk advisory roles
  • Strong understanding of vulnerability management, risk exposure concepts (CVEs, CVSS), and attack surface reduction
  • Excellent communication and presentation skills with executive presence
  • Ability to translate technical capabilities into business outcomes
  • Willingness to travel up to 50–70%
Responsibilities
  • Collaborate with Account Executives to develop and execute sales strategies for cyber risk solutions
  • Lead discovery sessions to understand customer pain points and align Qualys offerings to business objectives
  • Deliver high-impact presentations, demos, and workshops to technical and executive stakeholders
  • Articulate the value proposition of Qualys TruRisk Platform in terms of risk reduction and ROI
  • Support proof-of-concept engagements and guide customers through evaluation processes
  • Provide feedback to Product and Engineering teams based on customer insights and market trends
  • Stay current on industry frameworks (e.g., NIST CSF, CIS) and communicate how Qualys maps to compliance and risk management goals
  • Assist in building proposals, RFP responses, and solution architectures for complex deals
  • Champion adoption and expansion opportunities within existing accounts
Desired Qualifications
  • Experience in consultative selling or solution-based sales in cybersecurity
  • Familiarity with cloud security (AWS, Azure, GCP) and hybrid IT environments
  • Experience with AI models and adoption techniques

Qualys provides cloud-based cybersecurity and compliance solutions to secure IT infrastructure for enterprises, SMBs, and government. Its main products include vulnerability management, policy compliance, web application security, and IT asset management, delivered via the Qualys Cloud Platform that continuously monitors environments. The platform collects data from agents and sensors, runs automated checks, enforces policies, and generates real-time compliance reports. It differentiates with real-time analytics, automated workflows, and scalable cloud architecture, offering a unified security and compliance ecosystem to manage risk across on-premises, cloud, and hybrid environments.

Company Size

1,001-5,000

Company Stage

IPO

Headquarters

Redwood City, California

Founded

1999

Simplify's Take

What believers are saying

  • Q1 2026 beat expectations with 9.8% YoY revenue growth and 34.7% operating margin expansion.
  • AI-native Risk Operations Center positions Qualys as leader in autonomous threat validation and remediation.
  • 10,000+ subscription customers including majority of Forbes Global 100 provides sticky, recurring revenue base.

What critics are saying

  • Revenue growth decelerated from 12.9% five-year CAGR to 9.7% two-year CAGR, signaling market saturation.
  • Microsoft Defender Vulnerability Management bundled free in Microsoft 365 E5 eliminates Qualys pricing for 80% of enterprises.
  • Dynatrace and ServiceNow integrations commoditize Qualys scanners as interchangeable data sources, eroding pricing power.

What makes Qualys unique

  • Enterprise TruRisk Platform unifies vulnerability management, compliance, and threat detection in single cloud-native solution.
  • Agent Val AI validates exploitability in production environments, reducing remediation noise by 90% versus competitors.
  • Converge partnership ties cyber insurance premiums to verified security posture, creating financial incentive for customers.

Benefits

Remote Work Options

Growth & Insights and Company News

Headcount

6 month growth

2%

1 year growth

0%

2 year growth

0%
Hacklido
Mar 25th, 2026
Qualys Agent Val: the end of the maybe vulnerability.

For years, security teams have been buried under a mountain of "High" and "Critical" alerts, many of which are theoretically dangerous but practically unexploitable in their specific environment. Today at RSAC, Qualys officially launched Agent Val, an AI-powered "Validation Agent" designed to end the era of speculative patching.

1. The "minus one day" Reality

The launch comes on the heels of startling new data from the Qualys Threat Research Unit (TRU).

  • Exploits are Faster: The time between a vulnerability disclosure and an active exploit has dropped to nearly zero, and in some cases to "minus one day," where hackers are leveraging flaws before a public patch is even ready.
  • The Noise Problem: 90% of flagged vulnerabilities are never actually exploited in the wild because they require specific, non-default configurations or environmental "pivots" that aren't present.

2. How Agent Val works: safe exploit simulation

Unlike a standard scanner that just looks at version numbers, Agent Val acts as a resident ethical hacker on the endpoint.

  • Safe Payload Injection: It safely simulates the exploit path in a sandboxed execution layer on the actual asset.
  • Environmental Context: It doesn't just ask "Is the app vulnerable?"; it asks "Can this app, on this VLAN, with these permissions, actually be breached?"
  • The "Confirmed" Badge: If Agent Val successfully "pokes" the flaw, it upgrades the alert to "Confirmed Exploitable." If the environment blocks it, the priority is lowered.

3. Operationalizing the "ROC" (Risk Operations Center)

Qualys is positioning Agent Val as the heart of the Risk Operations Center (ROC) - the 2026 evolution of the SOC.

  • Focus on the 1%: Instead of fixing 1,000 "Critical" flaws, the ROC uses Agent Val to identify the 10 that can actually sink the ship today.
  • Remediation Scripts: Once an exploit is validated, Agent Val can automatically suggest or trigger the specific "compensating control" (like a WAF rule or registry change) to kill the exploit path without waiting for a full software patch.

Hacklido technical takeaway: moving to Validation

For its community of sysadmins and bug hunters, Agent Val signals the end of "Scanner-based Security":

  • Stop Chasing CVSS Scores: A CVSS 9.8 that isn't reachable is less dangerous than a CVSS 6.0 that is currently being exploited by a worm. Start prioritizing based on Reachability and Validation.
  • Test in Production (Safely): The industry is moving toward continuous, safe-exploit testing in production environments. If you aren't validating your defenses, you are just guessing.
  • Audit the "Agent": As Hacklido deploys more "Security Agents" like Agent Val, ensure their own identities are secured. Use the Token Security model (RSAC's Sandbox Winner) to govern the intent of these powerful autonomous security tools.

PR Newswire
Mar 23rd, 2026
Qualys launches Agent Val AI to validate exploits and cut remediation noise by 90%

Qualys has launched Agent Val, an AI agent for exploit validation and autonomous remediation, within its Enterprise TruRisk Management platform. The system validates exploitability in production environments, mitigates confirmed risks and revalidates exposures to verify risk reduction. Agent Val, powered by TruConfirm, addresses the growing challenge of known exploited vulnerabilities, which have increased 6.5 times in four years. The technology shifts security teams from assumption-driven prioritisation to evidence-based execution by safely testing exploitability in live environments, resulting in a claimed 90% reduction in remediation noise and 70% faster time-to-remediate. The system covers over 1,600 CVEs with no additional sensor footprint required. Agent Val is now generally available as part of Qualys ETM.

Dolphin Publications
Mar 13th, 2026
Linux security layer extremely vulnerable: 12.6 million systems affected

Nine critical vulnerabilities have been found in AppArmor, a Linux Security Module standard on Ubuntu, Debian, and SUSE. Together, they are referred to as CrackArmor. The vulnerabilities allow unauthorized users to bypass kernel protections, obtain root privileges, and break container isolation.

This was discovered by researchers at Qualys. Together, they form the so-called CrackArmor advisory. The flaws have existed since 2017 (kernel version v4.11) and affect more than 12.6 million enterprise Linux instances worldwide. AppArmor is the standard Mandatory Access Control mechanism for Ubuntu, Debian, and SUSE. It is widely used in cloud environments, Kubernetes, IoT, and edge infrastructure.

How the attack works

The vulnerabilities exploit a confused deputy attack. An unauthorized user can manipulate a privileged process to perform actions on their behalf, without having the necessary rights themselves. Specifically, attackers abuse tools such as Sudo or Postfix to modify AppArmor profiles via pseudo-files such as /sys/kernel/security/apparmor/.load and .replace. This bypasses user-namespace restrictions and allows arbitrary code to run in the kernel.

Consequences include local privilege escalation (LPE) to root, denial-of-service via stack exhaustion, and KASLR bypasses via out-of-bounds reads. Container isolation is also no longer guaranteed as a result.

Qualys TRU has developed Proof of Concept exploits that demonstrate the entire attack chain. These are not being released publicly, but have been shared with the relevant security teams to speed up patching.

"CrackArmor proves that even the most entrenched protections can be bypassed without admin credentials. For CISOs, this means patching alone isn't enough; we must re-examine our entire assumption of what 'default' configurations mean for our infrastructure," said Dilip Bachwani, CTO of Qualys.

All Linux kernels from v4.11 onwards are vulnerable on distributions that integrate AppArmor. Debian released a security update on March 12, 2026 that addresses the vulnerabilities. Ubuntu and SUSE are working on similar patches. Qualys recommends applying vendor kernel patches immediately and setting up monitoring on /sys/kernel/security/apparmor/ for unauthorized profile changes.

Dynatrace
Feb 25th, 2026
Ingest, enrich, and deduplicate Qualys vulnerability findings with Dynatrace

Dynatrace integrates with Qualys to help DevSecOps teams reduce alert fatigue by unifying and deduplicating vulnerability findings, contextualizing findings with runtime entities, and offering smarter prioritization, automation, and remediation.

What is Qualys host scanning?

Qualys is a leading provider of vulnerability management solutions. Qualys Enterprise TruRisk platform offers a range of products, including Vulnerability Management, Detection, & Response (VMDR), which helps detect and prioritize vulnerabilities for remediation on hosts. Host monitoring has been a best practice in security hygiene for decades and is required by various compliance standards. If your organization is already applying all the best practices for host scanning, you may still be wondering how to improve the prioritization of detected vulnerabilities.

Challenges in managing host vulnerabilities

Imagine you periodically run scans of hosts in your environments: production hosts, development hosts, etc. Each scan discovers hundreds or even thousands of vulnerabilities. Your goal is to minimize the risk by fixing the most critical vulnerabilities first. Even with a simple strategy like this, your DevSecOps teams might still struggle to handle all the vulnerabilities. Your MTTR (Mean Time to Remediation) is increasing, and your management is not happy about it.

In addition, while focusing on critical vulnerabilities, are you sure you're prioritizing the top risk for your organization? That approach is a good start; however, some top-risk vulnerabilities might not be critical in severity; they're the ones that directly impact your critical production applications and services. Even if it is a high-severity vulnerability, you may want to address it before a critical vulnerability because it affects your production environment.

What can you do? Is there a way to further improve vulnerability prioritization? The answer is yes; you need to consider additional runtime context and focus on production risk in addition to severity. You may want to have a robust deduplication mechanism in place and visibility into the top risks. And you might also benefit from tracking the fixes and posture drifts, increasing security coverage, and reducing the number of risks over time.

Dynatrace as a runtime security platform

The Dynatrace platform offers native Runtime Vulnerability Analytics that detect vulnerabilities in your running applications and services, helping keep your application's security risk low. This complements the host scanning and provides a complete picture of the security risks.

As an observability platform, Dynatrace also monitors the infrastructure on which your apps and services run. Hosts are one such infrastructure entity. Dynatrace knows whether a host is connected to the internet, how much traffic flows through it, whether production applications are running on that host, and how those applications are connected to other hosts and services in your organization.

With Dynatrace OpenPipeline(R) as the data ingest engine and Grail(R) as the unified data lakehouse, it is possible to ingest security findings from third-party products to bring security context to operational personas. DevSecOps teams can simultaneously benefit from ingested and contextualized security findings using Dynatrace as a security platform, gaining ultimate visibility into all risks in one place, prioritizing based on production risks, and improving their security posture.

Qualys integration at work

Dynatrace integrates with Qualys to connect host vulnerability findings with runtime application context, allowing smarter vulnerability prioritization and better visibility into your security risks from the perspective of your runtime environment. Here is how this integration works, and how it allows you to achieve your goals in several simple steps:

Step 1: ingest and unify. Dynatrace delivers this integration as an extension that allows granular control over the data flow between Qualys and the Dynatrace platform. Leveraging OpenPipeline, Tenable vulnerability findings and activity logs are pushed to Dynatrace and stored in Grail, where they're mapped to semantic conventions that make them available in a unified schema for further analysis.

Step 2: deduplicate and visualize. As soon as Qualys vulnerability findings are in Grail, you can view them in the Vulnerabilities app as individual findings or, using deduplication logic, as a focused list of unique findings. In this way, hundreds of findings reported repeatedly by each executed scan are deduplicated and become tens of vulnerabilities instead.

[Screenshot: findings before deduplication]

[Screenshot: findings after applying the deduplication filter]

The Qualys integration also includes several ready-made dashboards that help you deduplicate and display vulnerability findings in a summarized view.

Step 3: enrich and prioritize. The next step is to use the Dynatrace runtime context to further prioritize the vulnerabilities. In this sample dashboard, which is also shipped with the integration, Dynatrace, Inc. first filters the ingested vulnerability findings for monitored hosts and then adds the production application-level filter. This filtering approach focuses on runtime impact and helps reduce the number of vulnerabilities to address.

Step 4: communicate and remediate. With Dynatrace native automation capabilities represented in the Workflows app, you can operationalize the vulnerability findings by notifying relevant stakeholders and creating work tickets for remediation.

Step 5: track improvement. Whether remediation is applied or new vulnerabilities are identified, you can easily monitor changes across scans to see which vulnerabilities are new, unresolved, or fixed. Dynatrace, Inc. provides a dashboard with the integration that helps achieve this goal.

Step 6: increase security coverage. Finally, Dynatrace also helps you to understand whether you've covered all important hosts in your environment with vulnerability scans. This security observability is fueled by monitored host entities and Qualys ingested findings.

[Screenshot: security coverage dashboard shipped with the integration]

What's next

The Dynatrace platform helps reduce noise from vulnerability scanning and provides runtime insights to efficiently prioritize remediation efforts. Follow its updates and news about additional integrations and learn about which products from your security stack Dynatrace, Inc. already covers. If you don't find support for your product or tool, feel free to contact Dynatrace, Inc. in its Community channel.

Get started

To learn more about the Qualys integration and how to set it up, read its documentation for ingesting Qualys vulnerability findings, scanning events, and auditing logs. Install Qualys to prioritize production risks and reduce alert overload.

Yahoo Finance
Feb 22nd, 2026
Qualys international revenue grows 15% as Q4 2025 revenue reaches $175M

Qualys, a cloud-based security platform provider, reported fourth-quarter revenue of $175.3 million, representing 10% growth. International markets revenue grew 15%, outpacing domestic revenue growth of 6%. Channel revenue rose 17%, accounting for 51% of total revenue. The company posted adjusted EBITDA of $82.6 million and earnings of $1.87 per diluted share for the quarter, whilst generating $74.9 million in free cash flows. However, operating expenses increased 11% to $68.9 million due to higher sales and marketing costs. For 2026, Qualys projects revenue between $717 million and $725 million, indicating 7% to 8% growth. UBS analyst Roger Boyd lowered the firm's price target from $150 to $140 whilst maintaining a Neutral rating.