The cybersecurity industry continues to talk about AI as if it is the missing link in their security strategy. Most companies are now integrating elements of AI into their products. But how many are using AI in their own companies, and how are they using it?
Dilip Bachwani, Chief Technology Officer, Qualys, spoke with Enterprise Times editor Ian Murphy about cloud and product evolution. Importantly, he talked about how Qualys is using AI to advance cybersecurity.
Who are Qualys?
When Bachwani joined Qualys in 2014, the company had around 600 staff. Of those, 250 were in the engineering division. Over the last decade, the headcount has grown fourfold to around 2,300, and the engineering team, headed by Bachwani, is now 1,000 strong.
The company started out with a focus on vulnerability management, compliance and web application scanning. Since then, Bachwani said, it recognised the need “to build a unified security platform that could scale with customers’ needs.”
As CTO, he has defined the engineering strategy to expand the platform through new product development on a common foundation. Bachwani continued, “We started with the idea that we had a really good technology foundation and could expand the platform by gradually developing new products on top of it.”
Evolving the Platform and unlocking the power of data with AI
Qualys also took the decision to build that common platform using a cloud-native architecture. One of the benefits of that has been to change how the platform looks. Bachwani admits that early on, it had been a typical monolithic codebase. Today, it is a collection of 3-400 microservices and growing.
Bachwani says there are several advantages to using microservices. The first is that the code is easier to manage and maintain. It also gives Qualys visibility into how the platform is used by its customers. That allows it to prioritise new features and services.
Underneath the platform is the data lake that Qualys has built over the last decade. It is fed by 10-12 different databases that receive up to 45 billion messages a day between them. That is almost half a million messages a second. Generating those messages is a massive agent network of over 110 million endpoints worldwide.
With its data lake containing petabytes of anonymized security signals, Bachwani notes, “Qualys is well-positioned to derive powerful insights through AI that individual point solutions could not.”
He continued, “Qualys is applying AI techniques like machine learning and deep learning to analyze patterns in petabytes of anonymized data from endpoints. This helps surface new insights that individual data points could not reveal on their own. Additionally, Qualys is exploring how large language models can be fine-tuned on its proprietary data sets to provide more contextualized responses that directly apply to customers’ environments.”
Transforming Engineering with an AI-First Approach
Qualys is also revolutionizing its engineering workflows using AI. Bachwani aims to “socialize AI/ML development across all engineering teams” and make AI “a tool that increases efficiency.” To do this, engineers are encouraged to “explore use cases and iteratively refine models using an automated ML pipeline, applying DevOps principles.”
What makes this especially interesting is how LLMs will be used by the teams. Qualys could create a single LLM across the whole of engineering. However, that would require a lot of maintenance. The alternative that Bachwani sees is smaller LLMs being given to each engineering team.
He commented, “Each engineering team has access to large language models pre-trained on codebases to assist with tasks like generating documentation or sample code. Teams can then fine-tune models for their specific projects or domains.
“An automated machine learning pipeline allows continuous refinement and redeployment of these models without disrupting work. Over time, Qualys aims to have LLMs understand the full context of each project to offer trustworthy solutions aligned with the organization’s policies and guidelines.”
It’s a bold approach to LLM and model development. It resolves one of the existing problems, namely that organisations have no quality control over how they build LLMs. Will this improve the quality? The answer is almost certainly yes.
But what about customers? Several vendors are looking at building LLMs to help customers improve how they use tools. The challenge, however, is keeping those up to date, especially in cybersecurity. There would need to be constant updating from a master model maintained by Qualys, which raises questions as to how customers would fine-tune their environments.
Generating Trustworthy Code through Model Training
Another area where Qualys is looking at AI is the generation of code snippets. While some organisations have tried this, the quality of those snippets is highly variable. That suggests they are better suited to general ideas than to production code until the quality of the code improves.
When asked about this, Bachwani said, “Human verification is still needed to ensure functionality and absence of vulnerabilities.” He also discussed how Qualys is researching training models on secure codebases and integrating security checks into the code generation process to build trust in AI-generated solutions.
Bachwani said, “Qualys is researching how to train generative models from the start on large corpora of high-quality, secure code to improve the reliability of any suggestions. The company is also exploring techniques like Constitutional AI to verify generated code complies with predefined specifications before being presented to engineers for review.”
Enterprise Times: What does this mean?
Qualys aims to set the standard for integrated, risk-focused security by infusing AI throughout its platform and operations. Bachwani predicts that in the future, “AI will transform not only how Qualys secures enterprises but also how its own engineers work.”
It will be interesting to see how this plays out. Bachwani was extremely open about where Qualys is going and what it wants to achieve. It will take time for the results to come through, although, listening to Bachwani, it is clear that the current results are positive.
The key thing here, however, is that if successful, Qualys will demonstrate AI’s power to revolutionize cybersecurity and beyond. And that will significantly impact the industry by showing that AI is more than just a marketing message.