The launch of the mROC Partner Alliance marks a pivotal evolution in Qualys’ mission to make cyber-risk management more strategic, scalable and business-aligned. Sumedh Thakar, President and CEO at Qualys, tells us the initiative was designed to empower trusted partners with the tools, expertise and frameworks needed to deliver measurable risk reduction and bridge the gap between cybersecurity and business priorities.
What inspired the development of the mROC Partner Alliance and how does it advance your original vision for the Risk Operations Center?
The mROC Partner Alliance was born out of our vision for the Risk Operations Center – to extend its impact by bringing in trusted partners who can deliver the elements essential to risk reduction. The ROC addresses key cybersecurity challenges: fragmented tools, overwhelming risk findings, and the widening disconnect between cyber-risk and business priorities. It is a necessity for CISOs to translate cyber-risk into the language of business – financial terms that resonate with boards and CFOs.
The ROC isn’t just a tool – it’s a cyber-risk management framework built on people, processes and technology. Qualys delivers the technology part of the ROC through its Enterprise TruRisk Management (ETM) platform. However, effective risk management goes beyond deploying technology. It demands the right combination of expertise, strategic alignment and continuous monitoring – the people and process parts of the equation.
In conversations with our customers, we recognised that many of them struggle with the required basics of a ROC, such as cyber-risk quantification, technology integrations, remediation and prioritisation. They need the right kind of support from trusted partners. That’s why we launched the managed ROC (mROC) Partner Alliance to scale the ROC model through a network of experienced MSSPs and GSI partners, making business-aligned cyber-risk management accessible to more organisations. This initiative equips partners to deliver tailored consulting services, leveraging industry-aligned risk models and actionable strategies for risk mitigation or transfer. Through the mROC Partner Alliance, organisations can now fully benefit from the people, process and technology aspects of the ROC – achieving a more strategic and business-centric approach to cyber-risk management.
How does the mROC framework differ from traditional managed security services in terms of delivering measurable business outcomes for organisations?
Think of the mROC framework as a bold reimagining of managed security services (MSS), one that moves beyond chasing threats to proactive, outcomes-driven cyber-risk reduction. The difference lies in a ‘wartime’ versus ‘peacetime’ approach. Traditional MSS and managed detection and response (MDR) models operate in ‘wartime’ mode – prioritising detecting and responding to breaches after they occur. In contrast, the ROC adopts a ‘peacetime’ approach.
It proactively assesses the overall risk and attack surface, applying threat intelligence and business context, and empowering stakeholders to make informed decisions on where to invest time and resources to minimise the chance of an attack happening. This leverages a whole different architecture and mindset, looking at your risk surface – what you stand to lose – rather than just your attack surface.
mROC delivers a unified, strategic platform that quantifies cyber-risk in business terms, reflecting the impact on revenue, brand trust and operations. Beyond the technology, mROC services incorporate continuous risk monitoring, automated remediation orchestration, and expert advisory from certified partners, enabling organisations to measure, communicate and eliminate their cyber-risk more effectively.
Why should MSSPs join the Qualys mROC Partner Alliance?
Today’s MSSPs are battling it out in an overcrowded MDR market, where standing out is tough and margins are tight. At the same time, partners are looking for ways to differentiate and grow beyond traditional reselling, which doesn’t grow revenue long-term. That’s what makes mROC so exciting – it’s not just a platform; it’s a growth engine for MSSPs looking to build new services and expand their market presence.
By partnering with Qualys and leveraging the ROC model, MSSPs can offer high-value services like cyber-risk quantification, continuous monitoring and automated remediation.
The mROC Partner Alliance unlocks new revenue streams for MSSPs, expands market reach through access to Qualys’ extensive installed base, and strengthens client relationships with strategic risk advisory services. This shift allows MSSPs to deliver measurable security value while fostering long-term trust and business growth.
Can you share how Qualys ensures consistency and quality across its mROC partners, particularly when they are operating across diverse global markets?
The good news is that while our mROC partners span the globe, the global language of risk remains the same. No matter where in the world you are, cybersecurity is essentially a risk management exercise to preserve business value. The technology we develop and the toolsets our customers use worldwide are the same, enabling us to deliver a uniform, high-quality experience across geographies.
As a company, Qualys has always operated as a truly global organisation, with sales and support teams in multiple countries, to cater to all markets. We are also very intentional in investing in partner enablement and training, leveraging regular touchpoints to engage with channel partners, equip them with more knowledge and skills, and ensure consistency across markets.
How are mROC partners trained and enabled to provide value-added services, especially when integrating third-party tools into the Qualys-powered ROC model?
Our work with channel partners is a true collaboration, grounded in ongoing, two-way communication and feedback. We’ve built an entire programme to set partners up for success. We equip them with more than just training on the technology, we also guide our partners on the business aspects of mROC, such as how to position services and go-to-market strategies. We work closely with partners to help shape their service offerings, providing access to a test platform for validation, as well as free proof-of-concept deployments for their customers. This open dialogue enables us to continually refine our offerings, promotions and initiatives based on partner input. We also host regular partner advisory councils and product roadmap briefings to keep partners informed and engaged.
Looking ahead, how do you see the mROC ecosystem evolving in terms of capabilities, partnerships and its role in addressing the global cybersecurity skills gap?
Security teams are too often stuck in a never-ending cycle of chasing low-risk issues while drowning in alerts. The ROC flips that script. It’s built to help organisations operationalise cyber-risk management by reducing redundant manual work and zeroing in on what truly matters. Rather than playing an endless game of ‘risk whack-a-mole’, teams can prioritise and remediate the vulnerabilities that have the greatest impact on reducing risk. Meanwhile, mROC partners supplement lean teams with experienced human analysts that help close the cyberskills gap. Together, these capabilities reduce the need for large internal teams, lower alert fatigue and burnout, improve staff retention, and enable existing personnel to focus on high-value work.
As technology evolves, so do cyber-risks. For example, first we saw cloud security grow in prominence, now we’re seeing AI security come to the fore, and in the future, with quantum computing, customer needs will change again. The mROC program was designed to evolve in lockstep with the shifting landscape. We have no doubt that as we continue collaborating with partners and listening to our customers, mROC will remain agile and relevant, continuously adapting to changing customer needs.
