Why your SOC needs a ROC

Qualys CEO Sumedh Thakar dives into vulnerability, risk and the ROC


Qualys CEO Sumedh Thakar discusses with us why organizations need to build a Risk Operations Center (ROC) alongside their Security Operations Center (SOC). Not as a replacement, but as a strategic complement focused on proactive risk management rather than reactive threat hunting. What do organizations need to achieve this, and how realistic is it? Watch and listen to our conversation with the Qualys CEO.

Subscribe to Techzine Talks on Tour (soon to be the Techzine TV Podcast) and watch and/or listen to our other episodes via Spotify, Apple, YouTube or another service of your choice.

Speaking at Qualys’ newly rebranded ROCon conference (formerly QSC), Thakar explains that SOCs are very good at some things, but not so good at others. If you want things like 24/7 breach detection and immediate remediation, a SOC is indispensable. However, a SOC is not built to help organizations with strategic risk planning over months and quarters. For that, they need a Risk Operations Center, or ROC. As Qualys has always focused heavily on vulnerability management and therefore also on risk, it is well-positioned to offer that ROC to organizations.

From vulnerability management to risk operations

Qualys, founded in 1999, has evolved beyond its vulnerability management roots. The company now positions itself at the crossroads of multiple security disciplines: vulnerabilities, misconfigurations, and identity. The goal is to standardize all of these in one risk scoring framework, Thakar says. An important reason for going in this direction is tool sprawl: organizations drowning in disparate risk scores from many different tools, each of which speaks a different language.

Qualys’ True Risk Score platform aims to translate technical findings into business impact measured in euros or dollars. “At the end of the day, what is the need for a dashboard?” Thakar asks rhetorically. “Really what you want to be able to do is get it fixed. The dashboard is just one step along the journey.” This focus on operational outcomes over visibility alone represents a shift from what he calls “dashboard tourism”, the low-adoption fate of many security dashboards.

Prevention makes a comeback

In an industry that declared “the perimeter is dead” a decade ago, Thakar wants more focus on prevention again, without abandoning detection. Using a car analogy, he notes: “Just because your car has great brakes doesn’t mean you’re not going to wear your seat belt for preventative measures. And just because you have a seatbelt in the car doesn’t mean you’re gonna drive carelessly.”

Rather than forcing wholesale replacement of best-of-breed solutions, Qualys wants its platform to be an orchestration layer that can incorporate specialized tools while providing unified risk visibility. “Customers want to empower their teams to pick the best tool for the specific job,” Thakar says. Eliminating security tools in favor of one big tool to rule them all is a fool’s errand anyway, he acknowledges. New technologies like quantum computing will continue to spawn specialized startups.

The AI arms race

On artificial intelligence, Thakar is unequivocal: “AI is not optional anymore.” But he frames it as an equalizer rather than a silver bullet. Since attackers are already using AI to accelerate research and exploitation, defenders must leverage the same technology for triage, correlation, and prioritization. The agentic AI approach Qualys is implementing aims to reduce the time between vulnerability disclosure and remediation. That is a race that is increasingly measured in hours, not days.

Profitability over hypergrowth

When we ask him about Qualys’ relatively modest 10% growth compared to competitors posting 30%+ increases, and the relatively small size of the 25-year-old company, Thakar points to the company’s focus on profitability. With a 47% EBITDA margin, the best in the industry, he emphasizes, Qualys prioritizes sustainable value creation over land-grab expansion. “Different companies have different top lines,” he notes. He thinks Qualys is on the right track and points to superior stock performance and earnings per share as evidence that the market values its balanced approach.

Watch the full interview in this episode of Techzine Talks on Tour (soon to be the Techzine TV Podcast) to understand how the Risk Operations Center concept might reshape your security organization’s structure. Also gain an understanding of why standardizing risk scoring could finally give CISOs the business language they need to justify security investments to the board.


Techzine Talks on Tour becomes Techzine TV Podcast

Starting 1 January 2026, Techzine Talks on Tour will be rebranded as the Techzine TV Podcast. As we add video to every podcast we record, we think it makes more sense to cluster everything around our newly-launched Techzine.tv platform. If you don’t like watching conversations but rather listen to them without video, that will remain possible. The Techzine TV Podcast will be available on Spotify, Apple and many other podcast platforms. Just search for Techzine Talks on Tour in your favorite podcast app.

Our commitment to our listeners and viewers hasn’t changed. We aim to publish interesting conversations with leaders in the IT space. Tell us how we do by leaving a comment or rate us. We are always looking to improve, but obviously also like to receive a compliment every now and again.


Get in touch

We hope you like this podcast series. If so, please let us know. If you have suggestions on how we can improve, we would like to hear those too. We’re also open to suggestions around specific topics, or specific people that want to appear in an episode of Techzine Talks on Tour. You can find both Coen van Eenbergen and Sander Almekinders on LinkedIn, or you can send an email to info@techzine.eu.