How Qualys Is Turning Cybersecurity Into a Boardroom Conversation with ROC and mROC

In today’s rapidly evolving threat landscape, security isn’t just a technical concern—it’s a boardroom priority. That’s the central message from Sumedh Thakar, CEO of Qualys, who recently joined TFiR’s Secure by Design to introduce their latest innovation: the Risk Operations Center (ROC) and the Managed ROC (mROC) Partner Alliance.

From Reactive SOCs to Proactive ROCs

Unlike traditional Security Operations Centers (SOCs), which focus on detecting attackers already inside, the ROC is designed to proactively manage cyber risk by aligning security strategy with business impact. “The first question in risk management is always: how much?” said Thakar. “If you can’t quantify cyber risk in dollar terms, how can you justify the cost to mitigate it?”

ROC brings together asset data, threat intelligence, and business context to calculate potential financial loss. It helps organizations not only understand but also prioritize and act on the risks that matter most.

What mROC Means for Global Scale

With the launch of the mROC Partner Alliance, Qualys enables service providers to deliver ROC capabilities at scale. These partners work directly with customers—often without direct involvement from Qualys—helping them define risk appetite, tailor remediation strategies, and generate board-ready reports.

“Our partners sit with the CFO, CIO, and CISO to customize risk quantification per business,” Thakar noted. “We provide the platform; they bring the context.”

Actionable Insights, Not Just Dashboards

The ROC isn’t just a reporting layer. Thakar illustrated how Qualys helped one enterprise reduce 65 million raw findings to just 300,000 actionable risks by applying contextual filtering based on threat intel and business impact data. Without that filtering, security teams waste time fixing theoretical vulnerabilities that don’t reduce real risk, he emphasized.

Integrating, Not Replacing, Existing Tools

A key ROC advantage is its interoperability. Organizations don’t have to rip and replace current tools. “We pull telemetry from CrowdStrike, Tenable, Palo Alto, Rapid7—you name it,” said Thakar. “ROC sits atop your stack and provides you with a unique view that maximizes the ROI from the investments you’ve already made in those other tools.”

The Role of Agentic AI

GenAI and agentic AI are being used within ROC to triage vast amounts of security data and reduce analyst workload. “Agentic AI enables automation of decision-making workflows,” explained Thakar. “It doesn’t replace human analysts—it makes them more strategic.”

Reporting That Boards Actually Understand

Ultimately, ROC reframes cybersecurity as a business risk. “Boards don’t care about misconfigurations or container scans,” said Thakar. “They want to know: what is our dollar-value risk exposure, and what are we doing to reduce it?”

Qualys even partnered with Diligent to deliver risk reports tailored for board-level consumption—focusing on risk mitigation, acceptance, and transfer.

Key Takeaway: The ROC is more than a product—it’s a mindset shift. And with the mROC partner ecosystem, Qualys is making that shift globally scalable.
