Dear Andreas,
Can we assume that Qualys is a target application which is used by developers (Privileged Users) to do vulnerability scanning and other tasks?
If YES; Qualys is a critical resource in the organization and we don't want anybody to reach it directly, developers should use CA PAM to login to Qualys.