One of the server managers just asked a great question that I told him I'd pass along...
As the scans are done and validation/remediation work grows what tools are available in qualys to show positive remediation. Another way to put this, we've been patching and configuring but the good work my engineers are doing isn't showing up and how do we show we're not running an unpatched, mis configured system?
I explained the differences in reports, etc. but he wants to show, its started good, and is updaated in accordance with change processes. Some checks, i.e. new certificate requirments show as failing due to no 2048 certs yet, but they are 1024 which though needing updated are good according the the test.