You mentioned we have used 100 IPs so far. But my map reports 200 hosts. How is the used-IP determined? Does it include just the hosts scanned or all the hosts discovered by map.
Anything you do with the Map is free - there is no charge and no limit to how many devices you can Map.
The Scan is per Host - but what this means depends on what you think a Host is. Typically, for nearly all our customers, it's an IP. For others it is a NetBIOS name, and for some a FQDN. Meaning you can scan a class C (254 possible targets, not counting network and broadcast) with 10 live systems in it that move around due to DHCP. The systems that move around can either be tracked by their IP (so you could possibly pay for 254 IPs) or by their FQDN/NetBIOS name, in which case you'll only pay for the 10.
This is where the difference between IPs Purchased, IPs in Subscription, and Unique Hosts Scanned comes from.
There is another side effect, unrelated to billing, to be considered when defining what a Host is. QualysGuard is able to track changes over time and report vulnerability evolution data. If you track moving targets per IP as per the above example with DHCP, having a scan report for 254 systems (when you only really have 10) makes no sense. The evolution over time of a given IP will be entirely meaningless. However, if you track by name (NetBIOS or FQDN), then a report for that range will show only 10 systems, each with their respective history of vulnerabilities.