Qualys CyberSecurity Asset Management Reviews

The asset management part is very simple and essential. When examining vulnerabilities on assets, having information about those assets is crucial. It is very difficult to see remediation options without knowing details about the asset, such as whether the operating system is end of life. The detections are excellent at finding Windows 11, Windows 10, and Windows Server, but they are not very effective with other systems. While you can have a CMDB, Qualys CyberSecurity Asset Management was particularly effective because the information was available exactly where needed. This enables automation and quick access to necessary answers.

One of the significant challenges Qualys is discovery, which I know Microsoft excels at. I can't recall how well Qualys performs this function; it seems I might be missing some details. However, if there's one key aspect to focus on, it's discovery—the ability to identify assets that you are not aware of, even when you can see they are present. Understanding what those assets are is crucial.

With Qualys CyberSecurity Asset Management, it was very difficult to extract detections from the system. The features within Qualys are limited to what they have developed. Sometimes a complete overview is needed to push to a Power BI dashboard, Splunk, ServiceNow, or other platforms. The export process is incredibly challenging. We needed a developer to write a hundred-line Python script that would loop over certain assets due to export limitations.

Qualys CyberSecurity Asset Management could improve its integration capabilities. While it generates substantial data, correlating it with other data sources can be challenging. The export process is difficult, and pre-built integrations with other tools could be enhanced for better process implementation.

As a consultant, my usage varied depending on the client, but I worked with it for approximately two years. I changed companies three months ago, and at my current workplace, we are not using Qualys CyberSecurity Asset Management.

It is stable.

The solution is highly scalable, almost limitless. Being a cloud solution, it simply requires pointing to IPs for scanning.

The alternative solution I used was Tenable. I used to prefer Tenable, thinking of Qualys as the underdog. However, after working more with Qualys, I’ve come to appreciate it more. It's not because it’s more powerful or because it doesn’t have any issues or better features, but because it is more transparent.

Tenable is very easy to use, but it doesn’t provide a clear understanding of its inner workings. In contrast, Qualys can be more complex to use due to its numerous settings and the need for additional training, but at least it gives you a clearer idea of what it does. Comparing the two is challenging. Tenable is more powerful, but whether that power is necessary depends on your specific needs. I acknowledge that Tenable is more expensive, as it requires purchasing additional modules. Overall, Qualys is a great option.

I haven't been a part of the deployment. I've only been part of existing setups because I came in as a consultant for companies that already had it set up.

Learning it was quite straightforward due to the availability of free training materials, which Tenable does not offer as their training is very expensive. The learning curve was manageable as all necessary materials were provided to learn the required functionality.

At one client, there was an entire team dedicated to vulnerability management and Qualys CyberSecurity Asset Management maintenance. While I focused on vulnerability management, implementing results, creating processes, and organizational implementation, they handled the tool maintenance. Based on this experience, I would estimate it requires significant maintenance, though my role was different from the maintenance team.

We are currently using a cheaper solution, and I sometimes get the feeling that our solution is less stable. When things go wrong and you don't get the expected results, it becomes very difficult to figure out why or what happened. I believe that the stability and reliability of Qualys offer great value for the money.

I don’t know the exact pricing. From what I understand, Qualys is a bit cheaper than Tenable but more expensive than some other solutions available. Overall, I think it’s one of the best options out there, although it is on the pricier side. Nevertheless, I believe its pricing is fair given the value it provides.

The vulnerability management aspect differs from penetration testing, which focuses on configurations rather than vulnerabilities. From a hacker's perspective, 'living off the land' involves exploiting existing configurations without utilizing vulnerabilities. This might include users having inappropriate access to files and folders, violating least privilege principles. Vulnerability scanners can detect CVEs but struggle with identifying misconfigurations or IT hygiene issues, which attackers can exploit.

Regarding CMDB and CSAM, they serve different purposes. External attack surface management focuses on domains and URLs owned by a company, while CSAM handles internal asset management. The EASM module can be valuable independently.

I would rate Qualys CyberSecurity Asset Management an eight out of ten.

Public Cloud

Microsoft Azure

We use Qualys CyberSecurity Asset Management mainly to build up our inventory so we can ensure we have all our scans in place for all our assets. We use it for remediation, dashboarding, and reporting on how effectively we are remediating across the enterprise. Additionally, we use it to determine whether there are assets we are scanning that don't have our agents on them, which helps us true up our agent distribution.

We're using EASM, though our implementation isn't optimal. We're currently working with Qualys to reconfigure it because we're seeing too many assets on the attack surface, more assets than we actually have.

For example, EASM indicates we have 700,000 assets on our attack surface. We know this isn't accurate because we only have 22,000 assets in total. There's a configuration problem creating too much noise, and we're working with Qualys to get that sorted to filter out the noise and focus on the real data.

We use this feature to convert already deployed Qualys Cloud Agents into passive sensors that detect assets connected to the network in real time. I don't have a way to measure its effectiveness. I have it enabled but cannot determine its value. This might be valuable feedback for Qualys regarding how clients can measure the value they're getting from this feature.

The CMDB Sync affects our mean time to remediation. Using the VMDR module with the CMDB, we sync our vulnerabilities to the CMDB and asset information. We receive asset owner information and application owner information, which helps us understand who we need to work with to remediate vulnerabilities. When we can pull that information from the CMDB, it's very helpful.

The TruRisk score helps me prioritize vulnerabilities and assets. The TruRisk score allows us to show where we have our highest risk. When an asset has a very high TruRisk score, it's easy to demonstrate to partners that an asset needs immediate remediation. However, when a TruRisk score is moderate or low and has vulnerabilities on the attack surface, it appears healthier than it is. Our partners might delay addressing these assets due to the lower score, despite their presence on the attack surface making them more vulnerable.

Qualys CyberSecurity Asset Management enables us to identify end-of-life and end-of-support software.

Qualys CyberSecurity Asset Management has Qualys Query Language that works within itself. However, when switching to other modules the QQL either doesn't work or requires a different query to access the information, including in dashboards. They need to make their query language universal across the entire product so when using one module and making a query, it doesn't require changing the query to work in another module.

The stability has decreased significantly on the product in the last couple of months. It takes considerable time to log into the product, and sometimes access is denied. Screens take long to load and occasionally crash. The product stability has notably declined over the last two months, and the performance to fulfill a page request is very slow compared to its previous performance.

I've been using Qualys CyberSecurity Asset Management for approximately 10 months.

The stability has decreased significantly on the product in the last couple of months. Other clients and customers have similar complaints, and Qualys is aware. It takes considerable time to log into the product, and sometimes access is denied. Screens take long to load and occasionally crash. The product stability has notably declined over the last two months, and the performance to fulfill a page request is very slow compared to its previous performance.

Since it's a SaaS app for us, we don't see the scalability on our end, except through our user base using it. When they moved to their new instances, it doesn't seem to be scaling effectively, which manifests as performance issues.

The support has been excellent. They are responsive and effectively bring in the appropriate resources to help solve problems.

Neutral

We use alternatives to Qualys CyberSecurity Asset Management. We have a CMDB with ServiceNow and a tool called Axonius. Axonius is an asset aggregation tool with numerous connectors. It can connect to systems such as Active Directory and various other systems, then aggregates the data it sees from these different systems. We're doing extensive tagging to identify our asset owners and classify our assets. Axonius has a different view than Qualys. Qualys CyberSecurity Asset Management scans everything in the network, but we haven't set up the AD connector yet, though it's available.

The initial deployment of Qualys CyberSecurity Asset Management was relatively easy. It required some time to complete, but the deployment process was straightforward.

One person was required for this deployment.

It took approximately one month to set up Qualys CyberSecurity Asset Management, configure it, and have it providing value.

We're paying a premium for Qualys CyberSecurity Asset Management. It's an expensive tool. We had to pay significant additional money to buy CSAM. It's a foundational item that should have been included in our base subscription with VMDR. It's a major concern for my CISO. We purchased it because it adds substantial value, but it should be included with the base product.

We use alternatives to Qualys CyberSecurity Asset Management. We have a CMDB with ServiceNow and a tool called Axonius.

We use tagging extensively in Qualys CyberSecurity Asset Management. Based on my experience with this solution, I rate it 8 out of 10.

Public Cloud

Other

I use it primarily with tagging, asset counts, and groups that we can put them in, and we also use it to tell if a device has been merged and seen in Qualys CyberSecurity Asset Management, so that's beneficial for us too.

I use it primarily with tagging, asset counts, and groups that we can put them in, and we also use it to tell if a device has been merged and seen in Qualys CyberSecurity Asset Management, so that's beneficial for us too.

I think Qualys CyberSecurity Asset Management could provide more capabilities for us to be able to manually merge a device if we know that it's the correct device. We appreciate that, but the GUI is a bit cumbersome. I know they redesigned it, but we don't really have any ability for cloud agents to see a history of logins and a history of scans. I would love a history; the activity log is problematic. It just takes so long to actually get in there and do some work. In general, I use Splunk for capabilities that I just can't seem to get out of Qualys CyberSecurity Asset Management. They pull in Qualys information and I have all these capabilities of searching, filtering, and other features that just for instance, all the scan data, they pulled into Splunk. Now I know the scan, the time, the option profile, all that good information, but I couldn't do that inside Qualys CyberSecurity Asset Management. I would much rather have it in Qualys than have to pump it over to Splunk, so we use Splunk quite a bit for our vulnerabilities and reopenings and other concerns.

For room for improvement, I would like to see more capabilities to be able to manually merge devices, a history of logins and scans, the activity log could be improved, support ticket priority, and sorting and filtering of the columns. The activity log is terrible. Additionally, we're trying to get authentication completed, but I'm having a difficult time authenticating Linux to a domain, so I'll probably be contacting my TAM or support.

I have been using it for five years, the whole time I've been here.

I haven't seen any lagging, crashing, downtime, or any sort of instability; we watch the notifications, so for the most part, we haven't really had any major outages other than when we tried to renew and we didn't get the renewal in, which cut off certain modules that we couldn't get into. That was the only major issue.

Qualys CyberSecurity Asset Management is fine for scalability because we're at maybe 17,000 assets, so there is no issue there.

I have contacted the technical support or customer support. It was terrible for a while, but now it's better because we actually get answers back pretty quickly. I don't like that we can't increase the priority of a ticket; we can't escalate it unless we escalate it to our TAM, but that's kind of a pain in itself as well.

If I were to put the support on a scale from 1 to 10, I would give them an 80%, something like that, which is about an eight.

Positive

I did not use anything before Qualys CyberSecurity Asset Management.

The initial deployment of Qualys CyberSecurity Asset Management was set up when I came online, so I have no experience with setting up a Qualys environment from the start.

I do not have a favorite feature.

I do not know if Qualys CyberSecurity Asset Management identifies all other risk factors for our assets in addition to vulnerabilities.

We don't use CMDB Sync, which is a feature that they have.

As far as I know, it covers all of our domains regarding External Attack Surface Management.

We haven't actually gone to TruRisk yet; we're kind of in the middle of getting that set up. We're probably just beginning in many ways.

We used passive sensors a couple of times, but we just couldn't get them placed where we needed to get them placed. They were giving us all kinds of incorrect IPs, so we stopped.

I don't think it was difficult at all when I first started using Qualys CyberSecurity Asset Management.

I'm still somewhat learning about it, but I do remember how long it took me to fully understand the interface and all the intricacies.

There's no maintenance on Qualys CyberSecurity Asset Management, as far as I know, other than our own.

I would rate this product a 9 out of 10.

On-premises

Other

Qualys CyberSecurity Asset Management is definitely good for a big company. It really helps you keep an eye on your whole environment rather than little pieces here and there throughout your tech stack. It really lets you be able to manage everything in one location.

I use Qualys CyberSecurity Asset Management to pull up the end-of-life and end-of-support software to make sure that those that are expiring get remediated and remove any vulnerabilities that are there. I'm looking forward to being able to bring it on full-time to enable the Cloud Agent Passive Sensor to be able to turn all the cloud agents into passive sensors themselves. I also appreciate the EASM aspect of it to check out the external threats that are there and be able to remediate those before they become a problem.

The end-of-life and end-of-support features of Qualys CyberSecurity Asset Management have come in really handy. Our IT department isn't staying on top of that too much and so we've had some that have been end-of-support for quite a while and that just leaves us vulnerable.

The open ports and any certificates that are coming either coming at end-of-life or expired are factors that Qualys CyberSecurity Asset Management definitely identifies, so it definitely helps close that gap.

The TruRisk score helps me to identify and prioritize vulnerabilities and assets by giving me more than just one factor in determining what is most at risk and what is a lower priority. Just because a CVSS score is high doesn't necessarily mean it should be a high priority based on all the other factors that the TruRisk score takes into account.

The quality at times of the technical support or customer support for Qualys CyberSecurity Asset Management is not as fast as what you would it to be. If you have an issue out there, I don't really know if it's so much related to the support or if you're going through your account manager also for the remediation. But that can be a little slow at times.

There have been a couple of times where Qualys CyberSecurity Asset Management wasn't accessible and I'd reach out to our TAM and they'd say, 'Qualys is down.' They say, 'We'll let you know when it's back up.' Of course, they never let you know when it's back up. You just keep trying later on and then eventually it comes back up. It's probably gone down maybe about five or six times since I've had it.

Nothing can be identified offhand regarding improvements for Qualys CyberSecurity Asset Management. I've been pretty impressed with everything so far. There have been no problems as far as I can tell with the CMDB Sync feature.

As always with any product, you always want it to be as cheap as possible, but since I don't manage the purse strings, it doesn't really affect me too much, but Qualys CyberSecurity Asset Management works with you on the pricing and there are always incentives and discounts available depending on the time of the month or year.

Neutral

At my old job, we were just bringing on Tenable as an alternative to Qualys CyberSecurity Asset Management. I didn't get a whole lot of trial time with Tenable, but the biggest differences that come to mind are that Qualys CyberSecurity Asset Management is fairly easy and intuitive and if there are any questions while you're on something, there's generally a little icon you can hover on to get more information regarding it and then it helps you pick what you're looking for.

It was actually pretty easy to deploy Qualys CyberSecurity Asset Management. We got Qualys right after I started on the security team and I was the one for our side that rolled it out to all the sites and got it stood up.

After all the sessions with the onboarding team for Qualys CyberSecurity Asset Management, it took about a few months to fully set it up to a working condition.

I was the only person required for this type of deployment of Qualys CyberSecurity Asset Management.

The only advice I have for new users on how to start with Qualys CyberSecurity Asset Management is that the only way that you eat an elephant is one bite at a time. There's a lot of things that need configuring and a lot of things that can be done through the system, and it can seem overwhelming. Just do one thing at a time. Check out the best practices for setups and definitely utilize your account managers, especially when first onboarding, to set up those onboarding calls to make sure that the main priorities that you're looking for get set up. On a scale from 1 to 10, I would rate Qualys CyberSecurity Asset Management an eight overall.

We use Qualys CyberSecurity Asset Management to manage our cybersecurity asset count, to manage the count of our cloud assets, our on-prem assets, our data center assets, as well as our endpoints. 

We use it for CIS benchmarking. It helps us with security because it allows other security teams such as incident response to quickly view a workstation and look at some of the telemetry data. 

The TruRisk score helps us identify and prioritize things to fix first since you can't fix everything, so it's really important to prioritize the tasks that will make a difference.

The comprehensive view that Qualys CyberSecurity Asset Management gives us on our assets enables us to go to a single screen and get a good idea of our holistic asset count. This was a problem before. In cybersecurity for us on the vulnerability management team, we couldn't patch what we couldn't see. Qualys CyberSecurity Asset Management provides us with the ability to see everything. 

It de-duplicates findings and helps you understand what the vulnerabilities from your external scans and your external attack surface management are and how they connect to the vulnerabilities on your internal scans. 

It gives us a holistic asset view, a very comprehensive asset inventory, and a cybersecurity-owned asset view, eliminating the need to connect to other teams or ask IT teams for information.

We're only licensed for CSAM, VMDR, and FCA. So it also does help us with configuration assessments. So we use it for CIS benchmarking. In general, it does help us overall with security as it allows other security teams like incident response to quickly view, for example, a workstation and look at some of the telemetry data. We have the Qualys agents deployed. So we can see a lot of information about the machine, the user, the IP, disk size, and installed software, all of that useful information can be used in many different aspects of our security team.

The main benefits that we have seen from using CSAM in our environment include a holistic asset view, a very comprehensive asset inventory, and a cybersecurity-owned asset view. We don't need to connect to other teams or ask IT teams for. It's something that we can see on our own that we can manage and maintain on our own, and we can also help enrich the CMDB data that our IT team may own.

The solution's true risk scoring help prioritize vulnerabilities and assets. We're not chasing CVE scores. Often, the CVE could be higher critical, however, depending on where it is, what machine it's on, it may not be that important. So the TruRisk score helps us identify and prioritize things to fix first. You can't fix everything. So it's really important to to prioritize the stuff that really will make a difference. 

The UI and menu navigation has improved significantly, however, the menus could still be clunky, making navigation within the assets challenging.

We have been using Qualys CyberSecurity Asset Management product for about three or four months.

We haven't had any stability issues.

We have not faced any scalability issues.

Qualys's customer service stood apart based on their responsiveness, customer support, ability to address pain points, and their approach during the negotiation process. It was very impressive, and they were on top of everything.

Positive

We didn't have anything similar to Qualys CyberSecurity Asset Management.

The initial setup was straightforward. The deployment process went very well. We actually utilize a newly formed deployment team. We had someone from Qualys and had three calls a week during the deployment phase where we met with that person and kinda of went through the steps, went through how we're deploying, and went through any pain points. So it was excellent.

We're using the endpoint agents for all of our end-user devices, and we're using scanners or appliance scanners for all of our data centers, and then we're using the cloud connector for all of our cloud environments, like Azure and AWS.

Someone from Qualys's newly formed deployment team helped us with the implementation.

We purchased it through a reseller and the pricing was reasonable. We received Qualys CyberSecurity Asset Management included in our licensing at no cost for the first year.

We conducted a POC with Qualys and Tenable. From a product standpoint, they were pretty evenly matched, however, Qualys stood out because of their customer service and responsiveness.

We do have Qualys scanners deployed in our data centers, however, since this is a fresh deployment, we haven't had to convert anything. Everything's being deployed net new.

We don't use any of the passive network sensors yet. We have plans to deploy them. Currently, all we have deployed are the endpoint agents. We have the data center scanning appliances deployed, and then we also have the cloud connectors deployed. So we don't have any of the network passive sensors deployed yet.

Here's what I would say to someone a colleague at another company who says that they only need to add external attack surface management for their vulnerability management detection, but they don't need to to go the full depths, you know, the system offering: first of all, I don't even think you can add external attack surface management without CSAM. They're a hand-in-hand product. Second of all, you can't correlate your internal scan assets with your external tech service assets if you don't have CSAM. So it really helps deduplicate findings. It helps you understand what the vulnerabilities from your external scans and your external attack surface management are and how they connect to the vulnerabilities on your internal scans.

I'd advise others to deploy endpoint agents or cloud agents to get the most comprehensive view. Take your time with the deployment for accuracy. The deployment effort directly correlates to its effectiveness. 

Qualys CyberSecurity Asset Management is a Ferrari. If not configured properly, it performs as a Ford engine. 

I rate Qualys CyberSecurity Asset Management ten out of ten.

Hybrid Cloud

Other

We use Qualys CyberSecurity Asset Management mainly for asset management consolidation because we are using different tools. We have around 256 locations and 480 sites. We have created multiple platforms and are managing all the assets through Qualys CyberSecurity Asset Management.

We primarily focus on discovering and assessing vulnerabilities in internet-facing assets, web servers, and cloud services. Our activities include DNS enumeration, web crawling, and enhancing transparency in our processes. In the automotive sector, we also work with IT and OT devices. We assess the vulnerabilities of critical assets based on their contributions and potential exploits related to physical security. Our team checks for payload validations and actively monitors for exploitation attempts.

Additionally, our software team continuously monitors asset vulnerabilities, feeding this information into our Security Information Management (SIM) and vulnerability management systems, as well as Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) platforms.

The main thing I appreciate about Qualys CyberSecurity Asset Management is the cloud environment while tracking software and zero-day vulnerability risk, alongside asset discovery and tagging, as well as attack surface management. This is mainly focused on hardware and software assets across all on-premises and cloud environments, where we are tracking the lifecycle states and identifying vulnerabilities and everything related to risk management.

Integration of Qualys CyberSecurity Asset Management, particularly with ServiceNow, takes a very long time, and it needs prioritization of patch rules based on vulnerability risk. It should support complex environments, including MSP domains and multi-tenant setups.

The initial setup can be complex and requires coordination between IT and security teams, as API integration takes significant time. We have faced limitations on patch frequency control and legacy system support multiple times.

Additionally, the discovery elimination for unknown assets in CSAM should be enabled, as the discovery platform didn't segregate values properly when we are doing IT and OT assets. Furthermore, effective integration with CMDB such as ServiceNow for asset synchronization and a strong classification of risk scoring needs to allow us to focus on high-risk assets.

I have been using Qualys CyberSecurity Asset Management for around eight months.

We haven't observed any significant issues in the service. There were some issues about six months ago, but since then, it's been fine. Occasionally, we experience slowness, which might be a network issue on our end, but we only faced slowness once in the last six years, and that issue was addressed effectively.

We have a ticketing system in place and an internal team. Additionally, we have a technical account manager assigned from Qualys. Whenever we need support, we coordinate directly with this manager, and the Qualys support team assists us as needed, which happens occasionally.

I am happy with the quality and speed of the support provided by Qualys. We frequently reach out for support regarding different applications such as vulnerability management and web application scanning, especially given that we use multiple solutions for various clients. The support includes telephone availability, live chat options, and a solid support ticketing system. Additionally, the certification provided by Qualys has been beneficial for my SOC team, helping them with demo training and certification programs. We escalate incidents through the customer support portal for ongoing support tickets.

Positive

We also use BeyondTrust and TrapX. TrapX is suitable only for a very limited range of assets. It is primarily designed for the IT sector and may not be appropriate for other industries, such as automotive or healthcare, where multiple devices are involved.

When working in a small environment, everything tends to run smoothly. However, in larger and more distributed IT environments, especially at the lower tiers, challenges arise in compliance tracking and asset visibility. Initially, when we deploy these systems, we face multiple difficulties, particularly in coordinating with the support team. We have a technical account manager in place, and I hope they can help us navigate these issues more effectively.

For initial setups in smaller environments, everything is manageable. However, when scaling up to larger and distributed IT environments, there are significant challenges. For instance, the processes for asset visibility and content stacking can be quite complex. Automated tagging and continuous updates are essential for reducing manual asset management and enhancing the vulnerability prioritization process. Currently, significant initial configuration is required, along with software categorization and detailed reporting. In our work with a client, we would have customer calls for deployments, which would often coincide with support calls. Unfortunately, the documentation provided was not user-friendly, making it difficult to check and follow the necessary procedures.

For vulnerability management, we have a good price. We have a solid deal in place for the first and second years. However, as we expand to multiple locations, the pricing varies. For some clients, we have been able to adjust the pricing downwards due to lower costs for certain applications.

The risk score and asset evaluation are primarily based on multiple factors, including the asset criticality score and the Qualys Detection Score (QDS) for vulnerabilities, as well as their severity levels. Additionally, we consider the Asset Criticality Score (ACS) to reflect the value of critical assets. The QDS is also used for the Common Vulnerability Scoring System (CVSS) base score and to assess exploits, while checking on the maturity level and mitigation controls in place.

I would rate Qualys CyberSecurity Asset Management a nine out of ten.

Private Cloud

Other

I am clear and have used Qualys CyberSecurity Asset Management earlier, focusing on VMDR and web application scanning only, as I used it only for those two modules, while acknowledging that it has many other modules. We specifically use AWS.

As a user, whenever I'm doing testing, it's nice to have a scanner that can simplify my job. The results I get are really helpful in reducing the amount of time I need to spend and gives me more time to focus on particular things.

The best features of Qualys CyberSecurity Asset Management include its ability to scan and consider each and every endpoint based on the target we have given. This makes it stand out. When I use Burp Suite for identifying any version-related vulnerabilities or any vulnerabilities, I get almost 90% false positives, whereas Qualys CyberSecurity Asset Management provides accurate content that identifies all the endpoints, making it better in that way. The review results for finding vulnerabilities and reporting also show that Qualys CyberSecurity Asset Management identifies most of them; although there are still false positives, it's not 100% perfect. However, compared to other scanners, Qualys CyberSecurity Asset Management is the best.

The user interface is friendly and looks cool. Others can be very difficult to use, and also difficult to map; in Qualys CyberSecurity Asset Management, everything is easy to understand. The fact that I didn't need external resources such as YouTube videos, unlike other tools, is a great feature. In addition to vulnerabilities, it helps identify other risk factors for my assets, with fast support when issues are raised.

When I started using Qualys, there was no one there to teach me, so I went online and did it myself and got certified. One can easily understand the technology.

As of now, the support, results, and low false positives do not necessitate changes.

I have more than three years of experience with Qualys CyberSecurity Asset Management.

I would rate stability at nine out of ten. 

We haven't experienced downtime or bugs, which led us to shift from other scanners to Qualys CyberSecurity Asset Management.

Regarding scalability, I'm uncertain if the organization expects using it with more than 15 users, however, it definitely makes my job easier.

I rate support at a nine out of ten due to the immediate assistance provided whenever there is an issue. When issues get raised, support is very fast.

Positive

We've used other vendors, like the Burp Suite and Nessus. The user interface is very good in Qualys. The mapping is harder in other solutions.

The deployment was not complex; when I joined, the company had already been using Qualys CyberSecurity Asset Management, and I didn't deploy or implement anything; I just received access in my second year after demonstrating my personal progress.

Qualys CyberSecurity Asset Management saves about 20% of my time during pen testing, allowing us to complete tasks in 3.5 days instead of five.

I did not use the CMDB Sync feature. As a pen tester, I want a scanner that simplifies my job, and Qualys CyberSecurity Asset Management is the only scanner that meets that need. Without it, manual checks would take five days for complete pen testing, but now, using the results, we can complete it within 3.5 days, reducing my time by almost 20%, allowing me more focus.

I did not use the external attack surface management module. I would recommend Qualys CyberSecurity Asset Management because it is easily understandable, requiring no guidance if someone knows cybersecurity terminologies, allowing them to initiate scans directly. I can't think of negative points at the moment, as I haven't used other scanners recently, though I am examining HCL AppScan documentation. I believe that integrating any AI module into Qualys CyberSecurity Asset Management would be beneficial, especially to simplify technical support interactions since AI is becoming commonplace in other scanners.

I would rate Qualys CyberSecurity Asset Management a ten out of ten overall.

Public Cloud

Amazon Web Services (AWS)

I have been working on Qualys CyberSecurity Asset Management for the last four years. I used Qualys CyberSecurity Asset Management for multiple purposes, working in both infrastructure security and application security. The inventory was huge because the client I was working for is one of the biggest mining industries in the world, with an inventory count of almost 300,000 to 400,000 applications and more than 10,000 to 12,000 infrastructure assets. The infrastructure was quite large and very systematically organized.

I was working for a company whose client was this mining industry, so I am a third party to the end client.

Qualys CyberSecurity Asset Management is good enough to differentiate different kinds of assets, whether applications, computers, or servers. There are categories to differentiate all of them, making it easier to manage this kind of infrastructure.

One thing that I particularly liked about Qualys CyberSecurity Asset Management is that it has a very broad classification of different kinds of assets, which is very helpful to manage. The ticketing functionality that it has to manage all these kinds of infrastructure makes it easier to work on different kinds of problems that these large inventories face. It is mostly scalable and quite a good option.

The inventory count was really huge, and doing it manually or using other options would have been difficult. We considered ServiceNow at that time, which was a good option. However, having real-time scanning and all those things in one single solution makes Qualys always the best option. Getting different kinds of modules and inventory in one solution is good enough.

TruRisk scoring was enabled, and we had integrated ServiceNow with Qualys. All findings from Qualys used to go into ServiceNow, where we had our own scoring system. For example, if an asset is critical to the organization and has a risk scoring as critical but is also exposed to the internet, we would have two different kinds of risk scores. We did not consider directly using the Qualys TruRisk score but instead used custom scores of our own, which worked well enough.

I deployed a few Cloud Agents on both Linux and Windows machines for scanning purposes. It was a cloud-based SaaS solution.

Qualys CyberSecurity Asset Management has been satisfactory to me as of now. However, if the user interface might be changed, that would be better.

I have been working on Qualys CyberSecurity Asset Management for the last four years.

ServiceNow was one solution that we were trying at that time, and it was a good option.

Earlier, we were four team members, and later on, mostly two to three of us used to be engaged in the kind of work that was needed on a regular basis. Otherwise, almost 70 to 80 percent of the time is saved using this solution.

Qualys CyberSecurity Asset Management is moderately good, while Rapid7 is slightly much better. However, if you are asking about multiple kinds of services and which vendor offers the best in terms of multiple services, Qualys CyberSecurity Asset Management is better in that regard. For accessibility, Rapid7 is better.

If companies implement it, it is always good. I am satisfied with the current offering.

My overall review rating for this solution is 8 out of 10.

Public Cloud

Other

I use Qualys CyberSecurity Asset Management for vulnerability management and patch management, as it gives me a global view of our infrastructure, including what is installed and what assets we have. As we always say, before securing your infrastructure, you need to know what you have. I use Qualys CyberSecurity Asset Management to obtain this global view of our infrastructure.

I recently implemented external attack surface management and have not yet explored it extensively. I'm in the process of discovering its features over time; I began monitoring our subdomains and websites from an external view about a month ago. Therefore, I don't have a detailed answer regarding its effectiveness yet. I am still in the early stages of implementing the external attack surface management solution. We haven't reached a point to provide feedback or evaluate how well it has helped us discover any previously uncovered assets in the vulnerability management program. I am currently working on this and plan to present my findings to our IT leadership.

In addition to identifying vulnerabilities, Qualys CyberSecurity Asset Management monitors our infrastructure, including tracking certificates and user access to assets. This information is useful in our IT department for compliance purposes.

The TruRisk scoring feature of Qualys CyberSecurity Asset Management helps prioritize vulnerabilities and assets, offering more information than traditional metrics, where we usually focus only on severities four and five. By examining TruRisk, we find vulnerabilities of severity five that might not be as dangerous as they appear, allowing us to target the exact vulnerabilities we need to fix better than just relying on severity alone. However, not all IT departments may focus on TruRisk, as most tend to adhere to traditional approaches.

I utilize the CMDB sync feature in Qualys CyberSecurity Asset Management. I want to mention that previously, in my last position, we used traditional CMDBs, but now we synchronize the CMDB with Qualys. This correlation with other information in Qualys, the VMDR module, gives us better visibility and correlation between our asset inventory and our vulnerability inventory.

The correlation between the VMDR and CMDB in Qualys CyberSecurity Asset Management affects our meantime to remediation significantly. If there is a vulnerability in one software, the CMDB correlation can provide all assets with this vulnerable software, allowing us to deploy remediation efforts efficiently and focus on the exact assets that require attention.

One of the useful cases for Qualys CyberSecurity Asset Management is during compliance or audit missions, where we need to report on assets with specific software. For instance, if we need to confirm how many assets comply with our software whitelist, Qualys CyberSecurity Asset Management greatly assists us in obtaining these reports quickly and with enhanced visibility of information.

I mainly appreciate Qualys CyberSecurity Asset Management for its patch management capabilities, which are essential in my job for deploying patches and remediating vulnerabilities. While deploying patches, I utilize Qualys CyberSecurity Asset Management to identify exactly which assets are vulnerable and which require new software installations or updates. One thing I appreciate about Qualys CyberSecurity Asset Management is that it is user-friendly; the interface is easy to navigate, and it provides extensive information. Before using Qualys CyberSecurity Asset Management, I relied on multiple applications for information, but it consolidates all that information from different platforms into one solution.

Qualys CyberSecurity Asset Management continues to improve and get better day by day, particularly with enhancements dashboards. I encountered a few problems while using Qualys CyberSecurity Asset Management, particularly regarding software inventory management. I primarily check for deployed updates; however, sometimes both updates and software types appear together on one list, making it hard to differentiate. For example, when I review what's deployed on my laptop, I see Microsoft software, Windows updates, and other software mixed together, resulting in noisy reports. 

Additionally, I find that while information is available regarding which users have access to our servers, retrieving it often requires checking servers individually rather than obtaining a consolidated extraction when needed. These two use cases are beneficial, but improvements in these features would be greatly appreciated.

I have been using Qualys CyberSecurity Asset Management for two years.

The scalability of Qualys CyberSecurity Asset Management system is satisfactory. It is indeed scalable. 

I have previously worked with Qualys technical support, and they were quite helpful and responsive, providing us with the exact solutions we needed when we reached out for assistance. I would rate the tech support of Qualys a perfect ten out of ten for their performance.

Positive

I have worked with different solutions associated with the CMDB, and for patch management.

We utilize the cloud version of Qualys, which is hosted on AWS. I haven't been involved in the purchasing or initial setup of this part.

Regarding the deployment of Qualys CyberSecurity Asset Management, I did not work directly on the project. I typically find that the project is already completed, so my role involves deploying the Qualys agent. I think this process is smooth, as my colleagues who manage the project have not reported any significant problems.

To a colleague at another company who believes they only need external attack surface management for their vulnerability management and detection response program, I would advise them to fully utilize Qualys CyberSecurity Asset Management for a better experience. By using all its features, rather than limiting themselves to just external attack surface information, they can gather more comprehensive information that can enhance their job performance.

For organizations considering Qualys CyberSecurity Asset Management, my advice is to fully utilize all the features available to maximize the experience. By leveraging all information provided, IT professionals can enhance their operations since every detail matters, and more information generally leads to better outcomes.

I would rate Qualys CyberSecurity Asset Management an eight out of ten.

Public Cloud

Amazon Web Services (AWS)

I use Qualys CyberSecurity Asset Management for management, cycle life, analysis, cataloging, enumeration, classification, and remediation.

I am using Qualys CyberSecurity Asset Management for managing assets with Qualys and CMDB, along with business intelligence for classification and extraction for information classification. I analyze this data with TruRisk score to understand the impact on business and risk classification.

I use Qualys CyberSecurity Asset Management for looking at the network with a focus on Shadow IT. I examine network devices across the network using TruRisk score for criticality, classification, risk assessment, and cycle life in remediation.

I use Qualys CyberSecurity Asset Management for metrics to check the timeline for resolution of problems. With RSC and classification of IT and devices, this represents the best practice of business. I use the metrics for resolutions to prioritize risk score for remediation, mitigation, classification, and reporting to the CISO and the board members.

I manage the cycle life with Qualys CyberSecurity Asset Management to make the work easier in practice.

Qualys CyberSecurity Asset Management has excellent resources for asset management, and the C-SAM module is complete and powerful. It manages assets and their roles on the network, access, and classification.

The solution provides analysis and criticality with TruRisk score for management and Shadow IT detection. It creates visualization in the network for the business.

Qualys CyberSecurity Asset Management delivers positive impact through organization management visualization and control for statistics on cycle life and remediation and mitigation in application standards and business rules, such as PCI DSS, and other filters with the PC module and classification in Qualys patch for remediation cycle life.

In the best practice for categorizing assets with the C-SAM module in Qualys CyberSecurity Asset Management, I see potential for improvement with integration of other CMDB systems in creating a relationship with Qualys and other solutions. I would like to see improvements in the criticality score and TruRisk, along with KDS and those classifications for analyzing the real risk impact for business, and in the periodic checking of devices and networking.

I have been using Qualys CyberSecurity Asset Management for three years.

Qualys CyberSecurity Asset Management is stable.

The scalability of Qualys CyberSecurity Asset Management is acceptable and working well.

There are no problems with the customer support of Qualys CyberSecurity Asset Management.

Positive

Qualys CyberSecurity Asset Management is the principal solution I use currently. However, in other organizations, I have used other solutions based on different CISO perspectives and administrative cultures.

Regarding return on investment, I first look at the reality of the environment and the decrease in critical vulnerabilities with Qualys CyberSecurity Asset Management, which equals a positive return on investment.

Qualys CyberSecurity Asset Management is a perfect tool at a nine out of ten rating. A perfect tool does not exist, but I rate it a nine for its recurring increase in capability and the increase in expertise among Qualys specialists. The more expert the team, the better the results.

I work more in the organization in the on-premises environment with Qualys CyberSecurity Asset Management. I do not have difficulty, but it requires more organization for successful results. I am using only integration with AWS and Azure.

With specialists, I do not have concerns regarding price with Qualys CyberSecurity Asset Management. For me, it is only a matter of organization and the architecture implementation. My experience with Qualys is excellent. I would rate Qualys CyberSecurity Asset Management a nine on a scale of one to ten.

On-premises

Amazon Web Services (AWS)