Try our new research platform with insights from 80,000+ expert users

Lacework FortiCNAPP vs Qualys CyberSecurity Asset Management comparison

Sponsored
 

Comparison Buyer's Guide

Executive SummaryUpdated on Jan 16, 2025

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Zafran Security
Sponsored
Ranking in Vulnerability Management
32nd
Average Rating
9.6
Reviews Sentiment
8.1
Number of Reviews
2
Ranking in other categories
Continuous Threat Exposure Management (CTEM) (4th)
Lacework FortiCNAPP
Ranking in Vulnerability Management
17th
Average Rating
8.6
Reviews Sentiment
7.2
Number of Reviews
10
Ranking in other categories
Container Security (15th), Cloud Workload Protection Platforms (CWPP) (13th), Cloud Security Posture Management (CSPM) (15th), Cloud-Native Application Protection Platforms (CNAPP) (11th), Compliance Management (7th)
Qualys CyberSecurity Asset ...
Ranking in Vulnerability Management
11th
Average Rating
9.2
Reviews Sentiment
7.6
Number of Reviews
21
Ranking in other categories
Patch Management (8th), Cyber Asset Attack Surface Management (CAASM) (2nd), Attack Surface Management (ASM) (4th), Software Supply Chain Security (7th)
 

Featured Reviews

Israel Cavazos Landini - PeerSpot reviewer
Weekly insights and risk analysis facilitate informed security decisions
I appreciate the weekly insights Zafran provides, which include critical topics for networks and IT security, allowing us to evaluate which insights apply to our environment. The organization score feature is valuable to keep the leadership team updated on how our infrastructure fares security-wise. The applicable risk level versus base risk level feature is beneficial because prior to Zafran, we only used the base risk level, but now understand that risk depends on the asset itself. Zafran is an excellent tool.
Carlos Vitrano - PeerSpot reviewer
Provides quick visibility and significantly reduces alerts
Its integrations with third-party SIEMs can be better. That is one of the things that we discussed with them. We have integrations, for instance, with Splunk. The data that we are receiving in Splunk is huge, and it is valid because Lacework has a bunch of data that they can provide to you. However, to be able to import the data and create alerts, we needed to do some work, so integration is one of the things that they can improve. For container security, how they scan images and how they provide results is something that they need to continue improving in terms of visibility. We already have visibility to several artifacts, but they can take that to the next level and see what else they can do. There can be better integrations with CI/CD pipelines. There can be improvements in terms of how we can take action or how we can report from the number of inventories they are providing to us.
Revathi VeeraRaghavan - PeerSpot reviewer
Provides comprehensive visibility and covers the complete attack surface
For some of the software, there was no life cycle or general information. We wanted them to give details in the database as and when the software comes. I raised a ticket for that, and after that, they updated the details for more than one million software. They should address the false positives generated in EASM. It is fetching assets that have Infosys as the keyword. They should fix that. When we click on the web application, it only shows potential web assets. The application details are not there. Overall, CSAM has matured a lot. These are the few enhancements that need to be done.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"Zafran is an excellent tool."
"Zafran has become an indispensable tool in our cybersecurity arsenal."
"There are many valuable features that I use in my daily work. The first are alerts and the event dossier that it generates, based on the severity. That is very insightful and helps me to have a security cap in our infrastructure. The second thing I like is the agent-based vulnerability management, which is the most accurate information."
"For the most part, out-of-the-box, it tells you right away about the things you need to work on. I like the fact that it prioritizes alerts based on severity, so that you can focus your efforts on anything that would be critical/high first, moderate second, and work your way down, trying to continue to improve your security posture."
"The most valuable aspects are identifying vulnerabilities—things that are out there that we aren't aware of—as well as finding what path of access attackers could use, and being able to see open SSL or S3 buckets and the like."
"The compliance reports are definitely most valuable because they save time and are accurate. So, instead of relying on a human going through and checking or providing me with a report, I could just log into Lacework and see for myself."
"The most valuable feature, from a compliance perspective, is the ability to use Lacework as a platform for multiple compliance standards. We have to meet multiple standards like PCI, SOC 2, CIS, and whatever else is out there. The ability to have reports generated, per security standard, is one of the best features for me."
"I find the cloud configuration compliance scanning mature. It generates a lot of data and supports major frameworks like ISO 27001 or SOC 2, providing reports and datasets. Another feature I appreciate is setting custom alerts for specific events. Additionally, I value the agent-based monitoring and scanning for compute nodes. It gives us deeper insights into our workloads and helps identify vulnerabilities across our deployed assets."
"The best feature, in my opinion, is the ease of use."
"The most valuable feature is Lacework's ability to distill all the security and audit logs. I recommend it to my customers. Normally, when I consult for other customers that are getting into the cloud, we use native security tools. It's more of a rule-based engine."
"I would rate Qualys CSAM a ten out of ten."
"My favourite feature of Qualys CyberSecurity Asset Management is its ability to target missing software."
"It provides most of the information needed regarding the assets, including the operating system and whether the assets are network devices or servers."
"Overall, I would give Qualys CyberSecurity Asset Management a nine out of ten."
"The scanning results are pretty good, and some insights are quite valuable."
"I would rate Qualys CyberSecurity Asset Management ten out of ten."
"Authorized and unauthorized software visibility is the best feature for me. It helps me understand security controls on our network and where we lack visibility. With a single security tool, we are able to get an extensive list."
"I would rate the Qualys CSAM a ten out of ten for its overall performance."
 

Cons

"Initially, we were somewhat concerned about the scalability of Zafran due to our large asset count and the substantial amount of information we needed to process."
"Lacework lacks remediation features, but I believe they're working on that. They're focused on the reporting aspect, but other features need to improve. They're also adding some compliance features, so it's not worth saying they need to get better at it."
"The solution lacks a cohesive data model, making extracting the necessary data from the platform challenging. It uses its own LQL query language, and each database across different layers and modules is structured differently, complicating correlation efforts. Consequently, I had to create extensive custom reports outside Lacework because their default dashboards didn't communicate risk metrics. They're addressing these issues by redesigning their tools, including introducing the dashboard, which is a step closer to actionable insights but still needs refinement."
"Lacework has not reduced the number of alerts we get. We've actually had to add resources as a result of using it because the application requires a lot of people to understand it to get the value out of it properly."
"A feature that I have requested from them is the ability to sort alerts and policies based on a security framework. Right now, when you go into alerts, you have hundreds and hundreds of them that you have to manually pick. It would be useful to have categories for CIS Benchmark or SOC 2 and be able to display all the alerts and policies for one security framework."
"The biggest thing I would like to see improved is for them to pursue and obtain a FedRAMP moderate authorization... I don't believe they have any immediate plans to get FedRAMP moderate authorized, which is a bit of a challenge for us because we can only use Lacework in our commercial environment."
"Its integrations with third-party SIEMs can be better. That is one of the things that we discussed with them."
"I would like to see a remote access assistance feature. And the threat-hunting platform could be better."
"The configuration and setup of alerts should be easier. They should make it easier to integrate with systems like Slack and Datadog. I didn't spend too much time on it, but to me, it wasn't as simple as the alerting that I've seen on other systems."
"In my opinion, the area that needs improvement is the role-based access control (RBAC). The access privilege management needs to be more robust and streamlined to enhance user access management."
"They should address the false positives generated in EASM. It is fetching assets that have Infosys as the keyword."
"Some areas that would be helpful are more comprehensive tagging and the ability to set up better dynamic rules."
"There can be further simplification to reduce the overall noise and provide ESAM-related data."
"The Qualys CAPS service requires further exploration and improvement, particularly in its handling of protocols and reactivity with MAC and IP addresses for CAP agents."
"It is automatically exporting the vulnerabilities and the assets. However, it would be useful to have the ability to select or to filter which we would like to export."
"The UI needs improvement as it can become overwhelming after prolonged use."
"The main aspect that needs improvement is the user interface, which should be more intuitive."
 

Pricing and Cost Advice

Information not available
"It is slightly expensive. It depends on how big your environment is, but it is expensive. Right now, we are spending a lot of money. We have covered all of the cloud providers and most of our colocation facilities as well, so we cannot complain, but it is slightly expensive. It is not super expensive."
"The pricing has gotten better. That scenario was somewhat unstable. They have a rather interesting licensing structure. I believe you get 200 resources per "Lacework unit." It was difficult, in the beginning, to figure out exactly what a "resource" was... That was a problem until about a year or so ago. They have improved it and it has stabilized quite a bit."
"My smaller deployments cost around 200,000 a year, which is probably not as expensive as Wiz."
"The licensing fee was approximately $80,000 USD, per year."
"Qualys CyberSecurity Asset Management can be expensive, especially if we already have VMDR."
"Though the solution is considered expensive, if bundled with other services such as VMDR or cloud agents, its value would significantly increase. It is currently a bit costly, but with bundling, it could become attractive to more customers."
"The pricing for Qualys CSAM is nominal."
"The pricing for Qualys Cybersecurity Asset Management is reasonable, with an annual subscription costing around $1,000 per year or a monthly subscription starting at approximately $72 per month, depending on the specific package and features included."
"The cost for Qualys CyberSecurity Asset Management is high."
"The pricing is fair. I would love to see the price come down a little bit, but we do get a lot of value out of it. We are squeezing every ounce of value we can out of the tool."
"Qualys offers excellent value for money."
"It is cost-effective because, in a single tool, we are getting everything. All the solutions come in a single license or price."
report
Use our free recommendation engine to learn which Vulnerability Management solutions are best for your needs.
842,651 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Computer Software Company
14%
Financial Services Firm
12%
University
6%
Retailer
6%
Computer Software Company
18%
Financial Services Firm
13%
Manufacturing Company
7%
Healthcare Company
6%
Computer Software Company
23%
Financial Services Firm
13%
Government
8%
Retailer
6%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
No data available
 

Questions from the Community

What is your experience regarding pricing and costs for Zafran Security?
Pricing for Zafran Security is not expensive. We have a contract for five years, and the cost is lower than other too...
What needs improvement with Zafran Security?
I would like to see an integration with Check Point firewalls. It's essential for us and they are currently working o...
What is your primary use case for Zafran Security?
We use Zafran Security for threat prioritization. We establish priority to understand which risks should be patched o...
What do you like most about Lacework?
Polygraph compliance is a valuable feature. In our perspective, it delivers significant benefits. The clarity it offe...
What is your experience regarding pricing and costs for Lacework?
My smaller deployments cost around 200,000 a year, which is probably not as expensive as Wiz.
What needs improvement with Lacework?
The solution lacks a cohesive data model, making extracting the necessary data from the platform challenging. It uses...
What is your experience regarding pricing and costs for Qualys CyberSecurity Asset Management?
The Qualys Cybersecurity Asset Management pricing is well-aligned with our usage.
What needs improvement with Qualys CyberSecurity Asset Management?
Qualys is continually developing, adding new features each year. Previously, there was no on-demand scan feature in a...
What is your primary use case for Qualys CyberSecurity Asset Management?
I have been working with Qualys for approximately two and a half years. I have used this module to manage security po...
 

Also Known As

No data available
Polygraph, FortiCNP
No data available
 

Overview

 

Sample Customers

Information Not Available
J.Crew, AdRoll, Snowflake, VMWare, Iterable, Pure Storage, TrueCar, NerdWallet, and more.
Information Not Available
Find out what your peers are saying about Lacework FortiCNAPP vs. Qualys CyberSecurity Asset Management and other solutions. Updated: March 2025.
842,651 professionals have used our research since 2012.