PortSwigger Burp Suite Professional and Qualys Web Application Scanning compete in the web application security testing arena, with Burp Suite excelling in manual and in-depth testing, and Qualys leading in automation and coverage capabilities.
Features: Burp Suite Professional offers robust penetration testing tools such as traffic interception, a wide range of extensions via the BApp store, and manual testing enhancements like Repeater and Intruder. Its customization options are extensive, supporting in-depth security testing. Qualys Web Application Scanning provides comprehensive cloud-based scanning, integrates well with CI/CD pipelines, and efficiently addresses a broad spectrum of vulnerabilities, including PCI compliance scanning. It delivers scalable and accurate scans with minimal false positives, which are crucial for automated processes.
Room for Improvement: Burp Suite struggles with false positives and lacks built-in support for REST API scanning, although community plugins help mitigate this. Its resource-heavy nature and limited automation could be improved. Qualys could refine its user interface for ease of navigation and further minimize false positives. Its limited integration with AI and support for standards beyond OWASP complicate deployment, and enhancements in pricing and documentation would increase its competitiveness.
Ease of Deployment and Customer Service: Qualys Web Application Scanning provides flexible deployment across hybrid, private, and public clouds, catering to diverse infrastructures, along with praised 24/7 customer support, though customer engagement could be improved. Burp Suite, mainly on-premises, is easy to set up within existing infrastructures, though experiences with its support vary, with some users having responsive experiences while others face delays.
Pricing and ROI: Burp Suite Professional is generally seen as cost-effective, especially for manual penetration testing, with an affordable licensing model that includes a free version for individual use. This makes it appealing for small to medium enterprises. In contrast, Qualys Web Application Scanning is considered more expensive, potentially limiting scalability for smaller setups. Both products show significant ROI, with Qualys reducing web application failure rates through efficient automation, while Burp Suite provides strong manual testing value at a competitive price.
The technical support from PortSwigger is excellent.
The technical support for PortSwigger Burp Suite Professional is pretty good, and I would give it a nine.
They have various options in the vulnerability management process, and when we initially bought our license, we didn't realize we needed PCI for better results, which isn't included in the default configurations.
Once we purchase the license, we have access to top-notch support.
I have dealt with Qualys's technical support, and any enhancements are challenging.
My concern remains the lack of deep dive analysis and that it produces similar vulnerability results as other tools such as Nessus based on version checks instead of real impact checks.
At one point, there was a limitation on reporting for 100,000 assets at a time.
It is licensed for assets, so we just contact the team for additional licenses if needed.
PortSwigger Burp Suite Professional is very stable.
PortSwigger Burp Suite Professional is a very stable tool, and I would rate its stability as eight out of ten.
Some AI features might be added.
The dashboard of PortSwigger Burp Suite Professional could be made more user-friendly.
Qualys Web Application Scanning does IP-level testing, requiring direct input of credentials, and can only scan a few pages to provide known generic vulnerabilities.
With the growing reliance on AI, Qualys Web Application Scanning should be updated to handle AI-based applications and LLM-based attacks.
One area of improvement is reducing false positives by prioritizing agent findings over remote findings when there is a corresponding local agent finding.
The pricing for PortSwigger is very cheap, and there are benefits in terms of time and cost savings.
I find the price of PortSwigger Burp Suite Professional to be very cost-efficient.
They offer discounts on bulk licenses, making it cheaper compared to competitors like Veracode DAST.
I find it a bit expensive compared to other competitors.
Regarding pricing, I think for personal use, it is costly, but if organizations are ready to pay, then it is fine as they are using it.
I especially value the features for penetration testing.
The most valuable features of PortSwigger Burp Suite Professional are its ease of use and its cost efficiency.
The most valuable feature of Burp Suite Professional is its ability to schedule tasks for scanning websites.
It effectively detects vulnerabilities like the OWASP Top 10 without any issues in reporting.
Qualys Web Application Scanning is accurate and provides minimal false positives.
Credential scanning is very effective because it goes in-depth into the system, crawling the pages, and reporting on vulnerabilities.
| Product | Market Share (%) |
|---|---|
| PortSwigger Burp Suite Professional | 2.4% |
| Qualys Web Application Scanning | 1.8% |
| Other | 95.8% |
| Company Size | Count |
|---|---|
| Small Business | 16 |
| Midsize Enterprise | 14 |
| Large Enterprise | 35 |
| Company Size | Count |
|---|---|
| Small Business | 8 |
| Midsize Enterprise | 6 |
| Large Enterprise | 27 |
Burp Suite Professional, by PortSwigger, is the world’s leading toolkit for web security testing. Over 52,000 users worldwide, across all industries and organization sizes, trust Burp Suite Professional to find more vulnerabilities, faster. With expertly-engineered manual and automated tooling, you're able to test smarter - not harder.
PortSwigger is the web security company that is enabling the world to secure the web. Over 50,000 security engineers rely on our software and expertise to secure their world.
Qualys Web Application Scanning (WAS) is a fully cloud-based web application security scanner. The scanner will automatically crawl periodically and test web applications to discover potential vulnerabilities, including cross-site scripting (XSS) and SQL injection. The consistent testing equips the automated service to generate consistent results, lessen false positives, and offer the ability to scale to protect thousands of websites effortlessly.
Qualys Web Application Scanning is bundled with different scanning technology to carefully scan websites for malware infections and will send notifications to website owners to assist in preventing blacklisting and brand reputation damage. As digital transformation takes place in various organizations, Qualys WAS gives organizations the ability to track and document their web app security status through its interactive reporting capabilities.
Qualys WAS empowers organizations to remediate any web application vulnerabilities quickly. Some of the key tools offered are:
Benefits of Qualys Web Application Scanning
Qualys Web Application Scanning offers many benefits, including:
Reviews from Real Users
Qualys Web Application Scanning stands out among its competitors for a variety of reasons. Two of those reasons are its progressive scan and quick detection of vulnerabilities.
P.K., a senior software developer at a tech vendor, writes, "The feature that I have found most valuable is the progressive scan. It is good. It's done in 24 hours."
Nagaraj S., lead cybersecurity engineer at a tech service company, notes, "I have found the detection of vulnerabilities tool thorough with good results and the graphical display output to be wonderful and full of colors. It allows many types of outputs, such as bar and chart previews."
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
