No more typing reviews! Try our Samantha, our new voice AI agent.

Qualys Web Application Scanning vs Rapid7 InsightAppSec comparison

 

Comparison Buyer's Guide

Executive Summary

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Qualys Web Application Scan...
Average Rating
7.6
Reviews Sentiment
6.3
Number of Reviews
40
Ranking in other categories
Application Security Tools (17th), Static Application Security Testing (SAST) (14th)
Rapid7 InsightAppSec
Average Rating
8.2
Reviews Sentiment
6.7
Number of Reviews
20
Ranking in other categories
Dynamic Application Security Testing (DAST) (5th), AI Observability (21st)
 

Mindshare comparison

While both are Quality Assurance solutions, they serve different purposes. Qualys Web Application Scanning is designed for Application Security Tools and holds a mindshare of 1.7%, down 2.1% compared to last year.
Rapid7 InsightAppSec, on the other hand, focuses on Dynamic Application Security Testing (DAST), holds 5.8% mindshare, up 4.7% since last year.
Application Security Tools Mindshare Distribution
ProductMindshare (%)
Qualys Web Application Scanning1.7%
SonarQube12.4%
Checkmarx One8.2%
Other77.7%
Application Security Tools
Dynamic Application Security Testing (DAST) Mindshare Distribution
ProductMindshare (%)
Rapid7 InsightAppSec5.8%
Veracode14.5%
Checkmarx One14.2%
Other65.5%
Dynamic Application Security Testing (DAST)
 

Featured Reviews

AnkitSharma13 - PeerSpot reviewer
Security Officer at a tech vendor with 10,001+ employees
Web scanning needs improvement but offers good vulnerability detection
The downside of Qualys Web Application Scanning is that it cannot crawl automatically. If I provide an IP address and a login form, it does basic testing, but it doesn't go deep as IBM AppScan does. If Qualys Web Application Scanning could improve its crawling capability, it would be more user-friendly. Qualys Web Application Scanning does IP-level testing, requiring direct input of credentials, and can only scan a few pages to provide known generic vulnerabilities, which isn't as beneficial from my point of view. The Vulnerability Management also relies heavily on version numbers and will flag vulnerabilities based on the component version, but it doesn't check if a real fix exists, leading to flags on components that actually have workarounds available.
Shritam Bhowmick - PeerSpot reviewer
Vulnerability Management Lead at garrett
Provides reliable applications security but needs better integration options
There are areas for improvements regarding false positives. Integration capabilities are lacking, as options for integrations with other tools such as SNOW, Jira, or other integration tools are not sufficient in Rapid7 InsightAppSec. The user interface sometimes has glitches, which may prevent appropriate results during navigation, and even when we get appropriate results, it can be impossible to export them to CSV records or download files. Regarding scalability, Rapid7 InsightAppSec is not a scalable solution for our industry due to limited integration capabilities. Rapid7 relies on another tool called InsightConnect, which requires additional investment, detracting from scalability. Another area that needs improvement is the integration of AI capabilities into the platform. Both Rapid7 InsightAppSec and InsightVM need to advance in that area. In terms of behavioral and pattern recognition, identifying complex attacks such as SQL, blind SQL, JSON, and LDAP injections often results in 94% false positives. This necessitates improvement in their behavioral-based analytics feature.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"It protects against zero-day vulnerabilities, like Heartbleed."
"​QualysGuard web-based scanner is very useful for performing external penetration and PCI scans from remote locations.​"
"The best thing about this product is that it is really easy to use."
"WAS gave us visibility into our externally exposed web applications and showed us vulnerabilities that we were not aware of and did not know how to test for."
"Qualys Web Application Scanning is accurate and provides minimal false positives."
"The most valuable feature of Qualys Web Application Scanning is the effective scanning that can be done."
"Licensing is the most valuable. Qualys provides the best licensing for companies. It is the best product for the development purposes of web applications. The product has a lot of integrations."
"We’re a Linux shop and Qualys gave us good Linux vulnerability scanning; it reports only a few glaring false-positive errors, and the long baseline of iterative results was valuable to track changes and our rate of improvement while access to the API let us automate its use in our CI/CD pipeline for machine images."
"This is a product that I recommend and my advice for anybody who is interested in trying it, there is a free 60-day trial period where they will fix your problems without any payment."
"We have seen measurable decrease in the mean time to respond to threats by 20 percent."
"It is a very robust solution."
"I rate stability ten out of ten."
"Relatively speaking, InsightAppSec is good compared to Insight VM."
"When considering DAST, it is not attributed to a singular feature but rather the capabilities of the engine that provides a genuine penetration testing experience and delivers insightful reports."
"In Rapid7 InsightAppSec, a distinctive feature is the provision of a CDM for integrating web servers and web applications. To establish the connection between these applications, you only need to paste the provided CDN into your metadata. Once connected, every piece of information, including vulnerabilities, can be accessed. It also offers demo sessions."
"Customers use the product for scanning purposes and do not want to be restricted with respect to the number of scans they perform."
 

Cons

"The scanner reports a lot of false positives, which is something that needs to be improved."
"The reporting contains too many false positives."
"The area of false positives could be improved. There are quite a number of false positives as compared to other solutions. They could probably fine tune the algorithm to be able to reduce the number of false positives being detected."
"The pricing of Qualys is quite expensive in comparison with the other products in this category that are offering pretty much the same thing."
"The licensing and user permissions are a little wonky for a DevOps team to use, probably because it’s traditionally an InfoSec tool."
"In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are benchmarked against it, this will be helpful for us."
"They should try to include business logic vulnerabilities in the scanner testing."
"The solution needs to adjust its pricing. They should make it more affordable."
"The technical support from Rapid7 is not bad, but the response time can be quite slow sometimes."
"They should add more features. I would like to see them do a little more on static analysis and also interactivity analysis. Currently, it does very basic static analysis. It could do a little more static analysis, which is something that would help. A lot more interactivity analysis should also be there. It should basically look at security during interactivity."
"The reporting is definitely an aspect of the solution that's in need of some work. We found that we'd try to use widgets, but often getting them to work for us wasn't very clear. They need to be more user friendly or offer better instructions."
"The reporting feature of Rapid7 InsightAppSec needs improvement as it currently provides basic reports."
"When you add new projects for the same product, it either duplicates or replaces the scan configuration. If I run a scan for the same product with a different scan configuration, it should keep the previous scan configuration and not replace it with the new scan configuration. It should just add the new scan configuration. That would be helpful. They do keep the results as it is, but the scan configuration keeps changing. For example, I have set a scan configuration to a full scan, and next week, I want to run a new scan for the same product with some changes or new functionalities. I want to run a partial scan. Currently, if I change the scan configuration to partial, it changes the old one also to partial. That should be improved."
"Currently, InsightAppSec lacks similar functionality. Customers must wait for remediation during the developers' preparation of a new version."
"We'd like to see integrations with WAF solutions."
"The only concern I have with Rapid7 is that it does not provide enough information about vulnerabilities within AppSec."
 

Pricing and Cost Advice

"Qualys WAS' pricing is competitive."
"Pricing was reasonable and competitive. It was not too far above the other products."
"From my perspective, it is a budget-friendly option."
"I rate the software’s pricing a six out of ten."
"Qualys Web Application Scanning's pricing is a bit expensive compared to other solutions available in the market."
"Licensing was based on the number of assets that you want to scan on your network. You can also do licensing on subscription. On subscription, it is easier and more flexible. You tell Qualys that you want to move from the 1000 to 2000 band or the 3000 or 5000 band, then they will give you the quotation for it. Once you pay for it, applying the licensing is quite easy and effective."
"​It is best to be an institutional buyer and directly contact the sales team, as they can provide over-the-top discounts for bulk orders​."
"The product is expensive, at least initially, in comparison to other products in this category."
"I'm not sure how much it costs exactly, but I know it's expensive."
"I rate Rapid7 InsightAppSec’s pricing an eight out of ten."
"Rapid7 InsightAppSec is cheap."
"They offer a good price, but I don't remember its cost. It is fair as compared to the competition. We have opted for project-based licensing, not user-based. We can add any number of users. That doesn't matter. It is worth the money."
"The price of this product is very cheap."
"Its price is competitive. It is not expensive."
report
Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
903,257 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews
Financial Services Firm
14%
Manufacturing Company
12%
Computer Software Company
8%
Construction Company
7%
Manufacturing Company
13%
Financial Services Firm
10%
Construction Company
9%
Government
9%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business8
Midsize Enterprise6
Large Enterprise27
By reviewers
Company SizeCount
Small Business12
Midsize Enterprise2
Large Enterprise5
 

Questions from the Community

What is your experience regarding pricing and costs for Qualys Web Application Scanning?
Regarding pricing, I think for personal use, it is costly, but if organizations are ready to pay, then it is fine as they are using it.
What needs improvement with Qualys Web Application Scanning?
The downside of Qualys Web Application Scanning is that it cannot crawl automatically. If I provide an IP address and a login form, it does basic testing, but it doesn't go deep as IBM AppScan does...
What is your primary use case for Qualys Web Application Scanning?
I use Qualys Web Application Scanning, and we are using Vulnerability Management. By Vulnerability Management, I mean not TotalCloud; they have some on-premises solutions also. Patch Management and...
What needs improvement with Rapid7 InsightAppSec?
Customers sometimes experience issues with performance. One thing that I recall is that most customers often want to have reporting as per their customized dashboard. This needs to be improved beca...
What is your primary use case for Rapid7 InsightAppSec?
I usually recommend this solution for financial institutions. Banks and financial institutions need this solution mostly because they have to follow stringent compliance advisory requirements, so t...
What advice do you have for others considering Rapid7 InsightAppSec?
I have not heard any complaints. I do not have any recommendations because customers were initially worried about the number of scans they used to perform, and now it has been enhanced or it will s...
 

Also Known As

Qualys WAS
InsightAppSec
 

Overview

 

Sample Customers

BskyB, Cartagena, ClearPoint Learning Systems, Connect Group, du, Fortrex Technologies, HBOR, HDI, Highlights for Children, The Lithuanian State Enterprise Centre of Registers, City of Miami Beach, Microsoft, MidlandHR, MSCI Inc., Northern Arizona University, Ofgem, Olympus Europa, PhoneFactor, RTL Nederland, ThousandEyes, VGZ Organisatie B.V.
CenterPoint Energy, CPA Australia, Hypertherm, First American Financial Corporation, Rackspace
Find out what your peers are saying about SonarSource Sàrl, Checkmarx, Veracode and others in Application Security Tools. Updated: June 2026.
903,257 professionals have used our research since 2012.