Qualys CyberSecurity Asset Management Reviews

Currently, we have 70,000 to 80,000 assets in our infrastructure. We have installed Qualys agents and started receiving vulnerability details. We use the TruRisk score and send reports to respective stakeholders and ask them to close them on priority. If they do not address vulnerabilities promptly, we quarantine the assets from the infrastructure. We also use Qualys CSAM along with VRM for handling vulnerabilities.

Qualys CSAM has provided insights into critical application vulnerabilities in our assets, which has helped us quarantine machines to prevent them from getting attacked. It has improved our ability to handle asset vulnerabilities efficiently in our infrastructure. It helped detect about 10,000 vulnerabilities so far. We do not have any high-risk vulnerability.

It discovered any open source, end-of-life, or end-of-support applications with critical or high vulnerabilities. Everything was discovered. We got them remediated.

We use the TruRisk score, but we also have our own criteria or formula for risk levels. We are using both.

With Qualys CSAM, we can see which assets have critical application vulnerabilities. This feature helps us prioritize and address these vulnerabilities more efficiently.

All required features are available in Qualys CSAM. However, it would be helpful if Qualys CSAM started incorporating AI models. An inclusion of threat details for AI and LLM-related risks would be beneficial.

We are not facing any issues with stability. Everything is smoothly managed by a different team, and our scheduled scans run without interruptions. The reports are automated, and the scans are scheduled. The reports are automatically sent to respective stakeholders. 

If there is going to be any downtime, they inform us in advance.

I have no issues with scalability. Everything is fine, and all necessary processes are in place.

We recently had some issues related to the continuous monitoring of the SaaS module. I am working with someone from the Qualys support team. He is helping us to resolve all the issues. One request is still open with the team because the risk scan was not happening at the application level. We opened a ticket and requested them to schedule a call. It might happen next week.

The support provided by Qualys is good. Their SMEs have sufficient knowledge, and if they are not the right contact, they quickly redirect us to someone who can help resolve issues. The only minor issue is occasionally being redirected to multiple teams, causing slight delays. I would rate their support a ten out of ten.

Positive

We have not used any alternatives to Qualys CSAM. Qualys CSAM is our primary tool.

A separate team within our organization manages its initial setup, deployment, and administration, so I do not have visibility on this process.

It is our main tool, and I find it better than others. 

I would rate Qualys CSAM a ten out of ten.

Qualys Cybersecurity Asset Management helps us manage our technical debt by identifying end-of-life and end-of-service software and hardware within our IT infrastructure.

Qualys CSAM is primarily a cloud-based solution. The only optional on-premise component is a passive sensor that monitors network traffic at our egress point. This sensor collects data and sends it to the Qualys Cloud interface for analysis, but it's not essential for using CSAM.

The external attack surface management identified unexpected assets, suggesting some exist outside our known inventory. While these may not be directly managed by us, the process has brought valuable awareness to the fact that our core servers are externally hosted, prompting a review of similar situations.

An external attack surface management scan revealed several outsourced name services, along with one unexpected third-party-linked IP. It's unclear if this was due to past consulting work or a registration error, but since it wasn't relevant to our company, it was easily excluded from future scans.

The benefits of Qualys CyberSecurity Asset Management are immediate. We already had the cloud agents installed. They were already on all the servers and workstations. Once we upgraded from the VMDR included GAV (Global AssetView) to CSAM, it was no time before I could see the end-of-life, end-of-service software, and hardware.

In addition to vulnerabilities, CSAM provides a better view of other risk factors, but VMDR is very powerful. VMDR was already seeing our limitations in hardening our vulnerabilities. CSAM enhanced our view by adding more visibility and insight into what we have.

TruRisk scoring goes beyond traditional vulnerability scoring like CVSS to prioritize both vulnerabilities and assets based on real-world exploitability and industry targeting. This provides a clearer picture of our actual risk by considering factors like published exploits and what attackers are currently focusing on, allowing us to quickly identify critical issues and avoid wasting time on vulnerabilities with a high theoretical risk but low real-world threat.

Qualys Cloud Agents can now be configured as passive sensors to discover all devices on our network in real-time, eliminating the requirement for separate virtual or physical passive sensor appliances. These cloud agent sensors monitor network broadcasts instead of egress traffic, and they can even designate a secondary sensor to take over if the primary becomes unavailable, ensuring continuous asset discovery and populating our CSAM platform with managed and unmanaged devices.

The end-of-life and end-of-service software and hardware are some of my favorite features. The insight into the endpoints with the cloud agent is also valuable. We get more value than we do with the global asset view that comes with VMDR.

The CMDB Sync feature currently only works with ServiceNow, which is common in larger organizations. If the feature could integrate with other, more affordable CMDB options, like those used by smaller businesses, we would be more likely to use it.

Qualys CyberSecurity Asset Management could be more cost-effective by offering a much lower price point or including it with existing VMDR subscriptions. Additionally, providing more pre-built reports would improve accessibility for organizations by reducing the need for custom report creation.

I have been using Qualys CyberSecurity Asset Management for one year.  however, I have been using Qualys solutions for over 20 years.

Qualys CyberSecurity Asset Management has been very reliable, with only occasional syncing issues following major updates, which is common for cloud-based software. Overall, I've been impressed with its stability.

Qualys CyberSecurity Asset Management is designed to scale effectively for environments of all sizes. While our environment may be on the smaller side, the solution is proven to handle deployments ranging from just a hundred devices to well over ten thousand, ensuring smooth operation regardless of our specific needs.

I've been a long-time Qualys user, so my technical support interactions tend to involve complex issues. For example, when the CSAM component was new and I encountered a bug, their team promptly cleared the back-end database, resolving the problem. Their expertise and willingness to help have been consistently impressive.

Positive

The initial deployment is easy, especially if a client is already on VMDR, to enable CSAM we only need a license.

One person can deploy VMDR and CSAM if they have the necessary access and permissions. For complex deployments with separate network management duties, involving the right personnel for whitelisting is crucial. Deployment time varies: for existing VMDR users, it's nearly immediate; for new implementations, it can take a bit longer, depending on team size and experience. Working with experienced professionals can expedite the process.

Qualys CyberSecurity Asset Management can be expensive since it is an add-on to VMDR. The cost seems to be a barrier to entry for some organizations, and a lower price point might lead to more automatic adoption of CSAM.

I would rate Qualys CyberSecurity Asset Management ten out of ten.

Qualys Cybersecurity Asset Management seems to offer a more comprehensive solution than what I've seen from competitors like Tenable and Rapid7. While I haven't reviewed their offerings recently, in the past they primarily focused on vulnerability scanning, which isn't as extensive as Qualys CSAM's asset management capabilities.

No maintenance is required. Everything is self-updating from Qualys. From cloud agents to sensors, all of those are automatically updated.

Organizations that rely solely on external attack surface management for vulnerability management are making a dangerous assumption. This approach presumes complete knowledge of their assets, which is unrealistic without full visibility into internal and external environments. Companies with a 'we're secure' attitude often have poor security, while those welcoming security assessments tend to have a strong security posture.

CSAM's tagging features, especially dynamic tagging with its easy-to-use rules, can significantly improve your efficiency across various tasks like patch and vulnerability management. By automating manual work, dynamic tags free up your time. Take advantage of the free CSAM training and consider consulting a trusted partner to accelerate your learning and implementation – their experience can save you weeks of effort.

Our primary tool for asset inventory is Qualys CyberSecurity Asset Management, which our software asset management team also utilizes to check our software library.

We deploy Qualys Cloud agents as passive sensors to gain comprehensive asset visibility and identify gaps in policy agent coverage. Additionally, we are collaborating with our cyber defense center team to enhance external service management.

Our cyber defense center team effectively utilizes Qualys CSAM, an external service management tool, to cover the entire attack surface.

The external service management tool has helped discover over 6,000 assets that were previously discovered.

We immediately saw the benefits of Qualys CyberSecurity Asset Management. As platform owners, we collaborate with the validation and cyber defense center teams to ensure asset availability and address any discrepancies.

Qualys CyberSecurity Asset Management helps identify all risk factors using the TruRisk score.

TruRisk Insights assists in identifying vulnerabilities and prioritizing them from highest to lowest risk.

We have begun utilizing Qualys Cloud agents as passive sensors and are currently investigating the necessary protocols to maximize the effectiveness of this feature. 

Our cybersecurity, IT, and cloud software teams effectively use Qualys to gain comprehensive visibility into our software environment, aided by excellent support. This visibility enables us to integrate Qualys into various facets of our operations, including our internal tools, allowing us to efficiently share updates with both the IT team and end-users, thus streamlining our workflow.

The most valuable feature is the Management sensor, which helps identify gaps in policy agent availability, thereby improving agent utilization. Additionally, the tool's code aids in risk identification and mitigation.

The Qualys CAPS service requires further exploration and improvement, particularly in its handling of protocols and reactivity with MAC and IP addresses for CAP agents. Enhanced functionality in these areas would increase the service's effectiveness and efficiency. We anticipate updates that will address these issues and optimize our use of the service.

We have been using CSAM for more than two years. 

We have not encountered significant stability issues with Qualys CyberSecurity Asset Management. The design appears robust, and we have not experienced any latency problems.

Qualys Cybersecurity Asset Management has proven to be a highly scalable solution for us over the past couple of years, seamlessly integrating new features as we have expanded from a few licenses to a much larger deployment.

We receive excellent support from Qualys. Our Technical Account Manager is very responsive and helpful in addressing any concerns that arise.

Positive

The initial deployment was straightforward. We integrate CSAM with other Qualys modules including VMDR.

The Qualys Cybersecurity Asset Management pricing is well-aligned with our usage.

I would rate Qualys CyberSecurity Asset Management ten out of ten.

Qualys CyberSecurity Asset Management does not require maintenance on our end.

To gain comprehensive visibility and reporting within the policy, new users should deploy the agent. This action provides a complete overview of vulnerabilities and support statuses, offering valuable insights for both IT management and cybersecurity purposes.

We use Qualys CSAM for information related to EOL and EOS applications. For the machines connected to Qualys CSAM, we have information about the serial number and hardware ID. We have some integration mechanisms with AD. All these helped us to make sure the agents and applications that we use are good enough to run in our infrastructure.

We have a mechanism called authorized and unauthorized applications inside our organization. Qualys CSAM helps us implement this by reporting unauthorized applications through pop-ups or alerts. This mechanism ensures that any unauthorized application is quickly identified, and appropriate measures are taken swiftly. The tool provides valuable insights into our infrastructure.

For external attack surface management, we have a configuration profile that we configure with the domain name. With this domain name, we get all the information from Qualys. They have integration with Shodan and their own scanning mechanism to get publicly exposed IPs or domains for our organization and its subsidiaries. 

It is a useful solution for us for IT-related or security-related activities. We get information about all the assets in our organization, and we also get to know if any ports are open or exposed to the Internet.

It helps us with risk prioritization. It highlights any vulnerabilities that are exploitable. We have various reports. We can see EOL or EOS software or any unauthorized applications. All these reports are triggered in a daily manner. We get the latest list every day. We can also use the dashboard.

In addition to the asset criticality score that we have configured, we have the TruRisk score. All this data helps us to prioritize the assets and vulnerabilities. 

The most valuable features of Qualys CSAM include the ability to manage authorized and unauthorized applications efficiently. This feature helps in validating applications and maintaining a secure environment. 

Additionally, Qualys CSAM offers comprehensive data, including serial numbers, BIOS information, and software details related to EOL and EOS. These capabilities are crucial for ensuring infrastructure readiness and security.

In my opinion, the area that needs improvement is the role-based access control (RBAC). The access privilege management needs to be more robust and streamlined to enhance user access management. Additionally, improvements to the user interface could be beneficial.

I have been using Qualys CSAM for one and a half years.

I would rate the stability of Qualys CSAM a ten out of ten. The agent-related stability is excellent, and we have not experienced any lags.

The scalability of Qualys CSAM is good. It is a SaaS platform. I would rate it a nine out of ten for scalability.

We have it at multiple locations and countries. We have multiple networks and subsidiaries. We have about 300k users.

The customer service is excellent. I would rate them a nine out of ten. Although there have been occasional delays in response time, the support generally addresses issues promptly and effectively.

Positive

I have only used Qualys CSAM in this organization and have not switched from any previous solutions.

We have a hybrid setup. The initial setup is straightforward, requiring a single code within an agent file, making the deployment process very easy.

Other than the upgrades, it does not require any maintenance from our side.

I would strongly recommend Qualys CSAM to other users because of its reliable detection logic and high level of support. We have not seen any glitches with it. In the case of any issues, we can get them resolved promptly, maintaining efficiency. 

I would rate the Qualys CSAM a ten out of ten for its overall performance.

I am working as a senior security analyst. I provide enterprise vulnerability management solutions. CyberSecurity Asset Management helps us categorize all the assets and products. We can see the current software assets and the software or product lifecycle. We can see details about the end-of-life or the end-of-support in CyberSecurity Asset Management.

We create customized tags for the assets. In my environment, there are IT servers and OT servers, so we need to customize the tags based on the servers. 

We can deep dive into asset inventory and check the external attack surface. We do attack surface management for the servers that are external or public-facing servers. We need deep investigations of assets to see if there is any vulnerability or suspicious activity in the server. For that purpose, I utilize the Qualys CSAM module.

It is able to discover assets or servers that are public-facing. For example, if there is a domain in the organization with a lot of external or public IPs, and these IPs are being used for an e-commerce website or any kind of website, hackers would want to hack these websites using ransomware. They might also do a DDoS attack to take down these websites. For such websites or web servers, we need such a module so that we can proactively gather any vulnerabilities that can be exploited and take the required steps to mitigate them before exploitation.

Qualys CSAM has saved a huge amount of time and manual effort. Features like Asset Purge Rule and dynamic tags have reduced a lot of time and manual effort of the team. In Qualys CSAM, we can get the EASM module. We can integrate CSAM or ESAM with any kind of ticketing tool, such as ServiceNow. When integrated with a ticketing tool such as ServiceNow, a vulnerability incident is created in ServiceNow for any critical or high-severity vulnerability. The incident is assigned a remediation owner. We just need to investigate whether the vulnerability is a true positive or a false positive and if remediation has been done or not. Previously, these all things had to be done manually, but now, we have automated them using Qualys CSAM. It has saved a lot of time and improved vulnerability discovery and asset segmentation in our estate.

We are able to identify two things. The first one is the vulnerability level or risk factors. The second one is the product life cycle, which is also important, so we can determine if a product is end-of-life or end-of-support. If it comes under the end-of-life or end-of-support category, we need to check with the vendor team, and we need to ask for possible workarounds. Otherwise, we can go to the project team and tell them to upgrade the product or operating system. There is a risk factor when a product is end-of-life or end-of-support. It becomes a vulnerable product. This is an additional benefit that we get, and we can ask the vendor or the project team to mitigate the issues.

When I need to prioritize external or internal facing servers, I use TruRisk Scoring. It is very effective. When I need to prioritize vulnerabilities, there are a lot of attributes that I need to keep in mind such as CVSS score, severity, etc. There are a lot of factors, so when I need to determine the top ten vulnerable servers, I use TruRisk Scoring. It is very helpful.

We have implemented cloud agents and deployed specific sensors. In our environment, we have on-premises servers and Azure and AWS clouds. We have implemented cloud agents and designed the configuration profile for those cloud agents. In Qualys CSAM, we can visualize if the cloud agent is active or not and if the scan frequency is working fine or not. We can monitor these from the Qualys CSAM module. When we implement the Asset Purge Rule on-premises or on cloud servers, there should be two sources in Qualys CSAM. One is the IP-based source, and the second one is the agent-based source. They are also monitored by Qualys CSAM. We can generate a report in Excel or CSV format, and by using the report, we can do the risk assessment and prioritize things.

I have four years of experience in cybersecurity, and I have used a lot of tools. Qualys CyberSecurity Asset Management has some advantages over others.

The first one is a feature called dynamic tag. When you implement a dynamic tag using a query, you do not need to manually tag all the servers. It categorizes all the servers that come under that query. The tagging part is automatically done within a few minutes. It reduces the effort.

The second feature is a feature called Asset Purge Rule. For example, there might be some servers or products that have not been used for the last 90 or 120 days. If they are still being reported in Qualys, it will be difficult to prioritize the servers or products to determine the top ten vulnerable servers or products. Previously, if we wanted to purge those assets or remove them from scanning, we had to do that manually, whereas Qualys CyberSecurity Asset Management provides a feature for that. We do not need to do anything from our side. A server older than the last 90 days will automatically get purged or removed from the account or scanning scope. Whenever we generate the scan report, there will be only assets or servers that are reporting in Qualys. The ones that are not reporting are automatically purged. This is known as data sanitization or vulnerability report sanitization. This is done by Qualys CSAM through the Asset Purge Rule feature. These are its core features for me.

In Qualys CSAM, there is a module called EASM. One improvement that they can make in the EASM module is the scan frequency. After EASM is configured the first time, it allows you to do the complete configuration, but if you want to reconfigure it, it will not ask or provide any option for scan frequency. For that, you need to raise a case with Qualys and talk to the Qualys team.

It only allows us to add the domain. There are only certain criteria that we can use to create a new profile inside EASM. I know that EASM is a new module in Qualys, and it is improving day by day, but it currently does not have the same configuration area that CSAM has. In the future, I hope it will be improved so that we are able to handle the configuration of EASM on our own. We do not have to raise any kind of vendor ticket or Qualys support ticket for that. Mainly, the configuration area needs improvement. Currently, we do not have all the rights to do the configuration. For any critical change, we cannot wait for the vendor to resolve the ticket. Just like CSAM, we should be able to do the configuration on our own in EASM.

I have been using it for two years. I have been using it since 2022.

It is stable. I would rate it an eight out of ten for stability.

It is scalable. I would rate it a ten out of ten for scalability.

It is being used in multiple locations such as India, Germany, and the UK. As of now, there are 15 users. In the future, we will onboard more.

I was previously working on other projects where I used Tenable Nessus and Rapid7.

I joined this project about two years ago. It was a new project, but I knew the advantages of Qualys. I have done certification in Qualys. It was the VMDR or Vulnerability Management Detection and Response certification. At that time, I got to know that Qualys has a lot of advantages. I knew that if we could implement this solution, it would be helpful to prioritize the vulnerabilities and vulnerable servers and products in our overall estate. That is why we switched and started implementing Qualys in the organization.

Overall, with Qualys as a tool, not only CSAM, we can do everything. We can do on-premises vulnerability scanning and cloud agent scanning. If we want to do security policy compliance, that also comes under Qualys. Qualys CSAM has various features for assets and custom tagging. There are lots of features.

It is a hybrid deployment currently, but in the future, it will completely be on the cloud.

Its deployment is straightforward. Everything is mentioned in Qualys documentation. We can find information about all the states and configurations. Even if we have a basic license, we can raise a case with the vendor. They are helpful. They can help us to resolve any issues or problems. They help to solve the problem as soon as possible. It has been a great experience.

If we start from the documentation part, it takes us more than one week because there are some client approvals we need. To cover everything, it takes almost 12 to 13 days to complete the overall process and start working with the tool.

Two people are fine for its deployment. If there are three, that will be an advantage, but it does not require more than three people.

It has saved time and resources. Previously, tagging took a lot of our time. We also needed more project members. When there are 5,000 servers, doing it manually takes a lot of time. It has reduced the time and resources required. It is cost-effective. It has saved about 45% of the time.

It is cost-effective because, in a single tool, we are getting everything. All the solutions come in a single license or price. In my opinion, Qualys is one of the best solutions available in the market for vulnerability management, policy compliance, and security compliance.

I would recommend this solution because by using a single solution, we can cover the three main pillars of CyberSecurity: vulnerability management, asset and product lifecycle management, and compliance management. It is the best product. In a single product, we can do all these things. These are the three pillars of cybersecurity.

Nowadays, cyber threats are increasing. As vulnerability analysts and managers, our prime focus is to gather all the servers and categorize the servers based on the operating system technology. It can be an IT or OT server. It can be public-facing or private-facing. Our main focus is to gather vulnerabilities, and based on the severity of the vulnerabilities, we have to prioritize the servers. We can shortlist the top ten vulnerable servers. The remediation team can then focus on them to mitigate vulnerabilities. To implement that solution, we need to categorize everything. The categorization part has to be done as per the CSAM model. If we want to do external server categorization, we have to go for external attack surface management or EASM, or we can use CSAM for internal servers.

When you get the product license, external attack surface management is not available. It is not activated. You need to activate it from CSS and configure it. It asks for domain details and the domain you want to focus on. Based on the domain details, it configures external attack surface management. You also need to consider the scan schedule, such as, after how much time, it will launch a discovery scan. You need to provide information about how many servers or products are managed by Qualys or how many are unmanaged but still detected in Qualys. After the configuration, you have to wait for the first discovery scan. When that is completed, Qualys looks for the domain name mentioned in the configuration area and pulls out details related to that domain. It shows the status and any vulnerabilities, and whether an asset is managed or unmanaged. You have the overall data, and you can also define or prioritize based on TruRisk Score, which is generated by external attack surface management.

We are not using the CMDB Sync feature. We have integrated Qualys CSAM with ServiceNow CMDB, so all the onboarded servers or products are directly reflected in ServiceNow CMDB. When any high-severity vulnerability is detected by Qualys CSAM through discovery scans, it automatically raises a ServiceNow incident, which is automatically assigned to the asset owner or product owner. This automation has been implemented by our team.

Overall, I would rate Qualys CSAM a ten out of ten.

Currently, I use Qualys CSAM for asset management. It allows me to search for assets and manage them by implementing license management, asset inventory discovery, and ensuring that no device goes unmanaged. 

Qualys CSAM improves my organization's asset posture by providing visibility on cybersecurity assets and streamlining asset management and inventory.

It can detect every asset in our network. It is able to detect network devices such as switches, printers, and servers. However, it may provide information that is not useful, and sometimes, tagging might also be incorrect.

We were able to realize its benefits within six months. It took us around two to three months to get a good understanding of it. We spent some time fine-tuning it based on our needs and understanding false positives. Overall, in about six months, we could properly see its benefits.

Qualys CSAM helps me prioritize vulnerabilities through Qualys Vulnerability Score (QVS), which combines various threat and impact factors. It enables me to prioritize vulnerabilities based on the criticality and risk posed to my organization. This is beneficial for efficiently managing vulnerabilities.

Qualys TruRisk Scoring helps prioritize vulnerabilities and assets. It helps understand what could be prioritized for further remediation and what could be kept on hold for some time based on the manpower availability and the needs of the business.

Qualys CSAM helps find all the assets. It categorizes information based on various criteria such as host and tenant version. It provides in-depth visibility into both hardware and software.

Initial scans can produce excess data that needs refining. This extra data is not always useful for us in terms of understanding. They should provide the exact information required by the end user. It sometimes produces false positives for configurations when it comes to identifying exact hostnames and DNS names pertaining to certain IPs. Sometimes, the tagging might be incorrect. It might incorrectly tag assets. This is something that should be fixed.

Software composition analysis capability at the source code level would also be helpful. Other tools can check JAR and WAR files for any vulnerabilities. This capability is missing in Qualys CSAM.

From the user experience perspective, we need a simpler interface and reduced complexity in certain features, particularly with the Qualys Query Language. I work for a bank. I am a part of the regional team. We ask branches to use this tool effectively, but the branch IT teams find it difficult in terms of user experience. It is not easy for them to understand and use Qualys Query Language to fetch some inputs. The user interface must be improved in terms of giving some examples through popups and other UI elements. Currently, our users are not able to use it easily based on the basic training that we are giving them. That is why we are now documenting step-by-step instructions for completing tasks.

Some of the users find the UI to be very cluttered. They should simplify the dashboard. They would also like more customizable navigation.

Some users have reported slow asset discovery. They should improve speed and efficiency. When we use some of the profile options within Qualys for scanning, it can take 40 to 50 minutes to scan a single asset. That time could be reduced.

Users would also like more customizable reports. Currently, after downloading the reports, the team has to format the data provided by Qualys CSAM. If there is an option to customize the reports directly before downloading them, it would be very helpful. They can directly deliver the report to higher management. They do not have to spend time formatting the report.

There could also be better integration with other tools. Based on my integration experience previously, not in this company, there were some limitations with the integration. The APIs and integration options can be improved making the integration with various tools such as ITSM tools a smooth experience.

My team is using some Python scripts. It would be great if Qualys could provide some custom scripts as a part of the subscription. It will help new users in terms of understanding the solution better. There should be better tagging and categorization. That would be helpful for us. The tagging system should be more intuitive and flexible. Currently, the dynamic grouping of these assets based on the conditions is not up to the mark. Some of them are incorrectly tagged.

In terms of the learning curve, some of the new users find it challenging to learn the full capabilities of the platform. In addition to supporting more customizations for dashboards, reporting, or navigation, there should be more resources for people to become familiar with the product. There should be more hands-on learning materials and a better onboarding experience. The current knowledge base is not up to date with the latest features. There should be updated learning material available along with a release. When they release any new features, it can take one or two months for the learning resources to be updated.

Vulnerability remediation recommendations need to be more appropriate and specific. There could also be improvements in terms of vulnerability context. Even though Qualys CSAM identifies vulnerabilities very well, it would be helpful to have more context. Currently, in some cases, Qualys is not able to fetch the right remediation solution or proper context. It gives a generic statement. At times, recommendations are also not appropriate.

I have been using Qualys CSAM for almost four years.

Qualys' technical support team is responsive. They have a good knowledge base and helpful resources. The resolution of complex issues may sometimes take longer due to various factors, but the community and forum support is strong. Plenty of forums and resources are available from the support perspective.

Positive

The initial setup was not easy or difficult; it was moderate. 

Qualys provides tutorials and tools, but they could be enhanced to be more user-friendly and more helpful in deploying it. Qualys releases updates and enhancements regularly and the documentation is available for the new release, but Qualys video tutorials and hands-on labs are not always available or updated in parallel. Such resources are very helpful for new users in our organization in understanding the new features and the tool.

There is a significant return on investment with Qualys CSAM in terms of efficiency in vulnerability identification and management.

Qualys is competitively priced for its features. Its pricing is suitable for large organizations with more than 4,000 assets, but for smaller organizations with few assets, such as banks, the costs might be high. They should come up with packages that are suitable for small organizations.

For Attack Surface management, we are using other tools in our organization. Our threat tracking and threat intelligence teams are using other tools. They are not integrated with the Qualys CSAM. We are exploring opportunities to integrate everything into one solution.

We are planning to integrate Qualys CSAM with ServiceNow within a year. Everything will be automatically integrated with the ServiceNow module.

Overall, I would rate Qualys CSAM an eight out of ten. There are some areas for improvement.

We primarily use Qualys CyberSecurity Asset Management for zero-day vulnerabilities. Essentially, this is one of the critical aspects we maintain. The main point is that within Qualys, we receive solutions based on the criticality of the issue. Assuming it's a zero-day vulnerability, we have fixes that provide extensive information on addressing these issues.

I would rate Qualys ability to cover the entire attack surface a nine out of ten.

Previously, we used Tenable as our preferred tool but switched to Qualys for the cost-effectiveness. However, upon switching to Qualys, our primary concern was ensuring the seamless deployment of agents across our infrastructure. Fortunately, Qualys agents proved to be remarkably lightweight. Additionally, Qualys excels in network security, allowing us to identify vulnerabilities, track SSL and TSL certificates, and monitor their expiration dates. Qualys also offers robust password management capabilities, surpassing Tenable in this regard. Moreover, Qualys' reporting functionality is unparalleled, outperforming competitors like Tenable and other tools in the market.

Qualys identifies all risk factors for our assets. For example, assigning a globally traceable computer name or using easily compromised passwords can create vulnerabilities. Qualys provides immediate alerts if any compromise occurs in our environment, highlighting specific loopholes. Consider a scenario where a programmer in a testing environment uses a simple password instead of a complex one. Hackers can easily exploit this, and Qualys will immediately identify the issue, generate a report pinpointing the responsible individual, and notify us. This real-time identification and reporting capability surpasses traditional PAM solutions, allowing for swift remediation of potentially exploitable changes.

We use the risk scoring to prioritize the issues by criticality.

We use Qualys to convert deployed cloud agents into passive sensors for VM ESX. Whenever new servers or network devices are added, Qualys immediately detects them and flags them as unregistered assets on the network. Based on this information, other teams often reach out to us to onboard or install an agent for enhanced visibility and management within Qualys.

The most valuable aspect we receive from Qualys is the remediation. It provides detailed solutions in a user-friendly manner that our IT team finds easy to understand.

After exporting the reports, we used to receive them in CSV format. The most important aspect of these reports is their customization. While the reports are already good, they have the potential to be even better, which is what I expect. Additionally, the agent's processing speed and CPU utilization should be improved significantly. Currently, whenever the agent is running, it consumes over ten percent of my CPU, indicating that CPU consumption is another area Qualys needs to address.

The cost aspect of Qualys is an area of improvement.

I have been using Qualys CyberSecurity Asset Management for almost seven years.

I would rate Qualys' stability a seven and a half out of ten. Occasionally, there's slowness from an agent or potentially a network issue on our end when pushing data to the core server. This can cause slight delays, depending on the environment.

I would rate the scalability of Qualys ten out of ten.

The technical support is a major advantage of using Qualys. Whenever we encountered any difficulties with generating or scanning, they were quick to assist us.

Positive

We previously used Tenable but switched to Qualys primarily because of CPU utilization. Qualys also offers solutions that are much easier to use compared to Tenable, which simplifies our workflow. Although I'm unsure how Qualys delivers their solutions, it significantly improves our experience. This ease of use was the main factor in our decision to switch from Tenable to Qualys. Even though Tenable's results were very accurate, Qualys provided easier remediation solutions. Additionally, Qualys' security and detection timing were also favorable factors in our decision.

I strongly prefer Qualys over Tenable. I'm a huge fan of Qualys, and I believe people should recognize its capabilities.

The deployment in our environment was straightforward. The deployment took one week for over 4,000 servers. One person was enough for the deployment.

In a testing environment without the usual deployment setup, we might deploy hundreds of servers for testing. At that time, we lacked other tools and had to individually dump data and run scripts due to credentials and other factors. Domain-based environments linked through Azure are easier, but workgroups that don't communicate with public or private networks are more challenging. Fortunately, most of our machines were domain-related, simplifying Qualys deployment.

The cost for Qualys CyberSecurity Asset Management is high.

I would rate Qualys CyberSecurity Asset Management nine out of ten.

No maintenance is required from our end other than managing our database.

I recommend running Qualys in a test environment first before deploying it to production. This process is simpler in an agentless environment.

This is the main product that we are using for managing assets, including  hardware assets and software assets.

There are multiple features that are very useful. The first one would be the inventory that allows us to actually manage those assets and see the assets based on the cloud agents and based on the scanning that is performed periodically. 

Another useful feature would be the tags. Tags are very useful for us since we can tag virus applications in infrastructure types such as databases, operating systems, or web platforms. 

On top of that, there are software rules that we can define. Some of those rules can outline which mandatory agents need to be on an asset before going into production, for example. Some emphasize potential software that can potentially cause cyber security challenges. Having those rules in place is very useful.

The external attack surface management covers the entire attack surface. This is one of the newest features, and this is extremely useful. It allows us to see the external posture from an attacker's perspective, and we are broadly using that. We have been able to find domains that were previously not covered. We did find a few domains that were supposed to be shut down. We can better keep track of these now to validate that the domains that are listed for us are the correct ones. We can go over the newly discovered assets to validate which belong to us and which do not. 

It identifies all other risk factors for our assets. Now, it identifies the assets. It also identifies the end-of-life and end-of-life support software, and that allows us to plan ahead in terms of what needs to be upgraded or if we have to budget for a software change. That's both from an operating system perspective and also from a third-party software perspective.

This more thorough identification of risk factors has positively affected our security. Qualys is one of the main pillars that we use for monitoring our cybersecurity posture. Being on top of inventory-related operating systems or types of clients has been very helpful. The inventory features also allow us to monitor any new asset. We use this together with another platform from Qualys for network passive sensors. We can see in the inventory, including new assets identified that were connected to the network anywhere in the network. This includes workstations, laptops, cell phones, et cetera.

We leverage the solution's ability to convert already deployed Qualys Cloud agents into passive sensors that may be detected and connected to the network in real time.

Most of the assets, the ones that the ones that have CloudAgent, we monitor that. They are also discovered by the passive sensor. On top of that, they are periodically IP scanned. The cloud agent and the IP scanners complement each other and discover different types of vulnerabilities. The inventory shows up from one of three main sources: the CloudAgent, the passive sensor, and the IP scanner.

The passive sensors affected our ability to identify potential risks in real time. They dramatically improve our ability to monitor risk in real time as they show the assets connected to the network in real time. We are validating those findings with the appropriate teams in order to address issues accordingly.

We use the CMDB sync feature. That is one of the features that allows us to reconcile the inventory between Qualys and CMDB. This is also the feature that actually showed us some of the discrepancies between our two platforms. The integration allows us to automatically assign vulnerabilities and monitor the SLA. That integration is one of the main operational integrations that we are using in order to make sure that the vulnerabilities are remediated in a timely manner.

It's a superior solution as we can monitor both on-prem and on the cloud. Having the ability to manage the inventory, the hybrid inventory, in one platform, is very, very important.

It is automatically exporting the vulnerabilities and the assets. However, it would be useful to have the ability to select or filter which we would like to export. As of now, anything and everything is automatically exported. We cannot choose. 

I've used the solution for the last five years. 

It's usually very stable. However, sometimes some of the queries crash. I have opened a few support cases. Some of those support cases were solved right away. Some of those were pending a new release. Generally, it's working most of the time.

I've never had issues with scalability. You do have to choose the right sizing, however, it can scale out of the box. 

Most of the time, the technical support is very effective and responsive. They have a nice feature that allow you give feedback after a case was opened. The knowledge of the team is good. They also have the appropriate documentation to they can direct you to when needed.

Positive

We did previously use a different solution. However, there were a number of drawbacks. We were not able to both monitor and discover. After CSAM, we were able to access a full inventory and a fuller understanding.

The deployment is straightforward. You can use add-on features of cloud agents or passive sensors, once it's deployed and assets are IP-scanned, the system can automatically share the asset details. The modules are automatically activated for the agent. The cloud agents are deployed by the infrastructure teams. They are responsible for deploying the cloud agent. The network passive sensors are deployed together with the network team. Activating the modules and monitoring is handled by Qualys.

Once everything is up and running, no maintenance is needed. It's just monitoring and reporting once it's implemented. 

The pricing is fair. We don't have any objection to the current pricing model.

I'm an end-user.

When we first started using the solution it had fewer features than it has today. That said, it still was the platform that allowed us to manage hardware and software assets on-prem and in the cloud.

I'd rate the solution nine out of ten. 

It's a good idea to start with Qualys training, and I have to say their training is outstanding. Their training provides the best way for a new user to learn how to work with the platform. The platform itself can be very complex and there are many features that might affect one another.