Scott Frederick - PeerSpot reviewer
Director of Vulnerability Management at an insurance company with 1,001-5,000 employees
Real User
Top 20
Nov 7, 2024
Well-integrated with our vulnerability scanning utilities and efficient in asset tagging and identification
Pros and Cons
  • "Our favorite features are the tagging and the ability to quickly find assets in the portal."
  • "The fact that it is integrated makes it very easy to understand."
  • "Some areas that would be helpful are more comprehensive tagging and the ability to set up better dynamic rules."

What is our primary use case?

We primarily use it to collect asset information. Our primary value from it is in collecting on-premises assets, as well as the ability to tag those assets with custom tags. We are also using the external attack surface management portion a little bit. We have not fully operationalized it yet, but it looks intriguing.

Additionally, we are leveraging Qualys CSAM's capability to detect software and applications, as well as to identify unauthorized and authorized software in the environment.

How has it helped my organization?

From an inventory point of view, Qualys CSAM gets everything very well. We augment that with Qualys TotalCloud, so we get better insights into our cloud platform, but for our internal data centers, this is our source of truth for asset information.

What is most valuable?

Our favorite features are the tagging and the ability to quickly find assets in the portal. 

Additionally, I do like the fact that Qualys CSAM is integrated with the rest of our vulnerability scanning utilities. We use the full suite from Qualys. The fact that it is integrated makes it very easy to understand. It shares tagging information with VMDR. That is very nice.

Qualys CSAM has discovered assets not previously covered by our vulnerability management program. Primarily, if we have assets without vulnerabilities, they become less visible, but Qualys CSAM alerts us to them because they have IP addresses and are attached to our network. It could discover everything from printers to servers to endpoints. It could discover UPSs, network devices, and across all operating systems. It discovers our security badge readers and digital signage. We have to feed that the IP address ranges, but beyond that, it finds everything in our internal network.

We were able to realize its benefits within the first quarter of installing it. We did have to take some time to learn it and understand how to operationally leverage what it was telling us, but it was very quick.

In addition to vulnerabilities, Qualys CSAM helps identify other risk factors to a degree. For instance, we can see if servers or assets have incorrect naming standards. We have our network segmented into development model, test, and production, and we have server naming standards that identify which management they should be in. If a production server has the naming standard of a development model server, we can find that. That is one area we have used it for.

We are not fully using TruRisk, but we are using the Qualys detection score that is central to our corporate risk prioritization approach. It has completely replaced our homegrown one.

What needs improvement?

Some areas that would be helpful are more comprehensive tagging and the ability to set up better dynamic rules. 

Also, in the area of software categorization, having only three categories (approved, unapproved, unknown) is limiting. We would prefer more options, such as 'approved only for pilot' or 'approved for this line of business,' allowing for better granularity in categorizing software.

They do not yet have a built-in integration with the service management tool that we use. We do not use ServiceNow. We use a different one. We are using a product called Symphony Summit.

Buyer's Guide
Qualys CyberSecurity Asset Management
March 2026
Learn what your peers think about Qualys CyberSecurity Asset Management. Get advice and tips from experienced pros sharing their opinions. Updated: March 2026.
886,510 professionals have used our research since 2012.

For how long have I used the solution?

We started using it probably about a year and a half ago. It became operational around mid-2023.

What do I think about the stability of the solution?

We have encountered very little instability. I have subscribed to their update notifications, and I love getting the release notes because there is always something new in there that is exciting. They are constantly adding capabilities. I love that. It is a bit challenging to keep up at times, but if you want to maximize the value of the tool, you have to stay on top of release notes. As far as stability goes, there is almost nothing. Overall, there are almost no issues. If there are any issues, they usually affect the entire pod. It is not specific to CSAM.

What do I think about the scalability of the solution?

With roughly 10,000 assets under management, we have not encountered any issues with scalability at all.

How are customer service and support?

I have not personally contacted technical support, but I know we get a very good response. We have an excellent technical company who will escalate and support us. We have had a pretty good experience with technical support.

Which solution did I use previously and why did I switch?

I used to have some involvement with a CMDB product from BMC called ADDM. It was similar to Qualys CSAM, but due to a lack of organizational appetite to support it, it was replaced. That is the closest thing to Qualys CSAM that I have ever played with.

How was the initial setup?

It is a cloud solution. We do have cloud agents that reside on our endpoints or assets. I do like the fact that Qualys CSAM uses the same agent on the assets as all the other Qualys products. That was a big plus over other things that we looked at. They required another agent to be installed.

Its initial setup was fairly easy. It takes a little bit of time to get things fully operational and standardized, but Qualys CSAM was easy to install and get up and running. We had to sit back and think about how we best wanted to represent the tagging. That took some time. We are still playing with that. The biggest challenge has been coming up with the best way for us to represent the assets and software discovered by Qualys CSAM.

We had to consider the best way to represent tagging in our system and ensure everything was standardized, but the setup process itself was straightforward.

It did not take us long to fully deploy it. It took less than a week because we already had the cloud agents installed for VMDR. We or our account manager flipped the switch to turn the license on, and we started collecting data right away.

What about the implementation team?

The deployment of Qualys CSAM was a one-person job. We had an additional person for backup reasons, but the job primarily required only one person.

Its maintenance is being taken care of by Qualys. The software tagging is manual, so we have to go in and manually say that product XYZ is no longer approved. That is the only maintenance we do on that platform. It is just whether or not the software is approved or not.

What's my experience with pricing, setup cost, and licensing?

The pricing is fair. I would love to see the price come down a little bit, but we do get a lot of value out of it. We are squeezing every ounce of value we can out of the tool.

What other advice do I have?

Like every product, there are nuances. You have to understand that there are different categories of software. When it detects software, it puts it into various categories. It took us a little while to understand their taxonomy for the software side, so my advice would be to spend a little time understanding that.

We have had good luck with the API. To automate things, we are leveraging their CSAM API, and it is working fine, but there is a little bit of a learning curve. In terms of the core product, you turn it on and it just starts. If you have VMDR already in place, it starts to collect data for you right away, within minutes.

I would rate Qualys CSAM a nine out of ten. If they had a connector for the service management tool that we use, it would be a ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Curtis Nielson - PeerSpot reviewer
Security Operations Manager at Solventum
Real User
Top 20
Dec 4, 2024
Good scanning results and less management and maintenance
Pros and Cons
  • "The scanning results are pretty good, and some insights are quite valuable."
  • "We have had challenges modifying the agent configuration. Particularly, when we want to change the tenant that the agent is pointing to, we have had difficulties making that reliable and working properly."

What is our primary use case?

We use it for scanning, vulnerability management, a little bit of policy compliance, and some web application scanning.

We primarily implemented it for StateRAMP compliance requirements with NIST 800-53.

How has it helped my organization?

There have been some instances where devices that were not known to be in a specific place were discovered. They were primarily EC2 instances deployed in an AWS account. Our systems are scalable. They scale in and out all the time, so it is hard to give a precise number of the devices discovered. It probably discovered 3% to 5% of the overall system.

In addition to vulnerabilities, it identifies other risk factors for our assets. It does not cover all, but it covers about 80%.

What is most valuable?

The scanning results are pretty good, and some of the insights are quite valuable. The fact that it is a largely cloud or SaaS product means that there is less management and maintenance required. Those are all benefits we like.

What needs improvement?

We have had challenges modifying the agent configuration. Particularly, when we want to change the tenant that the agent is pointing to, we have had difficulties making that reliable and working properly. For Windows agent installations, updates require more than a simple configuration change. It requires a download and install, which we find cumbersome, but once it is in place, it is pretty good.

For how long have I used the solution?

We have been using the solution for about two years.

What do I think about the scalability of the solution?

Our systems are scalable, so they scale in and out all the time.

How are customer service and support?

It is above average. There have been issues where we had to bring in Qualys and other vendors. There was some finger-pointing back and forth about who was responsible, which is common, but overall, they are responsive and generally knowledgeable.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

For web application scans, we previously used WebInspect, but we changed due to scalability issues. WebInspect could not meet our frequent scan requirements without significant infrastructure improvements. Qualys seems to be able to handle it better.

We also used Tenable.io, which was not very cloud-aware, whereas Qualys has better AWS cloud integrations and capabilities.

How was the initial setup?

It was a little time-consuming, but we did not find it overly complex.

The first time, it took about two weeks. Subsequently, because we worked out the kinks and figured out some things, we could get a new system up and running in a couple of days.

It requires regular patching maintenance, the same as any other OS. There is nothing outside of what I would consider normal. We have two people involved in maintenance.

What about the implementation team?

Two people were involved full-time with a handful of support staff. Their roles included security vulnerability engineer, network engineer, and network architect. We also had some consulting professional services provided by Qualys.

What was our ROI?

It has reduced the amount of in-house development and configuration changes needed to make the scanners compatible with the AWS cloud. It has reduced the number of development and scripting hours along with maintenance hours. It has allowed fewer individuals to manage the system overall, providing some ROI benefits.

What's my experience with pricing, setup cost, and licensing?

The pricing is market-competitive. We have large licenses through a corporation, but I am only involved with a small portion of it, so I do not know its price.

What other advice do I have?

Defense-in-depth is very important. There are many layers to a network. There are many layers to an operating system, and there are many layers to applications. It is essential to provide security, detection, and prevention at each one of those layers.

To a colleague at another company who says they only need to add External Attack Surface Management to their vulnerability management detection/response program but they do not need the full depth of the CSAM offering, I would say that they are likely to get hacked.

We do not use Qualys CSAM for the entire attack surface. We primarily use it for production deployments. Our entire attack surface, corporate-wise, is managed elsewhere. It is competitive. It is not the best that I have seen, but it is competitive.

TruRisk Scoring helps prioritize vulnerabilities and assets, but we do not use it all that much. Our reporting requirements are tied to CVE rankings. While we sometimes take a look at it, we do not rely on it.

We use the solution's CMDB Sync feature, but we use it more as a confirmation of an existing CMDB tool we have.

I would rate Qualys CSAM an eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Revathi VeeraRaghavan - PeerSpot reviewer
Information Security - Manager at Infosys
MSP
Top 5
Dec 4, 2024
Provides comprehensive visibility and covers the complete attack surface
Pros and Cons
  • "I like the EASM part because it provides visibility into unmanaged assets that are public-facing."
  • "I would rate Qualys CSAM a ten out of ten."
  • "EASM covers the entire attack surface, discovers more, and provides complete details about the assets, such as the external interface and internal interface, correlating them so we get the complete details of the assets, which were not given by the other solution."
  • "They should address the false positives generated in EASM. It is fetching assets that have Infosys as the keyword. They should fix that."

What is our primary use case?

The use cases for Qualys CyberSecurity Asset Management (CSAM) include getting software details, such as identifying software that is reaching end-of-life (EOL) or has already become EOL, and getting asset details.

Additionally, the integration with Shodan through External Attack Surface Management (EASM) helps get asset details of public-facing assets.

I also use its reporting capabilities. I can generate reports related to software with queries.

I also used the web application to see potential web-hosted assets for our subscription.

How has it helped my organization?

EASM covers the entire attack surface. Earlier, we were using a third-party vendor, but we now completely rely on Qualys for EASM. It scans the assets and also tags them based on the domain and subdomain. It discovers more and provides complete details about the assets, such as the external interface and internal interface. It correlates them, and we get the complete details of the assets, which were not given by the other solution. It just gave the IPs. We had to take the IP, put it in Qualys, and check the details. With Qualys, it is very easy to get the asset details.

We were able to realize its benefits immediately after the deployment. 

We use the TruRisk score, but based on the QDS and ACS, we have also derived our own severity for the organization. We assess whether it is really exploitable and being exploited in the wild.



We had some issues with the agents and detections until May, but after the version upgrade to 5.4, we saw a tremendous improvement in detection. We have 99.9% detections, and we were also able to achieve 84% patching and compliance in five days because of the detections.

What is most valuable?

I like the EASM part because it provides visibility into unmanaged assets that are public-facing. Previously, we had to log in to Shodan and get the details. Instead of that, Qualys has an external scanner that scans the assets belonging to, for example, Infosys. We give the domain, subdomains, and any related subsidiaries in the configuration. Based on that, it scans the domain and gives correlated results with the public-facing IP and the internal IP used in Infosys for an asset. I can see both interfaces in EASM. I can see the software details for all the assets and any ports that are open on the assets.

What needs improvement?

For some of the software, there was no life cycle or general information. We wanted them to give details in the database as and when the software comes. I raised a ticket for that, and after that, they updated the details for more than one million software.

They should address the false positives generated in EASM. It is fetching assets that have Infosys as the keyword. They should fix that.

When we click on the web application, it only shows potential web assets. The application details are not there.

Overall, CSAM has matured a lot. These are the few enhancements that need to be done.

For how long have I used the solution?

I have been using the solution for three years. I use it regularly for my day-to-day activities.

What do I think about the stability of the solution?

We have not seen any issues with stability such as lagging, crashing, or downtime.

What do I think about the scalability of the solution?

Qualys CSAM is highly scalable. I would rate its scalability a ten out of ten.

How are customer service and support?

Customer service is efficient, with a support executive being assigned within 24 hours. They respond based on ticket severity. The support team actively involves themselves in resolving raised issues.

We also have governance calls where we raise tickets and troubleshoot and resolve any concerns.

How would you rate customer service and support?

Which solution did I use previously and why did I switch?

For EASM, we were previously using another solution. They only provided basic details like IP addresses. With CSAM, we have comprehensive asset details, including enumeration and routing details. We also have TruRisk details.

The other vendor only gives me the ID. They do not tell me who the owner is. Qualys gives me all the information about the assets, software, vulnerabilities, open ports, and interfaces. We get the network summary and asset summary in one place.

How was the initial setup?

Its initial setup was relatively straightforward. The deployment did not take much time.

Its maintenance is taken care of by Qualys.

What about the implementation team?

The deployment was done in-house by one person, without the need for an external integrator or consultant.

What's my experience with pricing, setup cost, and licensing?

The pricing for Qualys CSAM is nominal.

What other advice do I have?

I would rate Qualys CSAM a ten out of ten. I am very satisfied with its features, including dynamic and static tagging, and the comprehensive details it provides for asset management. I am happy with it.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Vaibhav_Kumar - PeerSpot reviewer
Analyst III - Information Security and Compliance at a financial services firm with 201-500 employees
Real User
Top 20
Sep 25, 2024
The asset discovery feature provides detailed information about each asset
Pros and Cons
  • "The best feature is asset discovery through their cloud agent or IP-based scanning."
  • "In our reporting, we faced a challenge syncing with cloud devices."

What is our primary use case?

We use Qualys CyberSecurity Asset Management to improve asset tracking and manage our security posture, thereby minimizing security risk. Enhanced visibility into our asset inventory enables us to implement appropriate security measures to protect against potential incidents and threats.

The major challenge in security today is that many organizations still have an extreme problem: they are not aware of how many assets they have. As businesses grow, their assets grow as well. However, asset tracking has traditionally been a manual and cumbersome process. Due to this, many assets were mismanaged. Nobody tracked them properly, and assets were not updated with OS patching or application patching. This was particularly problematic for data sets, as many people across the organization were unfamiliar with those assets, which led to security issues. This is why we implemented Qualys CyberSecurity Asset Management.

How has it helped my organization?

The external attack surface refers to the externally visible endpoints hosted by any company. External scanning can be performed to identify the number of publicly-facing assets. CSAM provides functionality to scan these external assets, and based on the scanning results, patching can be performed to address any identified vulnerabilities.

The best part about Qualys CSAM is that it continuously pulls data. We can either install a cloud agent on all our machines or use IP wave scanning to identify the IP subnet. Qualys CSAM will identify any machine that spins up within that IP subnet during its scheduled scans. Once it finds a new machine within the subnet, it will register it as a new asset and populate it on the dashboard.

Qualys CyberSecurity Asset Management was able to identify an additional 50 to 100 assets that were not part of our vulnerability management program.

The key functionality of CSAM is a new feature update that Qualys releases periodically. It provides organizations and IT professionals with key metrics to understand how assets behave within their infrastructure, addressing the issue of unfamiliarity. CSAM focuses on efficacy, efficiency, and improved asset tracking. Better asset tracking enhances security posture, enabling timely patching and streamlining the entire vulnerability management lifecycle. Asset management is the first phase, and when asset tracking is simplified, the entire vulnerability management cycle becomes easier.

When discussing additional risk factors, CSAM provides crucial insights into the nature of the host, including basic information like hostname, IP address, operating system, installed applications, initial discovery date by Qualys, and current online/offline status. Leveraging risk factors like initial discovery date and the presence of malicious or outdated applications allows for collaboration with patch management teams to assess machine compliance. Effective asset management lifecycle practices empower organizations to comprehensively address many risk factors.

The TruRisk Scoring was accurate. While false positives are always possible, they were minimal in Qualys, making it nearly perfect.

I have leveraged active and passive sensors, such as Qualys Cloud Agent models, to gain better visibility into our assets.

Qualys will send a probe whenever we have passive sensors and an established IP connection. This probing timeline indicates how frequently the network needs to be probed—for example, every 30 minutes. Based on the timeline, the sensor will probe the entire IP range and detect any new machines that appear, improving our visibility.

What is most valuable?

The best feature is asset discovery through their cloud agent or IP-based scanning. It provides detailed information about each asset, including its operating system, applications, power status, and improved asset polling. These are some key metrics provided by Qualys CyberSecurity Asset Management.

What needs improvement?

In our reporting, we faced a challenge syncing with cloud devices. The issue arose because, let's say, we have 250 licenses and use AWS cloud with its auto-scaling feature. As the load increases, the server count automatically scales up. The cloud agent was installed on the new devices, but when the old devices were decommissioned, it wasn't uninstalling from the asset as it should have been. This made asset tracking with cloud auto-scaling quite challenging, as we had difficulty uninstalling the sensor.

For how long have I used the solution?

I have been using Qualys CyberSecurity Asset Management for five years.

What do I think about the stability of the solution?

I would rate the stability of Qualys CyberSecurity Asset Management nine out of ten.

What do I think about the scalability of the solution?

I would rate the scalability of Qualys CyberSecurity Asset Management nine out of ten.

Which solution did I use previously and why did I switch?

I have used Tenable Nessus, Greenbone, and Rapid7, but my confidence in Qualys is far greater than that in the others.

Some of the reasons we chose Qualys were its user interface, ease of problem-solving, and straightforward explanations of use cases. The deployment facility, deployment guidelines, post-deployment management, and Qualys support team assistance we receive after purchasing the product are excellent. These factors influenced me to choose Qualys over other products.

How was the initial setup?

The deployment is straightforward, and Qualys is easy to understand. The transition from on-premises to the cloud was smooth, and overall, it was a positive experience.

The transition from on-premises to the cloud, including around 5,000 devices, took me one month to complete.

What was our ROI?

We have observed a return on investment of approximately 95 percent, and Qualys CyberSecurity Asset Management has also reduced our costs by 35 percent.

Qualys CyberSecurity Asset Management provided an excellent return on investment. It offered comprehensive visibility into the security lifecycle across our organization, providing clarity on the state of our security infrastructure. Furthermore, it stands out as one of the top vulnerability management tools currently available.

What's my experience with pricing, setup cost, and licensing?

Qualys offers excellent value for money. Its pricing model is transparent and fair, with no hidden fees. It provides flexible options tailored to our specific needs. Its pricing structure is easy to understand, and its team will work with us to find the best solution. It's open to discussions and committed to offering competitive pricing. Compared to similar products on the market, Qualys is priced competitively.

What other advice do I have?

I would rate Qualys CyberSecurity Asset Management nine out of ten.

We hosted Qualys CyberSecurity Asset Management in a single location, not multiple locations. From a security perspective, we utilized availability zones, but there was only one physical location. I served as the administrator, and in addition to me, there were four to five other individuals who used Qualys for enhanced monitoring.

From a maintenance perspective, if the Qualys platform requires maintenance, customers will receive prior notification. This ensures that customers are aware of any potential service interruptions. Every software system needs maintenance, whether for an upgrade or to implement significant changes.

I highly recommend Qualys to others.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Brad Mathis - PeerSpot reviewer
Employee-Owner, Senior Consultant, Information Security at Keller Schroeder
MSP
Top 5
Leaderboard
Jun 10, 2024
Improves visibility, reliability, and scalability
Pros and Cons
  • "The end-of-life and end-of-service software and hardware are some of my favorite features."
  • "Qualys CyberSecurity Asset Management could be more cost-effective by offering a lower price point or integrating with existing VMDR features."

What is our primary use case?

Qualys CyberSecurity Asset Management helps us manage our technical debt by identifying end-of-life and end-of-service software and hardware within our IT infrastructure.

Qualys CSAM is primarily a cloud-based solution. The only optional on-premise component is a passive sensor that monitors network traffic at our egress point. This sensor collects data and sends it to the Qualys Cloud interface for analysis, but it's not essential for using CSAM.

How has it helped my organization?

The external attack surface management identified unexpected assets, suggesting some exist outside our known inventory. While these may not be directly managed by us, the process has brought valuable awareness to the fact that our core servers are externally hosted, prompting a review of similar situations.

An external attack surface management scan revealed several outsourced name services, along with one unexpected third-party-linked IP. It's unclear if this was due to past consulting work or a registration error, but since it wasn't relevant to our company, it was easily excluded from future scans.

The benefits of Qualys CyberSecurity Asset Management are immediate. We already had the cloud agents installed. They were already on all the servers and workstations. Once we upgraded from the VMDR-included GAV (Global AssetView) to CSAM, it was no time before I could see the end-of-life, end-of-service software, and hardware.

In addition to vulnerabilities, CSAM provides a better view of other risk factors, but VMDR is very powerful. VMDR was already seeing our limitations in hardening our vulnerabilities. CSAM enhanced our view by adding more visibility and insight into what we have.

TruRisk scoring goes beyond traditional vulnerability scoring like CVSS to prioritize both vulnerabilities and assets based on real-world exploitability and industry targeting. This provides a clearer picture of our actual risk by considering factors like published exploits and what attackers are currently focusing on, allowing us to quickly identify critical issues and avoid wasting time on vulnerabilities with a high theoretical risk but low real-world threat.

Qualys Cloud Agents can now be configured as passive sensors to discover all devices on our network in real-time, eliminating the requirement for separate virtual or physical passive sensor appliances. These cloud agent sensors monitor network broadcasts instead of egress traffic, and they can even designate a secondary sensor to take over if the primary becomes unavailable, ensuring continuous asset discovery and populating our CSAM platform with managed and unmanaged devices.

What is most valuable?

The end-of-life and end-of-service software and hardware are some of my favorite features. The insight into the endpoints with the cloud agent is also valuable. We get more value than we do with the global asset view that comes with VMDR.

What needs improvement?

The CMDB Sync feature currently only works with ServiceNow, which is common in larger organizations. If the feature could integrate with other, more affordable CMDB options, like those used by smaller businesses, we would be more likely to use it.

Qualys CyberSecurity Asset Management could be more cost-effective by offering a much lower price point or including it with existing VMDR subscriptions. Additionally, providing more pre-built reports would improve accessibility for organizations by reducing the need for custom report creation.

For how long have I used the solution?

I have been using Qualys CyberSecurity Asset Management for one year. However, I have been using Qualys solutions for over 20 years.

What do I think about the stability of the solution?

Qualys CyberSecurity Asset Management has been very reliable, with only occasional syncing issues following major updates, which is common for cloud-based software. Overall, I've been impressed with its stability.

What do I think about the scalability of the solution?

Qualys CyberSecurity Asset Management is designed to scale effectively for environments of all sizes. While our environment may be on the smaller side, the solution is proven to handle deployments ranging from just a hundred devices to well over ten thousand, ensuring smooth operation regardless of our specific needs.

How are customer service and support?

I've been a long-time Qualys user, so my technical support interactions tend to involve complex issues. For example, when the CSAM component was new and I encountered a bug, their team promptly cleared the back-end database, resolving the problem. Their expertise and willingness to help have been consistently impressive.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial deployment is easy, especially if a client is already on VMDR; to enable CSAM, we only need a license.

One person can deploy VMDR and CSAM if they have the necessary access and permissions. For complex deployments with separate network management duties, involving the right personnel for whitelisting is crucial. Deployment time varies: for existing VMDR users, it's nearly immediate; for new implementations, it can take a bit longer, depending on team size and experience. Working with experienced professionals can expedite the process.

What's my experience with pricing, setup cost, and licensing?

Qualys CyberSecurity Asset Management can be expensive since it is an add-on to VMDR. The cost seems to be a barrier to entry for some organizations, and a lower price point might lead to more automatic adoption of CSAM.

What other advice do I have?

I would rate Qualys CyberSecurity Asset Management ten out of ten.

Qualys Cybersecurity Asset Management seems to offer a more comprehensive solution than what I've seen from competitors like Tenable and Rapid7. While I haven't reviewed their offerings recently, in the past they primarily focused on vulnerability scanning, which isn't as extensive as Qualys CSAM's asset management capabilities.

No maintenance is required. Everything is self-updating from Qualys. From cloud agents to sensors, all of those are automatically updated.

Organizations that rely solely on external attack surface management for vulnerability management are making a dangerous assumption. This approach presumes complete knowledge of their assets, which is unrealistic without full visibility into internal and external environments. Companies with a 'we're secure' attitude often have poor security, while those welcoming security assessments tend to have a strong security posture.

CSAM's tagging features, especially dynamic tagging with its easy-to-use rules, can significantly improve your efficiency across various tasks like patch and vulnerability management. By automating manual work, dynamic tags free up your time. Take advantage of the free CSAM training and consider consulting a trusted partner to accelerate your learning and implementation – their experience can save you weeks of effort.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Reseller
reviewer2590986 - PeerSpot reviewer
Senior Manager at a consultancy with 10,001+ employees
MSP
Top 10
Nov 10, 2024
Helps us prioritize vulnerabilities but has some lagging
Pros and Cons
  • "Qualys CyberSecurity Asset Management offers valuable features such as continuous vendor support, rapid response times, dedicated vendor partnerships, and advanced technical capabilities for risk identification."
  • "Qualys CyberSecurity Asset Management has helped to improve the organization's security posture significantly."
  • "Further research and development are needed to enhance integration with other cloud agents and products, particularly improving communication with external products and vendors."

What is our primary use case?

Qualys Cybersecurity Asset Management provides complete visibility of network assets, identifies vulnerable software, and helps prioritize them based on criticality. This facilitates effective patch management, offering valuable insights and reducing the attack surface.

To enhance network efficiency and minimize our vulnerability to cyberattacks, we have adopted Qualys Cybersecurity Asset Management.

How has it helped my organization?

The primary purpose of the external attack surface management is to provide clear insight into the data and infrastructure assets exposed to the internet. Qualys Cybersecurity Asset Management offers detailed information about these exposed assets, including websites, authentication methods, and MFA implementation. By considering all relevant risk factors, it provides a clear picture of vulnerabilities and prioritizes remediation efforts, enabling proactive risk mitigation. It also frequently scans our environment to re-evaluate the risk factors.

Qualys CyberSecurity Asset Management has helped to improve the organization's security posture significantly. It lets us confidently communicate with clients by showcasing a better security posture. We can evaluate and compare our security scores against vendor scores when onboarding vendors, enhancing understanding and transparency about our security landscape.

Qualys TruRisk scoring helps us prioritize vulnerabilities and identify the number of assets in our environment with a high-risk score.

Cybersecurity Asset Management's CMDB sync feature reduces our mean time to remediate from our three-day service level agreement to just 12 hours.

What is most valuable?

Qualys CyberSecurity Asset Management offers valuable features such as continuous vendor support, rapid response times, dedicated vendor partnerships, and advanced technical capabilities for risk identification. Moreover, it provides insightful suggestions for effective and efficient risk mitigation.

What needs improvement?

Further research and development are needed to enhance integration with other cloud agents and products, particularly improving communication with external products and vendors. Additionally, platform upgrades have presented challenges with slowness and other difficulties.

For how long have I used the solution?

I have been using the solution for six years.

What do I think about the stability of the solution?

The stability rating for Qualys Cybersecurity Asset Management is six out of ten. This is mainly due to some disconnections and slowness issues, likely because we have integrated a large volume of machines.

What do I think about the scalability of the solution?

The scalability of Qualys Cybersecurity Asset Management is rated nine out of ten.

How are customer service and support?

The support is generally good, offering pre-communication for updates and providing training for analysts.

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial setup involved collaborating with the vendor on the proof of concept, configuration, and fine-tuning. This process presented some initial challenges, but once we gained a deeper understanding of the backend systems, it became straightforward.

The deployment spanned six to eight months.

What about the implementation team?

Around ten people were involved in the deployment process.

What was our ROI?

Qualys CyberSecurity Asset Management has definitely saved time and resources, particularly from a security management perspective. By automating tasks, it significantly reduces the human resources required, leading to increased efficiency and productivity.

Which other solutions did I evaluate?

We have evaluated other products, including Trend Micro and Microsoft solutions. However, Qualys stands out in quickly identifying vulnerabilities and gaps within our network.

What other advice do I have?

I would rate Qualys CyberSecurity Asset Management seven out of ten. To improve the rating, Qualys must address the issues of lagging and updating.

Our Qualys CyberSecurity Asset Management platform currently has three administrators and 12 end-users.

Qualys Cybersecurity Asset Management requires regular maintenance, including license renewals and software updates.

Qualys Cybersecurity Asset Management is centrally deployed and can be used in multiple locations.

The initial implementation of Qualys CyberSecurity Asset Management was protracted, taking two to three years to realize its benefits fully. This delay was attributed to the extensive time spent on the proof of concept, configuration, and subsequent fine-tuning to address the initial difficulties encountered.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Ramachandran Sugumar - PeerSpot reviewer
Senior Information Security Engineer at a consultancy with 10,001+ employees
MSP
Top 5
Nov 10, 2024
Helped discover about 10,000 vulnerabilities so far
Pros and Cons
  • "With Qualys CSAM, we can see which assets have critical application vulnerabilities. This feature helps us prioritize and address these vulnerabilities more efficiently."
  • "I would rate Qualys CSAM a ten out of ten."
  • "All required features are available in Qualys CSAM. However, it would be helpful if Qualys CSAM started incorporating AI models. An inclusion of threat details for AI and LLM-related risks would be beneficial."
  • "The only minor issue is occasionally being redirected to multiple teams, causing slight delays."

What is our primary use case?

Currently, we have 70,000 to 80,000 assets in our infrastructure. We have installed Qualys agents and started receiving vulnerability details. We use the TruRisk score and send reports to respective stakeholders and ask them to close them on priority. If they do not address vulnerabilities promptly, we quarantine the assets from the infrastructure. We also use Qualys CSAM along with VRM for handling vulnerabilities.

How has it helped my organization?

Qualys CSAM has provided insights into critical application vulnerabilities in our assets, which has helped us quarantine machines to prevent them from getting attacked. It has improved our ability to handle asset vulnerabilities efficiently in our infrastructure. It helped detect about 10,000 vulnerabilities so far. We do not have any high-risk vulnerability.

It discovered any open source, end-of-life, or end-of-support applications with critical or high vulnerabilities. Everything was discovered. We got them remediated.

We use the TruRisk score, but we also have our own criteria or formula for risk levels. We are using both.

What is most valuable?

With Qualys CSAM, we can see which assets have critical application vulnerabilities. This feature helps us prioritize and address these vulnerabilities more efficiently.

What needs improvement?

All required features are available in Qualys CSAM. However, it would be helpful if Qualys CSAM started incorporating AI models. An inclusion of threat details for AI and LLM-related risks would be beneficial.

What do I think about the stability of the solution?

We are not facing any issues with stability. Everything is smoothly managed by a different team, and our scheduled scans run without interruptions. The reports are automated, and the scans are scheduled. The reports are automatically sent to respective stakeholders. 

If there is going to be any downtime, they inform us in advance.

What do I think about the scalability of the solution?

I have no issues with scalability. Everything is fine, and all necessary processes are in place.

How are customer service and support?

We recently had some issues related to the continuous monitoring of the SaaS module. I am working with someone from the Qualys support team. He is helping us to resolve all the issues. One request is still open with the team because the risk scan was not happening at the application level. We opened a ticket and requested them to schedule a call. It might happen next week.

The support provided by Qualys is good. Their SMEs have sufficient knowledge, and if they are not the right contact, they quickly redirect us to someone who can help resolve issues. The only minor issue is occasionally being redirected to multiple teams, causing slight delays. I would rate their support a ten out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have not used any alternatives to Qualys CSAM. Qualys CSAM is our primary tool.

How was the initial setup?

A separate team within our organization manages its initial setup, deployment, and administration, so I do not have visibility on this process.

What other advice do I have?

It is our main tool, and I find it better than others. 

I would rate Qualys CSAM a ten out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
reviewer2589096 - PeerSpot reviewer
Senior Information Security Engineer at a consultancy with 10,001+ employees
MSP
Top 10
Nov 7, 2024
Enables us to accurately assess the risk level of high or low QDS scores associated with each asset and monitor them accordingly
Pros and Cons
  • "My favourite feature of Qualys CyberSecurity Asset Management is its ability to target missing software."
  • "I recommend Qualys CyberSecurity Asset Management due to its superior asset information collection capabilities, including comprehensive hardware and software inventorying."
  • "Qualys could improve by enhancing its dynamic tagging and role-based access control features, and by refining its user interface for a more intuitive and efficient user experience."

What is our primary use case?

Qualys CyberSecurity Asset Management serves multiple purposes. It provides comprehensive asset details, including serial numbers, UALs, UASs, and DTLSs, which are crucial for tracking updates and configurations. We can access detailed information like BIOS UI and installed software, enabling us to identify authorized, unauthorized, and missing applications. This comprehensive approach to asset management ensures that we have a clear understanding of our IT environment.

Qualys is a vulnerability management tool that utilizes agent scans to gather in-depth information about assets. This data includes details like installed software, their versions, and locations, which can be used for various purposes such as asset inventory, identifying end-of-life software, or tracking specific applications. By downloading this information in list format, Qualys helps address a range of asset management and security needs.

How has it helped my organization?

We use Qualys CyberSecurity Asset Management to manage our entire external attack surface. We've integrated our primary domain and all its subdomains into EASM, leveraging its full functionality. This integration allows us to gather crucial data. While we utilize existing features, we anticipate a new filter that will reduce noise from agent-based scans. This will help us identify vulnerabilities in any external-facing assets with public IPs and exposed ports. By pinpointing these vulnerabilities, we gain a clearer understanding of our infrastructure's security posture from an external perspective.

Some of the assets discovered by EASM include IP addresses, DNS lookups associated with those IPs, and the corresponding domain. EASM captures information based on the integrated EASM profile. If an agent is already present, EASM merges the scan information with the agent data, and an EASM symbol indicates this source. In addition to cloud-based assets, EASM also identifies on-premise assets with publicly exposed IPs.

Customers using Qualys CyberSecurity Asset Management for organizational purposes and formal reporting can submit requests to management, whether related to administrative or organizational perspectives. These requests are reviewed with consideration for their potential benefit to other Qualys customers. Therefore, any enhancements or requests made for our organization are also considered by the vendor providing the solution.

Qualys provides risk and threat intelligence monitoring with a built-in prioritization mechanism. This mechanism helps us prioritize exposed risk factors, such as vulnerabilities with varying levels of severity, low, ongoing, or emerging. The system monitors these vulnerabilities and allows for prioritized support. Additionally, the Qualys score increases based on the risk factor, ensuring that users are notified of critical vulnerabilities.

Qualys' TruRisk scoring helps prioritize vulnerabilities in assets by considering multiple factors. These factors include asset criticality, which is determined by the asset's importance (e.g., critical server vs. UAT server) and can be customized through tagging mechanisms. The scoring also incorporates Qualys' QDS code, vulnerability severity, and the presence of unpatched software. Additionally, factors like public IP exposure and the potential impact of even low-critical vulnerabilities are evaluated. By combining these elements, Qualys provides a comprehensive TruRisk score that accurately reflects the overall risk posed by each asset.

Qualys Cybersecurity Asset Management utilizes deployed cloud agents as passive sensors, enabling real-time detection of network-connected assets. This functionality identified numerous devices sharing identical multicast or broadcast IP addresses and revealed asset details like hostname, IP address, MAC address, and operating system, contingent on protocol availability, e.g., DNS.

What is most valuable?

My favorite feature of Qualys CyberSecurity Asset Management is its ability to target missing software. Instead of applying the tool to all assets, we can tag specific groups of assets that require a certain application. This allows us to generate a QQL query to identify any assets missing from the software. By correlating this with QDS scores, we can accurately assess the risk level of high or low QDS scores associated with each asset and monitor them accordingly.

What needs improvement?

Qualys could improve by enhancing its dynamic tagging and role-based access control features, and by refining its user interface for a more intuitive and efficient user experience.

Qualys is currently not able to identify assets lacking DNS information. Collaboration with Qualys is underway to explore alternative protocols for hostname identification and enhance asset visibility.

For how long have I used the solution?

I have been using Qualys CyberSecurity Asset Management for two years.

What do I think about the stability of the solution?

This platform demonstrates excellent stability with consistent 100 percent uptime and no glitches observed. Qualys CyberSecurity Asset Management is a reliable and stable choice.

What do I think about the scalability of the solution?

I would rate the scalability of Qualys CyberSecurity Asset Management a nine point five out of ten.

How are customer service and support?

We receive excellent technical support from Qualys, characterized by quick response times and the dedicated assistance of a Technical Account Manager who ensures the prompt resolution of critical issues.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial deployment of Qualys CyberSecurity Asset Management is straightforward.

What other advice do I have?

I would rate Qualys CyberSecurity Asset Management ten out of ten.

We have Qualys Cybersecurity Asset Management deployed in multiple locations on various operating systems in a large-scale environment.

I recommend Qualys Cybersecurity Asset Management due to its superior asset information collection capabilities, including comprehensive hardware and software inventorying. CSAM is continuously updated to encompass new technologies like GPUs and provides increased stability with reduced network noise. These ongoing enhancements make CSAM the optimal choice for effective asset management.

I suggest going for a full package that includes both external attack surface management and CyberSecurity Asset Management. The combination offers comprehensive protection and asset management.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Download our free Qualys CyberSecurity Asset Management Report and get advice and tips from experienced pros sharing their opinions.
Updated: March 2026