Qualys CyberSecurity Asset Management Reviews

Currently, I use Qualys CSAM for asset management. It allows me to search for assets and manage them by implementing license management, asset inventory discovery, and ensuring that no device goes unmanaged. 

Qualys CSAM improves my organization's asset posture by providing visibility on cybersecurity assets and streamlining asset management and inventory.

It can detect every asset in our network. It is able to detect network devices such as switches, printers, and servers. However, it may provide information that is not useful, and sometimes, tagging might also be incorrect.

We were able to realize its benefits within six months. It took us around two to three months to get a good understanding of it. We spent some time fine-tuning it based on our needs and understanding false positives. Overall, in about six months, we could properly see its benefits.

Qualys CSAM helps me prioritize vulnerabilities through Qualys Vulnerability Score (QVS), which combines various threat and impact factors. It enables me to prioritize vulnerabilities based on the criticality and risk posed to my organization. This is beneficial for efficiently managing vulnerabilities.

Qualys TruRisk Scoring helps prioritize vulnerabilities and assets. It helps understand what could be prioritized for further remediation and what could be kept on hold for some time based on the manpower availability and the needs of the business.

Qualys CSAM helps find all the assets. It categorizes information based on various criteria such as host and tenant version. It provides in-depth visibility into both hardware and software.

Initial scans can produce excess data that needs refining. This extra data is not always useful for us in terms of understanding. They should provide the exact information required by the end user. It sometimes produces false positives for configurations when it comes to identifying exact hostnames and DNS names pertaining to certain IPs. Sometimes, the tagging might be incorrect. It might incorrectly tag assets. This is something that should be fixed.

Software composition analysis capability at the source code level would also be helpful. Other tools can check JAR and WAR files for any vulnerabilities. This capability is missing in Qualys CSAM.

From the user experience perspective, we need a simpler interface and reduced complexity in certain features, particularly with the Qualys Query Language. I work for a bank. I am a part of the regional team. We ask branches to use this tool effectively, but the branch IT teams find it difficult in terms of user experience. It is not easy for them to understand and use Qualys Query Language to fetch some inputs. The user interface must be improved in terms of giving some examples through popups and other UI elements. Currently, our users are not able to use it easily based on the basic training that we are giving them. That is why we are now documenting step-by-step instructions for completing tasks.

Some of the users find the UI to be very cluttered. They should simplify the dashboard. They would also like more customizable navigation.

Some users have reported slow asset discovery. They should improve speed and efficiency. When we use some of the profile options within Qualys for scanning, it can take 40 to 50 minutes to scan a single asset. That time could be reduced.

Users would also like more customizable reports. Currently, after downloading the reports, the team has to format the data provided by Qualys CSAM. If there is an option to customize the reports directly before downloading them, it would be very helpful. They can directly deliver the report to higher management. They do not have to spend time formatting the report.

There could also be better integration with other tools. Based on my integration experience previously, not in this company, there were some limitations with the integration. The APIs and integration options can be improved making the integration with various tools such as ITSM tools a smooth experience.

My team is using some Python scripts. It would be great if Qualys could provide some custom scripts as a part of the subscription. It will help new users in terms of understanding the solution better. There should be better tagging and categorization. That would be helpful for us. The tagging system should be more intuitive and flexible. Currently, the dynamic grouping of these assets based on the conditions is not up to the mark. Some of them are incorrectly tagged.

In terms of the learning curve, some of the new users find it challenging to learn the full capabilities of the platform. In addition to supporting more customizations for dashboards, reporting, or navigation, there should be more resources for people to become familiar with the product. There should be more hands-on learning materials and a better onboarding experience. The current knowledge base is not up to date with the latest features. There should be updated learning material available along with a release. When they release any new features, it can take one or two months for the learning resources to be updated.

Vulnerability remediation recommendations need to be more appropriate and specific. There could also be improvements in terms of vulnerability context. Even though Qualys CSAM identifies vulnerabilities very well, it would be helpful to have more context. Currently, in some cases, Qualys is not able to fetch the right remediation solution or proper context. It gives a generic statement. At times, recommendations are also not appropriate.

I have been using Qualys CSAM for almost four years.

Qualys' technical support team is responsive. They have a good knowledge base and helpful resources. The resolution of complex issues may sometimes take longer due to various factors, but the community and forum support is strong. Plenty of forums and resources are available from the support perspective.

Positive

The initial setup was not easy or difficult; it was moderate. 

Qualys provides tutorials and tools, but they could be enhanced to be more user-friendly and more helpful in deploying it. Qualys releases updates and enhancements regularly and the documentation is available for the new release, but Qualys video tutorials and hands-on labs are not always available or updated in parallel. Such resources are very helpful for new users in our organization in understanding the new features and the tool.

There is a significant return on investment with Qualys CSAM in terms of efficiency in vulnerability identification and management.

Qualys is competitively priced for its features. Its pricing is suitable for large organizations with more than 4,000 assets, but for smaller organizations with few assets, such as banks, the costs might be high. They should come up with packages that are suitable for small organizations.

For Attack Surface management, we are using other tools in our organization. Our threat tracking and threat intelligence teams are using other tools. They are not integrated with the Qualys CSAM. We are exploring opportunities to integrate everything into one solution.

We are planning to integrate Qualys CSAM with ServiceNow within a year. Everything will be automatically integrated with the ServiceNow module.

Overall, I would rate Qualys CSAM an eight out of ten. There are some areas for improvement.

We primarily use Qualys CyberSecurity Asset Management for zero-day vulnerabilities. Essentially, this is one of the critical aspects we maintain. The main point is that within Qualys, we receive solutions based on the criticality of the issue. Assuming it's a zero-day vulnerability, we have fixes that provide extensive information on addressing these issues.

I would rate Qualys ability to cover the entire attack surface a nine out of ten.

Previously, we used Tenable as our preferred tool but switched to Qualys for the cost-effectiveness. However, upon switching to Qualys, our primary concern was ensuring the seamless deployment of agents across our infrastructure. Fortunately, Qualys agents proved to be remarkably lightweight. Additionally, Qualys excels in network security, allowing us to identify vulnerabilities, track SSL and TSL certificates, and monitor their expiration dates. Qualys also offers robust password management capabilities, surpassing Tenable in this regard. Moreover, Qualys' reporting functionality is unparalleled, outperforming competitors like Tenable and other tools in the market.

Qualys identifies all risk factors for our assets. For example, assigning a globally traceable computer name or using easily compromised passwords can create vulnerabilities. Qualys provides immediate alerts if any compromise occurs in our environment, highlighting specific loopholes. Consider a scenario where a programmer in a testing environment uses a simple password instead of a complex one. Hackers can easily exploit this, and Qualys will immediately identify the issue, generate a report pinpointing the responsible individual, and notify us. This real-time identification and reporting capability surpasses traditional PAM solutions, allowing for swift remediation of potentially exploitable changes.

We use the risk scoring to prioritize the issues by criticality.

We use Qualys to convert deployed cloud agents into passive sensors for VM ESX. Whenever new servers or network devices are added, Qualys immediately detects them and flags them as unregistered assets on the network. Based on this information, other teams often reach out to us to onboard or install an agent for enhanced visibility and management within Qualys.

The most valuable aspect we receive from Qualys is the remediation. It provides detailed solutions in a user-friendly manner that our IT team finds easy to understand.

After exporting the reports, we used to receive them in CSV format. The most important aspect of these reports is their customization. While the reports are already good, they have the potential to be even better, which is what I expect. Additionally, the agent's processing speed and CPU utilization should be improved significantly. Currently, whenever the agent is running, it consumes over ten percent of my CPU, indicating that CPU consumption is another area Qualys needs to address.

The cost aspect of Qualys is an area of improvement.

I have been using Qualys CyberSecurity Asset Management for almost seven years.

I would rate Qualys' stability a seven and a half out of ten. Occasionally, there's slowness from an agent or potentially a network issue on our end when pushing data to the core server. This can cause slight delays, depending on the environment.

I would rate the scalability of Qualys ten out of ten.

The technical support is a major advantage of using Qualys. Whenever we encountered any difficulties with generating or scanning, they were quick to assist us.

Positive

We previously used Tenable but switched to Qualys primarily because of CPU utilization. Qualys also offers solutions that are much easier to use compared to Tenable, which simplifies our workflow. Although I'm unsure how Qualys delivers their solutions, it significantly improves our experience. This ease of use was the main factor in our decision to switch from Tenable to Qualys. Even though Tenable's results were very accurate, Qualys provided easier remediation solutions. Additionally, Qualys' security and detection timing were also favorable factors in our decision.

I strongly prefer Qualys over Tenable. I'm a huge fan of Qualys, and I believe people should recognize its capabilities.

The deployment in our environment was straightforward. The deployment took one week for over 4,000 servers. One person was enough for the deployment.

In a testing environment without the usual deployment setup, we might deploy hundreds of servers for testing. At that time, we lacked other tools and had to individually dump data and run scripts due to credentials and other factors. Domain-based environments linked through Azure are easier, but workgroups that don't communicate with public or private networks are more challenging. Fortunately, most of our machines were domain-related, simplifying Qualys deployment.

The cost for Qualys CyberSecurity Asset Management is high.

I would rate Qualys CyberSecurity Asset Management nine out of ten.

No maintenance is required from our end other than managing our database.

I recommend running Qualys in a test environment first before deploying it to production. This process is simpler in an agentless environment.

This is the main product that we are using for managing assets, including  hardware assets and software assets.

There are multiple features that are very useful. The first one would be the inventory that allows us to actually manage those assets and see the assets based on the cloud agents and based on the scanning that is performed periodically. 

Another useful feature would be the tags. Tags are very useful for us since we can tag virus applications in infrastructure types such as databases, operating systems, or web platforms. 

On top of that, there are software rules that we can define. Some of those rules can outline which mandatory agents need to be on an asset before going into production, for example. Some emphasize potential software that can potentially cause cyber security challenges. Having those rules in place is very useful.

The external attack surface management covers the entire attack surface. This is one of the newest features, and this is extremely useful. It allows us to see the external posture from an attacker's perspective, and we are broadly using that. We have been able to find domains that were previously not covered. We did find a few domains that were supposed to be shut down. We can better keep track of these now to validate that the domains that are listed for us are the correct ones. We can go over the newly discovered assets to validate which belong to us and which do not. 

It identifies all other risk factors for our assets. Now, it identifies the assets. It also identifies the end-of-life and end-of-life support software, and that allows us to plan ahead in terms of what needs to be upgraded or if we have to budget for a software change. That's both from an operating system perspective and also from a third-party software perspective.

This more thorough identification of risk factors has positively affected our security. Qualys is one of the main pillars that we use for monitoring our cybersecurity posture. Being on top of inventory-related operating systems or types of clients has been very helpful. The inventory features also allow us to monitor any new asset. We use this together with another platform from Qualys for network passive sensors. We can see in the inventory, including new assets identified that were connected to the network anywhere in the network. This includes workstations, laptops, cell phones, et cetera.

We leverage the solution's ability to convert already deployed Qualys Cloud agents into passive sensors that may be detected and connected to the network in real time.

Most of the assets, the ones that the ones that have CloudAgent, we monitor that. They are also discovered by the passive sensor. On top of that, they are periodically IP scanned. The cloud agent and the IP scanners complement each other and discover different types of vulnerabilities. The inventory shows up from one of three main sources: the CloudAgent, the passive sensor, and the IP scanner.

The passive sensors affected our ability to identify potential risks in real time. They dramatically improve our ability to monitor risk in real time as they show the assets connected to the network in real time. We are validating those findings with the appropriate teams in order to address issues accordingly.

We use the CMDB sync feature. That is one of the features that allows us to reconcile the inventory between Qualys and CMDB. This is also the feature that actually showed us some of the discrepancies between our two platforms. The integration allows us to automatically assign vulnerabilities and monitor the SLA. That integration is one of the main operational integrations that we are using in order to make sure that the vulnerabilities are remediated in a timely manner.

It's a superior solution as we can monitor both on-prem and on the cloud. Having the ability to manage the inventory, the hybrid inventory, in one platform, is very, very important.

It is automatically exporting the vulnerabilities and the assets. However, it would be useful to have the ability to select or filter which we would like to export. As of now, anything and everything is automatically exported. We cannot choose. 

I've used the solution for the last five years. 

It's usually very stable. However, sometimes some of the queries crash. I have opened a few support cases. Some of those support cases were solved right away. Some of those were pending a new release. Generally, it's working most of the time.

I've never had issues with scalability. You do have to choose the right sizing, however, it can scale out of the box. 

Most of the time, the technical support is very effective and responsive. They have a nice feature that allow you give feedback after a case was opened. The knowledge of the team is good. They also have the appropriate documentation to they can direct you to when needed.

Positive

We did previously use a different solution. However, there were a number of drawbacks. We were not able to both monitor and discover. After CSAM, we were able to access a full inventory and a fuller understanding.

The deployment is straightforward. You can use add-on features of cloud agents or passive sensors, once it's deployed and assets are IP-scanned, the system can automatically share the asset details. The modules are automatically activated for the agent. The cloud agents are deployed by the infrastructure teams. They are responsible for deploying the cloud agent. The network passive sensors are deployed together with the network team. Activating the modules and monitoring is handled by Qualys.

Once everything is up and running, no maintenance is needed. It's just monitoring and reporting once it's implemented. 

The pricing is fair. We don't have any objection to the current pricing model.

I'm an end-user.

When we first started using the solution it had fewer features than it has today. That said, it still was the platform that allowed us to manage hardware and software assets on-prem and in the cloud.

I'd rate the solution nine out of ten. 

It's a good idea to start with Qualys training, and I have to say their training is outstanding. Their training provides the best way for a new user to learn how to work with the platform. The platform itself can be very complex and there are many features that might affect one another. 

I use Qualys CSAM to gain better visibility into all my endpoints. It is easier to find devices through Qualys CSAM rather than using our other asset inventories, as it gives me access to a single pane of glass.

Qualys CSAM helps manage external attack surfaces. I get daily emails about our external endpoints and potential vulnerabilities or ports that can be used for attacks. We work on securing them or hardening their configurations.

We do not have a lot of external-facing assets, but it gives us everything that we need to know. We have a developers team that works on the web pages on our new domain. Recently, they entered a new subdomain. Qualys CSAM found that and reported it as vulnerable because of the certificates. I reported that to upper management, and it is now taken care of.

Qualys CSAM's risk tools prioritize risks. Qualys CSAM in conjunction with patch management and vulnerability management helps to mitigate those vulnerabilities.

There is a good logic behind TruRisk. When we add things, we can rely on it. That is what is going to be important.

We have a network passive sensor. Some of our endpoints are work-from-home stations, and some of them are in the office. The network passive sensor finds everything that is connected to the office, and then it merges with the cloud agent.

Qualys CSAM is valuable for providing end-of-life and end-of-sale information. It gives me visibility into the number of products or hardware items that are end-of-life. This is a beneficial feature. I like that about it. That is a very good thing.

Qualys CSAM is not super responsive, and there can be delays sometimes, especially with the network passive sensor. You might see duplicate objects which eventually disappear but it takes time. If that can be done faster, it will be great.

I have been using Qualys CSAM for approximately one and a half years.

Qualys CSAM appears to be scalable. We do not have a lot of endpoints, but I know of a company with 60,000 endpoints. They seem to be doing fine. We have 500 to 600 endpoints, and it is working well.

Most of the time, they are fast. We submitted some bugs, and they seem to have been resolved.

Positive

I used Manage Engine before. It is not very similar, but it can give you some details about the endpoints, such as if they are end-of-life. They also pull the database from somewhere to compare our hardware or software, but Qualys CSAM gives a lot more information than that product. Qualys CSAM does a lot more.

Its deployment is modular. Everything that we have is in the cloud. The cloud agent is installed on the endpoint, and there we have everything. The cloud agent collects all the information, drops it into the cloud, and syncs it in the database. Patch management and vulnerability management all do their work together.

The initial setup was seamless. It is at their back end. We paid for it, and they just turned it on. We saw results immediately once the module was turned on. Things in the cloud are done faster than on-prem, and this is not an on-prem solution. It is a cloud solution.

Its maintenance is taken care of by Qualys. We get the product 100% working and operational. We only have to work on the information in it. If we see something wrong, we try to do something. If it is easily fixable, we do it. If it is not, we get support.

When I went to a Qualys conference, I understood the value of it, and I asked our management to get hold of it and purchase it. We were able to realize its benefits immediately.

To a colleague at another company who says they only need to add External Attack Surface Management to their vulnerability management detection/response program but they don’t need the full depth of the CSAM offering, I would recommend going for the whole CSAM. Only the external attack service management will not be enough. If they have visibility into their external stuff, they should also have visibility into their internal stuff. Otherwise, they will only see the external stuff. They will not see how it links to internal stuff in terms of hardware, IP, and port.

New users need to spend a lot of time in order to understand it well. My advice would be to try searching, finding assets, and uploading tags to get accustomed to it.

I would rate Qualys CSAM a ten out of ten. It is a great product.

We use it to identify all our assets, including those on our premises, cloud, and remote environments. It continuously monitors our assets, collects details like installed software, configurations, and vulnerabilities, and also assesses asset criticality and risk level. It prioritizes our vulnerabilities based on the business impact.

Qualys CyberSecurity Asset Management has given us a view into all portions of our assets, including printers and others, enabling us to uncover many previously unknown assets. Some of the assets were not shown by other solutions. There were some assets that were not registered in our CMDB. Teams had some assets that were connected to the network but were not registered. With the help of Qualys CyberSecurity Asset Management, we got a view of our complete posture. We were able to view all the assets.

We were able to see its benefits within a few weeks of deployment. We uncovered many assets that were previously unknown. It gives an overview of assets daily. 

It does its job of covering the attack surface, but we also use other solutions.

In addition to vulnerabilities, it also identifies all the other risk factors for our assets.

TruRisk Scoring helps prioritize vulnerabilities and assets, but its effectiveness varies from organization to organization. For us, it works, but sometimes, we have to manually prioritize assets.

We have leveraged the solution's ability to convert already-deployed Qualys Cloud Agents into passive sensors that detect assets connected to the network in real-time. It is pretty good in terms of insights or visibility.

The CMDB Sync feature has reduced our mean time to remediation by 15% to 20%.

The integration with different third-party tools, such as cloud providers like Azure and AWS, and asset management tools like CMDB systems, is valuable. 

It also helps detect shadow IT groups and enforce policies and compliance, ensuring that assets adhere to regulatory and internal security policies. It helps our team to maintain an accurate and up-to-date asset inventory.

The deployment is somewhat complicated and could be made more user-friendly for most users. It is currently not user-friendly for all users. It is good but can be improved. It is a new product, and they are working on it.

There is limited coverage for non-IT assets; although effective for IT assets, it may struggle with OT technologies, IoTs, and some non-traditional assets without proper integrations. 

It is dependent on the Qualys ecosystem. It works only with Qualys VMDR and other Qualys modules. If an organization relies on multiple security vendors, integration would require additional customization. Improving the integration part would be beneficial.

I have used the solution for two years.

It is stable. I would rate it an eight out of ten for stability.

It is scalable. I would rate its scalability a nine out of ten.

They are good.

Positive

For us, it was easy because we had experienced professionals. They did not face any issues. If it was done by someone with two, three, or four years of prior experience, they would struggle a bit. 

We already had other Qualys subscriptions, such as patch management, so we just bought the CSAM solution and started activating CABS. Though it is never fully done, as we develop it every day, after purchasing, it was mostly done within two weeks.

We had a team of five, consisting of two senior and three junior members.

Overall, I would give Qualys CyberSecurity Asset Management a nine out of ten.