Our use cases for Qualys vary depending on the client. I work for a Paris-based French company that provides cybersecurity and metadata services to multiple clients. We primarily use Qualys to check the core infrastructure that hosts everything, scanning and remediating vulnerabilities.
We work with multiple teams, so if we identify a patching issue using Qualys, we might need to escalate it to another department. For example, if we identify a vulnerability in a CI/CD tool the DevOps team uses in Terraform, we're not supposed to touch it. We recommend a time frame for the DevOps team to apply the patch. If the issue is high-severity, they may need to address it as soon as possible. We run the scans, get the reports, and create recommendations.
We have integrated Qualys with our homegrown ticketing tool, but we plan to migrate to ServiceNow. It's a gradual process. Microsoft Sentinel, our SIEM solution, sends alerts to our internal detection and monitoring tool, which ServiceNow will soon replace. Our SIEM tool is responsible for monitoring the overall risk, while we use Qualys to report vulnerabilities that need to be patched.
Qualys improved productivity and efficiency after we became certified and familiar with the tool. However, our efficiency ultimately doesn't rely on us. We're not free to do whatever we want because we need to wait for the approval of our bosses or clients. We only note everything on our customized reports inspired by Qualys' core reporting.
Our clients typically have a 30 percent security score, and we aim to raise that to at least 90 percent through patch management and vulnerability monitoring and detection so their infrastructure security improves daily.
Qualys' best feature is its reporting. At first, it may seem a little complicated to a beginning user, but it's helpful once you get used to it. Most of these scans run automatically. We set the scans up for the client to run at daily, weekly, or monthly intervals, depending on how critical the server or other hardware is.
According to the scan target, we adopt a risk-based or patch-based approach. Our company has a large SOC team that covers more than just the scanning aspect. Qualys is one tool we use. Regarding the managerial component, we have documentation and a set of steps to follow. We must also follow all the protocols, regulations, and standards, such as ISO-27000 or GDPR if you are in Europe.
Qualys could improve its capacity to fix vulnerabilities on VMware and other virtualized environments. The reporting could also be enhanced to make it more user-friendly. It's difficult for beginners to learn.
I have used Qualys for two and a half years.
We've had no stability issues with Qualys because most clients use high-speed fiber optic connections.
I rate Qualys support nine out of 10. I've contacted Qualys support four or five times. They're highly efficient. There were some delays and technical issues the first time I called them, but the rest of my experiences went smoothly.
We used Nessus, but we switched. It was a company decision because it has a partnership with Qualys' parent company. Before that, we used Metasploit.
Deploying Qualys was initially overwhelming, but after a lot of tutorials and testing, we got used to it. Three people were involved in the first six months, but now I'm the only one using it. We had some help from Qualys in the first few months.
I'm unaware of Qualys' exact price, but it's more expensive than Nessus. With technological products, you need to pay to get the best.
I rate Qualys eight out of 10. It's a great tool, and if I consulted for a client, I would recommend it.