Qualys VMDR Reviews

We use continuous monitoring to schedule scans for all the applications in our organization. We create a parent tag and sub-tags for each application and schedule scans based on our requirements, such as every alternate day, weekly, or monthly. This helps us identify vulnerabilities in the web applications, especially those that are public-facing.

Since implementing Qualys, we have seen a reduction in the time required to scan applications, as it automates the process. This efficiency is one of the key improvements we have noticed. Additionally, the tool is effective compared to others, particularly for automated scans.

In Qualys VMDR, there are multiple valuable features such as Continuous Monitoring, SFU Connector, and WebVPN. Continuous monitoring is a crucial feature that we use more frequently.

There are scenarios where a vulnerability is reported once yet not in subsequent scans, even if we have not fixed it. Sometimes, Qualys is unable to crawl certain URLs due to unspecified issues. Additionally, the report download option occasionally has problems.

I have been using Qualys for two years.

I would rate the stability as nine out of ten, indicating no significant issues with stability.

The scalability of Qualys is rated as eight to nine out of ten, and there are no problems with scalability.

The customer support system could be improved. While they respond, it takes them two to three days to address a concern, which is an issue. Overall, I would rate customer service as five or six.

Neutral

The setup process was not within my involvement, as it was part of the project I had joined and it was already set up.

I recommend Qualys VMDR as it effectively reduces the time required for vulnerability management and operates well with fewer people.

I'd rate the solution seven out of ten.

We are managing hundreds of AWS and several on-premises accounts using Qualys agents and scanners to provide data inputs for Qualys. We are using several of the Qualys modules, VMDR, Cloud Agents, Connectors along with Global Asset View (GAV).  GAV dynamic tagging is valuable for tracking owners of assets.   

Qualys' main function is to provide us with vulnerability management information for our end users and is a major input to our CMDB.  We rely on a combination of agents and scans to provide us with the system data.   

We are seeing more of the issues we suspected were there. Qualys is allowing us to get an overall picture of our Risk posture. It has enabled us to identify assets we did not know existed.  

However, Qualys has not enabled us to get a complete picture of our risk posture, due to our own limitations in our deployments and limitations in the Qualys back end, dashboards, UI, connector reliability, and the limitations of the Qualys Scripting Language (QSL).  

Qualys implementation requires dedicated back-end support from various teams which was not clearly explained to us or planned for. 

Cloud Agents: lots of control available and very trouble-free. It pulls all systems information, including installed software and open ports. It's very configurable to adjust impact to systems.  

Connectors: Pulls all the cloud information per account and helps to build a CMDB.  Qualys connectors do some control evaluations to help manage these accounts. 

Global Asset View (GAV): With the ability to establish dynamic tagging and perform queries GAV has become a very valuable research tool to our teams. 

Support: It's often overseas and often following a script, basically asking us to redo what we opened the case with. 

Multiple APIs: There seems to be a lack of easy onboarding into Qualys. We had to use manual inputs and some API calls to get items in place. 

Dashboard: It is very rudimentary with very little customization. The Qualys Scripting Language (QSL) works differently in different Qualys modules, so when you get it working in one area you have to modify the syntax in others.  

User account management: We often have to give users more rights than needed just to give them what they need. 

Integration with the various Qualys Modules: You can tell the UI is different based on of the different teams that created them. 

QSL syntax same in all modules

Responsiveness of some of the components: They time out, you get a blank screen, etc.

Backend updates between the various modules: You update connectors and information takes a few minutes to show in VMDR or Global Asset View

Connectors: Connectors have a throttling issue with AWS which causes them to frequently fail unless you manually run them again. 

I've used the solution for three years.

Stability is not the issue. However, the reliably of the different modules is a concern. I have never seen all of Qualys go down. 

The solution is very scalable (with a matching cost, in that, it gets expensive as you grow). 

Our CSM has awesome, however, support is often overseas at conflicting hours.  Support seems to follow scripts and forces us to go through the same scripts. Some solutions required months from Qualys to implement. 

Negative

We used Tenable.IO which we found very limited. However, in our other cloud environment, we had to use Teanble.SC with which we were able to use a Lambda function and a few API calls to make it operate very well in the cloud. 

The setup is complex in many ways, from setting up agents and connectors to trying to create dashboards that fit our needs.  

We managed the setup in-house.

Management is very concerned about the cost of using Qualys; it keeps going up as we pursue 100% deployment. 

The price is very high and escalates quickly based on the number of appliances you need. 

We evaluated Tenable.SC and Rapid7.

If you're going to deploy Qualys it is key to have someone dedicated to supporting the back end, making sure all the components are working as expected.  This is not a fire-and-forget solution. 

The primary focus of this solution is to identify and detect vulnerabilities in real time and use that information to patch them using Qualys VMDR task management module. We have a variety of devices within our network, including network devices, firewalls, vCenters, VMs, web applications, and endpoints. We deploy cloud agents on workstations and servers where possible, and we scan network devices using a virtual scanner where we cannot deploy the cloud agent. Additionally, we perform web application scanning for our web apps. We also use the tool to manage our cloud security and container security.

With the help of Qualys VMDR, we were able to get real-time knowledge base updates from Qualys and perform scans on all devices to identify vulnerable devices. This allowed us to plan the next course of action for mitigating vulnerabilities. For example, during the zero-day events, such as the Log4j vulnerability, we received critical real-time information from Qualys, enabling us to identify and plan for mitigation while the rest of the world was still struggling. This capability has tremendously helped us maintain the cybersecurity posture within our organization.

The most valuable features of Qualys VMDR include CSAM, Qualys Gateway Service, Web Application Scanning, patch management and the use of virtual scanners to scan appliances and devices, especially those provided by vendors. 

The ability to run a map scan and identify all assets within our network is extremely beneficial for medium to large organizations. Real-time asset discovery and patch management have also been vital features for us.

One area for improvement is the simplification of the process to ignore certain vulnerabilities on specific devices. Currently, the process is quite long, requiring the creation of separate knowledge bases and lists. Simplifying this to one or two clicks would be beneficial. Additionally, enhancing patch management to support third-party tools and simplifying the creation of patch jobs would greatly improve usability. Improving the interconnection between multiple modules would also be helpful, making navigation and operations more straightforward.

I have been using Qualys VMDR for more than two - three years now.

I would rate the stability of Qualys VMDR as eight. It is a stable solution with minimal issues.

The scalability of Qualys VMDR is good. If we add additional resources, the tool can scale efficiently, ingesting new data seamlessly. Qualys has auto-scaling enabled for their cloud platform, which ensures performance remains high, even with increased resources.

Technical support from Qualys needs some improvement. There are instances where Level 2 support is not able to assist, requiring escalation, which can take time. Overall, basic troubleshooting and issue resolution are straightforward.

Neutral

I have worked with other vulnerability management solutions prior to Qualys. In my current organization, we selected Qualys after a POC. Other tools have not evolved well as Qualys has over the years, making Qualys the preferred solution.

The initial setup of Qualys VMDR is straightforward. The setup's complexity depends on the organization’s size and collaboration with various teams. For organizations with a clear device inventory, the deployment can be completed within a month.

In-house

We evaluated other tools available in the market during our POC process yet found Qualys to be the best solution.

I would recommend Qualys VMDR to other users if they want a comprehensive solution for real-time vulnerability detection and mitigation. The tool is easy to implement, backed by a reliable knowledge base, and offers quick updates during zero-day events. While there are areas for improvement, such as simplifications in handling certain features, the overall solution is robust and effective.

I'd rate the solution eight out of ten.

Qualys VMDR is used as a vulnerability management tool. We have more than a thousand users in our company, and we have integrated Qualys with their machines to help update software and measure known or unknown risks, prioritize them, and patch the devices. We monitor and mitigate alerts, and we find vulnerabilities in specific machines or systems, which we then address.

Before implementing Qualys, we used third-party companies to conduct vulnerability audits and paid them separately for mitigation. With Qualys, we now conduct our vulnerability management and mitigation internally, saving both time and money since we can monitor every system and threat without requiring manual processes or third-party involvement. This has resulted in significant ROI and reduced the risk of breaches.

The best features of Qualys VMDR are its patch management capabilities and the ability to mitigate vulnerabilities automatically. The report export feature allows us to see how many incidents have been mitigated and which ones still need attention. The compliance dashboard helps us track and fix threats efficiently, ensuring all machines comply with security standards.

The user interface (UI) is quite complicated. Initial-stage engineers or analysts might miss something due to the complexity. Also, for hybrid users, the agent might get disconnected, requiring users to revisit the office to reinstall the agent. Additionally, the reports could be more interactive.

I have had five years of experience with cybersecurity platforms and have been using Qualys VMDR for that duration.

I would rate the stability of the solution nine out of ten. It is a robust platform that provides consistent performance.

For scalability, I would rate it nine or 9.5 out of ten. The cloud-based architecture allows us to deploy it across multiple locations seamlessly.

The technical support provided by Qualys is good. Queries are responded to promptly, and if needed, we can contact the TAM or any POCs directly. I would rate their support nine out of ten.

Positive

Before using Qualys, we used a third-party solution for vulnerability audits and mitigations. However, we switched to Qualys because it allows us to handle everything internally, avoiding the need for additional external services.

The initial setup is agent-based and straightforward, especially if you have necessary tools like Active Directory. Given the cloud-based nature of Qualys, deployment can be completed within a day with appropriate resources.

We have seen a significant ROI with Qualys, which is estimated to be around twenty to thirty percent. It has saved a lot of time and money by allowing us to mitigate issues without user interaction and preventing breaches.

Compared to Tenable, Qualys is quite expensive. However, its performance justifies the cost, making it a worthwhile investment.

We also use Tenable Solutions for vulnerability management. However, Tenable requires manual processes for mitigation, whereas Qualys allows for automated mitigation of vulnerabilities and threats.

I would definitely recommend Qualys to other users. Depending on the number of users and specific needs, Qualys is a good vulnerability management product that offers efficient solutions. I'd rate the solution nine out of ten.

Our primary use case of the product is comprehensive vulnerability management and asset inventory across a hybrid environment consisting of both cloud and on-premises deployments. We manage approximately 45,000 endpoints spread across multiple geographical locations.

The platform's most valuable features include its robust vulnerability detection capabilities and automated remediation workflows. These features not only help us identify vulnerabilities promptly but also enable us to prioritize and remediate them efficiently.

While Qualys VMDR is comprehensive, improvements in asset management functionality would be beneficial. Additionally, reducing dependency on multiple agents for data collection across different endpoints could simplify management and resource utilization.

In the next release, enhancements in reporting and analytics would be appreciated. Advanced analytics capabilities for trend analysis and predictive insights could further empower proactive decision-making in cybersecurity management.

I have been using Qualys VMDR for approximately two years now.

The product is stable. I rate the stability a seven. 

I rate the product scalability an eight. 

The technical support services are good. 

Positive

The initial setup was relatively straightforward. They provided comprehensive documentation and support during deployment, which helped streamline the process. 

I would rate the process a seven or eight. 

We implemented the product with the help of in-house resources and support from Qualys.

We evaluated other options such as Tenable and Rapid7.

I rate Qualys VMDR a nine out of ten. 

I primarily use Qualys VMDR for daily scans, onboarding assets, scanning, reporting, and managing the entire vulnerability management process, including test management.

VMDR has significantly improved our organization by simplifying asset discovery and management. We can easily identify and categorize assets, ensuring comprehensive scanning and reporting.

Qualys Patch Management is excellent for keeping our critical servers and third-party applications updated efficiently.

One area of the product that could be improved is the management of vulnerabilities detected on disabled applications. We currently face challenges with unnecessary alerts for Microsoft Defender, which we do not use. Additionally, enhancing the alerts for agent communication failures would be beneficial.

I have been using Qualys VMDR for approximately three years.

The product has been very reliable in our day-to-day operations.

I would rate the product scalability a ten. It easily scales with our organization's growth, allowing us to add new assets and expand our coverage seamlessly. We are considering expanding our deployment to include 500 assets next year.

The initial setup was straightforward, taking less than a week to configure and generate reports. The deployment process was smooth, and we were able to integrate it effectively into our hybrid environment.

Within three months of deployment, we began seeing improvements in vulnerability management. This helped us significantly reduce vulnerabilities and streamline our patch management processes, providing a notable return on investment.

The solution is reasonably priced for the value it provides. Our contract renewal was approximately 2.5 million ZAR for three years, including managed services.

Before selecting Qualys VMDR, we evaluated other options but ultimately chose Qualys due to its comprehensive features and effective proof of concept.

We integrate Qualys VMDR with our infrastructure, conducting weekly scans and generating reports based on the findings. This provides daily views of vulnerabilities, and we use Qualys' patch management to deploy patches promptly, starting with the most severe vulnerabilities, thus reducing our threat exposure. Conducting a thorough proof of concept is essential to evaluate its effectiveness in your environment and to see how it integrates with your existing systems and handles your specific security needs.

I rate it a ten out of ten. 

The primary use case for Qualys VMDR is for infrastructure vulnerability management. It assists devices, including all infrastructure devices like serverless network devices and development environments.

The solution has improved the organization significantly because it helps in assessing and prioritizing risk. Based on the results from Qualys, I can prioritize remediations with the remediation teams, thereby reducing the volume of vulnerabilities.

The most valuable feature is the QID part, especially of CentralList, which makes it easy to assess new critical vulnerabilities. It saves a lot in assessing and prioritizing risks to the organization.

Support could be improved since the response can be slow. There is always room for improvement to align with the latest content and technologies.

I have used the solution for three years.

The solution is stable. Anytime there is downtime or maintenance, Qualys ensures that we are well-informed with priority communications.

Scalability would be rated nine or nine point five out of ten. We have high satisfaction with this aspect.

Technical support response can sometimes be slow, leading to a rating of eight or nine out of ten.

Positive

I previously used a different tool. I switched to Qualys as it didn't have the same feature set.

The initial setup was straightforward. Deployment took two to three days.

The deployment was done by a different team, so I do not have specific details about the implementation team size.

I have used RapidSky before Qualys.

I would recommend Qualys VMDR because it ensures comprehensive coverage, including aspects like vulnerability management and PCI, providing good inputs and improvements over time.

I'd rate the solution nine out of ten.

Qualys VM is used for vulnerability scans for the internet and applications using application exchange. There are many applications. We also use the solution for asset management per team, and the network scan to discover the devices on our network.

We have an excellent relationship with the vendor, so we use the solution in our company and in two other companies. We have a communication program. Japanese people can't speak English, but most of the tools have only English support, Qualys VM offers support in other languages which are essential for our company.

The most valuable feature of the solution is the external channel. The cloud-based channel within the AWS, which we implement accordingly.

The vulnerability cycle feature of the solution is valuable.

I would like to have CSPM, a continuous scan-like cloud added to the solution.

I have been using the solution for one year.

The solution is stable.

The solution is scalable.

We have 25,000 storage devices that are currently using the solution.

We previously used an AWS scanner but switched to Qualys VM because of the Japanese support and the cost. 

The initial setup is straightforward.

Qualys environment is implemented very easily, within one or two months. However, setting up the standard devices, such as opening a firewall, and preparing the network can take up to four or five months. The entire deployment takes about six months.

The implementation was completed in-house.

I give the solution an eight out of ten.

The maintenance is not difficult and we don't have any problems or concerns.

Implementation of the solution is very easy, using the solution is very easy, and it is very efficient.