Qualys VMDR Reviews

Qualys VMDR is used as a vulnerability management tool. We have more than a thousand users in our company, and we have integrated Qualys with their machines to help update software and measure known or unknown risks, prioritize them, and patch the devices. We monitor and mitigate alerts, and we find vulnerabilities in specific machines or systems, which we then address.

Before implementing Qualys, we used third-party companies to conduct vulnerability audits and paid them separately for mitigation. With Qualys, we now conduct our vulnerability management and mitigation internally, saving both time and money since we can monitor every system and threat without requiring manual processes or third-party involvement. This has resulted in significant ROI and reduced the risk of breaches.

The best features of Qualys VMDR are its patch management capabilities and the ability to mitigate vulnerabilities automatically. The report export feature allows us to see how many incidents have been mitigated and which ones still need attention. The compliance dashboard helps us track and fix threats efficiently, ensuring all machines comply with security standards.

The user interface (UI) is quite complicated. Initial-stage engineers or analysts might miss something due to the complexity. Also, for hybrid users, the agent might get disconnected, requiring users to revisit the office to reinstall the agent. Additionally, the reports could be more interactive.

I have had five years of experience with cybersecurity platforms and have been using Qualys VMDR for that duration.

I would rate the stability of the solution nine out of ten. It is a robust platform that provides consistent performance.

For scalability, I would rate it nine or 9.5 out of ten. The cloud-based architecture allows us to deploy it across multiple locations seamlessly.

The technical support provided by Qualys is good. Queries are responded to promptly, and if needed, we can contact the TAM or any POCs directly. I would rate their support nine out of ten.

Positive

Before using Qualys, we used a third-party solution for vulnerability audits and mitigations. However, we switched to Qualys because it allows us to handle everything internally, avoiding the need for additional external services.

The initial setup is agent-based and straightforward, especially if you have necessary tools like Active Directory. Given the cloud-based nature of Qualys, deployment can be completed within a day with appropriate resources.

We have seen a significant ROI with Qualys, which is estimated to be around twenty to thirty percent. It has saved a lot of time and money by allowing us to mitigate issues without user interaction and preventing breaches.

Compared to Tenable, Qualys is quite expensive. However, its performance justifies the cost, making it a worthwhile investment.

We also use Tenable Solutions for vulnerability management. However, Tenable requires manual processes for mitigation, whereas Qualys allows for automated mitigation of vulnerabilities and threats.

I would definitely recommend Qualys to other users. Depending on the number of users and specific needs, Qualys is a good vulnerability management product that offers efficient solutions. I'd rate the solution nine out of ten.

Qualys VM is used for vulnerability scans for the internet and applications using application exchange. There are many applications. We also use the solution for asset management per team, and the network scan to discover the devices on our network.

We have an excellent relationship with the vendor, so we use the solution in our company and in two other companies. We have a communication program. Japanese people can't speak English, but most of the tools have only English support, Qualys VM offers support in other languages which are essential for our company.

The most valuable feature of the solution is the external channel. The cloud-based channel within the AWS, which we implement accordingly.

The vulnerability cycle feature of the solution is valuable.

I would like to have CSPM, a continuous scan-like cloud added to the solution.

I have been using the solution for one year.

The solution is stable.

The solution is scalable.

We have 25,000 storage devices that are currently using the solution.

We previously used an AWS scanner but switched to Qualys VM because of the Japanese support and the cost. 

The initial setup is straightforward.

Qualys environment is implemented very easily, within one or two months. However, setting up the standard devices, such as opening a firewall, and preparing the network can take up to four or five months. The entire deployment takes about six months.

The implementation was completed in-house.

I give the solution an eight out of ten.

The maintenance is not difficult and we don't have any problems or concerns.

Implementation of the solution is very easy, using the solution is very easy, and it is very efficient.

Qualys has many products. However, the prominent one is for scanning the vulnerabilities on endpoints, including servers and desktops. The other can be for using multiple other products, like taking the certificate, inventory, and software inventory of endpoints through scanning. 

Additionally, we use the solution for web application scanning. When they have web applications, they can scan applications for various vulnerabilities and give recommendations.

Almost all of the features are great. We use Qualys for vulnerability scanning of servers and web application scanning. These are the two prominent features that we often use.

The initial setup is very straightforward. 

It's stable and quite reliable.

The product can scale. 

Technical support is helpful, and the product provides a good amount of training. 

Qualys has evolved a lot. It is one of the services that has evolved a lot, and we do recommend Qualys to the specs tent. 

However, their products are very modular, so for customers, they need to provide some roadmap on how the customer can utilize their products. For example, starting with vulnerability scanning, they need to show how they can extend their products for multiple other use cases. They need to do a better job of educating customer more.

There needs to be better documentation. 

Maybe their price scheduler could be made simpler.

It's expensive.

We've been using Qualys for a long time. I've used it for more than five years.

It is stable. It is reliable. The solution doesn't have any bugs or glitches, and it doesn't crash or freeze.

It's scalable. It's easy to expand. 

Many people use the solution. There are likely more than 10,000 users.

The usage is based on the business requirements. It all depends on the service offering.

They do offer a lot of support in the form of training for users. They also offer labs. The technical teams are reachable. Technical support is quite good with them.

Positive

This is an easy product to set up. It's not very complex to implement.

The deployment was very fast. We could do it in about a week's time. It can be done very quickly. There are just some configurations on the cloud, and you can handle the agent deployment using some deployment tools. 

We pay an annual licensing fee. 

Prices do vary. If it is for a standard solution, they are the best. If a company goes for some advanced solutions, like web scanning, it does become pricey. However, the basic solution is good. It's just the advanced solutions that drive up the price.

I am a consultant. 

I'd recommend the solution to others. 

I would rate the product ten out of ten.

The primary use case for Qualys VMDR is for infrastructure vulnerability management. It assists devices, including all infrastructure devices like serverless network devices and development environments.

The solution has improved the organization significantly because it helps in assessing and prioritizing risk. Based on the results from Qualys, I can prioritize remediations with the remediation teams, thereby reducing the volume of vulnerabilities.

The most valuable feature is the QID part, especially of CentralList, which makes it easy to assess new critical vulnerabilities. It saves a lot in assessing and prioritizing risks to the organization.

Support could be improved since the response can be slow. There is always room for improvement to align with the latest content and technologies.

I have used the solution for three years.

The solution is stable. Anytime there is downtime or maintenance, Qualys ensures that we are well-informed with priority communications.

Scalability would be rated nine or nine point five out of ten. We have high satisfaction with this aspect.

Technical support response can sometimes be slow, leading to a rating of eight or nine out of ten.

Positive

I previously used a different tool. I switched to Qualys as it didn't have the same feature set.

The initial setup was straightforward. Deployment took two to three days.

The deployment was done by a different team, so I do not have specific details about the implementation team size.

I have used RapidSky before Qualys.

I would recommend Qualys VMDR because it ensures comprehensive coverage, including aspects like vulnerability management and PCI, providing good inputs and improvements over time.

I'd rate the solution nine out of ten.

We have multiple modules, including Qualys VMDR solution and Qualys TotalCloud solution. We use them in our organization, like VMDR, for vulnerability management, detection, and response, as well as policy compliance to amend policies according to CIA benchmarks and other frameworks. 

We also use the web application module and the Qualys Gateway module to ensure that scanner appliances are functioning properly. These modules allow us to check various scenarios and initiate scans, either on-demand or as per a scheduled plan.

My primary work is with VMDR module. In my previous organization, I worked with TotalCloud, but right now, I am focused only on VMDR and other modules.

Sometimes, we receive CVIDs from customers who require vulnerability scans, but they are not available in the Qualys knowledge base. This makes it complicated because we need to contact Qualys to add the required QID and CVID to their knowledge base and provide the corresponding vulnerability criteria. It affects our business since, without that information, we can't identify or notify our teams about the vulnerabilities.

Compared to other tools, VMDR provides a clearer view and is easy to understand. It's also highly customizable, allowing us to tailor it to our needs. I find it to be better than tools like Belwix, Rapid7, and Tenable.

For asset management, there's a feature that tracks unused machines and purging mechansim. It informs us if a machine hasn’t been used for 180 days, or if it’s been idle for 368 days, allowing us to segregate the data. This reduces our active vulnerability count, which improves tracking and helps us provide more accurate information to customers. It gives more active grip on the information.

With continuous monitoring, we can customize dashboards according to customer needs. Whether they require reports on a daily, weekly, or quarterly basis, we can set up the dashboard to display the relevant data. It's essential to understand their requirements and adjust the Qualys Query Language (QQL) accordingly. A solid grasp of QQL is a plus when working with Qualys.

Sometimes, it can take more time than other tools to resolve certain issues. For example, if there's a problem with policy compliance, you might not get an immediate solution from Qualys' technical team. 

Occasionally, customers ask for RCA (Root Cause Analysis), and if Qualys doesn't provide it, we can't give a clear answer. This can be frustrating, but it doesn't happen in every case.

In terms of improvement for the web application console, in the older version, things were more segregated and presented in a brief format. However, in the latest version, you have to write a query to retrieve the kind of data you want. Sometimes, if you write the wrong query, you don't get the proper count or the right data, such as how many days a scan has been failing. This can be an issue if you're not familiar with the query language. So, they should offer an optional feature where, if someone isn't familiar with the query language, they can use tab buttons or other features to enable or disable options and get the correct data and information on time.

Qualys VMDR should enhance the EDR (Endpoint Detection and Response) part because there's a lack of information and features in Qualys EDR. Sometimes, organizations have to buy different EDR tools, like Carbon Black and others, to cover the gap.

From a learning perspective, Qualys VMDR needs to improve. Right now, they only provide information, but they don't offer any library or testing environment. Often, customers don't allow changes to be made in the live environment, and I don’t think it’s a good idea to make any changes directly there. It would be great if they could provide a lab environment for testing. That would be really useful.

Qualys is updating certain product modules. Sometimes, they need to provide clearer deadlines. Customers aren't always informed when Qualys updates a module from the backend, which can disrupt our work. For example, they recently updated the "Asset View" module and converted it to "Cybersecurity Asset Management." Customers weren’t aware of this change beforehand.

In situations like this, they need to ensure that they provide proper information, SOPs, or documents so we can share them with customers. Customers also have access to the tool, so they can use the SOPs to learn how the updates work. This would improve productivity because we wouldn't need to spend extra time learning how to use the updated tool.

I have been using it for around four years. 

It’s very stable. Qualys provides advisories faster than other tools when it comes to exploitable vulnerabilities. This helps ensure we can secure the environment promptly.

But, last year we did encounter an issue with the Qualys Gateway Console, where the gateway went down and it took around six hours to set up a new one. After that, we implemented two gateways to ensure we could switch to a secondary one if the primary failed.

Around 300 users work with Qualys, with different permission levels—leaders, managers, and regular users. We have over 50,000 hardware devices in total.

We have a dedicated person for support. She’s always available to help, or if she's on leave, she ensures someone else is aligned to handle our cases, so we don’t breach any timelines. I'd give the support a high rating.

Positive

In other tools, like Rapid7 and InsightVM, everything is done within a single module. In Qualys, we have separated modules with distinct functionalities. You can choose to purchase only the modules and licenses you need, which makes it cost-effective. You don’t have to pay for features you're not using, unlike other tools where everything is bundled.

It's not an issue with Qualys itself. We encountered some problems when migrating from physical scanners to virtual ones, but that was more on our network team’s side. Qualys provided excellent support in that scenario, which helped us identify and resolve the issue on time, and we provided the solution to our customer.

I work with the on-premises version. We updated from physical scanners to virtual scanners.

In my previous organization, I worked on deploying the solution. There, I customized the Windows OS image so that when you install the image on any machine, it prompts for a key that’s already embedded. Once the steps are completed, it automatically installs the Cloud Agent module on every machine. The agent syncs data every four hours, providing vulnerability data and security insights for each machine.

It’s not a one-person task. We had to coordinate with several teams, such as the network and system teams, for deployment. In total, we worked with about six teams during the process.

For about 1,400 machines, it took around three months to complete the deployment and resolve any issues. For example, sometimes policies weren't pushed properly from Ivanti or other tools, or users didn’t turn on their machines, which stopped Qualys services. We had to address these issues for each user, so it took some time. But we completed the deployment in about three months.

Maintenance isn't difficult, especially when working with the Cloud Agent. You just need to set up rules, like purging machines that haven’t connected to the network in three months. You write policies to manage this, which simplifies the decommissioning process and other tasks.

Qualys provides good value for the investment. Before using Qualys, we weren’t clear on how many assets needed purging or how many open vulnerabilities we had. Qualys gave us a clearer picture, so from a cost perspective, it’s been valuable.

I would recommend it. For enterprises, I’d suggest understanding how the tool works and which modules meet your needs. It’s important to coordinate with the customer team or Qualys technical team to figure out how many licenses you need and which modules will benefit your organization. Proper calculation and understanding are key before purchasing.

Overall, I would rate it a nine out of ten. 

Qualys has a continuous endpoint monitoring feature for agent-based scanning. Once you deploy the solution, it monitors everything that is happening every 30 minutes. Then, if there are any vulnerabilities, they are reported. Plus, the dashboards are amazing. There are so many dashboards and things in the console that you can explore, which I think other solutions, Tenable.io for example, are still working on. 

They have everything covered as far as features are concerned, but Qualys should improve their customer experience. They need to improve the tech support experience and the turnaround time. 

I've been working with this solution for one to two years.

This solution is definitely stable.

The solution is scalable. 

I am not happy with the technical support because I had a very bad experience with them. On a scale of one to five, I would give Qualys tech support a two.

Neutral

There were a few challenges. I had an integration issue with Qualys where they had to enable the data privacy from the back end because I couldn't integrate it with the SIEM.

The ROI is definitely good for this solution. 

Qualys is a pay-as-you-go model, so there's flexibility to the pricing. 

Everything is well-documented by Qualys. Their white paper is published and they have much visibility across the globe and on different platforms. If you look into their educational YouTube channel, you get a lot of information. There are a lot of seminars and talks on Qualys VMDR features.

The advantage with Qualys is that you get a lot of features because it has been a market leader for quite a long time. The solution has an agent-based approach and I think it is highly evolved when compared to Tenable, for example. However, Qualys is a bit highly priced so if you're looking strictly at pricing, I think you will get a better value with Tenable. 

I would rate this solution as a nine out of ten.

The primary focus of this solution is to identify and detect vulnerabilities in real time and use that information to patch them using Qualys VMDR task management module. We have a variety of devices within our network, including network devices, firewalls, vCenters, VMs, web applications, and endpoints. We deploy cloud agents on workstations and servers where possible, and we scan network devices using a virtual scanner where we cannot deploy the cloud agent. Additionally, we perform web application scanning for our web apps. We also use the tool to manage our cloud security and container security.

With the help of Qualys VMDR, we were able to get real-time knowledge base updates from Qualys and perform scans on all devices to identify vulnerable devices. This allowed us to plan the next course of action for mitigating vulnerabilities. For example, during the zero-day events, such as the Log4j vulnerability, we received critical real-time information from Qualys, enabling us to identify and plan for mitigation while the rest of the world was still struggling. This capability has tremendously helped us maintain the cybersecurity posture within our organization.

The most valuable features of Qualys VMDR include CSAM, Qualys Gateway Service, Web Application Scanning, patch management and the use of virtual scanners to scan appliances and devices, especially those provided by vendors. 

The ability to run a map scan and identify all assets within our network is extremely beneficial for medium to large organizations. Real-time asset discovery and patch management have also been vital features for us.

One area for improvement is the simplification of the process to ignore certain vulnerabilities on specific devices. Currently, the process is quite long, requiring the creation of separate knowledge bases and lists. Simplifying this to one or two clicks would be beneficial. Additionally, enhancing patch management to support third-party tools and simplifying the creation of patch jobs would greatly improve usability. Improving the interconnection between multiple modules would also be helpful, making navigation and operations more straightforward.

I have been using Qualys VMDR for more than two - three years now.

I would rate the stability of Qualys VMDR as eight. It is a stable solution with minimal issues.

The scalability of Qualys VMDR is good. If we add additional resources, the tool can scale efficiently, ingesting new data seamlessly. Qualys has auto-scaling enabled for their cloud platform, which ensures performance remains high, even with increased resources.

Technical support from Qualys needs some improvement. There are instances where Level 2 support is not able to assist, requiring escalation, which can take time. Overall, basic troubleshooting and issue resolution are straightforward.

Neutral

I have worked with other vulnerability management solutions prior to Qualys. In my current organization, we selected Qualys after a POC. Other tools have not evolved well as Qualys has over the years, making Qualys the preferred solution.

The initial setup of Qualys VMDR is straightforward. The setup's complexity depends on the organization’s size and collaboration with various teams. For organizations with a clear device inventory, the deployment can be completed within a month.

In-house

We evaluated other tools available in the market during our POC process yet found Qualys to be the best solution.

I would recommend Qualys VMDR to other users if they want a comprehensive solution for real-time vulnerability detection and mitigation. The tool is easy to implement, backed by a reliable knowledge base, and offers quick updates during zero-day events. While there are areas for improvement, such as simplifications in handling certain features, the overall solution is robust and effective.

I'd rate the solution eight out of ten.

We do vulnerability management mostly with the agents and sometimes with the scanner.

We use it to install for around 20 or 30 clients right now so that we can remotely monitor their vulnerability status and help them improve their patch management processes. When certain critical things come up, we help clients with the Log4J, identifying where they need to remediate some of the super trendy critical things that come out and identifying end-of-life operating systems and software that need to be updated.

The reporting functionality is great. The most prominent feature that made us move from Nessus Professional was the scanner-based scanning to the Qualys agent-based scanning to move to work from home and remote.

If somebody's not connected to the network, you're not going to catch them with an appliance-based scan. However, if you have the agent on, as long as they're on the network, they're constantly checking in and constantly scanning.

It's more accurate and effective to get a picture of what the vulnerabilities are in a more distributed workforce.

The reporting capabilities that are available in Qualys are a work in progress. I know they're still evolving, and it's not always perfect. However, we only have so much flexibility to pinpoint a specific thing that we want to follow or monitor across all of our clients. We can set it up in a dashboard or report and do it quickly.

They're still evolving their platform in terms of reporting capabilities. Every time they make a change, it's not always super smooth, and it's a little quirky with bugs sometimes. That said, they've been really responsive at helping resolve issues that we find. We've got a pretty close relationship with them and our account managers there. We’re working on it.

We've been using it as a service provider for about a year or so.

The solution can sometimes be buggy.

The agent itself is stable. The reporting platform seems to go through quite a bit of change that they're trying to make it more robust and developing more things, and so we'll make customizations, and they make it update, and the customizations wipe out. I wouldn't say the reporting platform is super stable at the moment. However, it more than meets our needs far beyond what we had with Nessus Professional. The ability to monitor has been stable.

It's incredibly scalable. We've got it across 20 or 30 clients, and so we're pretty happy with how scalable it is from that aspect of a multi-client platform as an MSTP of that type of service.

However, the reporting doesn't seem to be as scalable. The more clients we add to it, the slower it runs with the reporting and dashboards.

Most of our clients are small and medium-sized businesses, so each of those clients has maybe anywhere from 30 to 1,000 agents.

We do plan to increase usage. We're only a year in. We touch a couple of hundred clients a year, so we're just learning the capabilities of it and growing with Qualys as we go. We're definitely all in with Qualys at this point.

I maybe had one meeting trying to understand how to build the dashboards, however, my colleague is the one that was selected to handle the solution and works closely with technical support. From what I heard, they've been great.

We previously used Nessus Professional. We switched when we could no longer go use our paid scanner on a client environment due to COVID and not actually going to client offices and nobody being there. Therefore, at that time, it wouldn't have been an effective vulnerability scan, and we had to look at other options. While one of our larger clients does have Nessus iOS through the city government, and it's a great tool, the pricing model was just cost prohibitive for our users across so many clients, and so that's why we were looking at other tools.

It's straightforward as long as the clients have any technical know-how or central management of their devices.

The agents update themselves. There isn’t maintenance necessary once it is deployed.

I’m not clear on the pricing. We don't use it as an in-house tool, and we use it more as a managed service provider. We provide information security consulting services for many companies. When they don't have vulnerability management, we'll offer to support Qualys for them. We've got the MSP platform, and so it's not the typical pricing structure or platform. Therefore, I can’t speak to the exact pricing or typical licensing.

We pay for the Qualys platform, and we will maintain the vulnerability management for our clients until they get their own vulnerability management solution.

I’d recommend the solution to others.

In a world of the hybrid workforce and work from home, if you're looking for a more effective vulnerability management tool, you have to go to the agent-based vulnerability management tools that are out there, and we've been extremely happy with Qualys. We were also delighted with Nessus in terms of their ability to identify things. However, an agent-based scanner is above an appliance base for known devices. Ideally, you have both of them together so you can scan your network for devices that might have an agent on it. However, for known devices, we definitely have been switching and really appreciate the switch to agent-based in Qualys.

I’d rate the solution eight out of ten. The only downside is that reporting can be slow, knowing that we're dealing with trying to load dashboards with 20,000 to 30,000 agents.