Information & security engineer at Infosys
Efficient automated scans and good reliability with room for vulnerability detection improvement
Pros and Cons
- "Continuous monitoring is a crucial feature that we use more frequently."
- "There are scenarios where a vulnerability is reported once yet not in subsequent scans, even if we have not fixed it."
What is our primary use case?
We use continuous monitoring to schedule scans for all the applications in our organization. We create a parent tag and sub-tags for each application and schedule scans based on our requirements, such as every alternate day, weekly, or monthly. This helps us identify vulnerabilities in the web applications, especially those that are public-facing.
How has it helped my organization?
Since implementing Qualys, we have seen a reduction in the time required to scan applications, as it automates the process. This efficiency is one of the key improvements we have noticed. Additionally, the tool is effective compared to others, particularly for automated scans.
What is most valuable?
In Qualys VMDR, there are multiple valuable features such as Continuous Monitoring, SFU Connector, and WebVPN. Continuous monitoring is a crucial feature that we use more frequently.
What needs improvement?
There are scenarios where a vulnerability is reported once yet not in subsequent scans, even if we have not fixed it. Sometimes, Qualys is unable to crawl certain URLs due to unspecified issues. Additionally, the report download option occasionally has problems.
Buyer's Guide
Qualys VMDR
January 2025
Learn what your peers think about Qualys VMDR. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
831,265 professionals have used our research since 2012.
For how long have I used the solution?
I have been using Qualys for two years.
What do I think about the stability of the solution?
I would rate the stability as nine out of ten, indicating no significant issues with stability.
What do I think about the scalability of the solution?
The scalability of Qualys is rated as eight to nine out of ten, and there are no problems with scalability.
How are customer service and support?
The customer support system could be improved. While they respond, it takes them two to three days to address a concern, which is an issue. Overall, I would rate customer service as five or six.
How would you rate customer service and support?
Neutral
How was the initial setup?
The setup process was not within my involvement, as it was part of the project I had joined and it was already set up.
What other advice do I have?
I recommend Qualys VMDR as it effectively reduces the time required for vulnerability management and operates well with fewer people.
I'd rate the solution seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Oct 22, 2024
Information Security Manager at an outsourcing company with 51-200 employees
Accurate and effective with good reporting
Pros and Cons
- "The reporting functionality is great."
- "They're still evolving their platform in terms of reporting capabilities."
What is our primary use case?
We do vulnerability management mostly with the agents and sometimes with the scanner.
We use it to install for around 20 or 30 clients right now so that we can remotely monitor their vulnerability status and help them improve their patch management processes. When certain critical things come up, we help clients with the Log4J, identifying where they need to remediate some of the super trendy critical things that come out and identifying end-of-life operating systems and software that need to be updated.
What is most valuable?
The reporting functionality is great. The most prominent feature that made us move from Nessus Professional was the scanner-based scanning to the Qualys agent-based scanning to move to work from home and remote.
If somebody's not connected to the network, you're not going to catch them with an appliance-based scan. However, if you have the agent on, as long as they're on the network, they're constantly checking in and constantly scanning.
It's more accurate and effective to get a picture of what the vulnerabilities are in a more distributed workforce.
The reporting capabilities that are available in Qualys are a work in progress. I know they're still evolving, and it's not always perfect. However, we only have so much flexibility to pinpoint a specific thing that we want to follow or monitor across all of our clients. We can set it up in a dashboard or report and do it quickly.
What needs improvement?
They're still evolving their platform in terms of reporting capabilities. Every time they make a change, it's not always super smooth, and it's a little quirky with bugs sometimes. That said, they've been really responsive at helping resolve issues that we find. We've got a pretty close relationship with them and our account managers there. We’re working on it.
For how long have I used the solution?
We've been using it as a service provider for about a year or so.
What do I think about the stability of the solution?
The solution can sometimes be buggy.
The agent itself is stable. The reporting platform seems to go through quite a bit of change that they're trying to make it more robust and developing more things, and so we'll make customizations, and they make it update, and the customizations wipe out. I wouldn't say the reporting platform is super stable at the moment. However, it more than meets our needs far beyond what we had with Nessus Professional. The ability to monitor has been stable.
What do I think about the scalability of the solution?
It's incredibly scalable. We've got it across 20 or 30 clients, and so we're pretty happy with how scalable it is from that aspect of a multi-client platform as an MSTP of that type of service.
However, the reporting doesn't seem to be as scalable. The more clients we add to it, the slower it runs with the reporting and dashboards.
Most of our clients are small and medium-sized businesses, so each of those clients has maybe anywhere from 30 to 1,000 agents.
We do plan to increase usage. We're only a year in. We touch a couple of hundred clients a year, so we're just learning the capabilities of it and growing with Qualys as we go. We're definitely all in with Qualys at this point.
How are customer service and support?
I maybe had one meeting trying to understand how to build the dashboards; however, my colleague is the one who was selected to handle the solution and works closely with technical support. From what I heard, they've been great.
Which solution did I use previously and why did I switch?
We previously used Nessus Professional. We switched when we could no longer go use our paid scanner on a client environment due to COVID and not actually going to client offices and nobody being there. Therefore, at that time, it wouldn't have been an effective vulnerability scan, and we had to look at other options. While one of our larger clients does have Nessus iOS through the city government, and it's a great tool, the pricing model was just cost prohibitive for our users across so many clients, and so that's why we were looking at other tools.
How was the initial setup?
It's straightforward as long as the clients have any technical know-how or central management of their devices.
The agents update themselves. There isn’t maintenance necessary once it is deployed.
What's my experience with pricing, setup cost, and licensing?
I’m not clear on the pricing. We don't use it as an in-house tool, and we use it more as a managed service provider. We provide information security consulting services for many companies. When they don't have vulnerability management, we'll offer to support Qualys for them. We've got the MSP platform, and so it's not the typical pricing structure or platform. Therefore, I can’t speak to the exact pricing or typical licensing.
What other advice do I have?
We pay for the Qualys platform, and we will maintain the vulnerability management for our clients until they get their own vulnerability management solution.
I’d recommend the solution to others.
In a world of the hybrid workforce and work from home, if you're looking for a more effective vulnerability management tool, you have to go to the agent-based vulnerability management tools that are out there, and we've been extremely happy with Qualys. We were also delighted with Nessus in terms of their ability to identify things. However, an agent-based scanner is above an appliance base for known devices. Ideally, you have both of them together so you can scan your network for devices that might have an agent on it. However, for known devices, we definitely have been switching and really appreciate the switch to agent-based in Qualys.
I’d rate the solution eight out of ten. The only downside is that reporting can be slow, knowing that we're dealing with trying to load dashboards with 20,000 to 30,000 agents.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Senior Global IT Security Specialist at a manufacturing company with 1,001-5,000 employees
Real-time vulnerability detection with essential patch management, Cloud & SaaS security features make it an ideal tool for VM
Pros and Cons
- "The most valuable features of Qualys VMDR include patch management and the use of virtual scanners to scan appliances and devices, especially those provided by vendors where we cannot manage them ourselves."
- "One area for improvement is the simplification of the process to ignore certain vulnerabilities on specific devices."
What is our primary use case?
The primary focus of this solution is to identify and detect vulnerabilities in real time and use that information to patch them using the Qualys VMDR task management module. We have a variety of devices within our network, including network devices, firewalls, vCenters, VMs, web applications, and endpoints. We deploy cloud agents on workstations and servers where possible, and we scan network devices using a virtual scanner where we cannot deploy the cloud agent. Additionally, we perform web application scanning for our web apps. We also use the tool to manage our cloud security and container security.
How has it helped my organization?
With the help of Qualys VMDR, we were able to get real-time knowledge base updates from Qualys and perform scans on all devices to identify vulnerable devices. This allowed us to plan the next course of action for mitigating vulnerabilities. For example, during the zero-day events, such as the Log4j vulnerability, we received critical real-time information from Qualys, enabling us to identify and plan for mitigation while the rest of the world was still struggling. This capability has tremendously helped us maintain the cybersecurity posture within our organization.
What is most valuable?
The most valuable features of Qualys VMDR include CSAM, Qualys Gateway Service, Web Application Scanning, patch management and the use of virtual scanners to scan appliances and devices, especially those provided by vendors.
The ability to run a map scan and identify all assets within our network is extremely beneficial for medium to large organizations. Real-time asset discovery and patch management have also been vital features for us.
What needs improvement?
One area for improvement is the simplification of the process to ignore certain vulnerabilities on specific devices. Currently, the process is quite long, requiring the creation of separate knowledge bases and lists. Simplifying this to one or two clicks would be beneficial. Additionally, enhancing patch management to support third-party tools and simplifying the creation of patch jobs would greatly improve usability. Improving the interconnection between multiple modules would also be helpful, making navigation and operations more straightforward.
For how long have I used the solution?
I have been using Qualys VMDR for more than two to three years now.
What do I think about the stability of the solution?
I would rate the stability of Qualys VMDR as eight. It is a stable solution with minimal issues.
What do I think about the scalability of the solution?
The scalability of Qualys VMDR is good. If we add additional resources, the tool can scale efficiently, ingesting new data seamlessly. Qualys has auto-scaling enabled for their cloud platform, which ensures performance remains high, even with increased resources.
How are customer service and support?
Technical support from Qualys needs some improvement. There are instances where Level 2 support is not able to assist, requiring escalation, which can take time. Overall, basic troubleshooting and issue resolution are straightforward.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I have worked with other vulnerability management solutions prior to Qualys. In my current organization, we selected Qualys after a POC. Other tools have not evolved as well as Qualys has over the years, making Qualys the preferred solution.
How was the initial setup?
The initial setup of Qualys VMDR is straightforward. The setup's complexity depends on the organization’s size and collaboration with various teams. For organizations with a clear device inventory, the deployment can be completed within a month.
What about the implementation team?
In-house
Which other solutions did I evaluate?
We evaluated other tools available in the market during our POC process yet found Qualys to be the best solution.
What other advice do I have?
I would recommend Qualys VMDR to other users if they want a comprehensive solution for real-time vulnerability detection and mitigation. The tool is easy to implement, backed by a reliable knowledge base, and offers quick updates during zero-day events. While there are areas for improvement, such as simplifications in handling certain features, the overall solution is robust and effective.
I'd rate the solution eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Sep 18, 2024
Server Services Operation Head at a logistics company with 10,001+ employees
Has robust vulnerability detection capabilities and good technical support services
Pros and Cons
- "The platform's most valuable features include its robust vulnerability detection capabilities and automated remediation workflows."
- "While Qualys VMDR is comprehensive, improvements in asset management functionality would be beneficial."
What is our primary use case?
Our primary use case of the product is comprehensive vulnerability management and asset inventory across a hybrid environment consisting of both cloud and on-premises deployments. We manage approximately 45,000 endpoints spread across multiple geographical locations.
What is most valuable?
The platform's most valuable features include its robust vulnerability detection capabilities and automated remediation workflows. These features not only help us identify vulnerabilities promptly but also enable us to prioritize and remediate them efficiently.
What needs improvement?
While Qualys VMDR is comprehensive, improvements in asset management functionality would be beneficial. Additionally, reducing dependency on multiple agents for data collection across different endpoints could simplify management and resource utilization.
In the next release, enhancements in reporting and analytics would be appreciated. Advanced analytics capabilities for trend analysis and predictive insights could further empower proactive decision-making in cybersecurity management.
For how long have I used the solution?
I have been using Qualys VMDR for approximately two years now.
What do I think about the stability of the solution?
The product is stable. I rate the stability a seven.
What do I think about the scalability of the solution?
I rate the product scalability an eight.
How are customer service and support?
The technical support services are good.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup was relatively straightforward. They provided comprehensive documentation and support during deployment, which helped streamline the process.
I would rate the process a seven or eight.
What about the implementation team?
We implemented the product with the help of in-house resources and support from Qualys.
Which other solutions did I evaluate?
We evaluated other options such as Tenable and Rapid7.
What other advice do I have?
I rate Qualys VMDR a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Jul 18, 2024
Senior Consultant at Tata Consultancy
Great support, good training, and lots of great features
Pros and Cons
- "It's stable and quite reliable."
- "There needs to be better documentation."
What is our primary use case?
Qualys has many products. However, the prominent one is for scanning the vulnerabilities on endpoints, including servers and desktops. The other can be for using multiple other products, like taking the certificate, inventory, and software inventory of endpoints through scanning.
Additionally, we use the solution for web application scanning. When they have web applications, they can scan applications for various vulnerabilities and give recommendations.
What is most valuable?
Almost all of the features are great. We use Qualys for vulnerability scanning of servers and web application scanning. These are the two prominent features that we often use.
The initial setup is very straightforward.
It's stable and quite reliable.
The product can scale.
Technical support is helpful, and the product provides a good amount of training.
What needs improvement?
Qualys has evolved a lot. It is one of the services that has evolved a lot, and we do recommend Qualys to the specs tent.
However, their products are very modular, so for customers, they need to provide some roadmap on how the customer can utilize their products. For example, starting with vulnerability scanning, they need to show how they can extend their products for multiple other use cases. They need to do a better job of educating customers more.
There needs to be better documentation.
Maybe their price scheduler could be made simpler.
It's expensive.
For how long have I used the solution?
We've been using Qualys for a long time. I've used it for more than five years.
What do I think about the stability of the solution?
It is stable. It is reliable. The solution doesn't have any bugs or glitches, and it doesn't crash or freeze.
What do I think about the scalability of the solution?
It's scalable. It's easy to expand.
Many people use the solution. There are likely more than 10,000 users.
The usage is based on the business requirements. It all depends on the service offering.
How are customer service and support?
They do offer a lot of support in the form of training for users. They also offer labs. The technical teams are reachable. Technical support is quite good with them.
How would you rate customer service and support?
Positive
How was the initial setup?
This is an easy product to set up. It's not very complex to implement.
The deployment was very fast. We could do it in about a week's time. It can be done very quickly. There are just some configurations on the cloud, and you can handle the agent deployment using some deployment tools.
What's my experience with pricing, setup cost, and licensing?
We pay an annual licensing fee.
Prices do vary. If it is for a standard solution, they are the best. If a company goes for some advanced solutions, like web scanning, it does become pricey. However, the basic solution is good. It's just the advanced solutions that drive up the price.
What other advice do I have?
I am a consultant.
I'd recommend the solution to others.
I would rate the product ten out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Head of IT at a manufacturing company with 10,001+ employees
Has an effective tagging system and authentication mechanism compared to other tools
Pros and Cons
- "The process of defining and discovering scans is organized efficiently."
- "Qualys could improve the inbuilt dashboards."
What is our primary use case?
We use the product for enterprise network infrastructure scanning.
What is most valuable?
The product has multiple valuable areas. The process of defining and discovering scans is organized efficiently. It has an effective tagging system and authentication mechanism compared to other tools. Its integration with AD helps us a lot. Additionally, I like the report generation feature.
What needs improvement?
Qualys could improve the inbuilt dashboards. They could be advanced compared to competitors like Rapid7 and Tenable. They should include a faster reverse integration process. They could enhance its integration with ServiceNow CMDB to ensure that mapping IP addresses, domains, and NetBIOS names is consistent and accurate.
For how long have I used the solution?
We have been using Qualys VMDR for nearly two and a half years.
What do I think about the stability of the solution?
I rate the product's stability a nine out of ten. I have rarely seen any stability issues with Qualys.
What do I think about the scalability of the solution?
I rate the product's scalability an eight out of ten. We only recommend some people use Qualys in our organization. It is a limited audience. It is used by the vulnerability management team and a few critical resources from different parts of the cybersecurity department. We have 50 users in total. They should provide role-based access for managers, reviewers, and scanners.
How was the initial setup?
The initial setup process is simple as I have prior experience working on two full-time projects with it. I find it simple as I have enough background knowledge of it.
What's my experience with pricing, setup cost, and licensing?
The product is more expensive than that of any other vendor.
Which other solutions did I evaluate?
I did work on Tenable's POC and some other vendors. It has some limitations in detecting different types of vulnerabilities or false positives. Qualys is on the higher side when compared to the other tools.
What other advice do I have?
I rate the product an eight out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Technology Security Analyst at Culina Group Limited
With an interesting dashboard, the solution offers stability and scalability
Pros and Cons
- "I find the solution's dashboard interesting...The response time is fine. You can pull up reports without dragging or consuming bandwidth."
- "It is a struggle to be able to pull our report and to be able to do onboarding using automated tools."
What is our primary use case?
Using the solution, I go through the reports and advise my organization on what needs to be done and how to go about it.
What is most valuable?
I find the solution's dashboard interesting since we get a proper view to streamline our findings and assist in prioritizing the schedule for patching or any other related incidents we believe have already been worked on.
What needs improvement?
Presently, I am more of the technical part. I am allowed to just go through the details of the report, which has been very interesting. It is a struggle to be able to pull our report and to be able to do onboarding using automated tools. So basically, the aforementioned aspect of the report needs improvement.
Presently, whatever I'm working on has been quite fantastic to the best of my knowledge.
For how long have I used the solution?
I have been using Qualys VMDR. I have been using it on my own site as a client. I am just a consultant. I work with Qualys VMDR due to my understanding of the product so that I can help my clients check one or two things that can help improve the digital infrastructure part.
What do I think about the stability of the solution?
The stability of the tool is okay. Most of the time, you need to do the updates online to be able to get off from any vulnerability. As long as you are online since it's on the cloud, it's just as software of which the update has been handled on the cloud as well.
The response time is fine. You can pull up reports without dragging or consuming bandwidth.
What do I think about the scalability of the solution?
The scalability of the tool is okay. Scalability-wise, I rate the solution an eight out of ten. I have not been able to have the solution function at a large scale. Hence, I will be able to categorically say that everything is fantastic.
How are customer service and support?
Presently on my own part, I've not been able to experience the support, but I can search the technical algorithm of which I've not yet got any reports.
How was the initial setup?
The initial setup phase has been quite interesting because of our experience when we had to use the agents on most of the endpoints, which means it was okay for us.
The solution is deployed on the cloud.
What other advice do I have?
I would tell those planning to use it that it is definitely not about the technology. However, at the same time, if you have the technology, make sure you have the right person with the ability to assist you in addressing the advantages of the product.
I rate the overall product an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Manager -Cloud Security at Capgemini
Continuous endpoint monitoring and amazing dashboards
Pros and Cons
- "Qualys has a continuous endpoint monitoring feature for agent-based scanning. Once you deploy the solution, it monitors everything that is happening every 30 minutes. Then, if there are any vulnerabilities, they are reported."
- "Qualys should improve their customer experience. They need to improve the tech support experience and the turnaround time."
What is most valuable?
Qualys has a continuous endpoint monitoring feature for agent-based scanning. Once you deploy the solution, it monitors everything that is happening every 30 minutes. Then, if there are any vulnerabilities, they are reported. Plus, the dashboards are amazing. There are so many dashboards and things in the console that you can explore, which I think other solutions, Tenable.io for example, are still working on.
What needs improvement?
They have everything covered as far as features are concerned, but Qualys should improve their customer experience. They need to improve the tech support experience and the turnaround time.
For how long have I used the solution?
I've been working with this solution for one to two years.
What do I think about the stability of the solution?
This solution is definitely stable.
What do I think about the scalability of the solution?
The solution is scalable.
How are customer service and support?
I am not happy with the technical support because I had a very bad experience with them. On a scale of one to five, I would give Qualys tech support a two.
How would you rate customer service and support?
Neutral
How was the initial setup?
There were a few challenges. I had an integration issue with Qualys where they had to enable the data privacy from the back end because I couldn't integrate it with the SIEM.
What was our ROI?
The ROI is definitely good for this solution.
What's my experience with pricing, setup cost, and licensing?
Qualys is a pay-as-you-go model, so there's flexibility to the pricing.
What other advice do I have?
Everything is well-documented by Qualys. Their white paper is published and they have much visibility across the globe and on different platforms. If you look into their educational YouTube channel, you get a lot of information. There are a lot of seminars and talks on Qualys VMDR features.
The advantage with Qualys is that you get a lot of features because it has been a market leader for quite a long time. The solution has an agent-based approach and I think it is highly evolved when compared to Tenable, for example. However, Qualys is a bit highly priced so if you're looking strictly at pricing, I think you will get a better value with Tenable.
I would rate this solution as a nine out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.