Qualys VMDR Reviews

Qualys VMDR is a vulnerability management and detection response tool. It belongs to the first generation of vulnerability assessment tools. It enables us to manually identify vulnerable keys and fix them. It is built as a cutting-edge continuous platform where we can detect and protect. With this product, we can respond to specific vulnerabilities, going beyond just using artificial intelligence features. We have implemented VMDR across our cloud, physical interfaces, endpoints, and log servers. It's a good digital product for our organization.

It has improved our organization in many ways. We needed to have a security solution that focuses on different types of things. We discussed budgeting for the cloud and the need for an alternative to taking care of malware. Additionally, we have to consider various attacks. Therefore, Qualys VMDR is a great tool that helps us improve.

The most valuable feature is automation.

Qualys VMDR is basically susceptible to false positives, and false negatives. We receive a lot of false positives in there. VMDR can be considered a complex solution, especially for enterprises with limited resources or organizations. It requires extensive knowledge as an engineer. So, when using this tool, you need to utilize other tools to remediate the false security issues.

So maybe it should also have the ability to automatically identify and address false positives. In additional features, an automated process for remediating false positives. We might be looking for new types of signatures that can help us identify and address specific issues.

I have been using Qualys VMDR for one last year. 

I would rate the stability an eight out of ten.

I would rate the scalability an eight out of ten.

It took us one month to set up.

I have seen an ROI.

The price is very reasonable, so you can definitely go with all the endpoints it offers.  

Just consider the licenses we have within VMware. They could replicate some of these features, which are used for premium customers. So, it might be useful to include those features in the subscription plans.

Overall, I would rate the solution a nine out of ten.

We use Qualys VMDR to scan our public websites and products, anywhere that is publicly available. We deploy it through Qualys's cloud scanner.

Qualys VMDR provides us with a quick response to threat findings through regular scheduled scanning, which improves our security operations. It also offers an impressive knowledge base for quick research results and coverage of all vulnerabilities.

The knowledge base is the most impressive feature because it provides quick research results and coverage of all vulnerabilities. Additionally, the real-time threat detection feature provides quick responses to threat findings.

Qualys VMDR should improve authenticated scanning capabilities. It currently only allows basic authorization tokens and preset parameters. In contrast, Burp's in-built browser works more like a proxy, which makes security testing easier and more accurate. Pricing is also an issue; it's high enough to deter mid-sized to small companies. Moreover, the technical support is slow and tends to just reference documentation rather than providing real technical assistance.

I have been using it personally for five years, while my company has been using it for three years.

The technical support is slow to respond. Most likely, they just provide reference links for documentation instead of offering in-depth technical guidance. This level of support doesn't compare well to others like Cisco, Juniper, or Avaya, which offer more hands-on assistance.

Neutral

This goes beyond my scope of responsibilities and is managed by my superior.

The pricing for Qualys products is too high, and the licensing model involves paying for the whole bundle, which may not be affordable for mid-sized to small companies.

We are currently looking for alternatives to Qualys by researching competitor products on the market.

For midsize to small-size companies, Qualys might not be the best choice if you don't have enough funding for security due to its high pricing. Qualys VMDR is still recommended for comprehensive vulnerability management but be prepared for slow technical support.

I'd rate the solution nine out of ten.

Our use cases are primarily on-premises vulnerability management and remediation, external attack surface management and vulnerability scanning.

The benefits I've seen are twofold. The biggest benefit is from a security operations perspective, where we are able to drive our security posture upwards by remediating any discovered vulnerabilities. We can also automate the remediation process. The other big benefit is executive reporting because it's very easy to produce trends over time to report on risk.

The most valuable features are vulnerability detection, patching capabilities, and remediation. Cloud security posture management is also very valuable. I find these features valuable because getting a unified view of your cloud security posture across different environments is not always easy. For example, you might have most of your resources sitting in Azure, but you might have a couple of workloads in AWS. Naturally, there are different tools that report on that, so it's invaluable to have those pulled into a single dashboard so you can drive your remediation from a single platform.

If anything, I would like to see the user interface modernized a bit more. Also, there are a lot of various modules, and if they could be consolidated into fewer options, it would make the buying experience easier.

I've been working with Qualys VMDR for the last three years or so.

We haven’t faced any issues, the solution is very stable.

Because the management sits in the cloud, you don't have to worry about management appliances or anything like that on-premise, so the solution is very scalable. You can split your assets into asset groups and delegate management to different teams. Around 1,000 users are using Qualys in my organization across 60 locations.

We've had very few technical issues, and the customer support team has quickly resolved issues we've had.

Positive

In the first step, Qualys provisions your cloud-based management instance. From there, you get a small, lightweight agent deployed by deployment technology like Microsoft Intune, in our case, SCCM, or any deployment technology.

We worked with BCX Namibia and the Qualys team in South Africa while deploying the solution. It took two weeks to deploy the solution. The solution is not difficult to maintain because the management component is cloud-based and is taken care of by Qualys. Any agent upgrades that might be necessary are very seamless.

We have seen an ROI using Qualys. Most breaches nowadays are because of a vulnerability that is exploited. By virtue of being able to identify and remediate these vulnerabilities, I believe we are significantly driving our cybersecurity risk downwards.

The pricing is very competitive, especially because Qualys is integrated and does vulnerability management and remediation patching in one solution, so there's no need for a separate patching solution. You can also get very granular with the amount of IP addresses you can cover. You can go from as few as 16 IP addresses to many more. And the Qualys team is also willing to work with organizations to make the solution make commercial sense. The prices are fixed. We have a yearly subscription model based on the number of IP addresses we’re scanning.

We evaluated vulnerability management in Microsoft Defender, but we found the reporting and functionality lacking compared to Qualys. And then the Microsoft licensing costs were also a bit of a dealbreaker.

If you're considering implementing Qualys in your organization, work with a strong pre-sales partner. Evaluate the product, make sure it does what you need, make sure you buy the features that you need, and make sure to use the training and onboarding material that Qualys has made available on its website so you can leverage the solution's full capability from the start. I rate Qualys VMDR a nine out of ten.

We use this solution to manage compliance and to verify the gap between the policy defined by the company and the ones that are implemented in the system. We also use Qualys for vulnerability management of assets in the cloud or on-prem. 

The most valuable feature is the ability to run different capabilities with the same agent. With only one agent, we can have EDR, vulnerability management, compliance and some basic SaaS security capabilities.

This solution could be improved by extending the agent capabilities to different operating systems including Mac and Linux. We would also like the capability to easily check for vulnerability in assets in the IOTs. 

They have been adding additional features such as attack surface monitoring and intelligence to help managers detect additional risks. Adding intelligence is one of the most important features that we need.

We have been using this solution for two years. 

This is a stable solution. 

For a company with over 100,000 assets, there are challenges with scalability. 

We haven't often needed support from Qualys but when we have needed it, they have been quick to respond and resolve our issues. 

Positive

If we compare Qualys VM to other vulnerability management solutions like Tenable, Qualys is only for agents. Their on-prem capabilities are pretty limited so it is very easy to manage assets that are cloud connected, but if they are not cloud connected, it is challenging. Tenable is better at managing non-cloud connected agents.

The initial setup is straightforward. After the cloud tenant is available and the agents are installed, the first scans can be done in one to two days.

There is maintenance required for the agents but it is completely controlled by the cloud and is done automatically. There is a necessity for human intervention when there is a new agent or new feature that must be tested before it is implemented.

We implemented the solution in-house. 

Return of investment is difficult to assess because it's a tool that helps to reduce risks but doesn't have a direct feature on ROI.

It is a high cost product. Compared to the other solutions, it is around 15 to 20% higher in cost. Qualys VMDR has multiple features in addition to vulnerability management and there is an additional cost for these features. 

The initial setup is not straightforward and it's important to have the agent connectivity linked to the cloud and available all the time.

If you have assets that are not connected to the cloud, you will need help from a service provider or integrator because the introduction of passive scanning is not straightforward.

I would rate this solution a seven out of ten.

We use it for vulnerability management and report generation mostly. I am trying to solve the issue wherein the stakeholders can get automated vulnerability reports to their mailbox.

Using this product, we now have a vulnerability management cycle wherein VMDR plays a major role. It has greatly increased the capability on the detection aspect of the vulnerability and improved our scope and visibility on all other endpoints.

I like the automated report generation and vulnerability report generation.

I don't have any improvement requests on top of my mind right now. The response time of technical support takes a while.

It's been more than two years now.

I would rate the stability as nine out of ten. It's quite stable.

The solution is scalable.

My rating for the technical support for Qualys is six out of ten. The response time takes a while.

Neutral

I personally didn't use a different solution before Qualys.

Although I was not present during the initial deployment process, it's pretty straightforward. It's just an agent installation, which automatically connects it to the cloud platform, so the implementation won't take as long.

I would recommend Qualys VMDR to the other stakeholders because it already has its place in the market, and it's very reliable.

I'd rate the solution eight out of ten.

The use cases would be for scanning purposes, for identifying assets, identifying and viewing assets, and setting up scan schedules. I use it primarily as a vulnerability management and scanning tool.

When you have everything in one place, the job is very easy. Qualys VMDR having a Russian nesting doll sort of environment does take a steep learning curve, but having everything in one place is quite neat.

The most valuable feature is the asset view where I can find individual assets and take a deeper dive into their information gathering section, potential vulnerabilities, and confirmed vulnerabilities. I also value the scheduling of scans and reports as per the desired timeframes.

The reporting section needs improvement as running reports can take several hours. A more intuitive way to configure reports settings to reduce run time would be helpful. Improvements are needed for sorting QIDs and findings during the reporting section without downloading the entire report. 

Additionally, there is a need to address the issue of retaining report sections when they exceed one or two GBs. For asset management, adding a notification for unscanned assets or those missing CVE ratings would help.

I have been using it for close to three and a half to four years now.

There are rarely any stability issues. Discrepancies are usually anticipated due to the downtime and maintenance window provided in advance. It's a technological tool, and random anomalies may happen, but they are manageable.

Qualys offers one of the best scalability capabilities for large-scale deployments. Its tools and solutions work effectively with large corporations. VMDR helps club multiple vulnerabilities into one QID, which assists with remediation cycles.

Customer support is fast, although there can be a lot of back and forth. However, the overall service is satisfactory and of great quality.

Positive

I have used Nessus and Burp Suite, however, Burp Suite isn't in close proximity with Qualys for scanning purposes. Microsoft Defender offers some advantages with real-time, agent-based scanning that consumes fewer resources.

The initial setup was quite simple and straightforward. Setting up Qualys was fairly easy with clear documentation and guidance.

I am not familiar with the pricing side as I am not a part of that aspect. However, it is on the higher side, but it provides large-scale scalability for vulnerability management.

I have evaluated Nessus and Microsoft Defender for vulnerability management.

Users should go through the training offered by Qualys for all VMDR modules and take an introductory call on how to use and schedule tasks. Setting up one thing at a time and testing the desired results before moving on is advised.

I'd rate the solution eight out of ten.

We're using the entire suite except for Patch Management. I use Qualys VM for my production environment on Amazon AWS. I also use it for my endpoints and some BDI solutions that require on-premise solutions, and I use it for both.

I find Qualys VM very robust, and it's very useful for vulnerability management and patch management. The value that it brings to my environment is economies of scale. There is no limitation on adding any endpoints. You go by the rule, and it's added once another endpoint is added to our environment. It's automatically installed, and it's less work from our end. It frees up my license automatically if I don't need an endpoint or if my machine is decommissioned.

I like the dashboard displays because I don't see any duplication. The most important part is vulnerability management and prioritization. Unlike Symantec, it shows the kind of vulnerability I would want to patch first. It provides a holistic view of the kind of vulnerabilities and the ones I should remediate first.

I don't have to do a scan; it just brings up those critical kinds of vulnerabilities like zero-day vulnerabilities and tells me to prioritize them. You have to prioritize these vulnerabilities first and go on with the rest. The dashboard shows me the ones that have been fixed, so I don't have to complete an aging report.

The user experience and the graphical interface are good. As it's user-friendly and understandable on an executive level, it brings real value. We also use this solution because it's robust and flexibile. 

The price could be better. Asset view is still a legacy feature. I'm not able to extract the information about the asset with complete details. It would be better if they fixed that in the next release.

I know Qualys is already working on it, so I'm hopeful it will be available in the next five or six months. That would be something that's changed where I seek improvement.

I have been working with Qualys VM for the past six months.

Qualys VM is a stable solution.

Qualys VM is a scalable solution. We currently have about 4500 users in our organization.

Support could be a little bit faster. I haven't been granted access to their support portal, but I have a technical support engineer who's always available, and there is only one person I can talk to. But the problem is if he's absent, I'm left waiting for access to his portal. 

I used Symantec before but switched to Qualys VM as there's no limitation to adding endpoints. The other reason everyone moved to Qualys VM was its robustness and flexibility. I think that's something that's there, and there was no hassle in deploying the agent. All I had to do was get these machines that were enrolled in our MDM solutions.

As it's a cloud agent, there wasn't any specific setup. It's also managed centrally by Qualys, and when they always release a new update, all we have to do is push it. So, the maintenance requirement is minimum at best.

We deployed this solution by ourselves.

Qualys VM is quite expensive. It's a subscription-based license, and it's yearly. Right now, it's open for me, and I don't have any limitations or caps on the licenses. They are seeing if the product is viable for 4500 users. I can add as much as I want, and at the end of the subscription, they'll let me know how many licenses were actually used and bill me accordingly.

On a scale from one to five, I would give their pricing a three. It's still expensive.

If you're going for an on-premises solution, you should dive into the POC. Because I wasn't procuring an on-premises solution, it was pretty easy for me, and the support was quite helpful. But if you're going to deploy it on-premises, you should go through a proper procedure of going through the POC and getting to know the product. I would rate it at the top because it's better than Nexpose, it's better than Tenable, and it's better than Symantec.

On a scale from one to ten, I would give Qualys VM an eight. 

In our DLP operations, we use the tool to address stability issues and implement fixes suggested by it. This helps manage risk levels and decide whether to fix issues or implement workarounds.

I like that we have many scanners and channels that don't overload. It helps us scan and track easily. Also, the tagging system is good for tagging. We can still use QualysAgent task ID tools even if tags aren't made.

The asset inventory management feature has improved our security posture, which is good. It was introduced recently, and we've just started using it. In terms of management, I believe it's better than what we were using before.

Qualys VMDR is good at handling vulnerability management trends, especially with its policy module. Qualys VMDR offers customizable labels that fit the organization's needs, unlike other tools. This is important for enhancing security and meeting compliance requirements.

There's a need to upgrade or fix the potential vulnerability rate. Around 20,000 potential vulnerabilities were showing in Qualys VMDR, but none of the other tools showed them. When we checked, it wasn't the case. Support explained that even small issues were being counted as vulnerabilities, causing issues in our audit. So, the security features could be improved to identify vulnerabilities accurately.

I have been working with the product for two years. 

The stability is generally good, but we did face issues during the pandemic due to connectivity problems with Qualys VMDR servers. There were syncing issues, and agents weren't getting updated. However, we later realized it was our issue because our software needed updating. We had to manually update the proxy settings, which Qualys VMDR should have done. We managed to tackle the challenge with the help of another team.

Support should be faster and more customer-friendly. We often have to review a lot of documentation for issues we're already aware of and follow basic steps repeatedly. Additionally, we must wait for Qualys VMDR personnel to move scans into debug mode, which can be time-consuming. Getting notifications or updates on these processes more quickly would be helpful.

Setting up the tool doesn't take long and doesn't require many people.

We have an annual contract for Qualys VMDR. I believe it's for either two years or five years.

I haven't personally done any integration, so I can't comment on it. However, I believe some integration was happening between Qualys VMDR and ServiceNow. Our asset management tool was also trying to integrate with Qualys VMDR, but I'm unsure about the details or how it works. I rate the overall product an eight out of ten.