Qualys VMDR Reviews

We use the solution for vulnerability management.

The solution's best features are scanning and vulnerability management. By using them, we can obtain all critical reports.

They should improve the solution's pricing. Also, they should enhance the authentication feature. Presently, we face issues while scanning multiple assets. In cases of heavy workloads, it must scan assets properly.

We have been using the solution for more than six years.

It is a stable solution.

It is a scalable solution. We have more than 50,000 solution users in our organization globally.

The solution's technical support is excellent and responsive.

The solution's initial setup is straightforward.

We have over 30 administrators managing the solution in our organization. In addition to installing the solution internally, we receive assistance from other vendors.

The solution is expensive.

I recommend the solution to others. It is excellent. We can detect and mitigate all the vulnerabilities using it.

I rate the solution as an eight.

This is a virtual scanner appliance. We have both physical and virtual options. 

I'm still in training and getting the hang of the solution. I do not know what features the company uses the most. They generally use it to scan all the AWS workloads and Azure workloads.

We generally analyze everything at the OS level and application level, including the open ports, the OS, and older versions, including the packaged versions. We generate the scan, and then we generate the report, and then we will issue it to the application teams to clear off those. 

We have Java remediation happening, and if Java has, for example, multiple versions and when I run the scan, it is going to identify all Java versions that are really vulnerable so you can fix them. Therefore, it helps keep things secure and up-to-date. 

The reporting is good. We give reports to the application teams and we will ask them to either fix or remove applications. Once that is done, then we will read the scan, and if it comes back that we don't have any critical, we are assured of good safety. 

The solution shows us classic categories, including high, medium, and low risks. It also shows critical items, and that gives us the advantage of prioritizing things. 

It's very clear on what components need to be fixed. 

The initial setup is straightforward. 

It's stable.

Technical support is helpful. 

I can't speak to disadvantages since I am in training and still learning and have yet to run a scan. 

It would be nice to have an all-in-one solution that was automated and could handle the scanning and reports as well as the patching and updating. 

I am pretty new to this organization. However, the organization has been dealing with the solution for almost four or five years now.

The stability has been good. The company has been using it for a while and hasn't had issues. I use dit in a previous company as well and never hear of any problems. 

It's easy to scale. 

Technical support is good. We always get a quick response. 

The setup process is simple. It's not overly complex. 

I don't have any details about the licensing process. 

We're implementors. 

When it comes to security, my only advice is based on my experience. They always say to use multiple products due to the fact that, even if the vulnerability is missed in one product, it'll be identified in the other product so that you are safe. 

However, when it comes to implementation, if you have multiple products, pipelining is a big problem. For example, if I use the Qualys scanner, and then it gives me all the vulnerabilities: how do I fix it? Either I have to fix it manually, or I have to fix it automatically. 

I'd like to use one product, and, for example, use a vulnerability scanner from Qualys and have patch management as well. While the solution is still maturing, I like the tight integration and I like that the scanner can identify items and patch management can fix them. It simplifies things, instead of having to deal with multiple products and then maybe having to manually fix items on top of that. 

I'd rate the solution nine out of ten.

I primarily use Qualys VM to manage vulnerability tickets.

Qualys VM's most valuable feature is automatic detection.

Qualys VM should improve its methodology.

I've been working with Qualys VM for six months.

Qualys VM is stable but slow.

Qualys' technical support is quite good.

Positive

The initial setup was quite straightforward.

I would rate Qualys VM as seven out of ten.

We primarily use the solution for full enterprise visibility from both an asset detection perspective and vulnerability detection perspective. Basically, we are tracking all the devices over agents, including PCs and servers, et cetera. 

We are able to understand what our current situation is on the devices. At the second stage, we are able to catch the devices which do not have agents or which are not in the inventory, with on-premise scanners. 

We are running security configuration hardening assessments or compliance with CIA security benchmarks. 

In addition to that, we are also utilizing the cloud assessment solution of the Qualys, to ensure compliance with CIA security standards. For example, the Amazon cloud platform is configured compliantly with the CIA security benchmark. These are the four pillars utilized.

The prioritization mechanism is the most valuable aspect of the solution.

The initial setup is straightforward. 

Technical support is great.

The stability and reliability are good.

The user experience, the UI, needs to be improved. The technology is there and it is obvious it is able to do many things, however, from a user experience perspective, the UI design is a bit complicated. If the platform could have a bit more of a user-friendly environment, it could be easier for the admins and analysts to use it.

The solution is a bit expensive if you do not have access to discounts. 

From a general perspective, SLA tracking capabilities could be improved with a building method. There was a tracking method to be able to see if this vulnerability for a while or maybe it was patched. However, an internal SLA mechanism could help with batch prioritization and issue detection. 

I'd rate the solution at a nine out of ten.

I've been using the solution for six months. I've used it for less than a year now. 

The solution is stable. The passive scanning capabilities are advanced. I'm able to see all the missing paths and many vulnerabilities or many configuration mistakes at the same time. Due to its passive scanning, we don't see any stress or research consumption from agents.

Network scans are a bit more intense and they of course require research and can create some noise, however, for the most part, it is okay. There is no reliability issue from our perspective.

I haven't really tried to scale the solution and therefore cannot really speak to it. We do have some activities happening on there, however, I'm not ready to provide feedback for the results. It's my understanding, however, that the API extensibility is great. I've just not seen anything yet that I can really comment on.

Technical support is pretty good. It is very easy to get support from the global team, at least for us. We don't depend on local partners, which is great due to the fact that, whenever you are acting in 10 or 11 countries, local partners can be an issue. The language barriers, et cetera, can be an issue. That's why it is great to have responsible global support.

The initial setup was very straightforward. We just deployed the agents and everything went very smoothly. There were no big issues.

We pay a yearly fee for a license. 

They have very good discounts. That's why the price is okay for us. Generally, if we talk about the price without discounts, I do see a big peak in vulnerability management solutions licenses. It is not only Qualys. All the vendors peaked at some point. 

We do see over $100,000 in terms of price, for mid-size programs. You likely will pay more than $100,000 without any discount. It is a bit pricey. There's room to improve, however, I believe they're managing things with discount offerings. I'm saying this not only for Qualys. All the vulnerability management solutions do the same thing price-wise.

We did evaluate other solutions. We looked at most other vulnerability management solutions.

We are just a customer and end-user.

We are using the latest version of the solution. I cannot speak to the exact version we are using, however. 

We are using both the on-premises and cloud deployment models. We have on-premise sensors and we have a scan-over cloud service from Qualys. Qualys cloud has a scanning capability for pairing sensors, for scanning an external perimeter. Therefore, we are utilizing that and agents as well.

I'd recommend the solution.

If anybody looks forward to first perimeter security, if any conceptual work is done around perimeter security, they have to solve that agent issue first for their program. Companies need to select a solution that can work wherever the PC is. 

We're primarily using the solution for vulnerability assessment of internal server as well as the external server.

The solution, overall, is very useful for our organization.

It is very easy to use and there are lots of options. We can usually easily go through it and all of the things we want to configure, and we can configure everything to our specifications very easily.

Sometimes we face a problem with accessing the tool and not getting an expected result. From a technology point of view, they need to look into this. 

They need to consider how they can improve tool usability and different scanning options. 

Sometimes we are facing issues while performing a scan and things are not correctly shown on the GUI. Even as we are doing a task, it may show up as completed, and then something is not visible. Sometimes we face other technical problems. For example, sometimes we can't go to the next page. It's limiting any positive results.

The solution needs to be easier to understand and configure.

The pricing is a bit on the higher side compared to other products in the industry.

I've been dealing with the solution for the last five or six years now. It's been a while.

I haven't had any issues with stability. It's been okay.

I don't see any issues with scalability. When we do multiple IP scans, when we require an increase in the number of IPs, we won't have any problem doing so.

The technical support has been fine. We're getting the required support we need when we need it. I'd say we're pretty satisfied in that regard.

I find the pricing to be a bit high, especially compared to the competition.

While we didn't evaluate other options previously, currently, we are looking at all sorts of vulnerability management solutions and that's including Kenna and RiskSense. 

Although Qualys has come up with the model, I've not really looked that far into their other offerings. There is the possibility of upgrading the model on the part of vulnerability management. We'll see if we change solutions or decide to upgrade instead.

We've also looked at Tenable, which is easier to understand and configure.

We are a Qualys customer. We aren't a reseller or partner.

Overall I'd rate the solution seven out of ten.

We are currently looking at other options, to see if there's a better solution out there. This one has pretty good technical support and is easy to use, however, there are other issues associated with it.

I use Qualys VM for vulnerability scanning, enterprise management, web application scanning, and patch deployment.

Qualys VM's best features are vulnerability management and customizable scoring.

Qualys VM's vulnerability scan could be improved, especially the number of CVE numbers it can manage at a time. It could also be more user-friendly. In the next release, Qualys VM should include threat intelligence and external test service management.

I've been using Qualys VM for around six months.

Qualys VM is stable and reliable.

Qualys VM is quite easy to scale.

Qualys' customer service could be better.

Neutral

The initial setup was not user-friendly.

I evaluated Tenable but chose Qualys VM because of its management features.

I would rate Qualys VM eight out of ten.

Qualys' main function is to scan IT systems. It does the scanning of computer systems.

Continuous Monitoring is excellent because it is entirely dependent on the agent, and the Agent Scan, is also quite good. 

I also like the asset tagging, asset grouping features, and the dashboard, because we can customize and create our own dashboard. That's quite good. 

The most recent is VMDR, which provides a comprehensive overview of how to detect, patch, and remediate specific vulnerabilities. That is also an excellent module.

The dashboard itself could be improved, while we can customize it, they can create different tabs where we can see the trending vulnerabilities, how many there are, or how many have been fixed, as in the most recent scan report, so that trend analysis is a little easier.

Aside from that, the solution itself is fairly generic in nature. What they can do is pretty much customize everything and provide a relevant solution for everything. For example, because Qualys has a Cloud Agent that scans a system's entire inventory. As a result, they can test their use cases to determine whether or not a vulnerability has been confirmed. If they can do so, they can also provide us with a straightforward solution to a specific problem rather than a generic one. That could be one area where they can improve. 

Qualys does not currently have an IoT, SCADA vulnerability assessment, they can significantly improve their IoT, SCADA, and ICS (Industrial Control Systems) vulnerability assessment technique. When you compare with Tenable SC it has more features than Qualys VM.

If you see power grids, large oil stations, they fall under SCADA and Industrial Control Systems. These systems are very different from standard IT systems. Qualys currently does not have any features for scanning SCADA, IoT, and Industrial Control Systems.

I believe they can improve on the addition of devices. Assume I have two lakhs of devices that cannot all be added at the same time. For example, if I have two lakhs of devices, and two lakhs of those devices have a Cloud Agent, adding all of those devices at once is not easy. We have to add it 1,000 at a time, which takes a long time when there are two lakhs of assets to add. If we do 1,000 at a time, we'll have to do it for around two lakhs, which is quite difficult.

They can increase their frequency of working faster, similar to the time constraint they currently have. The second thing they can improve is the addition of assets. They can almost completely automate the process of adding assets, or they can increase the maximum number of assets that can be added in one go. They are only allowed to add 1,000 assets. If I want to add two lakh assets, it will be extremely difficult to do so by adding 1,000, at a time.

That is a fairly technical issue. Most of the false positives reported by Qualys or the inability to detect a cumulative patch update, if any, are the few things that they can improve and incorporate. 

As I previously stated, it would be extremely beneficial if they could implement scanning, vulnerability scanning of IoT systems, Industrial Control Systems, and SCADA devices.

I have been working with Qualys VM for approximately four years.

We have been using multiple Qualys modules, such as VMDR, Cloud Agent, AssetView, and Continuous Monitoring. The most recent version that we are using is 4.14.

It's reasonably steady. When we say stable version, there is also room for improvement in that Qualys will not be able to handle large amounts of data at once. When you do billions of scans, such as a scan for millions of devices, it becomes extremely slow, and gathering data and populating the report becomes extremely tedious. 

Scalability is quite good. We can pretty much rely on the tool. It is easy to scale. 

If the organization grows, we can pretty much scale it to most of the areas. The only problem is that they must primarily work on Industrial Control Systems and lightweight devices such as CCTV cameras, and lightweight devices. As a result, they are required to work in that field, otherwise, it is pretty good.

Based on my previous experience, there were approximately 300 or more users using Qualys in organizations with a population of more than two lakh people. Currently, I see that approximately 400 users are using it, and the size of the organization is significantly larger than the previous one.

We use this solution daily.

Technicals support is pretty good. Since I've been working in this, they've been friendly and straightforward, and we were able to get the most out of them.

We have suggested areas for improvement, and they have been working on them. They always make a good impression on us.

As a consultant, I've worked on a variety of projects in a variety of organizations.

The initial setup is simple and straightforward.

We initially had assistance from the vendor, but once we had a good understanding of it, we scaled it in our organization.

Because I've been using Qualys for quite some time, I was looking for a comparison of several solutions such as Tenable SC, Rapid7, InsightVM, and Tenable Nessus. I was curious to know if there were any other tools that were better than Qualys.

I was looking for more information about Tenable SC and wanted to compare it to Qualys in more detail, with parameters such as, how the false positives are detected in Tenable SC and how good it is in comparison to Qualys. In a similar manner, in comparison to Qualys, we learn about its usability, interface, and how user-friendly it is. Those are the few things I was looking for, and I'm still looking for more information about Tenable right now.

They have the ability to improve SCADA. SCADA stands for Supervisory Control and Data Acquisition, and IoT stands for Internet of Things scanning.

Recommending this solution would depend on the organization, the requirements, and the devices they have.

For a typical IT system, it is very good to go with this solution. Microsoft, Deloitte, and the majority of organizations still use it, it is pretty much good to go. But, once again, it is entirely dependent on how the organization is, what type of devices they have, and what kind of scans they would like to have, it is entirely dependent.

In a broad sense, it is a good solution to go with.

I would rate Qualys VM an eight out of ten.

We use Qualys VMDR for vulnerability management and operations, such as scanning assets to identify vulnerabilities and updating the reports for different teams.

We identified and resolved many vulnerabilities by using Qualys VMDR. It has been helpful in detecting externally facing asset vulnerabilities and coordinating patching or remediation with different teams.

I find the scans portion of VMDR to be valuable. Authenticated scans provide different options, including those using or not using the FactSet and adding option profiles. Another good feature is the Knowledge Base, which provides detailed information on vulnerabilities, period scores, solutions, issues, and mitigation.

I'd suggest improvements in asset management. It would be helpful to have features for better tracking, including options for adding relevant owners or supporting groups for each asset.

I have been using Qualys VMDR for about three years.

The solution is stable. I would rate it eight out of ten.

Scalability is rated at 7.5 out of ten.

When you raise a report, it will be generated in VMDR and shared with the respective team. Depending on client requests, reports can be in PDF or Excel format.

Positive

I did not use any previous vulnerability solutions; I started directly with Qualys.

The setup for Qualys VMDR is easy since it's a cloud tool. Access is provided through different inboxes, and deployment is straightforward.

I am not aware of the actual cost or pricing as it is managed by the client.

Compared to other solutions like Nexus, Qualys provides more options and is a better tool.

I recommend using Qualys as it offers many valuable features and options. It is better compared to solutions like Nexus.

I'd rate the solution nine out of ten.