In our DLP operations, we use the tool to address stability issues and implement fixes suggested by it. This helps manage risk levels and decide whether to fix issues or implement workarounds.
Has a tagging system and scanners that don't overload
Pros and Cons
- "I like that we have many scanners and channels that don't overload. It helps us scan and track easily. Also, the tagging system is good for tagging. We can still use QualysAgent task ID tools even if tags aren't made."
- "There's a need to upgrade or fix the potential vulnerability rate. Around 20,000 potential vulnerabilities were showing in Qualys VMDR, but none of the other tools showed them. When we checked, it wasn't the case. Support explained that even small issues were being counted as vulnerabilities, causing issues in our audit. So, the security features could be improved to identify vulnerabilities accurately."
What is our primary use case?
What is most valuable?
I like that we have many scanners and channels that don't overload. It helps us scan and track easily. Also, the tagging system is good for tagging. We can still use QualysAgent task ID tools even if tags aren't made.
The asset inventory management feature has improved our security posture, which is good. It was introduced recently, and we've just started using it. In terms of management, I believe it's better than what we were using before.
Qualys VMDR is good at handling vulnerability management trends, especially with its policy module. Qualys VMDR offers customizable labels that fit the organization's needs, unlike other tools. This is important for enhancing security and meeting compliance requirements.
What needs improvement?
There's a need to upgrade or fix the potential vulnerability rate. Around 20,000 potential vulnerabilities were showing in Qualys VMDR, but none of the other tools showed them. When we checked, it wasn't the case. Support explained that even small issues were being counted as vulnerabilities, causing issues in our audit. So, the security features could be improved to identify vulnerabilities accurately.
For how long have I used the solution?
I have been working with the product for two years.
Buyer's Guide
Qualys VMDR
December 2024
Learn what your peers think about Qualys VMDR. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.
What do I think about the stability of the solution?
The stability is generally good, but we did face issues during the pandemic due to connectivity problems with Qualys VMDR servers. There were syncing issues, and agents weren't getting updated. However, we later realized it was our issue because our software needed updating. We had to manually update the proxy settings, which Qualys VMDR should have done. We managed to tackle the challenge with the help of another team.
How are customer service and support?
Support should be faster and more customer-friendly. We often have to review a lot of documentation for issues we're already aware of and follow basic steps repeatedly. Additionally, we must wait for Qualys VMDR personnel to move scans into debug mode, which can be time-consuming. Getting notifications or updates on these processes more quickly would be helpful.
How was the initial setup?
Setting up the tool doesn't take long and doesn't require many people.
What's my experience with pricing, setup cost, and licensing?
We have an annual contract for Qualys VMDR. I believe it's for either two years or five years.
What other advice do I have?
I haven't personally done any integration, so I can't comment on it. However, I believe some integration was happening between Qualys VMDR and ServiceNow. Our asset management tool was also trying to integrate with Qualys VMDR, but I'm unsure about the details or how it works. I rate the overall product an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Apr 23, 2024
Risk & Security Admin at Goodyear Tire & Rubber Company
It is scalable and has efficient features for scanning and detecting vulnerabilities
Pros and Cons
- "It is a stable solution."
- "We face issues while scanning multiple assets."
What is our primary use case?
We use the solution for vulnerability management.
What is most valuable?
The solution's best features are scanning and vulnerability management. By using them, we can obtain all critical reports.
What needs improvement?
They should improve the solution's pricing. Also, they should enhance the authentication feature. Presently, we face issues while scanning multiple assets. In cases of heavy workloads, it must scan assets properly.
For how long have I used the solution?
We have been using the solution for more than six years.
What do I think about the stability of the solution?
It is a stable solution.
What do I think about the scalability of the solution?
It is a scalable solution. We have more than 50,000 solution users in our organization globally.
How are customer service and support?
The solution's technical support is excellent and responsive.
How was the initial setup?
The solution's initial setup is straightforward.
What about the implementation team?
We have over 30 administrators managing the solution in our organization. In addition to installing the solution internally, we receive assistance from other vendors.
What's my experience with pricing, setup cost, and licensing?
The solution is expensive.
What other advice do I have?
I recommend the solution to others. It is excellent. We can detect and mitigate all the vulnerabilities using it.
I rate the solution as an eight.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Architect at a tech vendor with 5,001-10,000 employees
Good analysis, helpful reports, and a straightforward setup
Pros and Cons
- "The solution shows us classic categories, including high, medium, and low risks. It also shows critical items, and that gives us the advantage of prioritizing things."
- "It would be nice to have an all-in-one solution that was automated and could handle the scanning and reports as well as the patching and updating."
What is our primary use case?
This is a virtual scanner appliance. We have both physical and virtual options.
I'm still in training and getting the hang of the solution. I do not know what features the company uses the most. They generally use it to scan all the AWS workloads and Azure workloads.
What is most valuable?
We generally analyze everything at the OS level and application level, including the open ports, the OS, and older versions, including the packaged versions. We generate the scan, and then we generate the report, and then we will issue it to the application teams to clear off those.
We have Java remediation happening, and if Java has, for example, multiple versions and when I run the scan, it is going to identify all Java versions that are really vulnerable so you can fix them. Therefore, it helps keep things secure and up-to-date.
The reporting is good. We give reports to the application teams and we will ask them to either fix or remove applications. Once that is done, then we will read the scan, and if it comes back that we don't have any critical, we are assured of good safety.
The solution shows us classic categories, including high, medium, and low risks. It also shows critical items, and that gives us the advantage of prioritizing things.
It's very clear on what components need to be fixed.
The initial setup is straightforward.
It's stable.
Technical support is helpful.
What needs improvement?
I can't speak to disadvantages since I am in training and still learning and have yet to run a scan.
It would be nice to have an all-in-one solution that was automated and could handle the scanning and reports as well as the patching and updating.
For how long have I used the solution?
I am pretty new to this organization. However, the organization has been dealing with the solution for almost four or five years now.
What do I think about the stability of the solution?
The stability has been good. The company has been using it for a while and hasn't had issues. I used it at a previous company as well and never heard of any problems.
What do I think about the scalability of the solution?
It's easy to scale.
How are customer service and support?
Technical support is good. We always get a quick response.
How was the initial setup?
The setup process is simple. It's not overly complex.
What's my experience with pricing, setup cost, and licensing?
I don't have any details about the licensing process.
What other advice do I have?
We're implementors.
When it comes to security, my only advice is based on my experience. They always say to use multiple products due to the fact that, even if the vulnerability is missed in one product, it'll be identified in the other product so that you are safe.
However, when it comes to implementation, if you have multiple products, pipelining is a big problem. For example, if I use the Qualys scanner, and then it gives me all the vulnerabilities: how do I fix it? Either I have to fix it manually, or I have to fix it automatically.
I'd like to use one product, and, for example, use a vulnerability scanner from Qualys and have patch management as well. While the solution is still maturing, I like the tight integration and I like that the scanner can identify items and patch management can fix them. It simplifies things, instead of having to deal with multiple products and then maybe having to manually fix items on top of that.
I'd rate the solution nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Implementer
Great automatic detection but slow performance
Pros and Cons
- "Qualys VM's most valuable feature is automatic detection."
- "Qualys VM should improve its methodology."
What is our primary use case?
I primarily use Qualys VM to manage vulnerability tickets.
What is most valuable?
Qualys VM's most valuable feature is automatic detection.
What needs improvement?
Qualys VM should improve its methodology.
For how long have I used the solution?
I've been working with Qualys VM for six months.
What do I think about the stability of the solution?
Qualys VM is stable but slow.
How are customer service and support?
Qualys' technical support is quite good.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup was quite straightforward.
What other advice do I have?
I would rate Qualys VM as seven out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cyber Security Director at a manufacturing company with 5,001-10,000 employees
Reliable with good technical support and good stability
Pros and Cons
- "The initial setup is straightforward."
- "The solution is a bit expensive if you do not have access to discounts."
What is our primary use case?
We primarily use the solution for full enterprise visibility from both an asset detection perspective and vulnerability detection perspective. Basically, we are tracking all the devices over agents, including PCs and servers, et cetera.
We are able to understand what our current situation is on the devices. At the second stage, we are able to catch the devices which do not have agents or which are not in the inventory, with on-premise scanners.
We are running security configuration hardening assessments or compliance with CIA security benchmarks.
In addition to that, we are also utilizing the cloud assessment solution of Qualys to ensure compliance with CIA security standards. For example, the Amazon cloud platform is configured compliantly with the CIA security benchmark. These are the four pillars utilized.
What is most valuable?
The prioritization mechanism is the most valuable aspect of the solution.
The initial setup is straightforward.
Technical support is great.
The stability and reliability are good.
What needs improvement?
The user experience, the UI, needs to be improved. The technology is there and it is obvious it is able to do many things, however, from a user experience perspective, the UI design is a bit complicated. If the platform could have a bit more of a user-friendly environment, it could be easier for the admins and analysts to use it.
The solution is a bit expensive if you do not have access to discounts.
From a general perspective, SLA tracking capabilities could be improved with a building method. There was a tracking method to be able to see if this vulnerability for a while or maybe it was patched. However, an internal SLA mechanism could help with batch prioritization and issue detection.
I'd rate the solution at a nine out of ten.
For how long have I used the solution?
I've been using the solution for six months. I've used it for less than a year now.
What do I think about the stability of the solution?
The solution is stable. The passive scanning capabilities are advanced. I'm able to see all the missing paths and many vulnerabilities or many configuration mistakes at the same time. Due to its passive scanning, we don't see any stress or research consumption from agents.
Network scans are a bit more intense and they of course require research and can create some noise, however, for the most part, it is okay. There is no reliability issue from our perspective.
What do I think about the scalability of the solution?
I haven't really tried to scale the solution and therefore cannot really speak to it. We do have some activities happening on there, however, I'm not ready to provide feedback for the results. It's my understanding, however, that the API extensibility is great. I've just not seen anything yet that I can really comment on.
How are customer service and technical support?
Technical support is pretty good. It is very easy to get support from the global team, at least for us. We don't depend on local partners, which is great due to the fact that, whenever you are acting in 10 or 11 countries, local partners can be an issue. The language barriers, et cetera, can be an issue. That's why it is great to have responsible global support.
How was the initial setup?
The initial setup was very straightforward. We just deployed the agents and everything went very smoothly. There were no big issues.
What's my experience with pricing, setup cost, and licensing?
We pay a yearly fee for a license.
They have very good discounts. That's why the price is okay for us. Generally, if we talk about the price without discounts, I do see a big peak in vulnerability management solutions licenses. It is not only Qualys. All the vendors peaked at some point.
We do see over $100,000 in terms of price, for mid-size programs. You likely will pay more than $100,000 without any discount. It is a bit pricey. There's room to improve, however, I believe they're managing things with discount offerings. I'm saying this not only for Qualys. All the vulnerability management solutions do the same thing price-wise.
Which other solutions did I evaluate?
We did evaluate other solutions. We looked at most other vulnerability management solutions.
What other advice do I have?
We are just a customer and end-user.
We are using the latest version of the solution. I cannot speak to the exact version we are using, however.
We are using both the on-premises and cloud deployment models. We have on-premise sensors and we have a scan-over cloud service from Qualys. Qualys cloud has a scanning capability for pairing sensors, for scanning an external perimeter. Therefore, we are utilizing that and agents as well.
I'd recommend the solution.
If anybody looks forward to first perimeter security, if any conceptual work is done around perimeter security, they have to solve that agent issue first for their program. Companies need to select a solution that can work wherever the PC is.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
AVP - Information Security at a financial services firm with 10,001+ employees
Easy to use and scalable but needs to be priced more competitively
Pros and Cons
- "It is very easy to use and there are lots of options. We can usually easily go through it and all of the things we want to configure, and we can configure everything to our specifications very easily."
- "Sometimes we face a problem with accessing the tool and not getting an expected result. From a technology point of view, they need to look into this."
What is our primary use case?
We're primarily using the solution for vulnerability assessment of internal server as well as the external server.
What is most valuable?
The solution, overall, is very useful for our organization.
It is very easy to use and there are lots of options. We can usually easily go through it and all of the things we want to configure, and we can configure everything to our specifications very easily.
What needs improvement?
Sometimes we face a problem with accessing the tool and not getting an expected result. From a technology point of view, they need to look into this.
They need to consider how they can improve tool usability and different scanning options.
Sometimes we are facing issues while performing a scan and things are not correctly shown on the GUI. Even as we are doing a task, it may show up as completed, and then something is not visible. Sometimes we face other technical problems. For example, sometimes we can't go to the next page. It's limiting any positive results.
The solution needs to be easier to understand and configure.
The pricing is a bit on the higher side compared to other products in the industry.
For how long have I used the solution?
I've been dealing with the solution for the last five or six years now. It's been a while.
What do I think about the stability of the solution?
I haven't had any issues with stability. It's been okay.
What do I think about the scalability of the solution?
I don't see any issues with scalability. When we do multiple IP scans, when we require an increase in the number of IPs, we won't have any problem doing so.
How are customer service and technical support?
The technical support has been fine. We're getting the required support we need when we need it. I'd say we're pretty satisfied in that regard.
What's my experience with pricing, setup cost, and licensing?
I find the pricing to be a bit high, especially compared to the competition.
Which other solutions did I evaluate?
While we didn't evaluate other options previously, currently, we are looking at all sorts of vulnerability management solutions and that's including Kenna and RiskSense.
Although Qualys has come up with the model, I've not really looked that far into their other offerings. There is the possibility of upgrading the model on the part of vulnerability management. We'll see if we change solutions or decide to upgrade instead.
We've also looked at Tenable, which is easier to understand and configure.
What other advice do I have?
We are a Qualys customer. We aren't a reseller or partner.
Overall I'd rate the solution seven out of ten.
We are currently looking at other options, to see if there's a better solution out there. This one has pretty good technical support and is easy to use, however, there are other issues associated with it.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Reliable solution with good vulnerability management
Pros and Cons
- "Qualys VM's best features are vulnerability management and customizable scoring."
- "Qualys VM's vulnerability scan could be improved, especially the number of CVE numbers it can manage at a time."
What is our primary use case?
I use Qualys VM for vulnerability scanning, enterprise management, web application scanning, and patch deployment.
What is most valuable?
Qualys VM's best features are vulnerability management and customizable scoring.
What needs improvement?
Qualys VM's vulnerability scan could be improved, especially the number of CVE numbers it can manage at a time. It could also be more user-friendly. In the next release, Qualys VM should include threat intelligence and external test service management.
For how long have I used the solution?
I've been using Qualys VM for around six months.
What do I think about the stability of the solution?
Qualys VM is stable and reliable.
What do I think about the scalability of the solution?
Qualys VM is quite easy to scale.
How are customer service and support?
Qualys' customer service could be better.
How would you rate customer service and support?
Neutral
How was the initial setup?
The initial setup was not user-friendly.
Which other solutions did I evaluate?
I evaluated Tenable but chose Qualys VM because of its management features.
What other advice do I have?
I would rate Qualys VM eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Security Consultant at a tech services company with 10,001+ employees
Excellent continuous monitoring, helpful technical support, easy to scale, and simple to install
Pros and Cons
- "The most recent is VMDR, which provides a comprehensive overview of how to detect, patch, and remediate specific vulnerabilities."
- "Qualys currently does not have any features for scanning SCADA, IoT, and Industrial Control Systems."
What is our primary use case?
Qualys' main function is to scan IT systems. It does the scanning of computer systems.
What is most valuable?
Continuous Monitoring is excellent because it is entirely dependent on the agent, and the Agent Scan is also quite good.
I also like the asset tagging, asset grouping features, and the dashboard, because we can customize and create our own dashboard. That's quite good.
The most recent is VMDR, which provides a comprehensive overview of how to detect, patch, and remediate specific vulnerabilities. That is also an excellent module.
What needs improvement?
The dashboard itself could be improved, while we can customize it, they can create different tabs where we can see the trending vulnerabilities, how many there are, or how many have been fixed, as in the most recent scan report, so that trend analysis is a little easier.
Aside from that, the solution itself is fairly generic in nature. What they can do is pretty much customize everything and provide a relevant solution for everything. For example, Qualys has a Cloud Agent that scans a system's entire inventory. As a result, they can test their use cases to determine whether or not a vulnerability has been confirmed. If they can do so, they can also provide us with a straightforward solution to a specific problem rather than a generic one. That could be one area where they can improve.
Qualys does not currently have an IoT, SCADA vulnerability assessment; they can significantly improve their IoT, SCADA, and ICS (Industrial Control Systems) vulnerability assessment technique. When you compare with Tenable SC, it has more features than Qualys VM.
If you see power grids, large oil stations, they fall under SCADA and Industrial Control Systems. These systems are very different from standard IT systems. Qualys currently does not have any features for scanning SCADA, IoT, and Industrial Control Systems.
I believe they can improve on the addition of devices. Assume I have two lakhs of devices that cannot all be added at the same time. For example, if I have two lakhs of devices, and two lakhs of those devices have a Cloud Agent, adding all of those devices at once is not easy. We have to add it 1,000 at a time, which takes a long time when there are two lakhs of assets to add. If we do 1,000 at a time, we'll have to do it for around two lakhs, which is quite difficult.
They can increase their frequency of working faster, similar to the time constraint they currently have. The second thing they can improve is the addition of assets. They can almost completely automate the process of adding assets, or they can increase the maximum number of assets that can be added in one go. They are only allowed to add 1,000 assets. If I want to add two lakh assets, it will be extremely difficult to do so by adding 1,000, at a time.
That is a fairly technical issue. Most of the false positives reported by Qualys or the inability to detect a cumulative patch update, if any, are the few things that they can improve and incorporate.
As I previously stated, it would be extremely beneficial if they could implement scanning, vulnerability scanning of IoT systems, Industrial Control Systems, and SCADA devices.
For how long have I used the solution?
I have been working with Qualys VM for approximately four years.
We have been using multiple Qualys modules, such as VMDR, Cloud Agent, AssetView, and Continuous Monitoring. The most recent version that we are using is 4.14.
What do I think about the stability of the solution?
It's reasonably steady. When we say stable version, there is also room for improvement in that Qualys will not be able to handle large amounts of data at once. When you do billions of scans, such as a scan for millions of devices, it becomes extremely slow, and gathering data and populating the report becomes extremely tedious.
What do I think about the scalability of the solution?
Scalability is quite good. We can pretty much rely on the tool. It is easy to scale.
If the organization grows, we can pretty much scale it to most of the areas. The only problem is that they must primarily work on Industrial Control Systems and lightweight devices such as CCTV cameras, and lightweight devices. As a result, they are required to work in that field, otherwise, it is pretty good.
Based on my previous experience, there were approximately 300 or more users using Qualys in organizations with a population of more than two lakh people. Currently, I see that approximately 400 users are using it, and the size of the organization is significantly larger than the previous one.
We use this solution daily.
How are customer service and support?
Technical support is pretty good. Since I've been working in this, they've been friendly and straightforward, and we were able to get the most out of them.
We have suggested areas for improvement, and they have been working on them. They always make a good impression on us.
Which solution did I use previously and why did I switch?
As a consultant, I've worked on a variety of projects in a variety of organizations.
How was the initial setup?
The initial setup is simple and straightforward.
What about the implementation team?
We initially had assistance from the vendor, but once we had a good understanding of it, we scaled it in our organization.
Which other solutions did I evaluate?
Because I've been using Qualys for quite some time, I was looking for a comparison of several solutions such as Tenable SC, Rapid7, InsightVM, and Tenable Nessus. I was curious to know if there were any other tools that were better than Qualys.
I was looking for more information about Tenable SC and wanted to compare it to Qualys in more detail, with parameters such as, how the false positives are detected in Tenable SC and how good it is in comparison to Qualys. In a similar manner, in comparison to Qualys, we learn about its usability, interface, and how user-friendly it is. Those are the few things I was looking for, and I'm still looking for more information about Tenable right now.
What other advice do I have?
They have the ability to improve SCADA. SCADA stands for Supervisory Control and Data Acquisition, and IoT stands for Internet of Things scanning.
Recommending this solution would depend on the organization, the requirements, and the devices they have.
For a typical IT system, it is very good to go with this solution. Microsoft, Deloitte, and the majority of organizations still use it, it is pretty much good to go. But, once again, it is entirely dependent on how the organization is, what type of devices they have, and what kind of scans they would like to have, it is entirely dependent.
In a broad sense, it is a good solution to go with.
I would rate Qualys VM an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.