Qualys VMDR Reviews

We use bother on-premise and cloud deployments of Qualys VM. For my clients in the cloud, we use a cloud solution, which is a bring your own license model. Additionally, We have our own deployment of Qualys VM.

We are using Qualys VM to provide a VM service.

The most valuable features of Qualys VM are its ability to do proper vulnerability assessment. It has a lot of updates for all the vulnerability databases from all over the globe.  It's an amazing solution when it comes to the versatility of the features it has. Additionally, the reports are very good. It generates very detailed reports about the vulnerabilities inside the environment

I have been using Qualys VM for approximately five years.

Qualys VM is a highly stable solution.

Qualys VM could improve by having more skilled support personnel.

The initial setup of Qualys VM is straightforward. The full implementation took us approximately one day.

We have approximately 100 people who are part of our technical team. We did the implementation of this solution.

There is a license for the use of this solution. We pay annually instead of monthly to receive a better discount on the price.

I would recommend this solution to others.

I rate Qualys VM a nine out of ten.

We are currently using Qualys for vulnerability detection, as part of our security solution. We're moving towards Defender ATP because I am looking more at the Operational Technology (OT) side of things than I am at the Information Technology (IT) side.

What I like best about this product is that it does what it is supposed to do, which is vulnerability scanning.

We are moving away from Qualys to Defender ATP because I find that Defender ATP is much better at prioritizing the vulnerabilities that I should be looking at.

In general, I would like to see some better analytics and prioritization of vulnerabilities.

We have been working with Qualys VM for three years.

Qualys VM is a stable solution.

This is a stable product.

Technical support is great and we've never really had a problem. They're always there if we need them.

We did not work with another similar solution prior to Qualys.

The initial setup is straightforward.

Our setup involved some on-premises deployments but ultimately, it uses the cloud.

They have recently changed the pricing model, which is now better than it was before.

Right now, we don't have anything in our OT environment, and this is what I am particularly interested in. I am currently having discussions about new solutions with Qualys, Tenable, and Forescout.

I would rate this solution a seven out of ten.

Our customers use Qualys for vulnerability management, it's a way for them to discover the kinds of vulnerabilities they have on their systems. We are a partner with Qualys and I'm an infrastructure security consultant. We currently have 20 clients using Qualys. 

The functionality continues to improve and knowing when there are security issues is very helpful. 

I like the Qualys Cloud Agent because it's very easy to use. It has a low impact and is supported on Windows, Linux, and others. I deploy process scanners, which are usually connected to core switches so customers can replicate all the connections. Almost all our customers try to use the agents because they're already installed and integrated into the cloud and communicate with Qualys management. There are no problems and it's really better than using some virtual appliance to scan the various kinds of assets. Qualys has a lot of information and it's great to integrate with the Central Management Database.

If you're not overly experienced and you're looking for something in their management, it can sometimes be quite difficult because they can move buttons around without sending an update. Previously, if you deployed the Cloud Agent, you could define which tech would be under the agent and where it would be deployed. It now requires some text preparation and the Cloud Agent then downloads the specific profile defined without any indication that this might happen. If you are not using vulnerability management, you are not able to create the correct patch process for all applications stored on the system.

It would be helpful if Qualys would integrate with more systems like ServiceNow, Jira, and so on, to create some tickets and integrate them into the active directory, because each group works differently and if you need to prepare a ticket, it must be defined to a specific group of people. Qualys just created a kit on ServiceNow, but it doesn't have the correct group of people in the active directory.

I've been using this solution for three years. 

The solution is scalable. If you need more resources they can be added to the backend, depending on the circumstances and requirements. If you are able to deploy in the VMDR licensing, you are able to deploy unlimited virtual active appliances to discounted appliances. It all depends on your resources. 

Each customer is different and if you need to deploy a more active virtual process that will affect the implementation. If a customer wants to use policy compliance on their machines that can add to deployment time too. I tend to deploy myself because I'm usually making the POCs of Qualys.

I believe the annual cost is approximately $40 per asset in VMDR, although it also depends on the circumstances. It contains all the features one needs although if you need synchronization with ServiceNow and CMDB, there is an additional cost. 

I constantly speak to other companies to find out what they're doing and what the differences are between the different products. My job is to find the best solution for my customers so it's important to know what's on the market.

I rate this solution eight out of 10. 

Our primary uses for this solution are security vulnerability detection and policy compliance.

It's been the chosen solution year after year for vulnerability management and our vulnerability management program is centered around this tool.

The most valuable features are vulnerability detection and the scanning capability to enable identification of vulnerabilities across our network.

I would like to see this solution more developed and competitive in the Cloud space.

We have been using Qualys VM for fifteen years.

The primary use for the solution is vulnerability management.

The way we can maintain a current actual registry of all the IP assets within it is very good. The scanning of software assets on the endpoint machine is also useful. I've tried the scanning of similar asset vulnerabilities throughout different servers, including Unix and Windows. Qualys maintains a good intervention database. We have a service line that updates to the newest software, or whenever you set it up. The second service line has denominated my nodes across the globe. It's easy to deploy the solution.

The server application scanning has room for improvement.

It's quite complex on the way it is set up, so it takes a fair bit of time in order to get your head around it in order to deploy it. Once you've deployed it, then you're never confident on the versions of the browsers and the SSL certificates, etc. You have to always go back into Qualys and check.

They do talk about an agent-based scanning for non-IP machines. It sort of sits between server scanning and endpoint scanning. That's not very clear. If they can improve that and deploy, then it'll be such a nice package.

The solution should help its vendors more with renewals. For example, we had deployed the solution as a reseller to a client and then somebody else came along and we didn't end up getting the renewal licenses for the servers. I wasn't very happy about that. We put all the hard work to get it in, but the following years we didn't get the benefit of our low pricing in the first year. 

They should integrate with the dashboard and provide a plugins link for data that's coming into API on the dashboard. When the users buy the license, they can turn it items on. So, that way you know you've got the full solution. What you don't pay for is not switched on, and what you pay for can get switched on immediately.

The solution is very stable. 

The solution is highly scalable.

Technical support is fantastic.

I would advise others to always have a proof of concept version of the solution put into play. Then spend a good two months on it. Stabilize the solution and check out the features and then deploy it into production. Otherwise, you will spend money during the real project for what could have been done as a POC. Deploy the core solution, get the scanning done and all the critical components put it in a proof of concept and then move it into production.

I would rate the solution eight out of ten.

My primary use case is to actually fill out forms, ensure that they are being closed in a timely manner. This is why we use these one point solutions.

I find most valuable to achieve a channel system and we can also use it to track when we actually close the ticketing of the sites.

In addition, it is quite easy to implement. We found it quite convenient.

I think it could improve asset imagery.  

I have not encountered issues with stability of the product.

I have not encountered any issues of scalability function. We do have to pay extra according to the number we are placing on the scan. So, when you want to be covered for the scalability, you will have to pay more.

The initial setup was straightforward. It was quite simple. We just needed to download the image from the website, and onto our service team.

Qualys is considered more expensive versus other products on the market.

We were previously using McAfee. We had to switch because McAfee stopped producing the solution we needed. We considered Tenable Nessus, but we chose Qualys in the end.

I advise that you see if this solution can fit your problems, and help your needs.

• Vulnerability management
• Policy compliance
• Scalability

As a leading IT services organization, it is very important for us to have a proactive identification/assessment of vulnerabilities. We also need to be able to remedy them in a timely manner before they exploit our security configuration compliance, and then harden our security for both system/network devices and applications. We need to do this both before and after placing them in production environment.

With QualsyGuard we have been able to achieve this by utilizing its modules, such as vulnerability management, policy compliance, web scanning, malware detection, and asset tagging.

As users of Qualys for the last three years, we have identified and shared many areas where Qualys needed to have improvements, including --

• Vulnerability database having some false positives, although this is rare;
• Web scan module requires authentication to access basic web forms;
• Asset tagging needs lots of improvements as it's currently a complex technique; and
• For policy compliance, they need to add more leading IT standards with regards to all the leading IT service provides like Juniper, Cisco, Microsoft, etc.

I've been using this product for the last three years.

This is a very stable product and we haven't faced any issues since its deployment apart from announced downtimes for upgrades and improvements.

No issues encountered.

Support is available 24/7 via phone and e-mail. Remote session support is also available.

They have excellent expertise.

No previous solution was used.

It's easy as it is a SaaS, cloud-based service. The installation of the local hardware scanner appliance is also easy.

We used a vendor team who was excellent.

I cannot give you the exact ROI on this, but as a large information and communication technology service provider, a 24/7 service availability that leads to customer satisfaction is our key goal. Regular VM and compliance assessment results in the complete hardening of our critical assets defending us against any exploits that leads to unavailability of our services.

No, because it was already in use at our parent company and it was providing good results for a low price as well.

• Collect complete asset inventory details (asset type, service/application details, administrator details etc.).
• Provide awareness session to the support team about Qualys, its usage, and functionality.
• Prepare OLAs and SOPs for better co-ordination between the teams.

The integrations for this solution are very good. I use a different product for virtual patching of vulnerabilities and Qualys integrates well with that product.

Qualys does have an on-prem solution, but it is very expensive. 

I have used this solution for six months. 

I would rate this solution a nine out of ten.