Qualys VMDR Reviews

• Vulnerability management
• Policy compliance
• Scalability

As a leading IT services organization, it is very important for us to have a proactive identification/assessment of vulnerabilities. We also need to be able to remedy them in a timely manner before they exploit our security configuration compliance, and then harden our security for both system/network devices and applications. We need to do this both before and after placing them in production environment.

With QualsyGuard we have been able to achieve this by utilizing its modules, such as vulnerability management, policy compliance, web scanning, malware detection, and asset tagging.

As users of Qualys for the last three years, we have identified and shared many areas where Qualys needed to have improvements, including --

• Vulnerability database having some false positives, although this is rare;
• Web scan module requires authentication to access basic web forms;
• Asset tagging needs lots of improvements as it's currently a complex technique; and
• For policy compliance, they need to add more leading IT standards with regards to all the leading IT service provides like Juniper, Cisco, Microsoft, etc.

I've been using this product for the last three years.

This is a very stable product and we haven't faced any issues since its deployment apart from announced downtimes for upgrades and improvements.

No issues encountered.

Customer Service:

Support is available 24/7 via phone and e-mail. Remote session support is also available.

Technical Support:

They have excellent expertise.

No previous solution was used.

It's easy as it is a SaaS, cloud-based service. The installation of the local hardware scanner appliance is also easy.

We used a vendor team who was excellent.

I cannot give you the exact ROI on this, but as a large information and communication technology service provider, a 24/7 service availability that leads to customer satisfaction is our key goal. Regular VM and compliance assessment results in the complete hardening of our critical assets defending us against any exploits that leads to unavailability of our services.

No, because it was already in use at our parent company and it was providing good results for a low price as well.

• Collect complete asset inventory details (asset type, service/application details, administrator details etc.).
• Provide awareness session to the support team about Qualys, its usage, and functionality.
• Prepare OLAs and SOPs for better co-ordination between the teams.

Integrity of scanners; never do I need to worry….“Is this scanner going to bring down a host?”.

Higher frequency of scans, better aggregation of scan results, abundance of different reports (can be scheduled and automated), delivering metrics to senior management.

Ticket management

5 + years

No

No

No

Customer Service: Good – 4 out of 5Technical Support: Good – 4 out of 5

Straightforward. Assuming you know your network layout, # of devices and other basic information it is pretty simple to figure out what you need. Qualys ships you the scanners, you rack them, set them up and technically could start scanning. Though, there is other recommended tasks to complete via the QualysGuard Vulnerability Management web portal such as defining asset groups, setting up scan rules, turning ticketing on, generating reports, etc.

In-house

I do not have a specific quantitative number to provide but from a qualitative perspective it has been enormous. Once you are set up properly and have proper acceptance from support teams, device owners and senior management you can start to scan your environment much more often which increases your organizations ability to detect vulnerabilities more often reducing your overall vulnerability footprint and corresponding business risk.

The original setup cost was about $10,000 and the day-to-day costs is less than $100 per day with one caveat. Our parent company is large and has allowed us to fall under their pricing model. If we were not under their model our costs would be about 40% higher.

No, we had a 3rd party running the scans for us. We were very happy with Qualys but wanted to bring it “in-house”. We brought it in-house 5 years ago and never looked back.

Take the time to properly identify your network and as importantly get approval and acceptance from the group up – especially senior management. In addition, it is very important to have your scan schedule, profiles, reporting, metrics, expectations, etc. documented so that everyone in the company understands your expectations.

I mainly use Qualys VM for CSAM, to complement vulnerability management on our assets, and to check for intrusions through our email gateways.

Qualys VM has allowed us to know the vulnerabilities we need to prioritize based on the threat levels and the possible impact if there's an intrusion. It also provides a view of inventories and vulnerabilities in the containers running on my infrastructure, which helps me to do better roadmapping on where I need to put my resources.

Qualys VM's best features are its machine-learning-backed intelligence, real-time inventory of vulnerabilities, backup, threat intelligence exposure database, and that it doesn't hold on to infrastructure resources like memory.

Qualys VM's machine learning and artificial intelligence features could be improved.

I've been using Qualys VM for over a year.

I've had no issues with Qualys VM's stability.

Qualys VM is scalable.

Qualys has an impeccable, readily available technical support team.

Positive

The initial setup is very simple - it's just a deploy-and-run.

Qualys VM is reasonably priced.

I would rate Qualys VM as nine out of ten.

On-premises

My primary use case is for the web application scans of websites. I also made some new search profiles and other scanning profiles.

Before using Qualys, we had other security tools. And, the main purpose was to remove the granularity. We had so many attacks every day. Qualys really helped us manage the security for our operations.

The most valuable features are that it is a simple solution that makes scanning easy. You just give it a scheduled task, and it will do everything for you. The reporting is fine, too. And, the knowledge base is pretty good, too.

The only improvement I can think of is on the implementation side, otherwise the operation is fine. At times it is a bit slow.

Qualys is really nice, but people only use Qualys for the VM and web scan. They just file the report, and send the report to the customer or client. They don't do anything with the reports. They will get the report, and there are usually 30 to 40 vulnerabilities, not in the web servers. And, of those 30 vulnerabilities, 10 or 15 were usually the first cases. In case of those vulnerabilities are around 50, in which around 50-60% of vulnerabilities are usually found worse. So, for those cases, was pretty low and in Qualys we have to look for them also. Whenever the report comes, we just send the report from the client. And that was one of the biggest issues. So, in this area, we only have to actually check the vulnerabilities in the report. You just have to catch a little bit of this, when we do the type or not. That was one of the issues we had with Qualys.

One to three years.

No, we have not experienced any issues with stability of the product at all.

I have not encountered issues with scalability of the solution. I had scanned 77 servers at a time, and found no issues with scalability while doing so.

I have not had a need to deal with Qualys tech support.

I have previous experience with Tenable Nessus. I like Qualys better because there are so many nice features, it builds better.

I am not personally involved with the pricing or licensing of the solution for our organization.

I have prior experience with Alert Logic CloudDefender, RSA, Odyssey and Forcepoint Websense (formerly Raytheon Websense). 

A really nice feature of Qualys is the asset management. Some of the end users were using that function, and paid for that particular function. It is helpful to get a bit of history of all types of supports of scanning of particular servers.

Our primary use case is vulnerability assessment.

This solution has provided information about existing vulnerabilities, and helped with quick remediation in case of global malware attacks.

The most valuable feature is the certificate management. The reason is the limited license provided by the mother company.

The reporting in this solution can be improved.

I have been using this solution for five years.

My primary use case is to actually fill out forms, ensure that they are being closed in a timely manner. This is why we use these one point solutions.

I find most valuable to achieve a channel system and we can also use it to track when we actually close the ticketing of the sites.

In addition, it is quite easy to implement. We found it quite convenient.

I think it could improve asset imagery.  

Less than one year.

I have not encountered issues with stability of the product.

I have not encountered any issues of scalability function. We do have to pay extra according to the number we are placing on the scan. So, when you want to be covered for the scalability, you will have to pay more.

The initial setup was straightforward. It was quite simple. We just needed to download the image from the website, and onto our service team.

Qualys is considered more expensive versus other products on the market.

We were previously using McAfee. We had to switch because McAfee stopped producing the solution we needed. We considered Tenable Nessus, but we chose Qualys in the end.

I advise that you see if this solution can fit your problems, and help your needs.

Vulnerability management.

It has helped to automate the vulnerability management program, increasing the security posture and helped us to identify the security risks in our infrastructure.

Web application security model needs some work.

I've been using it for four years, including including VM, PCI, WAS and MDS features.

No issues encountered.

There's been a few times, related to reporting, that we've had issues, but overall it's stable.

Customer Service:

Excellent, the Qualys support team always helps on a priority basis.

Technical Support:

Excellent!

No previous solution was used.

It was straightforward.

It was done in-house.

No other options were looked at.