Qualys VMDR Reviews, Competitors and Pricing

reviewer1820922

President and CEO at a non-profit with 11-50 employees

Oct 7, 2022

Download

Excellent intelligence and real-time inventory of vulnerabilities

Pros and Cons

"Qualys VM has allowed us to know the vulnerabilities we need to prioritize based on the threat levels and the possible impact if there's an intrusion."

"Qualys VM's machine learning and artificial intelligence features could be improved."

What is our primary use case?

I mainly use Qualys VM for CSAM, to complement vulnerability management on our assets, and to check for intrusions through our email gateways.

How has it helped my organization?

Qualys VM has allowed us to know the vulnerabilities we need to prioritize based on the threat levels and the possible impact if there's an intrusion. It also provides a view of inventories and vulnerabilities in the containers running on my infrastructure, which helps me to do better roadmapping on where I need to put my resources.

What is most valuable?

Qualys VM's best features are its machine-learning-backed intelligence, real-time inventory of vulnerabilities, backup, threat intelligence exposure database, and that it doesn't hold on to infrastructure resources like memory.

What needs improvement?

Qualys VM's machine learning and artificial intelligence features could be improved.

Buyer's Guide

Qualys VMDR

January 2025

Free Report: Qualys VMDR Reviews and More

Learn what your peers think about Qualys VMDR. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.

DOWNLOAD NOW

832,138 professionals have used our research since 2012.

For how long have I used the solution?

I've been using Qualys VM for over a year.

What do I think about the stability of the solution?

I've had no issues with Qualys VM's stability.

What do I think about the scalability of the solution?

Qualys VM is scalable.

How are customer service and support?

Qualys has an impeccable, readily available technical support team.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is very simple - it's just a deploy-and-run.

What's my experience with pricing, setup cost, and licensing?

Qualys VM is reasonably priced.

What other advice do I have?

I would rate Qualys VM as nine out of ten.

Which deployment model are you using for this solution?

On-premises

Disclosure: I am a real user, and this review is based on my own experience and opinions.

Mahmoud Elhamaymy

Professional services team lead at a tech services company with 1,001-5,000 employees

Oct 10, 2021

Download

The reporting and GUI need improvement but it's reliable

Pros and Cons

"Qualys VM is very stable."

"The reporting and the GUI need improvements."

What is our primary use case?

It was responsible for vulnerability scanning. It enforces vulnerability management websites.

What needs improvement?

The reporting and the GUI need improvements. Tenable dominated in these two areas: reporting and graphical user interface.

For how long have I used the solution?

Qualys VM was used once for one of our customers.

We were using the latest version.

What do I think about the stability of the solution?

Qualys VM is very stable.

What do I think about the scalability of the solution?

I didn't have all of the necessary information regarding the scalability or how to scale this solution, but all vulnerability management solutions have the same idea.

I believe that it is easy to scale.

How are customer service and support?

I did not contact technical support.

Which solution did I use previously and why did I switch?

I have also used Rapid7, which is very similar to Qualys VM.

Scaling is more difficult with Rapid7. When it comes to scaling, Rapid7 is not my first choice.

How was the initial setup?

I did not implement this solution, I performed one scan for our client.

What other advice do I have?

We have regulations in place in Saudi Arabia and Egypt that require all vulnerability management solutions to be implemented on-premise.

I would recommend this solution to others but Tenable is my preferred option.

I would rate Qualys VM a five out of ten.

Which deployment model are you using for this solution?

On-premises

Disclosure: I am a real user, and this review is based on my own experience and opinions.

Buyer's Guide

Qualys VMDR

January 2025

Free Report: Qualys VMDR Reviews and More

Learn what your peers think about Qualys VMDR. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.

DOWNLOAD NOW

832,138 professionals have used our research since 2012.

it_user254973

Manager Information Security at a healthcare company with 10,001+ employees

Jun 16, 2015

Download

There are some stability issues with reporting, but it's straightforward to implement.

What is most valuable?

Vulnerability management.

How has it helped my organization?

It has helped to automate the vulnerability management program, increasing the security posture and helped us to identify the security risks in our infrastructure.

What needs improvement?

Web application security model needs some work.

For how long have I used the solution?

I've been using it for four years, including including VM, PCI, WAS and MDS features.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

There's been a few times, related to reporting, that we've had issues, but overall it's stable.

How are customer service and technical support?

Customer Service:

Excellent, the Qualys support team always helps on a priority basis.

Technical Support:

Excellent!

Which solution did I use previously and why did I switch?

No previous solution was used.

How was the initial setup?

It was straightforward.

What about the implementation team?

It was done in-house.

Which other solutions did I evaluate?

No other options were looked at.

Disclosure: I am a real user, and this review is based on my own experience and opinions.

it_user5130

Security Expert at a financial services firm with 1,001-5,000 employees

Feb 26, 2015

Makes many promises but in order to do so, Qualys requires the client to provide a backdoor to the system.

The QualysGuard Private Cloud Platform (QG PCP) makes many promises, one of which is that vulnerability scan data can be hosted by a private cloud platform in a client's data center and under the client's control. If taken at their word, this may seen promising, but the reality is that Qualys still will have to manage this platform remotely. By doing so, they will have access to this data remotely anyway and can pull it down to their site as needed. Needless to say, Qualys requires the client to provide a backdoor to the system.

The Qualys PCP equipment is leased and never sold to the customer. There are many legal issues with this which allows them to access their equipment. They require the customer to give them remote access in order for them to manage it remotely. That is a requirement and not an option. They keep it a big secret how it is managed.

Remote Access

What kind of remote access to the QG PCP do they require?

1. Persistent iVPN tunnel
2. VPN remote access account

Qualys still has the means to pull the data back to Qualys through SSH/SCP even though it is hosted on a customer site. In fact, Qualys does not allow the customer to monitor the network traffic being sent back to Qualys. Such requests were flat out refused during a security assessment. What they pull back is their business and the customer has no right to know.

Network Sniffer

Network monitoring had to be done outside of the QG PCP as Qualys did not allow internal network sniffing. This traffic analysis did show a few weaknesses.

1. Emails were being sent to email server UNENCRYPTED. Yes, one could see the message being sent as well as who the recipients were. Emails were being back to Qualys through the Internet. A lot of sensitive information were sent unencrypted including server names, configuration, scripts, running jobs, listening ports, full internal DNS names.

2. Internet connections from Indonesia were seen accessing the QG PCP even though it was supposed to be in a controlled access network in a data center

3. A lot of failed DNS requests to www.qualys.com and other qualys subdomains, looks like the system has not been fined tuned to be hosted at a client site. The interesting thing is that it tries to do windows updates on its own by accessing the Internet.

4. Undocumented protocols used by the Qualys PCP; namely AppleTalk, CMIP-Man, and Feixin

5. syslog messages sent across the network unencrypted.

Firewall Rule Analysis

Firewall rule analysis shows that SSH is allowed into the platform through VPN firewall as well as HTTP(S) protocols.

Internet Access

The Qualys PCP itself does access network traffic in and out of the controlled access network environment as seen in the diagram below.

1. The Qualys PCP Service Network requires outbound communication for

a. NTP – Time Synchronization

b. DNS – Name Resolution

c. SMTP – Email

d. WHOIS – External Internet

e. Daily Vulnerability Updates - External Internet.

WHOIS pulls information from the Internet and Daily Signature Updates are pulled from Qualys through the Internet on port 443. In effect, the PCP is pulling information from Qualys through the Internet to retrieve updates. A man-in-the-middle attack could intercept the update and instead return a malware update to the Qualys PCP provided that a vulnerability exists in the platform.

2. The physical scanners communicate to the Qualys PCP. This requires that inbound port 443 be opened on the PCP. Physical scanners in the DMZ also need to communicate to the PCP on port 443. Access to the PCP from the DMZ increases the risk.

3. Qualys SOC accesses the PCP through iVPN and VPN connections from the Internet for maintenance and support.

Virtual Scanners

A sniffer placed on a virtual scanner showed that it chose to use SSLv3, which is deprecated, by default on some servers to communicate to the Qualys PCP. In particular, it uses SSLv3 with RC4-MD5. MD5 is obsolete. Qualys documentation claims they use TLSv1 and the latest modern secure protocols.

Application Analysis

Perl API

Application analysis was done by running Perl scripts against the qualysapi server and testing for vulnerabilities. The server itself was found to be vulnerable by accepting login credentials for API requests via base64 encoding and passed through plaintext HTTP. This could result of loss and capture of Qualys Admin credentials which could result in access to vulnerability scan results.

Web Application
The Qualys Web Application tests resulted in a number of vulnerabilities.

Qualys PCP Internal

Additional vulnerabilities were found inside the Qualys PCP infrastructure itself. It was found to be very insecure.

Disclosure: I am a real user, and this review is based on my own experience and opinions.

Absar Shaik

DevOps Engineer at a financial services firm with 501-1,000 employees

Oct 15, 2022

Download

Detailed reports and the remediation, but interface needs improvements

Pros and Cons

"The most valuable feature of Qualys Container Security is the detailed information in the reports and the remediation. This is done to make sure there are no vulnerabilities."

"Qualys Container Security can improve the interface. It could be easier to navigate and be enriched."

What is our primary use case?

Qualys Container Security scans similar to a runtime container and it scans the entire cluster.

What is most valuable?

The most valuable feature of Qualys Container Security is the detailed information in the reports and the remediation. This is done to make sure there are no vulnerabilities.

What needs improvement?

Qualys Container Security can improve the interface. It could be easier to navigate and be enriched.

In a future release, it would be beneficial if the network and port policies we provided with some kind of automation AML script files. Having configuration files related to Kubernetes environments would be helpful.

For how long have I used the solution?

I have been using one year.

What do I think about the stability of the solution?

Qualys Container Security is stable.

What do I think about the scalability of the solution?

The scalability of Qualys Container Security is good.

How are customer service and support?

I have used the support from Qualys Container Security and they could improve their knowledge.

I rate the support from Qualys Container Security a two out of five.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have not used another similar solution prior to Qualys Container Security.

How was the initial setup?

The initial setup of Qualys Container Security is complex. The documentation could improve.

I rate the initial setup of Qualys Container Security a three out of five.

What other advice do I have?

I rate Qualys Container Security a six out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.

it_user875820

Junior Information Security Analyst at Visma

May 30, 2018

Download

Detects new hosts along with vulnerabilities

Pros and Cons

"Monitors workstations and servers for vulnerabilities and creates reports."
"Performs automated, regular scans in the network."
"Detects new hosts along with vulnerabilities."

"Improve the API speed."
"Make some minimal dashboard improvements."
"Improve the user interface."

What is our primary use case?

Our primary use case is to manage vulnerabilities, scan web applications, and report assets throughout the network. Also, we create reports based on this data.

How has it helped my organization?

Tracks workstations and servers.
Monitors workstations and servers for vulnerabilities and creates reports.
Performs automated, regular scans in the network.
Detects new hosts along with vulnerabilities.

What is most valuable?

The Qualys Agent is most valuable for getting insight into what is happening on what device with all its metadata.

What needs improvement?

Improve the API speed.
Make some minimal dashboard improvements.
Improve the user interface.

For how long have I used the solution?

Less than one year.

Disclosure: I am a real user, and this review is based on my own experience and opinions.

reviewer1258674

Director for global support at a tech vendor with 1,001-5,000 employees

Jan 24, 2022

Download

A comprehensive, scalable, and easy-to-deploy platform with a nice UI

Pros and Cons

"The vulnerability management feature is what I used the most. It is a good SaaS product. It is easy to use. It has a nice UI where you can see all the assets and vulnerabilities."

"Certain integration factors between different options could be improved."

What is our primary use case?

It is for vulnerability management. I used it in my previous company, and I also used it for my home network.

It is a SaaS platform. So, there is always the latest version.

What is most valuable?

The vulnerability management feature is what I used the most. It is a good SaaS product. It is easy to use. It has a nice UI where you can see all the assets and vulnerabilities.

What needs improvement?

Certain integration factors between different options could be improved.

For how long have I used the solution?

I worked with this solution for two years.

What do I think about the stability of the solution?

Its stability and performance are good.

What do I think about the scalability of the solution?

People use it for hundreds and thousands of assets, so it is definitely scalable.

How are customer service and support?

I used to run technical support there. So, I didn't need to go for support.

How was the initial setup?

It is easy and straightforward to set it up. It takes 5 to 10 minutes to set up a new asset.

What's my experience with pricing, setup cost, and licensing?

I used to work there, so I never paid for the product. As an employee, we get a lifetime license for personal use, and that's what I'm using.

It is a comprehensive platform, so there is a lot more to it. There could be other solutions that are probably a little bit cheaper, but it depends on what people need. Different people have different needs. It offers many things on the same platform. If you add all the things up, it should be cheaper, but I have not done any analysis specifically.

What other advice do I have?

It is a good product. I would recommend it to others. It had whatever I needed for my personal use case. There are a lot of features that I have not explored. Some of the features are applicable for corporate networks, and they can't be used for personal use cases.

I would rate it a nine out of 10.

Disclosure: I am a real user, and this review is based on my own experience and opinions.

it_user924705

Information Security Officer at Zamil

Aug 29, 2019

Download

Threat detection tells us which machines are infected with a vulnerability

Pros and Cons

"They also have threat detection which maps threats. There is a feed that comes from Qualys when a new vulnerability is found. It tells us which machines are infected with that vulnerability."

"What we have found is that the solution is not closely tied with the patch management. It is okay with newer ones, like Windows 10 machines; it gives the correct patch. But for Windows 7 or Windows Server 2008, it does not give us the correct patch so we have to manually identify the patches. This is a major problem."

What is most valuable?

The first thing we like is the scanner, the device which checks vulnerability management.

They also have threat detection which maps threats. There is a feed that comes from Qualys when a new vulnerability is found. It tells us which machines are infected with that vulnerability. If there is a new attack, we definitely know that it is happening, what is happening in our environment.

What needs improvement?

What we have found is that the solution is not closely tied with the patch management. It is okay with newer ones, like Windows 10 machines; it gives the correct patch. But for Windows 7 or Windows Server 2008, it does not give us the correct patch so we have to manually identify the patches. This is a major problem.

For how long have I used the solution?

This is the third year we are using Qualys. This year we included one more module, the patching module.

What do I think about the stability of the solution?

It's stable. Every month we scan more than 5,000 IP addresses and we are able to detect vulnerabilities.

How are customer service and technical support?

Our experience is that the problems we send them take too much time to resolve. For example, we opened a case for the problem I mentioned earlier, the vulnerabilities with Windows 7 and Server 2008 where it's trying the wrong patch. It took them a long time to even give us the correct explanation. So this is a problem.

How was the initial setup?

The initial setup was very easy. We just needed to download the virtual machine. There is a key and we just needed to provide a proxy setting. That's it.

We did all the configuration as a one-time job where we defined our subnet and mapped. We needed to schedule the scan and the map and we needed to schedule a group of, say, Windows. It was just a one-time job where needed to configure the query and run it. It created a report and sent it to the administrators. After that one-time job, everything happens automatically.

What about the implementation team?

We did it on our own.

What other advice do I have?

I would recommend Qualys because it's very easy to use. It does not require many specific skills. We are always on the latest version because Qualys provides automatic updates.

We have a virtual appliance in each site and that sends the logs to the cloud. We have the consoles on the cloud which enable us to query and scan. All this happens through the cloud.

We only have one administrator for the solution who monitors and checks if there is anything to be aware of. It sends the reports to all the different administrators, such as network, Linux, and Windows administrators and they take it from there.

We also have Qualys configuration management module. If there are any particular issues in any servers or in any network, it gives us a report to suggest and rectify the issues. It tells us what changes are needed to on that device.

Disclosure: I am a real user, and this review is based on my own experience and opinions.