Data Specialist at CHUN SHIN LIMITED
Easy to use for detection of WAS and VM vulnerabilities
Pros and Cons
- "It is easy to use."
- "It is a very stable solution."
- "The reporting contains too many false positives."
- "The virus code updates are not frequent enough."
- "Deployment can be complicated."
What is our primary use case?
We are using Qualys for vulnerability detection in our IDC (International Data Center) on our web pages and world-wide-web applications and services.
What is most valuable?
The best thing about this product is that it is really easy to use.
What needs improvement?
We are concerned about the frequency of their virus code updates and about reporting that contains false positives. We do not think that the accuracy of the reporting is as good as it should be.
It would be nice if Qualys would provide a solution after analyzing the data for us so we can understand what the cause of a vulnerability is and how to fix it. It would be good enough to provide something like just a download page that describes the problem and the steps to take to resolve the vulnerability.
We are researching open source software because Qualys needs to improve their reports and the documentation for the end-users in resolving scanned issues.
Sometimes the deployment is complicated. It is not so easy to deploy and that should be simplified. Something like ZAP or other open-source software is often easier to deploy.
For how long have I used the solution?
I am in the IT department in our company and we have been using Qualys for three years.
Buyer's Guide
Qualys Web Application Scanning
March 2025

Learn what your peers think about Qualys Web Application Scanning. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
844,944 professionals have used our research since 2012.
What do I think about the stability of the solution?
Qualys is a very stable solution for us. We have not had trouble with downtime.
What do I think about the scalability of the solution?
We get a license to use this application for up to a year and we file for a license every year to renew. We would need to renew this license in September of 2020, so we will need to make a decision whether we will be continuing to use Qualys as a solution.
How was the initial setup?
Sometimes the deployment is complicated. The deployment should be easier and more consistent.
What's my experience with pricing, setup cost, and licensing?
The cost of the solution should be lower. In our company now, we only have 200 employees. For us, the license fee is kind of expensive. The cost is $30,000 USD for one year to cover WAS (Web Application Security) and the VM (Virtual Machine) security. That price includes maintenance and any consulting with Qualys.
What other advice do I have?
I would recommend Qualys if the budget is not a problem. There may be other open-source solutions that could be used to perform a similar analysis.
On a scale from one to ten (where one is the worst and ten is the best), I would rate this solution as an eight-out-of-ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.

Cyber security specialist at a financial services firm with 10,001+ employees
Reliable tool for managing web application security with effective technical support services
Pros and Cons
- "Automated scanning has significantly improved our web application security management by reducing manual work."
- "One area for improvement is the user interface. The new UI, which was recently upgraded, feels more complex and less user-friendly than the old version."
What is our primary use case?
We use the platform for vulnerability management and website testing. It helps us identify and remediate web-based vulnerabilities in our applications, ensuring their security from potential attackers.
What is most valuable?
The solution offers several valuable features. It crawls through all pages quickly and provides fewer false positives than other tools. Additionally, the support team is highly responsive and supportive, addressing any issues promptly.
What needs improvement?
One area for improvement is the user interface. The new UI, which was recently upgraded, feels more complex and less user-friendly than the old version. However, as we continue to use it, we anticipate becoming more accustomed to it.
Additionally, improved scan scheduling options are needed, which Qualys is working on implementing.
For how long have I used the solution?
We have been using Qualys Web Application Scanning for five years.
What do I think about the stability of the solution?
Although we have encountered a few bugs over the past two years, they have been addressed effectively.
I rate the stability an eight.
What do I think about the scalability of the solution?
The product is scalable.
How are customer service and support?
The support team is very effective and responsive.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used HCL AppScan. We switched to Qualys primarily because of its superior customer support and responsiveness.
How was the initial setup?
The initial deployment was straightforward. Switching from HCL AppScan to the Qualys solution took approximately six to eight months, including the planning and actual migration.
It does not require significant maintenance. We typically raise two to three cases monthly with the support team, who promptly address them. Otherwise, there are no regular maintenance tasks.
What was our ROI?
While I cannot provide an exact number of hours saved, the automation has reduced the time required for scanning and scheduling tasks by about 70% compared to our previous process.
Over the past five years, we have observed a significant reduction in the failure rate of web applications, from 20% to 2%.
What's my experience with pricing, setup cost, and licensing?
The product pricing is fair and reasonably priced.
What other advice do I have?
We implemented the platform to identify web-based vulnerabilities in our applications, allowing us to address these issues proactively. It helps protect our web applications from potential attackers and secure them against loopholes.
Automated scanning has significantly improved our web application security management by reducing manual work. It has also streamlined the process, saving us considerable time. Previously, scheduling scans for many applications would take about a week, but automation makes this process much quicker and more efficient.
Regarding incident reduction, we have seen about a 20% decrease. Cost-wise, there has been no significant difference compared to our previous tool. However, the speed of response and reduced false positives have been valuable.
I would recommend it to others for its excellent customer support, scanning efficiency, and scalability. It is a reliable tool for managing web application security.
Overall, I rate it an eight.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Sep 17, 2024
Senior Software Developer at a tech vendor with 1,001-5,000 employees
Has a good progressive scan feature but the data server needs improvement
Pros and Cons
- "The feature that I have found most valuable is the progressive scan. It is good. It's done in 24 hours."
- "The UI is not user-friendly and you don't have a yearly reporting facility where you can slice and dice in different jobs."
What is our primary use case?
I think we have the fastest version, and they always upgrade it. I think it's the $2 or $3-a-month version. They have multiple engines inside it, but it's a site-based service. It is not on-demand, so Qualys will host it. It's the pay-as-you-go service on the software-as-a-service model.
We use DAST (dynamic application scan testing).
What is most valuable?
The feature that I have found most valuable is the progressive scan. It is good. It's done in 24 hours.
What needs improvement?
One area that could be improved is the data server. That's probably what I most noticed in comparison with Rapid7. Also, the UI is not user-friendly and you don't have a yearly reporting facility where you can slice and dice in different jobs. This is not good.
Additionally, you don't have a recording feature, where you can record your screen navigation. Like a macro, you want to create the full screen, and they don't provide a tool which can record your navigation and then do a replay.
In terms of what should be included in the next release, like I mentioned, just the UI, the user interface screen. Also, it would be good if they could improve and enrich the reports. These are the fundamental differences with Rapid7.
For how long have I used the solution?
I have been using Qualys Web Application Scanning for five years.
What do I think about the stability of the solution?
Qualys Web Application Scanning is very stable and reliable. But the reporting does not look that great.
What do I think about the scalability of the solution?
In terms of scalability, it is very easy to expand. It's very fast and visible.
We don't have many people working on the solution. But our applications are big applications. We are using six components in different applications.
How are customer service and technical support?
Support is very good.
How was the initial setup?
Because of tasking, the initial setup is very straightforward. We didn't have to purchase any hardware for the installation. It is task-based. The cloud provision is there. It is good. I think nowadays everyone is going with the cloud provisioning. That way you can subscribe for any number of years to use the software.
I think the initial setup took a couple of hours because there were no plugins and nothing to be installed.
What about the implementation team?
We implemented it ourselves and there was no installation expert here.
Which other solutions did I evaluate?
Yes, we are still comparing it with Rapid7. We want to first make assessments of what advantages we can get with Rapid7.
What other advice do I have?
My advice for anyone considering this solution is, "Go for it."
On a scale of one to ten, I would give Qualys Web Application Scanning a seven.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cyber Security Engineer at Alexis Company
Provides the best web application vulnerability audit with a lot of integrations but doesn’t allow users to upload their payloads
Pros and Cons
- "Licensing is the most valuable. Qualys provides the best licensing for companies. It is the best product for the development purposes of web applications. The product has a lot of integrations."
- "The product should allow users to upload their payloads."
What is our primary use case?
Our customers use the solution to audit their web applications before releasing them to the Internet.
What is most valuable?
Licensing is the most valuable. Qualys provides the best licensing for companies. It is the best product for the development purposes of web applications. The product has a lot of integrations.
What needs improvement?
The product should allow users to upload their payloads.
For how long have I used the solution?
I have been using the solution for three years.
What do I think about the stability of the solution?
I rate the product’s stability an eight out of ten.
What do I think about the scalability of the solution?
I rate the product’s scalability a nine out of ten.
How was the initial setup?
We did not face any issues while deploying the solution. The product provides good documentation for deployment.
What's my experience with pricing, setup cost, and licensing?
The product has a very good licensing model.
What other advice do I have?
I am using the latest version of the solution.
Tenable makes us wait 90 days to delete the test web application, and Rapid7 does not allow us to delete it, nor does Acunetix (once a year).
I will recommend the solution to others. Overall, I rate the solution an eight out of ten.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Assistant Manager - Cyber & Cloud Security at a financial services firm with 1,001-5,000 employees
It combines both web application vulnerability management and internal vulnerability management on one platform and dashboard
Pros and Cons
- "It combines both web application vulnerability management and internal vulnerability management on one platform and dashboard. Usually, you have to purchase separate tools."
- "The area of false positives could be improved. There are quite a number of false positives as compared to other solutions. They could probably fine tune the algorithm to be able to reduce the number of false positives being detected."
What is our primary use case?
The demo was mainly centered around vulnerability management. We were looking to find a tool which is able to do vulnerability management for internal assets and web applications which face the Internet and are exposed on it. We want a platform which can do vulnerability assessment for internal assets and also for assets which are published on the internet.
I did this demo for three to six months.
How has it helped my organization?
It gave us an idea of what lay in our network, and the vulnerabilities in it. Most IT admins are not aware of what is happening on the network. It was able to advise them of what's happening on the network. They could see the web-based applications and where attacks on the outside were coming from.
On the dashboard, you can see vulnerabilities that you have, as they are increasing or reducing over periods of time.
What is most valuable?
It combines both web application vulnerability management and internal vulnerability management on one platform and dashboard. Usually, you have to purchase separate tools.
What needs improvement?
The area of false positives could be improved. There are quite a number of false positives as compared to other solutions. They could probably fine tune the algorithm to be able to reduce the number of false positives being detected.
Going forward, I would like it to scan for given vulnerabilities and add-ons, then confirm whether it is an actual threat or not without the false positives.
For how long have I used the solution?
Trial/evaluations only.
What do I think about the stability of the solution?
It is a stable product, once it is implemented.
We haven't had any major errors or bugs. It runs quite well.
What do I think about the scalability of the solution?
The plans can be installed internally on the infrastructure or be used in a cloud-based scenario. If you have a cloud structure, the scalability is almost unlimited because it all depends on the number of assets that you want to manage. This can be done without any major configuration changes. In terms of scalability, Qualys has handled it quite well.
How are customer service and technical support?
Technical support was quite responsive and effective. If engaged on email, they got back to us on time.
How was the initial setup?
When setting up the solution, it was quite a challenge when trying to set up the internal VM. The guides were not able to give all the scenarios one might encounter when installing the product. At some point, we became stuck, not knowing what to do next.
Work closely with your network administrator. The challenge for us was when trying to connect the virtual machine to the cloud on Qualys, ensuring the firewall policy and rules are in line with the communication passing through without being dropped anywhere.
What about the implementation team?
Support was helpful during implementation. They also referred us to a third-party vendor who we could work with as a partner.
What's my experience with pricing, setup cost, and licensing?
Licensing was based on the number of assets that you want to scan on your network. You can also do licensing on subscription. On subscription, it is easier and more flexible. You tell Qualys that you want to move from the 1000 to 2000 band or the 3000 or 5000 band, then they will give you the quotation for it. Once you pay for it, applying the licensing is quite easy and effective.
Pricing was reasonable and competitive. It was not too far above the other products.
Which other solutions did I evaluate?
We have been evaluating the following: Rapid7, Tenable.io, Tenable SecurityCenter, and Acunetix for web applications.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
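Two of the reviews above (the financial-services reviewer who values "fewer false positives", and the evaluator who wants the scanner to "confirm whether it is an actual threat or not") describe the same practitioner need: re-testing a DAST finding before it goes to the developers. The script below is an added illustration, not Qualys code and not taken from any reviewer. It replays two common finding types (reflected XSS and error-based SQL injection) and confirms only those whose behaviour actually changes with the payload; `fake_target`, its paths and its parameters are constructed stand-ins so it runs offline.

```python
"""Replay-based triage of DAST findings.

Added illustration, not Qualys code. It re-tests reflected XSS and
error-based SQL injection findings against the application and confirms
only the ones whose response actually changes with the payload. The target
(`fake_target`) and every path/parameter are constructed stand-ins.
"""
import html
import re
from dataclasses import dataclass
from typing import Callable, Dict

# Hypothetical transport: (path, query params) -> response body.
Transport = Callable[[str, Dict[str, str]], str]

# Unique marker so a reflection can be told apart from pre-existing page text.
XSS_MARKER = "qxss7314"
XSS_PAYLOAD = f'"><svg onload=alert({XSS_MARKER})>'
SQLI_PAYLOAD = "'"
SQL_ERROR_PATTERNS = [
    re.compile(r"You have an error in your SQL syntax", re.I),
    re.compile(r"unterminated quoted string", re.I),
    re.compile(r"ORA-\d{5}"),
    re.compile(r"OLE DB Provider for SQL Server", re.I),
]


@dataclass(frozen=True)
class Finding:
    path: str
    param: str
    kind: str  # "xss" or "sqli"


@dataclass
class Verdict:
    confirmed: bool
    reason: str


def verify_xss(finding: Finding, transport: Transport) -> Verdict:
    """Confirmed only if the payload comes back byte-for-byte unencoded.
    Context still matters (a verbatim reflection inside an HTML comment or a
    JS string needs a different payload), so read 'confirmed' as 'worth a
    manual look', not 'exploitable'."""
    body = transport(finding.path, {finding.param: XSS_PAYLOAD})
    if XSS_PAYLOAD in body:
        return Verdict(True, "payload reflected verbatim")
    if XSS_MARKER in body:
        return Verdict(False, "reflected but HTML-encoded or sanitized")
    return Verdict(False, "payload not reflected")


def verify_sqli(finding: Finding, transport: Transport) -> Verdict:
    """Differential check: a database error that appears only with the
    injected quote is evidence; one that is also in the baseline page is
    static text the scanner pattern-matched."""
    baseline = transport(finding.path, {finding.param: "1"})
    probe = transport(finding.path, {finding.param: "1" + SQLI_PAYLOAD})
    for pat in SQL_ERROR_PATTERNS:
        in_probe = pat.search(probe) is not None
        in_baseline = pat.search(baseline) is not None
        if in_probe and not in_baseline:
            return Verdict(True, f"database error only with payload: {pat.pattern}")
        if in_probe and in_baseline:
            return Verdict(False, "error text also present in baseline (static content)")
    return Verdict(False, "no database error pattern in response")


def triage(findings, transport: Transport) -> Dict[Finding, Verdict]:
    verifiers = {"xss": verify_xss, "sqli": verify_sqli}
    results = {}
    for f in findings:
        verifier = verifiers.get(f.kind)
        results[f] = verifier(f, transport) if verifier else Verdict(False, f"no verifier for {f.kind}")
    return results


def fake_target(path: str, params: Dict[str, str]) -> str:
    """Constructed stand-in for the scanned application (not a real site)."""
    q = params.get("q", "")
    item_id = params.get("id", "")
    if path == "/search":        # reflects unencoded: true positive
        return f"<h1>Results for {q}</h1>"
    if path == "/safe-search":   # output-encodes: a scanner false positive
        return f"<h1>Results for {html.escape(q, quote=True)}</h1>"
    if path == "/item":          # the quote breaks the query: true positive
        if "'" in item_id:
            return "Error: You have an error in your SQL syntax near ''' at line 1"
        return f"<p>item {html.escape(item_id)}</p>"
    if path == "/faq":           # static help text quoting the error: false positive
        return "<p>'You have an error in your SQL syntax' means the query was malformed.</p>"
    return "<p>not found</p>"


if __name__ == "__main__":
    scanner_findings = [
        Finding("/search", "q", "xss"),
        Finding("/safe-search", "q", "xss"),
        Finding("/item", "id", "sqli"),
        Finding("/faq", "id", "sqli"),
    ]
    for finding, verdict in triage(scanner_findings, fake_target).items():
        print(f"{finding.kind:4} {finding.path:<12} confirmed={verdict.confirmed} ({verdict.reason})")
```

Against a real target the transport would be a real HTTP client and the findings would come from the scanner's report export; the two checks that do the work, exact-match reflection for XSS and baseline-versus-probe comparison for SQL injection, are what separate the `/search` and `/item` findings (kept) from `/safe-search` and `/faq` (dropped).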
Lead Cyber Security engineer at a tech services company with 201-500 employees
Thorough detection, good visual interface, scalable
Pros and Cons
- "I have found the detection of vulnerabilities tool thorough with good results and the graphical display output to be wonderful and full of colors. It allows many types of outputs, such as bar and chart previews."
- "When comparing this solution to Veracode, Veracode has good interactive features and gives a clear understanding of what the vulnerabilities are, which error line of the vulnerability is on and what can be done. It gives interactive features, whereas this solution does not give a clear understanding of where or how to fix the problem."
What is our primary use case?
My company works for another company called Ecolab here in Bangalore. We are an Ecolab digital center; we develop mobile applications. We use Veracode and this solution for testing these web applications before going live. This includes the full testing periods and the production phase. Once it has been tested, we then get them ready to go live.
What is most valuable?
I have found the detection of vulnerabilities tool thorough with good results and the graphical display output to be wonderful and full of colors. It allows many types of outputs, such as bar and chart previews.
What needs improvement?
When comparing this solution to Veracode, Veracode has good interactive features and gives a clear understanding of what the vulnerabilities are, which error line of the vulnerability is on and what can be done. It gives interactive features, whereas this solution does not give a clear understanding of where or how to fix the problem.
In the future, customer support could improve and the output report needs to be simplified for better understanding.
For how long have I used the solution?
I have been using the solution for the last 12 months.
What do I think about the scalability of the solution?
We have expanded the solution in a few areas and it was scalable. We have approximately 50 people using the solution in my organization.
How are customer service and technical support?
There is some improvement needed for the technical support.
Which solution did I use previously and why did I switch?
We have used Veracode previously and we are currently still using it.
How was the initial setup?
The installation is complex and it took approximately one month which included the customization.
What's my experience with pricing, setup cost, and licensing?
We are on an annual license for the solution and the pricing could be more affordable.
Which other solutions did I evaluate?
We are planning on moving to Veracode because we are getting better results and it is easier to use than this solution.
What other advice do I have?
My advice to those wanting to implement this solution is if you have experience and knowledge with vulnerability management and reading through all the threats, this could be a good platform for you. If you are a new starter this solution is not a good place to start.
I rate Qualys Web Application Scanning an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Application Security Engineer at a real estate/law firm with 501-1,000 employees
Automated scanning enhanced by detailed reporting and integration
Pros and Cons
- "The most valuable features are the scheduled scanning, detailed reports, asset management, the knowledge database, and the overall product framework."
- "The authenticated scanning feature could be improved by adding support for real-time scanning tokens and authorization tokens."
What is our primary use case?
We have been using Qualys Web Application Scanning for automated web architecture scanning in an enterprise environment.
How has it helped my organization?
The solution integrates well with our database and asset management, providing a detailed framework that connects products and shares knowledge across them.
What is most valuable?
The most valuable features are the scheduled scanning, detailed reports, asset management, the knowledge database, and the overall product framework. The integration with other tools is also a significant advantage.
What needs improvement?
The authenticated scanning feature could be improved by adding support for real-time scanning tokens and authorization tokens. For example, after sessions, having tokens valid for applications allowing automated authenticated scanning, similar to what Burp offers with proxy support, would be beneficial.
What do I think about the scalability of the solution?
The enterprise-level deployment was scalable and supported our business growth well.
Which solution did I use previously and why did I switch?
We were looking at alternatives like Burp and Acunetix, particularly from the security research side, for better results and accuracy.
What's my experience with pricing, setup cost, and licensing?
Pricing is a significant consideration. Although the product is good for certain details and automated processes, it may not be as cost-effective for some tasks.
Which other solutions did I evaluate?
We evaluated other solutions like Burp and Acunetix.
What other advice do I have?
For specific web applications, Burp may provide better results, however, for integration of tools, Qualys Web Application Scanning is a good choice.
I'd rate the solution eight out of ten.
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Sep 29, 2024
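The reviewer above asks for authenticated scanning that keeps a session token valid for the whole automated run. The failure mode behind that request is a scanner that logs in once, keeps sending a stale token and then quietly records login pages as "scanned". The crawler below is an added illustration, not Qualys or Burp code and not the reviewer's own: it obtains a bearer token, detects a 401 mid-crawl, re-authenticates and replays the request. `FakeApp`, its paths and its token format are constructed stand-ins so the script runs offline.

```python
"""Authenticated DAST crawl that survives session expiry.

Added illustration, not Qualys or Burp code. `FakeApp` is a constructed
target whose bearer token expires after a fixed number of requests; the
crawler re-authenticates on 401 and replays, so every page is fetched as
the logged-in user rather than recorded as a login redirect.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Response:
    status: int
    body: str


# Hypothetical transport: (method, path, headers) -> Response.
Transport = Callable[[str, str, Dict[str, str]], Response]


class FakeApp:
    """Constructed target. POST /login issues a bearer token valid for
    `token_ttl` authenticated requests, after which every request gets 401."""

    PAGES = {
        "/home": '<a href="/profile">me</a> <a href="/admin/users">users</a>',
        "/profile": '<a href="/home">home</a>',
        "/admin/users": '<a href="/admin/users?id=7">u7</a>',
        "/admin/users?id=7": "<p>user 7</p>",
    }

    def __init__(self, token_ttl: int = 3):
        self.token_ttl = token_ttl
        self.issued = 0
        self.remaining: Dict[str, int] = {}  # token -> requests left

    def __call__(self, method: str, path: str, headers: Dict[str, str]) -> Response:
        if method == "POST" and path == "/login":
            self.issued += 1
            token = f"tok{self.issued}"
            self.remaining[token] = self.token_ttl
            return Response(200, token)
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if self.remaining.get(token, 0) <= 0:
            return Response(401, "login required")
        self.remaining[token] -= 1
        if path not in self.PAGES:
            return Response(404, "not found")
        return Response(200, self.PAGES[path])


HREF = re.compile(r'href="([^"]+)"')


@dataclass
class AuthenticatedCrawler:
    transport: Transport
    token: Optional[str] = None
    logins: int = 0
    visited: Dict[str, int] = field(default_factory=dict)  # path -> status

    def login(self) -> None:
        r = self.transport("POST", "/login", {})
        if r.status != 200:
            raise RuntimeError("login failed")
        self.token = r.body
        self.logins += 1

    def get(self, path: str) -> Response:
        if self.token is None:
            self.login()
        headers = {"Authorization": f"Bearer {self.token}"}
        r = self.transport("GET", path, headers)
        if r.status == 401:
            # Session expired mid-crawl: re-authenticate once and replay.
            self.login()
            headers["Authorization"] = f"Bearer {self.token}"
            r = self.transport("GET", path, headers)
            if r.status == 401:
                raise RuntimeError(f"still unauthenticated after re-login at {path}")
        return r

    def crawl(self, start: str, max_pages: int = 50) -> Dict[str, int]:
        queue = [start]
        while queue and len(self.visited) < max_pages:
            path = queue.pop(0)
            if path in self.visited:
                continue
            r = self.get(path)
            self.visited[path] = r.status
            for link in HREF.findall(r.body):
                if link.startswith("/") and link not in self.visited:
                    queue.append(link)
        return self.visited


def run_demo(token_ttl: int = 3) -> AuthenticatedCrawler:
    crawler = AuthenticatedCrawler(transport=FakeApp(token_ttl=token_ttl))
    crawler.crawl("/home")
    return crawler


if __name__ == "__main__":
    c = run_demo()
    print(f"{len(c.visited)} pages, {c.logins} logins, statuses={sorted(set(c.visited.values()))}")
```

With the default three-request token the fourth page triggers a 401, a second login and a successful replay, so all four pages are recorded as 200; a long-lived token (for example `run_demo(token_ttl=100)`) needs one login. In a real scanner the transport would be an HTTP client and `login` would post credentials or run a recorded login sequence; the retry-once-then-fail rule is what stops an expired session from being mistaken for a scanned application.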
Cyber Security Sales Specialist at a tech services company with 1,001-5,000 employees
Stable and reliable solution with good performance
Pros and Cons
- "It is a cloud-based solution, so it is easy to scale."
- "There should be better visibility into the application."
What is our primary use case?
The primary use case includes scanning the web applications that are public facing.
What is most valuable?
The Qualys Web Application Scanning solution offers a single comprehensive console and consolidated reporting, covering all aspects from on-prem to cloud and compliance, etc.
What needs improvement?
There should be better visibility into the application.
For how long have I used the solution?
Our customers have been using this solution for more than three years now.
What do I think about the stability of the solution?
It is a stable solution.
What do I think about the scalability of the solution?
It is a cloud-based solution, so it is easy to scale.
We work with enterprise-level clients with over 2500 endpoints.
How are customer service and support?
The customer service and support are good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I would say Qualys is on the better side. It's more about the performance and the quality of the product because it's been around for a long time.
How was the initial setup?
The initial setup is relatively easy. The installation process is quite straightforward, making it user-friendly.
What about the implementation team?
The duration of deployment varies depending on the complexity of the customer's environment and their implementation status. We ensure to accommodate the customer's preferred implementation pace.
What's my experience with pricing, setup cost, and licensing?
We normally purchase an annual license. There are additional costs. From Qualys, it's for the license and maintenance, which includes patches and stuff like that. Additionally, we have our own service delivery costs.
What other advice do I have?
Qualys is a stable and reliable solution. It has been around for a long time.
Overall, I would rate the solution an eight out of ten. There is scope for improvement. It is still an early technology.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller

Buyer's Guide
Download our free Qualys Web Application Scanning Report and get advice and tips from experienced pros
sharing their opinions.
Updated: March 2025
Popular Comparisons
SonarQube Server (formerly SonarQube)
Checkmarx One
Fortify on Demand
Sonatype Lifecycle
GitHub Advanced Security
PortSwigger Burp Suite Professional
Tenable.io Web Application Scanning