Senior Security Systems Engineer at a computer software company with 501-1,000 employees
It showed us vulnerabilities that we were not aware of and did not know how to test for. The organization of the assets was a little confusing and overwhelming.
What is most valuable?
- Ease of use and setup
- Visibility into our environment
How has it helped my organization?
WAS gave us visibility into our externally exposed web applications and showed us vulnerabilities that we were not aware of and did not know how to test for. We didn't need any knowledge of these vulnerabilities or how they worked to scan for them and to gain the visibility.
What needs improvement?
The organization of the assets was a little confusing and overwhelming. The system could also use some work in pivoting from a VM scan to add the servers with web applications exposed to the WAS server. It frequently created WAS assets that did not have web applications.
For how long have I used the solution?
I have been using it for 18 months.
Buyer's Guide
Qualys Web Application Scanning
March 2025

Learn what your peers think about Qualys Web Application Scanning. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
844,944 professionals have used our research since 2012.
What was my experience with deployment of the solution?
Scalability would be tough because of how the endpoints are organized. We did not have any issues with deployment or stability.
How are customer service and support?
We had a dedicated Technical Account Manager and the support was great.
Which solution did I use previously and why did I switch?
We did not previously use a different solution.
How was the initial setup?
Setup of WAS is pretty straightforward and only the organization of endpoints is a bit complex.
What about the implementation team?
Implementation was very simple because we were only using the cloud product and did not have any on-prem scanners.
What was our ROI?
Being able to gain visibility into our environment created a great ROI and licensing for us was competitive, but would have made it tough to scale to our whole internal environment.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Expert at a financial services firm with 1,001-5,000 employees
Premature product - not a proper product to be used for PCI approved Web Scanning
v2 Review: Premature product - not a proper product to be used for PCI approved web scanning
Having done numerous penetration tests using various manual and automated tools, today we are focusing on a new tool called QualysGuard Web Application Scanning v2.4.1. In the process of doing a pentest, we often use a quality automated tool to check for standard issues while we focus on the much more difficult issues of the testing, as this reduces the time it takes to do a full test and allows us to work more efficiently; besides, who wants to waste time doing monotonous, simplistic checking? In this regard, I have used AppScan quite extensively, and HP WebInspect as well, and both are very good tools for the most part. They help out on the basic checks quite a bit.
Quite recently, I was introduced to QualysGuard Web Application Scanner (WAS) v2.4.1. This tool was very simple to use, which is true to the Qualys name. Point and click and you are done. Unfortunately, I found out that it didn't help with the standard checks either.
Problem #1
1. It couldn't even authenticate to basic web forms. I've used AppScan on hundreds of sites, and not once was there a problem in not being able to authenticate. A web security tool isn't very useful if it can't get past the logon screen, because that's where most of the application resides. How is it supposed to check anything if it doesn't get past the logon screen? The Qualys product support/product manager's response to this is to use Selenium scripting. Unfortunately, the current applications that are being tested only run on Internet Explorer (IE), and Selenium scripting's automatic record and playback only works on Firefox. So one must learn a new scripting language in order to make it work with IE. This is hardly an easy point-and-click solution. Learning a new scripting language is time consuming and error prone. Other professional web scanners have this feature built in.
Problem #2
2. It cannot do a manual explore like other professional tools. For instance, manual explore is needed to fill in certain forms properly in order to get to the critical screens for testing. For example, you must fill in a proper social security number to look up the customer and get to the rest of the application. Qualys WAS does not support this feature. This web scanner doesn't allow the user to fill in the initial forms with proper data thereby never testing the whole application, which is critical. The Qualys product support/product manager's response was this is a simple point and click tool, "we don't support nor do we plan to support complex features such as manual explore."
Problem #3
3. The web service scanner has limited functionality in comparison to other professional tools. In this day and age, many web applications use web services. To not support this feature properly is ridiculous. The Qualys product support/product manager's response: "we only support web service fuzzing at this point." What about testing authenticated web service calls? It also doesn't support pre-populated data on web pages, not web services, other than the logon screen. This pretty much reduces their web service testing to a dummy tool. To make this work, you have to use tools like SoapUI or Burp Suite Pro with scripting/plugins to pre-populate data, manual explore, and sequence test steps.
Problem #4
4. Lack of details provided by Qualys.
a. Most professional tools have an audit log that shows exactly what tests were performed and how they were performed. Qualys does not provide an audit log of what tests they did. We are supposed to guess instead as to what might have actually transpired. The real reason behind not providing an audit log is more likely along the lines of they don't do all the checks they are supposed to, and even if they did, it probably wasn't exhaustive testing of, say, XSS. Either way, we have no idea whether they did the work they claimed to have or not. A big mystery here!
b. No details are provided on the actual request/response when a vulnerability is found. True to the Qualys name of simplicity. The vulnerability finding is so simplistic and lacking in any details as to how it was tested that one wonders how to test whether this finding is a false positive or not. Well, I guess one is supposed to take Qualys' word for it. :)
Problem #5
5. Missed critical session management vulnerabilities. Qualys missed a critical session management vulnerability that I had to find manually that AppScan would have found. The Qualys product support/product manager's response, "we are putting in a fix for this soon."
All in all, QualysGuard Web Application Scanner (WAS) v2 is lacking quite a bit in terms of quality and details. Do you want to risk the security of your enterprise by relying on a product like this? Currently, the product is premature and should not be considered a proper product to be used for PCI approved web scanning. In fact, it should not even be PCI approved until it matures quite a bit. Qualys needs to understand how a true web application scanner works before releasing a premature product to cash in on an exploding market.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Ex Senior Security Analyst and Onsite consultant at Paladion Networks
Its web-based scanner is very useful for performing external penetration and PCI scans from remote locations
Pros and Cons
- "QualysGuard web-based scanner is very useful for performing external penetration and PCI scans from remote locations."
- "By using QualysGuard, we are able to finish external scans with assured results in half the time."
- "This product is designed for easy scalability and can easily scale up without major challenges."
- "We have experienced quick customer support. They have a complete list of our previous issues along with our history, which makes it faster for them to solve issues."
- "They should try to include business logic vulnerabilities in the scanner testing."
- "In certain cases, this product does have false positives, which the company should work on."
What is our primary use case?
We use Qualys Internet-based scanners for external penetration testing as well as PCI scans for our clients. The tool being Internet based, it can be accessed from any location, and it does not have issues with updating the patches as well as versions (QualysGuard updates the tool at specific periods in a year with prior information). The report generated by QualysGuard is very detailed and easy to understand.
How has it helped my organization?
In order to finish a project, a penetration test in our company is on average five days, including documentation. Without this tool, the testing would take five days!
By using QualysGuard, we are able to finish external scans with assured results in half the time.
What is most valuable?
QualysGuard web-based scanner is very useful for performing external penetration and PCI scans from remote locations.
What needs improvement?
In certain cases, this product does have false positives, which the company should work on. They should also try to include business logic vulnerabilities in the scanner testing.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
The product that we used in our office under different environments is highly stable.
What do I think about the scalability of the solution?
This product is designed for easy scalability and can easily scale up without major challenges.
How is customer service and technical support?
We have experienced quick customer support. They have a complete list of our previous issues along with our history, which makes it faster for them to solve issues.
How was the initial setup?
It is a straightforward implementation. Once you register over the Internet, they assign you a set of static IP addresses which can be used to perform web-based scans. The administrator panel is easy to understand and create.
What's my experience with pricing, setup cost, and licensing?
It is best to be an institutional buyer and directly contact the sales team, as they can provide over-the-top discounts for bulk orders.
Try the free trial of the product to understand the basic working mechanisms.
Which other solutions did I evaluate?
We did try Acunetix, but the quality of results and user interface of Qualys was excellent in comparison.
What other advice do I have?
We are an institutional partner of QualysGuard and buy bulk licenses.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Director at Benelec
Effective scanning, scalable, but scanning may result in false positives
Pros and Cons
- "The most valuable feature of Qualys Web Application Scanning is the effective scanning that can be done."
- "We sometimes receive false positives when using the solution, which could be improved. However, the technical team provides us with the exact explanation of why it was giving us that kind of error."
What is our primary use case?
We are using Qualys Web Application Scanning for our customers. We have the expertise in the solution to provide our customers with the results.
We use the tool for scanning web applications for our clients.
What is most valuable?
The most valuable feature of Qualys Web Application Scanning is the effective scanning that can be done.
What needs improvement?
We sometimes receive false positives when using the solution, which could be improved. However, the technical team provides us with the exact explanation of why it was giving us that kind of error.
For how long have I used the solution?
I have been using Qualys Web Application Scanning for approximately five years.
What do I think about the stability of the solution?
The stability of Qualys Web Application Scanning could be better.
I rate the stability of Qualys Web Application Scanning an eight out of ten.
What do I think about the scalability of the solution?
Qualys Web Application Scanning has been scalable; we have not had any problems in our operations.
How was the initial setup?
The initial setup of Qualys Web Application Scanning is simple for us. However, we have trained engineers that are registered. The deployment did not take very long.
What about the implementation team?
We do the migration for our customers and provide them with testing results. One person can do the implementation of the solution.
What other advice do I have?
I would recommend this solution to others.
I rate Qualys Web Application Scanning a seven out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Consultant at a tech services company with 1,001-5,000 employees
Enables us to identify vulnerability levels and to enforce security credentials
Pros and Cons
- "The most valuable feature is that we are able to scan the services and put in credentials like a user ID and password. We can verify the vulnerability level."
- "It should have better automatic reporting."
What is our primary use case?
My primary use case of this solution is to audit the security level of my customer's internet. We offer this as a service.
What is most valuable?
The most valuable feature is that we are able to scan the services and put in credentials like a user ID and password. We can verify the vulnerability level.
What needs improvement?
They should improve the performance of the security scanning. It should have better performance.
For how long have I used the solution?
I have been using Qualys for fifteen years.
What do I think about the stability of the solution?
The stability is very good.
What do I think about the scalability of the solution?
The scalability is very good. It is very easy to expand this solution. We scan on an IP address basis. We have credit for 250 IP addresses, and we are free to use it in our user environment, or on the cloud.
We have around twenty users using this solution.
How are customer service and technical support?
Their technical support is good. We don't use them frequently because we offer that service.
Which solution did I use previously and why did I switch?
I also checked Rapid7 for internal scanning. I picked Qualys for a specific use. It's a SaaS service. We use it to audit the security level of my customer's internet.
How was the initial setup?
The initial setup is straightforward. A deployment that we did last week took four hours in order to launch it.
What about the implementation team?
I am an integrator. I work for an integration company. I do the deployments.
What's my experience with pricing, setup cost, and licensing?
Our licensing costs are on a yearly basis. We buy a group of IP addresses we can scan on a yearly basis.
What other advice do I have?
My advice to someone considering this product is to find a solution that is easy to use. We use this solution because we need to.
I would rate it an eight out of ten. Not a ten because the reporting needs improvement. It should have better automatic reporting.
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
Information Security Manager at a comms service provider with 1,001-5,000 employees
It's provided us with comprehensive, proactive, and automated vulnerability assessment.
What is most valuable?
- OWASP Top 10 scanning
- PCI-ASV scanning
How has it helped my organization?
It's provided us with comprehensive, proactive, and automated vulnerability assessment.
For how long have I used the solution?
I've used it for two years.
What was my experience with deployment of the solution?
No issues encountered.
What do I think about the stability of the solution?
No issues encountered.
What do I think about the scalability of the solution?
No issues encountered.
How are customer service and technical support?
Customer Service: It's good.
Technical Support: It's good.
Which solution did I use previously and why did I switch?
We switched due to there being a high number of false positives.
How was the initial setup?
It was straightforward.
What about the implementation team?
We used an integrator.
Which other solutions did I evaluate?
- Nessus
- Acunetix
- Tripwire
Disclosure: I am a real user, and this review is based on my own experience and opinions.
CEO at a tech services company with 51-200 employees
Has comprehensive SSL security measurements but the price should be lowered
Pros and Cons
- "The simplicity of exporting reports and the simplicity and clarity of the reports included with the product are good."
- "The pricing does not seem to be competitive."
What is our primary use case?
For some projects, we will need to use this on-premises. It depends on the confidentiality of our project. For other projects, we will also be deploying on the cloud or maybe a hybrid solution as well.
We are looking forward to having a relationship as a partner with this company and maybe one or two others. We are not just a customer. We have a bunch of freelancers that we are working with in three different companies in Slovenia, Australia, and other countries. We are looking for solutions to make our testing and security checks more affordable.
What is most valuable?
I am not the person who is actually directly testing this. One of the other people from our team is doing that. But I was involved in the selection of what products we should compare based on available features, demos, and how products appear to meet our needs. What I remember from my experience with Qualys is that the simplicity of exporting reports and the simplicity and clarity of the reports included with the product are good. The website was also well-designed and easy to navigate. The SSL security measurements that the product offers seem comprehensive. But I cannot say, at this preliminary phase, that I specifically think this or that from Qualys is the most valuable. It is intriguing enough to make our shortlist and POC efforts.
What needs improvement?
Knowing we are in an early phase of discovery and comparison, it is impossible to know exactly what features may need improvement. Some seem to be interesting, on the other hand. The only thing that is in need of improvement from my perspective at this point is pricing in comparison to other, similar products.
For how long have I used the solution?
We are in the process of analyzing several products over several months in this category for comparison and proof of concept.
How are customer service and technical support?
We have not yet had to contact technical support for any reason.
How was the initial setup?
I don't have information at this moment because we are in the process of discovery and we have not fully deployed. We do have a test deployment running.
What's my experience with pricing, setup cost, and licensing?
The pricing of Qualys is quite expensive in comparison with the other products in this category that are offering pretty much the same thing. Pricing is one area of the product that can be improved. At this stage of our discovery, we only know the initial cost is high.
Which other solutions did I evaluate?
We were testing a lot of products. We were looking for a good product for our needs and for the needs of our customers to scan vulnerabilities. Qualys was one of the products we chose to do further testing with. The testing with data is still continuing and is a process. As we are in the process of discovery now, we cannot exactly qualify our experience with the product.
What other advice do I have?
On a scale from one to ten where one is the worst ten is the best, I would rate Qualys as a seven at this point. It is difficult to rate Qualys — or even products from other companies — as better than this because we are hearing the same thing from all the product manufacturers before we went into testing. But based on the references from other users about Qualys, our current level of experience, the pricing as we know it and the services that are offered for free, Qualys is a seven.
What we have mostly found at this point is that you can't just install a free trial version of a product and get a complete impression immediately. With some products like Qualys or others in the category, the pricing may not be completely right because there are hidden costs. It could be one solution is not quick to deploy and that seems to make it difficult but in actual use, it is easier than everything else. Some products will be easy to set up and after 10 days of trying to work with it, I might be disappointed because of what I committed to.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Delivery Manager at a tech vendor with 1,001-5,000 employees
We can do scanning and submit reports straight to customers when there are new vulnerabilities
Pros and Cons
- "We can do scanning and submit reports straight to the customers when there are new vulnerabilities, then tell them whether they are affected or not."
- "In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are benchmarked against it, this will be helpful for us."
What is our primary use case?
We use it for external connection testing whenever we have a customer who utilizes post scanning tools for their main message. From the scanner's perspective, we use the scanner results to do manual testing.
How has it helped my organization?
We are looking for automation in our scanning activities or projects, because manual won't work. So, automation is required for us. As a result, using the Qualys scanner result is helpful for us.
What is most valuable?
We are using scanners and the PCI model. We do PCI scanning because we are a PCI vendor. We are using the tool to do the scanning on whatever the latest vulnerabilities there are, and Qualys is always providing us updates. We can do scanning and submit reports straight to the customers when there are new vulnerabilities, then tell them whether they are affected or not.
What needs improvement?
In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are benchmarked against it, this will be helpful for us.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
It has been stable.
What do I think about the scalability of the solution?
It is good and scalable.
How are customer service and technical support?
Technical support is responsive.
Which solution did I use previously and why did I switch?
We were and still are using webMethods Professional. We use both in tandem to do manual testing. That is our process of doing things.
How was the initial setup?
We use the cloud instances for our setups. We have one setup, and it is on the cloud, so it is not complex. Actually, we don't have to do any setup.
We have applications located in our different offices, and so far their setup has not been a challenge.
What's my experience with pricing, setup cost, and licensing?
Qualys has an IT-based licensing based on a yearly license, which is a good way of handling it. However, in some cases, when we do the PCI scanning, the host will not like the scanning and we lose the IT license. So, this could be improved.
What other advice do I have?
It is very stable. If you have a good amount of calendar-based activities, it is good for defining frequency. You can define the calendar internally, then you can do your scanning. Though, it has some triaging features which should finally be fixed.
Disclosure: I am a real user, and this review is based on my own experience and opinions.

This is a review of their Web Application Scanning Product and not Vulnerability Management. Their Vulnerability Management Product is actually pretty good.