- OWASP Top 10 scanning
- PCI-ASV scanning
Information Security Manager at a comms service provider with 1,001-5,000 employees
It's provided us with comprehensive, proactive, and automated vulnerability assessment.
What is most valuable?
How has it helped my organization?
It's provided us with comprehensive, proactive, and automated vulnerability assessment.
For how long have I used the solution?
I've used it for two years.
What was my experience with deployment of the solution?
No issues encountered.
Buyer's Guide
Qualys Web Application Scanning
December 2024
Learn what your peers think about Qualys Web Application Scanning. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
824,067 professionals have used our research since 2012.
What do I think about the stability of the solution?
No issues encountered.
What do I think about the scalability of the solution?
No issues encountered.
How are customer service and support?
Customer Service: It's good.
Technical Support: It's good.
Which solution did I use previously and why did I switch?
We switched due to there being a high number of false positives.
How was the initial setup?
It was straightforward.
What about the implementation team?
We used an integrator.
Which other solutions did I evaluate?
- Nessus
- Acunetix
- Tripwire
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Consultant at a tech services company with 1,001-5,000 employees
Enables us to identify vulnerability levels and to enforce security credentials
Pros and Cons
- "The most valuable feature is that we are able to scan the services and put credentials like a user ID password. We can verify the vulnerability level."
- "It should have better automatic reporting."
What is our primary use case?
My primary use case of this solution is to audit the security level of my customer's internet. We offer this as a service.
What is most valuable?
The most valuable feature is that we are able to scan the services and put credentials like a user ID password. We can verify the vulnerability level.
What needs improvement?
They should improve the performance of the security scanning. It should have better performance.
For how long have I used the solution?
I have been using Qualys for fifteen years.
What do I think about the stability of the solution?
The stability is very good.
What do I think about the scalability of the solution?
The scalability is very good. It is very easy to expand this solution. We scan on an IP address basis. We have credit for 250 IP addresses, and we are free to use it in our user environment, or on the cloud.
We have around twenty users using this solution.
How are customer service and technical support?
Their technical support is good. We don't use them frequently because we offer that service.
Which solution did I use previously and why did I switch?
I also checked Rapid7 for internal scanning. I picked Qualys for a specific use. It's a SaaS service. We use it to audit the security level of my customer's internet.
How was the initial setup?
The initial setup is straightforward. A deployment that we did last week took four hours to launch.
What about the implementation team?
I am an integrator. I work for an integration company. I do the deployments.
What's my experience with pricing, setup cost, and licensing?
Our licensing costs are on a yearly basis. We buy a group of IP addresses we can scan on a yearly basis.
What other advice do I have?
My advice to someone considering this product is to find a solution that is easy to use. We use this solution because we need to.
I would rate it an eight out of ten. Not a ten because the reporting needs improvement. It should have better automatic reporting.
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
Delivery Manager at a tech vendor with 1,001-5,000 employees
We can do scanning and submit reports straight to customers when there are new vulnerabilities
Pros and Cons
- "We can do scanning and submit reports straight to the customers when there are new vulnerabilities, then tell them whether they are affected or not."
- "In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are benchmarked against it, this will be helpful for us."
What is our primary use case?
We use it for external connection testing whenever we have a customer who utilizes post scanning tools for their main message. From the scanner's perspective, we use the scanner results to do manual testing.
How has it helped my organization?
We are looking for automation in our scanning activities or projects, because manual won't work. So, automation is required for us. As a result, using the Qualys scanner result is helpful for us.
What is most valuable?
We are using scanners and the PCI model. We do PCI scanning because we are a PCI vendor. We are using the tool to do the scanning on whatever the latest vulnerabilities there are, and Qualys is always providing us updates. We can do scanning and submit reports straight to the customers when there are new vulnerabilities, then tell them whether they are affected or not.
What needs improvement?
In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are benchmarked against it, this will be helpful for us.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
It has been stable.
What do I think about the scalability of the solution?
It is good and scalable.
How are customer service and technical support?
Technical support is responsive.
Which solution did I use previously and why did I switch?
We were and still are using webMethods Professional. We use both in tandem to do manual testing. That is our process of doing things.
How was the initial setup?
We use the cloud instances for our setups. We have one setup, and it is on the cloud, so it is not complex. Actually, we don't have to do any set up.
We have applications located in our different offices, and so far their setup has not been a challenge.
What's my experience with pricing, setup cost, and licensing?
Qualys has an IT-based licensing based on a yearly license, which is a good way of handling it. However, in some cases, when we do the PCI scanning, the host will not like the scanning and we lose the IT license. So, this could be improved.
What other advice do I have?
It is very stable. If you have a good amount of calendar-based activities, it is good for defining frequency. You can define the calendar internally, then you can do your scanning. Though, it has some triaging features which should finally be fixed.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Module Lead with 1,001-5,000 employees
It reports fewer false positives than other tools. The tool should have a live HTTP editor and more mature APIs.
What is most valuable?
There is nothing out of the box in the Qualys web application scanning module. One good thing is that it reports fewer false positives.
How has it helped my organization?
We use many other products along with Qualys. In a way, Qualys dashboards are good to keep track of vulnerabilities found asset-wise.
What needs improvement?
The tool should have a live HTTP editor and more configuration options for some situations, such as handling applications that have URL rewriting enabled.
The tool should have more mature APIs for integration and automation. They should provide more flexible APIs to download reports.
For how long have I used the solution?
I have been using it for almost four years now.
What do I think about the stability of the solution?
Qualys is good, stability-wise.
What do I think about the scalability of the solution?
Qualys is perfect, scalability-wise.
How are customer service and technical support?
On a scale of 1-5 with 5 being the highest, I would rate technical support at 3.
Which solution did I use previously and why did I switch?
I have used Nessus, Burp Suite, and IBM AppScan. Cost- and functionality-wise, I find Burp Suite the best of them all. AppScan is good, but very expensive and reports more false positives.
How was the initial setup?
Setup is straightforward.
What's my experience with pricing, setup cost, and licensing?
Licensing could be cheaper. It is expensive at present.
What other advice do I have?
Qualys is only a good product for in-house vulnerability management programs. It is not feasible to use Qualys for client-facing consulting engagements because of the cost.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Puts our services in compliance and minimizes our risk for exposure
Pros and Cons
- "With our vulnerabilities under control, it's putting our services in compliance and minimizing our risk for exposure."
- "The solution needs to adjust its pricing. They should make it more affordable."
How has it helped my organization?
With our vulnerabilities under control, it puts our services in compliance and minimizes our risk for exposure.
What is most valuable?
The vulnerability scanning and patching features are the most valuable parts of the solution.
What needs improvement?
The solution needs to adjust its pricing. They should make it more affordable.
For how long have I used the solution?
I've been using the solution for over five years.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The cloud service makes the solution very scalable. We have about ten users right now, however we don't intend to increase usage at this time.
How are customer service and technical support?
Technical support is excellent. I would rate it ten out of ten.
Which solution did I use previously and why did I switch?
We've never used a different solution.
How was the initial setup?
The initial setup was straightforward. Deployment took about two weeks.
What about the implementation team?
Our internal team handled the implementation.
Which other solutions did I evaluate?
We did not evaluate other options before choosing Qualys.
What other advice do I have?
We are using the cloud deployment model.
I would recommend other users to use Qualys Application Scanning for application security. If you're serious about security you need a service or a solution that does continuous scanning of your application and infrastructure. There are always vulnerabilities being introduced.
I would rate the solution eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Ex Senior Security Analyst and Onsite consultant at Paladion Networks
Its web-based scanner is very useful for performing external penetration and PCI scans from remote locations
Pros and Cons
- "QualysGuard web-based scanner is very useful for performing external penetration and PCI scans from remote locations."
- "By using QualysGuard, we are able to finish external scans with assured results in half the time."
- "This product is designed for easy scalability and can easily scale up without major challenges."
- "We have experienced quick customer support. They have a complete list of our previous issues along with our history, which makes it faster for them to solve issues."
- "They should try to include business logic vulnerabilities in the scanner testing."
- "In certain cases, this product does have false positives, which the company should work on."
What is our primary use case?
We use Qualys Internet-based scanners for external penetration testing as well as PCI scans for our clients. The tool being Internet based, it can be accessed from any location, and it does not have issues with updating the patches as well as versions (QualysGuard updates the tool at specific periods in a year with prior information). The report generated by QualysGuard is very detailed and easy to understand.
How has it helped my organization?
In order to finish a project, a penetration test in our company is on average five days, including documentation. Without this tool, the testing would take five days!
By using QualysGuard, we are able to finish external scans with assured results in half the time.
What is most valuable?
QualysGuard web-based scanner is very useful for performing external penetration and PCI scans from remote locations.
What needs improvement?
In certain cases, this product does have false positives, which the company should work on. They should also try to include business logic vulnerabilities in the scanner testing.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
The product that we used in our office under different environments is highly stable.
What do I think about the scalability of the solution?
This product is designed for easy scalability and can easily scale up without major challenges.
How are customer service and technical support?
We have experienced quick customer support. They have a complete list of our previous issues along with our history, which makes it faster for them to solve issues.
How was the initial setup?
It is a straightforward implementation. Once you register over the Internet, they assign you a set of static IP addresses which can be used to perform web-based scans. The administrator panel is easy to understand and create.
What's my experience with pricing, setup cost, and licensing?
It is best to be an institutional buyer and directly contact the sales team, as they can provide over-the-top discounts for bulk orders.
Try the free trial of the product to understand the basic working mechanisms.
Which other solutions did I evaluate?
We did try Acunetix, but the quality of results and user interface of Qualys was excellent in comparison.
What other advice do I have?
We are an institutional partner of QualysGuard and buy bulk licenses.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
CEO at a tech services company with 51-200 employees
Has comprehensive SSL security measurements but the price should be lowered
Pros and Cons
- "The simplicity of exporting reports and the simplicity and clarity of the reports included with the product are good."
- "The pricing does not seem to be competitive."
What is our primary use case?
For some projects, we will need to use this on-premises. It depends on the confidentiality of our project. For other projects, we will also be deploying on the cloud or maybe a hybrid solution as well.
We are looking forward to having a relationship as a partner with this company and maybe one or two others. We are not just a customer. We have a bunch of freelancers that we are working with in three different companies in Slovenia, Australia, and other countries. We are looking for solutions to make our testing and security checks more affordable.
What is most valuable?
I am not the person who is actually directly testing this. One of the other people from our team is doing that. But I was involved in the selection of what products we should compare based on available features, demos, and how products appear to meet our needs. What I remember from my experience with Qualys is that the simplicity of exporting reports and the simplicity and clarity of the reports included with the product are good. The website was also well-designed and easy to navigate. The SSL security measurements that the product offers seem comprehensive. But I cannot say, at this preliminary phase, that I specifically think this or that from Qualys is the most valuable. It is intriguing enough to make our shortlist and POC efforts.
What needs improvement?
Knowing we are in an early phase of discovery and comparison, it is impossible to know exactly what features may need improvement. Some seem to be interesting, on the other hand. The only thing that is in need of improvement from my perspective at this point is pricing in comparison to other, similar products.
For how long have I used the solution?
We are in the process of analyzing several products over several months in this category for comparison and proof of concept.
How are customer service and technical support?
We have not yet had to contact technical support for any reason.
How was the initial setup?
I don't have information at this moment because we are in the process of discovery and we have not fully deployed. We do have a test deployment running.
What's my experience with pricing, setup cost, and licensing?
The pricing of Qualys is quite expensive in comparison with the other products in this category that are offering pretty much the same thing. Pricing is one area of the product that can be improved. At this stage of our discovery, we only know the initial cost is high.
Which other solutions did I evaluate?
We were testing a lot of products. We were looking for a good product for our needs and for the needs of our customers to scan vulnerabilities. Qualys was one of the products we chose to do further testing with. The testing with data is still continuing and is a process. As we are in the process of discovery now, we cannot exactly qualify our experience with the product.
What other advice do I have?
On a scale from one to ten, where one is the worst and ten is the best, I would rate Qualys as a seven at this point. It is difficult to rate Qualys, or even products from other companies, as better than this because we were hearing the same thing from all the product manufacturers before we went into testing. But based on the references from other users about Qualys, our current level of experience, the pricing as we know it, and the services that are offered for free, Qualys is a seven.
What we have mostly found at this point is that you can't just install a free trial version of a product and get a complete impression immediately. With some products like Qualys or others in the category, the pricing may not be completely right because there are hidden costs. It could be one solution is not quick to deploy and that seems to make it difficult but in actual use, it is easier than everything else. Some products will be easy to set up and after 10 days of trying to work with it, I might be disappointed because of what I committed to.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Info-Security Consultant at a financial services firm with 1,001-5,000 employees
It protects against zero-day vulnerabilities, like Heartbleed.
What is most valuable?
It protects against zero-day vulnerabilities, like Heartbleed.
What needs improvement?
It's missing some zero-day patches.
For how long have I used the solution?
I've used it for a few months.
What was my experience with deployment of the solution?
No issues encountered.
What do I think about the stability of the solution?
No issues encountered.
What do I think about the scalability of the solution?
No issues encountered.
How are customer service and technical support?
Customer Service: It's high.
Technical Support: It's high.
Which solution did I use previously and why did I switch?
I used Rapid7 NeXpose in another shop.
How was the initial setup?
The product was already installed when I got there, I just added more scanning jobs and used the reports for remediation, etc.
Which other solutions did I evaluate?
I evaluated and selected Rapid7 NeXpose in a previous job (over QualysGuard) because the compliance department there vetoed using “an external service”. Also, we wanted to get Metasploit later.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free Qualys Web Application Scanning Report and get advice and tips from experienced pros sharing their opinions.
Updated: December 2024