Qualys Web Application Scanning Reviews

• OWASP Top 10 scanning
• PCI-ASV scanning

It's provided us with comprehensive, proactive, and automated vulnerability assessment.

I've used it for two years.

No issues encountered.

No issues encountered.

No issues encountered.

It's good.

It's good.

We switched due to there being a high number of false positives.

It was straightforward.

We used an integrato

• Nessus
• Acunetix
• Tripwire

My primary use case of this solution is to audit the security level of my customer's internet. We offer this as a service.

The most valuable feature is that we are able to scan the services and put credentials like a user ID password. We can verify the vulnerability level. 

They should improve the performance of the security scanning. It should have better performance. 

The stability is very good. 

The scalability is very good. It is very easy to expand this solution. We scan on an IP address basis. We have credit for 250 IP addresses, and we are free to use it in our user environment, or on the cloud. 

We have around twenty users using this solution. 

Their technical support is good. We don't use them frequently because we offer that service. 

I also checked Rapid7 for internal scanning. I picked Qualys for a specific use. It's a SaaS service. We use it to audit the security level of my customer's internet. 

The initial setup is straightforward. A deployment that we did last week took four hours in order to launch it. 

I am an integrator. I work for an integration company. I do the deployments. 

Our licensing costs are on a yearly basis. We buy a group of IP addresses we can scan on a yearly basis. 

I would advise someone considering this product is to find a solution that is easy to use. We use this solution because we need to.

I would rate it an eight out of ten. Not a ten because the reporting needs improvement. It should have better automatic reporting. 

We use it for external connection testing whenever we have a customer who utilizes post scanning tools for their main message. From the scanner's perspective, we use the scanner results to do manual testing.

We are looking for automation in our scanning activities or projects, because manual won't work. So, automation is required for us. As a result, using the Qualys scanner result is helpful for us.

We are using scanners and the PCI model. We do PCI scanning because we are a PCI vendor. We are using the tool to do the scanning on whatever the latest vulnerabilities there are, and Qualys is always providing us updates. We can do scanning and submit reports straight to the customers when there are new vulnerabilities, then tell them whether they are affected or not.

In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are benchmarked against it, this will be helpful for us.

It has been stable.

It is good and scalable.

Technical support is responsive.

We were and still are using webMethods Professional. We use both in tandem to do manual testing. That is our process of doing things.

We use the cloud instances for our setups. We have one setup, and it is on the cloud, so it is not complex. Actually, we don't have to do any set up. 

We have applications located in our different offices, and so far there set up has not been a challenge.

Qualys has an IT-based licensing based on a yearly license, which is a good way of handling it. However, in some cases, when we do the PCI scanning, the host will not like the scanning and we lose the IT license. So, this could be improved.

It is a very much stable. If you have a good amount of calender-based activities, it is good for defining frequency. You can define the calendar internally, then you can do your scanning. Though, it has some triaging features which should finally be fixed. 

There is nothing out of the box in the Qualys web application scanning module. One good thing is that it reports fewer false positives.

We use many other products along with Qualys. In a way, Qualys dashboards are good to keep track of vulnerabilities found asset-wise.

The tool should have a live HTTP editor and more configuration options for some situations, such as handling applications that have URL rewriting enabled.

The tool should have more mature APIs for integration and automation. They should provide more flexible APIs to download reports.

I have been using it for almost four years now.

Qualys is good, stability-wise.

Qualys is perfect, scalability-wise.

On a scale of 1-5 with 5 being the highest, I would rate technical support at 3.

I have used Nessus, Burp Suite, and IBM AppScan. Cost- and functionality-wise, I find Burp Suite the best of them all. AppScan is good, but very expensive and reports more false positives.

Setup is straightforward.

Licensing could be cheaper. It is expensive at present.

Qualys is only a good product for in-house vulnerability management programs. It is not feasible to use Qualys for client-facing consulting engagements because of the cost.

With our vulnerabilities under control, it puts our services in compliance and minimizes our risk for exposure.

The vulnerability scanning and patching features are the most valuable parts of the solution.

The solution needs to adjust its pricing. They should make it more affordable.

The solution is stable.

The cloud service makes the solution very scalable. We have about ten users right now, however we don't intend to increase usage at this time.

Technical support is excellent. I would rate it ten out of ten.

We've never used a different solution.

The initial setup was straightforward. Deployment took about two weeks.

Our internal team handled the implementation.

We did not evaluate other options before choosing Qualys.

We are using the cloud deployment model.

I would recommend other users to use Qualys Application Scanning for application security. If you're serious about security you need a service or a solution that does continuous scanning of your application and infrastructure. There are always vulnerabilities being introduced.

I would rate the solution eight out of ten.

We use Qualys Internet-based scanners for external penetration testing as well as PCI scans for our clients. The tool being Internet based, it can be accessed from any location, and it does not have issues with updating the patches as well as versions (QualysGuard updates the tool at specific periods in a year with prior information). The report generated by QualysGuard is very detailed and easy to understand.

In order to finish a project, a penetration test in our company is on average five days, including documentation. Without this tool, the testing would take five days! 

By using QualysGuard, we are able to finish external scans with assured results in half the time.

QualysGuard web-based scanner is very useful for performing external penetration and PCI scans from remote locations.

In certain cases, this product does have false positives, which the company should work on. They should also try to include business logic vulnerabilities in the scanner testing.

The product that we used in our office under different environments is highly stable.

This product is designed for easy scalability and can easily scale up without major challenges.

We have experienced quick customer support. They have a complete list of our previous issues along with our history, which makes it faster for them to solve issues.

It is a straightforward implementation. Once you register over the Internet, they assign you a set of static IP addresses which can be used to perform web-based scans. The administrator panel is easy to understand and create.

It is best to be an institutional buyer and directly contact the sales team, as they can provide over-the-top discounts for bulk orders.

Try the free trial of the product to understand the basic working mechanisms.

We did try Acutenix, but the quality of results and user interface of Qualys was excellent in comparison.

We are an institutional partner of QualysGuard and buy bulk licenses. 

For some projects, we will need to use this on-premises. It depends on the confidentiality of our project. For other projects, we will also be deploying on the cloud or maybe a hybrid solution as well.  

We are looking forward to having a relationship as a partner with this company and maybe one or two others. We are not just a customer. We have a bunch of freelancers that we are working with in three different companies in Slovenia, Australia, and other countries. We are looking for solutions to make our testing and security checks more affordable.  

I am not the person who is actually directly testing this. One of the other people from our team is doing that. But I was involved in the selection of what we products we should compare based on available features, demos, and how products appear to meet our needs. What I remember from my experience with Qualys is that the simplicity of exporting reports and the simplicity and clarity of the reports included with the product is good. The website was also well-designed and easy to navigate. The SSL security measurements that the product offers seem comprehensive. But I can not say, at this preliminary phase, that I specifically think this or that from Qualys is the most valuable. It is intriguing enough to make our shortlist and POC efforts.  

Knowing we are in an early phase of discovery and comparison, it is impossible to know exactly what features may need improvement. Some seem to be interesting, on the other hand. The only thing that is in need of improvement from my perspective at this point is pricing in comparison to other, similar products.   

We are in the process of analyzing several products over several months in this category for comparison and proof of concept.  

We have not yet had to contact technical support for any reason.  

I don't have information at this moment because we are in the process of discovery and we have not fully deployed. We do have a test deployment running.  

The pricing of Qualys is quite expensive in comparison with the other products in this category that are offering pretty much the same thing. Pricing is one area of the product that can be improved. At this stage of our discovery, we only know the initial cost is high.  

We were testing a lot of products. We were looking for a good product for our needs and for the needs of our customers to scan vulnerabilities. Qualys was one of the products we chose to do further testing with. The testing with data is still continuing and is a process. As we are in the process of discovery now, we cannot exactly qualify our experience with the product.  

On a scale from one to ten where one is the worst ten is the best, I would rate Qualys as a seven at this point. It is difficult to rate Qualys — or even products from other companies — as better than this because we are hearing the same thing from all the product manufacturers before we went into testing. But based on the references from other users about Qualys, our current level of experience, the pricing as we know it and the services that are offered for free, Qualys is a seven.  

What we have mostly found at this point is that you can't just install a free trial version of a product and get a complete impression immediately. With some products like Qualys or others in the category, the pricing may not be completely right because there are hidden costs. It could be one solution is not quick to deploy and that seems to make it difficult but in actual use, it is easier than everything else. Some products will be easy to set up and after 10 days of trying to work with it, I might be disappointed because of what I committed to.  

It protects against zero-day vulnerabilities, like Heartbleed.

It's missing some zero-day patches.

I've used it for a few months.

No issues encountered.

No issues encountered.

No issues encountered.

It's high.

It's high.

I used Rapid7 NeXpose in another shop.

The product was already installed when I got there, I just added more scanning jobs and used the reports for remediation, etc.

I evaluated and selected Rapid7 NeXpose in a previous job (over QualysGuard) because the compliance department there vetoed using “an external service”. Also, we wanted to get Metasploit later.