What needs improvement with Qualys VMDR?

I'd suggest improvements in asset management. It would be helpful to have features for better tracking, including options for adding relevant owners or supporting groups for each asset.

One area for improvement is the simplification of the process to ignore certain vulnerabilities on specific devices. Currently, the process is quite long, requiring the creation of separate knowledge bases and lists. Simplifying this to one or two clicks would be beneficial. Additionally, enhancing patch management to support third-party tools and simplifying the creation of patch jobs would greatly improve usability. Improving the interconnection between multiple modules would also be helpful, making navigation and operations more straightforward.

The user interface (UI) is quite complicated. Initial-stage engineers or analysts might miss something due to the complexity. Also, for hybrid users, the agent might get disconnected, requiring users to revisit the office to reinstall the agent. Additionally, the reports could be more interactive.

Sometimes, it can take more time than other tools to resolve certain issues. For example, if there's a problem with policy compliance, you might not get an immediate solution from Qualys' technical team. Occasionally, customers ask for RCA (Root Cause Analysis), and if Qualys doesn't provide it, we can't give a clear answer. This can be frustrating, but it doesn't happen in every case. In terms of improvement for the web application console, in the older version, things were more segregated and presented in a brief format. However, in the latest version, you have to write a query to retrieve the kind of data you want. Sometimes, if you write the wrong query, you don't get the proper count or the right data, such as how many days a scan has been failing. This can be an issue if you're not familiar with the query language. So, they should offer an optional feature where, if someone isn't familiar with the query language, they can use tab buttons or other features to enable or disable options and get the correct data and information on time. Qualys VMDR should enhance the EDR (Endpoint Detection and Response) part because there's a lack of information and features in Qualys EDR. Sometimes, organizations have to buy different EDR tools, like Carbon Black and others, to cover the gap. From a learning perspective, Qualys VMDR needs to improve. Right now, they only provide information, but they don't offer any library or testing environment. Often, customers don't allow changes to be made in the live environment, and I don’t think it’s a good idea to make any changes directly there. It would be great if they could provide a lab environment for testing. That would be really useful. Qualys is updating certain product modules. Sometimes, they need to provide clearer deadlines. Customers aren't always informed when Qualys updates a module from the backend, which can disrupt our work. For example, they recently updated the "Asset View" module and converted it to "Cybersecurity Asset Management." Customers weren’t aware of this change beforehand. In situations like this, they need to ensure that they provide proper information, SOPs, or documents so we can share them with customers. Customers also have access to the tool, so they can use the SOPs to learn how the updates work. This would improve productivity because we wouldn't need to spend extra time learning how to use the updated tool.

From the application security perspective, Qualys has a way to go. We probably use it for infrastructure scanning, but I feel that Qualys can do better in application scanning as well. Infrastructure scanning is fine. It's doing good with that. However, there is room for improvement in application scanning.

There's a need to upgrade or fix the potential vulnerability rate. Around 20,000 potential vulnerabilities were showing in Qualys VMDR, but none of the other tools showed them. When we checked, it wasn't the case. Support explained that even small issues were being counted as vulnerabilities, causing issues in our audit. So, the security features could be improved to identify vulnerabilities accurately.

One area of the product that could be improved is the management of vulnerabilities detected on disabled applications. We currently face challenges with unnecessary alerts for Microsoft Defender, which we do not use. Additionally, enhancing the alerts for agent communication failures would be beneficial.

Qualys could improve the inbuilt dashboards. They could be advanced compared to competitors like Rapid7 and Tenable. They should include a faster reverse integration process. They could enhance its integration with ServiceNow CMDB to ensure that mapping IP addresses, domains, and net bias names is consistent and accurate.

If anything, I would like to see the user interface modernized a bit more. Also, there are a lot of various modules, and if they could be consolidated into fewer options, it would make the buying experience easier.

Support: It's often overseas and often following a script, basically asking us to redo what we opened the case with. Multiple APIs: There seems to be a lack of easy onboarding into Qualys. We had to use manual inputs and some API calls to get items in place. Dashboard: It is very rudimentary with very little customization. The Qualys Scripting Language (QSL) works differently in different Qualys modules, so when you get it working in one area you have to modify the syntax in others. User account management: We often have to give users more rights than needed just to give them what they need. Integration with the various Qualys Modules: You can tell the UI is different based on of the different teams that created them. QSL syntax same in all modules Responsiveness of some of the components: They time out, you get a blank screen, etc. Backend updates between the various modules: You update connectors and information takes a few minutes to show in VMDR or Global Asset View Connectors: Connectors have a throttling issue with AWS which causes them to frequently fail unless you manually run them again.

I do want to like Qualys but boy several areas need improvement.

1. Each module UI- QSL (Qualys Scripting Language) syntax is not always the same in each module UI- for example, VMDR vs CloudAgent have different syntax- and this seems to be the same in most Modules (VMDR, Connectors, CloudView, GAV, CloudAgent...).

2. Dashboards- Limited and rudimentary and as you dive into the outputs, they go off on tangents not related to the scope of Queries.  

3. Authentication Records and Option Profiles- Compared to other vendors they are very complex. Why do I have to turn on an Option Profile to use an Authentication Record? This forces me to have more Option Profiles than needed. 

4. Backend Modules syncing- Qualys always seems to take several minutes to update from connectors updates, agent inputs, and Scans to Dashboards.  

Qualys is a promising product but after using it for over 2 years the company does seem very slow to update and address issues. 

Qualys VMDR is basically susceptible to false positives, and false negatives. We receive a lot of false positives in there. VMDR can be considered a complex solution, especially for enterprises with limited resources or organizations. It requires extensive knowledge as an engineer. So, when using this tool, you need to utilize other tools to remediate the false security issues. So maybe it should also have the ability to automatically identify and address false positives. In additional features, an automated process for remediating false positives. We might be looking for new types of signatures that can help us identify and address specific issues.

The solution's cloud agent is available only for limited operating systems such as Windows and Linux. They should make it accessible for more systems like FreeBSD. Also, it would be helpful if they made it available for Cisco or Juniper routers. Additionally, its price and support could be better as well.

The tool needs to improve the adding assets and report generation features. I would like to see the policy scan of offline appliances in the product's future releases.

They should improve the solution's pricing. Also, they should enhance the authentication feature. Presently, we face issues while scanning multiple assets. In cases of heavy workloads, it must scan assets properly.

I would like to have CSPM, a continuous scan-like cloud added to the solution.

I can't speak to disadvantages since I am in training and still learning and have yet to run a scan. It would be nice to have an all-in-one solution that was automated and could handle the scanning and reports as well as the patching and updating.

Qualys could be improved in its overall performance compared to other vulnerability management or scanning tools.

The disadvantage of working with Qualys is that the graphical interface is quite outdated. If you want to choose a scan result, or maybe configure an IP range or something similar, it opens up a lot of processes, or steps, which is somewhat bothersome. Because it opens several phases, it is not a single-window program.

Qualys has evolved a lot. It is one of the services that has evolved a lot, and we do recommend Qualys to the specs tent. However, their products are very modular, so for customers, they need to provide some roadmap on how the customer can utilize their products. For example, starting with vulnerability scanning, they need to show how they can extend their products for multiple other use cases. They need to do a better job of educating customer more. There needs to be better documentation. Maybe their price scheduler could be made simpler. It's expensive.

If you're not overly experienced and you're looking for something in their management, it can sometimes be quite difficult because they can move buttons around without sending an update. Previously, if you deployed the Cloud Agent, you could define which tech would be under the agent and where it would be deployed. It now requires some text preparation and the Cloud Agent then downloads the specific profile defined without any indication that this might happen. If you are not using vulnerability management, you are not able to create the correct patch process for all applications stored on the system. It would be helpful if Qualys would integrate with more systems like ServiceNow, Jira, and so on, to create some tickets and integrate them into the active directory, because each group works differently and if you need to prepare a ticket, it must be defined to a specific group of people. Qualys just created a kit on ServiceNow, but it doesn't have the correct group of people in the active directory.

Qualys VM's machine learning and artificial intelligence features could be improved.

Qualys VM's vulnerability scan could be improved, especially the number of CVE numbers it can manage at a time. It could also be more user-friendly. In the next release, Qualys VM should include threat intelligence and external test service management.

The IoT scan is not great and we would like to see some improvements to it.

This solution could be improved by extending the agent capabilities to different operating systems including Mac and Linux. We would also like the capability to easily check for vulnerability in assets in the IOTs. They have been adding additional features such as attack surface monitoring and intelligence to help managers detect additional risks. Adding intelligence is one of the most important features that we need.

They're still evolving their platform in terms of reporting capabilities. Every time they make a change, it's not always super smooth, and it's a little quirky with bugs sometimes. That said, they've been really responsive at helping resolve issues that we find. We've got a pretty close relationship with them and our account managers there. We’re working on it.

They have everything covered as far as features are concerned, but Qualys should improve their customer experience. They need to improve the tech support experience and the turnaround time.

The price could be better. Asset view is still a legacy feature. I'm not able to extract the information about the asset with complete details. It would be better if they fixed that in the next release. I know Qualys is already working on it, so I'm hopeful it will be available in the next five or six months. That would be something that's changed where I seek improvement.

Qualys VM should improve its methodology.

Qualys VM's scanner doesn't pick up every vulnerability, so we have to use multiple scanners to cover that gap. Their reporting could also be more user-friendly. In the next release, I would like Qualys to include basic policy and compliance checks in the basic licensing.

Endpoint stability and fault resolution could be improved. I would like to see the solution's footprint expanded to include iOS and iPads in the next release. One example of how it could be better would be better handling of end-of-life systems and better feedback on job failures.

Some of the older features could be polished instead of focusing on releasing new features.

Sometimes the scanning can get overwhelmed and start to drag when a lot of users are trying to scan at once. I think cloud-based solutions like Qualys VM should be prepared to throw more resources in to ensure they don't get overwhelmed like this.

Qualys does have an on-prem solution, but it is very expensive.

The reporting and dashboards could improve in Qualys VM. However, they have improved since the previous versions.

Certain integration factors between different options could be improved.

The dashboard itself could be improved, while we can customize it, they can create different tabs where we can see the trending vulnerabilities, how many there are, or how many have been fixed, as in the most recent scan report, so that trend analysis is a little easier. Aside from that, the solution itself is fairly generic in nature. What they can do is pretty much customize everything and provide a relevant solution for everything. For example, because Qualys has a Cloud Agent that scans a system's entire inventory. As a result, they can test their use cases to determine whether or not a vulnerability has been confirmed. If they can do so, they can also provide us with a straightforward solution to a specific problem rather than a generic one. That could be one area where they can improve. Qualys does not currently have an IoT, SCADA vulnerability assessment, they can significantly improve their IoT, SCADA, and ICS (Industrial Control Systems) vulnerability assessment technique. When you compare with Tenable SC it has more features than Qualys VM. If you see power grids, large oil stations, they fall under SCADA and Industrial Control Systems. These systems are very different from standard IT systems. Qualys currently does not have any features for scanning SCADA, IoT, and Industrial Control Systems. I believe they can improve on the addition of devices. Assume I have two lakhs of devices that cannot all be added at the same time. For example, if I have two lakhs of devices, and two lakhs of those devices have a Cloud Agent, adding all of those devices at once is not easy. We have to add it 1,000 at a time, which takes a long time when there are two lakhs of assets to add. If we do 1,000 at a time, we'll have to do it for around two lakhs, which is quite difficult. They can increase their frequency of working faster, similar to the time constraint they currently have. The second thing they can improve is the addition of assets. They can almost completely automate the process of adding assets, or they can increase the maximum number of assets that can be added in one go. They are only allowed to add 1,000 assets. If I want to add two lakh assets, it will be extremely difficult to do so by adding 1,000, at a time. That is a fairly technical issue. Most of the false positives reported by Qualys or the inability to detect a cumulative patch update, if any, are the few things that they can improve and incorporate. As I previously stated, it would be extremely beneficial if they could implement scanning, vulnerability scanning of IoT systems, Industrial Control Systems, and SCADA devices.

The reporting and the GUI need improvements. Tenable dominated in these two areas: reporting and graphical user interface.

The user experience, the UI, needs to be improved. The technology is there and it is obvious it is able to do many things, however, from a user experience perspective, the UI design is a bit complicated. If the platform could have a bit more of a user-friendly environment, it could be easier for the admins and analysts to use it. The solution is a bit expensive if you do not have access to discounts. From a general perspective, SLA tracking capabilities could be improved with a building method. There was a tracking method to be able to see if this vulnerability for a while or maybe it was patched. However, an internal SLA mechanism could help with batch prioritization and issue detection. I'd rate the solution at a nine out of ten.

I felt hindered sometimes within reports in that they were lacking somewhat on the customization side in terms of making use of the data. The cloud user interface could be a little more responsive. It was a click and then a wait.

It's too early for me to say if there is any room for improvement since we're in the first couple of months of using this solution. So far, we've been pretty happy about it. Nothing comes to mind that is negative. Given that it's really new, we're really trying to use all of the features and get a good comfort level and gain more experience in it. For this reason, I can't speak negatively of it, yet.

I'd like to see additional security for the app. The product lacks integrations for third party solutions or automation integration for other tools.

The Patch Identifications, which are supersedence identifications, need improvement. I would like to see more accuracy in detections, better reporting capabilities, and better dashboard download capabilities. These are things that are definitely needed.

Its integration with ServiceNow and other similar products is complicated and can be improved. It should also have virtual batching. They should support more standards and compliance requirements and more customizations. For policy compliance, they can add the standards required by the countries in the Middle East. Each country generates its own standards and frameworks, and those frameworks should be there in all products, not only in Qualys. The market here is huge, especially in the cybersecurity field. Qatar has a framework for Qatar 2022, and each and every company in the public or private sector has to follow the Qatar 2022 framework.

We are moving away from Qualys to Defender ATP because I find that Defender ATP is much better at prioritizing the vulnerabilities that I should be looking at. In general, I would like to see some better analytics and prioritization of vulnerabilities.

Qualys Container Security can improve the interface. It could be easier to navigate and be enriched. In a future release, it would be beneficial if the network and port policies we provided with some kind of automation AML script files. Having configuration files related to Kubernetes environments would be helpful.

Integration could be better. When you think about scanning, it's not used just with this product alone but with other Qualys products. If you think about the bundle, the product itself is good. But integration with other products and packages has space for improvement. They should also offer a better price for bundles.

One thing that can be improved is the flexibility and the fact that Qualys Asset Inventory provides too much detail, which makes it not very easy to understand. It's not very user-friendly at times and requires in-depth understanding. So, a layman or someone new to Qualys won't be able to easily understand it. You need education to use the solution. As for additional features, the first thing would be providing call support whenever we require any kind of help with issues that have been identified. The second would be a simple reporting structure.

The ability to manage user accounts and give rights to the operator to know about abnormalities of applications is something that needs improvement. The pricing is also expensive.

Sometimes we face a problem with accessing the tool and not getting an expected result. From a technology point of view, they need to look into this. They need to consider how they can improve tool usability and different scanning options. Sometimes we are facing issues while performing a scan and things are not correctly shown on the GUI. Even as we are doing a task, it may show up as completed, and then something is not visible. Sometimes we face other technical problems. For example, sometimes we can't go to the next page. It's limiting any positive results. The solution needs to be easier to understand and configure. The pricing is a bit on the higher side compared to other products in the industry.

Reporting can be improved more. It should generate much more stuff like field reports. Though the reports generally meet our need we hope we can customize it better.

Customer support needs to be improved because it was not to our SLA standards. Suddenly, the scan engine will go down. We don't know what the reason is, or how it goes down. Because of that, the business is impacted. I had a look at the PCI reports (policy compliance reports) and I have heard that most memberships have been taken by Azure, although I was not aware of that. I would like to see more documentation or awareness.

I would like to see this solution simplified to work more easily in a multi-cloud environment. One of our customers has more than 3,000 servers across multiple regions, and they were asking about security and vulnerability checking in an automated fashion. This could be done with a cloud-based service that monitors all of the deployments, pulls the data from the containers, and checks for compliance.

I would like to see this solution more developed and competitive in the Cloud space.

The reporting in this solution can be improved.

The server application scanning has room for improvement. It's quite complex on the way it is set up, so it takes a fair bit of time in order to get your head around it in order to deploy it. Once you've deployed it, then you're never confident on the versions of the browsers and the SSL certificates, etc. You have to always go back into Qualys and check. They do talk about an agent-based scanning for non-IP machines. It sort of sits between server scanning and endpoint scanning. That's not very clear. If they can improve that and deploy, then it'll be such a nice package. The solution should help its vendors more with renewals. For example, we had deployed the solution as a reseller to a client and then somebody else came along and we didn't end up getting the renewal licenses for the servers. I wasn't very happy about that. We put all the hard work to get it in, but the following years we didn't get the benefit of our low pricing in the first year. They should integrate with the dashboard and provide a plugins link for data that's coming into API on the dashboard. When the users buy the license, they can turn it items on. So, that way you know you've got the full solution. What you don't pay for is not switched on, and what you pay for can get switched on immediately.

What we have found is that the solution is not closely tied with the patch management. It is okay with newer ones, like Windows 10 machines; it gives the correct patch. But for Windows 7 or Windows Server 2008, it does not give us the correct patch so we have to manually identify the patches. This is a major problem.

Representation of the total number of vulnerabilities (with name) vs. the number of patches (with name).

Expanding the template library would be very useful.

One note for room for improvement is that all of the data is stored on the cloud. I think it would be better if they came up with a big box that could store the data and collect data from, it would be a huge improvement.

I think it could improve asset imagery.

The only improvement I can think of is on the implementation side, otherwise the operation is fine. At times it is a bit slow. Qualys is really nice, but people only use Qualys for the VM and web scan. They just file the report, and send the report to the customer or client. They don't do anything with the reports. They will get the report, and there are usually 30 to 40 vulnerabilities, not in the web servers. And, of those 30 vulnerabilities, 10 or 15 were usually the first cases. In case of those vulnerabilities are around 50, in which around 50-60% of vulnerabilities are usually found worse. So, for those cases, was pretty low and in Qualys we have to look for them also. Whenever the report comes, we just send the report from the client. And that was one of the biggest issues. So, in this area, we only have to actually check the vulnerabilities in the report. You just have to catch a little bit of this, when we do the type or not. That was one of the issues we had with Qualys.

When tested on Zero day, there were errors. In addition, they have integrated with other third parties, but it is still not viable. They are using their own Q id's. This sometimes leads to a false positive. And, even the updating of signatures into Qualys is not that much quicker. Maybe for Windows and Linux, it is a little quicker or networks and other devices. The signature updating is not quicker.

* Improve the API speed. * Make some minimal dashboard improvements. * Improve the user interface.