What is most valuable?
From my point of view all the Qualys products are valuable. From the clients' perspective, I believe vulnerability management is the most valuable one and it’s a must in every organization. After the client realize the risks from outside, and that the vulnerabilities are real, a proper compliance policy implementation using Qualys Policy Compliance (I'm using v8.4), the second product needed in any infrastructure, can be done. If the organization has public websites, Web Application Scanning (I'm using v4.1) is the third valuable product needed in an organization.
How has it helped my organization?
After the first scan of the servers at all the POCs QualysGuard discovered many vulnerabilities that are grouped from low to high impact. The ability to use asset management to scan the grouped servers from the vulnerability management feature with the policy compliance engine helps the security officer to perform the daily/monthly tasks faster and make them more organized.
What needs improvement?
One of the biggest issues from the clients' perspective is that all Qualys computing is on the cloud.
As last month ( this is when I found out) Qualys offers a On-Premise instalation for it's customers.
The issue with the private cloud is that is costs very much for a small firm.
For how long have I used the solution?
I have been using QualysGuard since 2012, and I have followed the certification from Qualys in class. After that, I implemented it for one of our clients, and did some POCs using Qualys. In the last month I had another PoC with Qualys and the client looks interested.
What was my experience with deployment of the solution?
need support from sysadmin to deploy the ovf file.
What do I think about the stability of the solution?
Qualys appliances are based on Linux OS, and they are very stable. I didn’t encounter any stability issues.
What do I think about the scalability of the solution?
The big advantage of using the virtual appliances is that you can increase the allocated hardware if you need more resources.
How are customer service and technical support?
The customer service level is very high. All the requests made to the reseller were fulfilled in a very short time. Technical Support
We didn’t need to use Qualys technical support as the product was very stable, and our knowledge of the product was enough to fulfil all the clients needs.
Which solution did I use previously and why did I switch?
I have used both Nessus and Rapid 7 Nexpose. I am working as a security consultant and I need to know the big players so I could present to my clients the pluses and minuses of the products they might choose.
How was the initial setup?
Qualys initial setup is straightforward and if you follow the manual you don’t have any problems. You receive the credentials, login to the Qualys website, download the virtual appliance, configure the IP, and, after defining the credentials and the assets, you can start scanning your environment. For the hardware appliance you have to connect it to the network and after the configuration you can start the scanning.
What about the implementation team?
I was part of the consultant team that implemented this solution to the client. We didn't have any complaints from him, and he used us to implement the rest of Qualys' components.
What's my experience with pricing, setup cost, and licensing?
Usually every implementation is different and the quote is in function of number of assets.
Which other solutions did I evaluate?
The clients are usually evaluating the top three vendors from Gartner. From my clients side, the vendors used in evaluation were Nexpose, McAfee Vulnerability Manager and Nessus. Also I have tried the open source VM OpenVAS
What other advice do I have?
Follow the vendor provided steps, and you will not have any problems during the initial implementation. If you don’t have experience with server policies, use a consultant that will be able to identify your business needs.