What is our primary use case?
The demo was mainly centered around vulnerability management. We were looking to find a tool which is able to do vulnerability management for internal assets and web applications which face the Internet and are exposed on it. We want a platform which can do vulnerability assessment for internal assets and also for assets which are published on the internet.
I did this demo for three to six months.
How has it helped my organization?
It gave us an idea of what lay in our network, and the vulnerabilities in it. Most IT admins are not aware of what is happening on the network. It was able to advise them of what's happening on the network. They could see the web-based applications and where attacks on the outside were coming from.
On the dashboard, you can see vulnerabilities that you have, as they are increasing or reducing over periods of time.
What is most valuable?
It combines both web application vulnerability management and internal vulnerability management on one platform and dashboard. Usually, you have to purchase separate tools.
What needs improvement?
The area of false positives could be improved. There are quite a number of false positives as compared to other solutions. They could probably fine-tune the algorithm to be able to reduce the number of false positives being detected.
Going forward, I would like it to scan for given vulnerabilities and add-ons, then confirm whether it is an actual threat or not without the false positives.
For how long have I used the solution?
What do I think about the stability of the solution?
It is a stable product, once it is implemented.
We haven't had any major errors or bugs. It runs quite well.
What do I think about the scalability of the solution?
The plans can be installed internally on the infrastructure or be used with a cloud-based scenario. If you have a cloud structure, the scalability is almost unlimited because it all depends on the number of assets that you want to manage. This can be done without any major configuration changes. In terms of scalability, Qualys has handled it quite well.
How is customer service and technical support?
Technical support was quite responsive and effective. If engaged on email, they got back to us on time.
How was the initial setup?
When setting up the solution, it was quite a challenge when trying to set up the internal VM. The guides were not able to give all the scenarios one might encounter when installing the product. At some point, we became stuck, not knowing what to do next.
Work closely with your network administrator. The challenge for us was when trying to connect the virtual machine to the cloud on Qualys, ensuring the firewall policy and rules are in line with the communication passing through without being dropped anywhere.
What about the implementation team?
Support was helpful during implementation. They also referred us to a third-party vendor who we could work with as a partner.
What's my experience with pricing, setup cost, and licensing?
Licensing was based on the number of assets that you want to scan on your network. You can also do licensing on subscription. On subscription, it is easier and more flexible. You tell Qualys that you want to move from the 1000 to 2000 band or the 3000 or 5000 band, then they will give you the quotation for it. Once you pay for it, applying the licensing is quite easy and effective.
Pricing was reasonable and competitive. It was not too far above the other products.
Which other solutions did I evaluate?
We have been evaluating the following: Rapid7, Tenable.io, Tenable SecurityCenter, and Acunetix for web applications.