Qualys VM Review

Easy to deploy and manage but reporting and dashboards have room for improvement

It is a very good product in terms of ease of deployment and management and I have personally implemented the solution at a financial institution.

The latest release of ThreatProtect is a cloud-based service that correlates external threat data against an organization’s internal vulnerabilities & lets IT pros automatically prioritize remediation work, such as patch deployment & risk mitigation.The dashboard displays entire threat posture at a glance and provides stats such as assets with active zero-day vulnerabilities.The release of our Cloud agent allows organizations to continuously monitor their systems for vulnerabilities and compliance violations in real-time with active alerts.

Current in beta is IOC,FIM and the new release of WAF 2.0 and WAS 2.0.

Qualys is continuously improving their products which speaks to the Cyber Security Framework of continuous monitoring

We’re excited to share with you the first preview of our next-generation grading. This is something that’s long overdue but, due to lack of available time, we managed to keep up patching the first-generation grading to keep up with the times. Now, finally, we’re taking the next necessary steps to modernise how we grade servers based on our assessments.

SSL Labs Grading Redesign

Grading Redesign Goals

Before I show you the new version of the grading, I’d like to explain what we’re set out to achieve:

  • Cleanup. SSL Labs grading was initially designed around numerical scores in various categories. That approached worked for a period of time, back in the day when most cryptographic elements appeared to be relatively secure. This system is still employed at the core, but it’s now largely obsolete and complicates the work.
  • Simplification and assessment decoupling. Our new goal is make it easier to understand how grading is done and, perhaps more importantly, enable others to replicate our results. In other words, we wish to decouple the grading logic from our assessment implementation.
  • Meaningful grades. Although the A-F grading we have in place works great, we’re not making full use of the entire grade range. Additionally, the grades don’t have defined meanings, making it more difficult to keep the grading approach consistent over a period of time.
  • Even better security. Finally, we wish the next major update to further push security forward by requiring better security. This is something we’ve been doing regularly over the years, and this time is not going to be an exception.

Qualys compiles and continuously updates a complete IT asset inventory to give you instant visibility across your entire IT environment — on premises, on endpoints and in the clouds. AssetView, the platform’s central “single pane of glass” interface, is fully customizable and lets customers see all their IT security and compliance data, drill down into details, generate reports and search for any asset.  

The platform’s suite of more than 10 integrated, self-updating cloud apps serve the needs of all your security and compliance teams, such as those in charge of on-premises IT operations, web apps, DevSecOps, cloud services and endpoints.

The platform’s consolidated functionality includes vulnerability managementcontinuous monitoringpatching prioritizationindication of compromiseweb app securitypolicy compliance, file integrity monitoring, container securityvendor risk assessments and passive network analysis.

Use Of Solution:

More than 12 years

Valuable Features:

Asset Classification, Risk analysis,ThreatProtect, Cloud Agent, Patch management,Security Assessment Questionnaire (SAQ),Indicators of Compromise(IOC),File Integrity Monitoring and Activity(FIM/FIA)

Improvements To Organization:

We had no way of knowing what vulnerabilities was in our estate. By implementing the vulnerability solution allowed us to prioritize remediation efforts.

Room for Improvement:

Reporting and Dashboard

Deployment Issues:

None, it's very simple.

Stability Issues:


Scalability Issues:

None , if we needed additional scanning capability we added an additional device into the network.

Alternate Solutions:

Yes, I evaluated McAfee Foundstone

Customer Service:

Very good

Technical Support:


Initial Setup:

It was straightforward, once the appliance was allocated an IP address and configured the gateway the device was ready to start scanning.

Implementation Team:


Other Advice:

This product is very easy to manage with no hardware management overhead, ie patching etc. Qualys is a subscription based model, you pay per IP address and the appliance is owned by the vendor. If the device is faulty they swap it out.

Disclosure: I work for the vendor.
1 visitor found this review helpful
Orlee GillisConsultant

What would you like to see in the dashboard and/or reporting options that are currently not available?

28 September 16
Alireza GhahroodReal UserTOP 5LEADERBOARD


23 February 19
Sign Up with Email