Qualys VM Overview

Qualys VM is the #5 ranked solution in our list of top Vulnerability Management tools. It is most often compared to Tenable Nessus.

What is Qualys VM?

Qualys Vulnerability Management (VM) is a cloud-based service that gives you immediate, global visibility into where your IT systems might be vulnerable to the latest Internet threats and how to protect them. It helps you to continuously identify threats and monitor unexpected changes in your network before they turn into breaches.

Qualys VM is also known as QualysGuard VM.

Qualys VM Customers

Agrokor Group, American Specialty Health, American State Bank, Arval, Life:), Axway, Bank of the West, Blueport Commerce, BSkyB, Brinks, CaixaBank, Cartagena, Catholic Health System, CEC Bank, Cegedim, CIGNA, Clickability, Colby-Sawyer College, Commercial Bank of Dubai, University of Utah, eBay Inc., ING Singapore, National Theatre, OTP Bank, Sodexo, WebEx

Archived Qualys VM Reviews (more than two years old)

Dr. Suresh Hungenahally
Chief Executive Officer at Suraksha Pty Ltd
Real User
An excellent solution for vulnerability management that's highly scalable and very stable

Pros and Cons

  • "Technical support is fantastic."
  • "It's quite complex on the way it is set up, so it takes a fair bit of time in order to get your head around it in order to deploy it. Once you've deployed it, then you're never confident on the versions of the browsers and the SSL certificates, etc. You have to always go back into Qualys and check."

What is our primary use case?

The primary use for the solution is vulnerability management.

What is most valuable?

The way we can maintain a current actual registry of all the IP assets within it is very good. The scanning of software assets on the endpoint machine is also useful. I've tried the scanning of similar asset vulnerabilities throughout different servers, including Unix and Windows. Qualys maintains a good intervention database. We have a service line that updates to the newest software, or whenever you set it up. The second service line has denominated my nodes across the globe. It's easy to deploy the solution.

What needs improvement?

The server application scanning has room for improvement.

It's quite complex on the way it is set up, so it takes a fair bit of time in order to get your head around it in order to deploy it. Once you've deployed it, then you're never confident on the versions of the browsers and the SSL certificates, etc. You have to always go back into Qualys and check.

They do talk about an agent-based scanning for non-IP machines. It sort of sits between server scanning and endpoint scanning. That's not very clear. If they can improve that and deploy, then it'll be such a nice package.

The solution should help its vendors more with renewals. For example, we had deployed the solution as a reseller to a client and then somebody else came along and we didn't end up getting the renewal licenses for the servers. I wasn't very happy about that. We put all the hard work to get it in, but the following years we didn't get the benefit of our low pricing in the first year. 

They should integrate with the dashboard and provide a plugins link for data that's coming into the API on the dashboard. When the users buy the license, they can turn items on. So, that way you know you've got the full solution. What you don't pay for is not switched on, and what you pay for can get switched on immediately.

For how long have I used the solution?

I've been using the solution since 2005.

What do I think about the stability of the solution?

The solution is very stable. 

What do I think about the scalability of the solution?

The solution is highly scalable.

How are customer service and technical support?

Technical support is fantastic.

What other advice do I have?

I would advise others to always have a proof of concept version of the solution put into play. Then spend a good two months on it. Stabilize the solution and check out the features and then deploy it into production. Otherwise, you will spend money during the real project for what could have been done as a POC. Deploy the core solution, get the scanning done and all the critical components put it in a proof of concept and then move it into production.

I would rate the solution eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
PD
Information Technology Analyst at Tata Consultancy Services
Real User
Patch supersedence has been an invaluable feature

What is our primary use case?

Datacenters which are in different locations.

How has it helped my organization?

  • Asset discovery
  • Asset sanitization
  • Scan scheduling
  • Patch supersedence.

What is most valuable?

Patch supersedence.

What needs improvement?

Representation of the total number of vulnerabilities (with name) vs. the number of patches (with name).

For how long have I used the solution?

One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
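The reviewer above asks for a view of the total number of vulnerabilities (with names) against the number of patches (with names) that patch supersedence collapses them to. The Python below is an added example of that rollup, written for this page; it is not Qualys code and does not use the Qualys API or report schema. The findings, QID numbers, patch names and the supersedence chain are constructed sample data, and every field name is an assumption.

```python
"""Vulnerability-to-patch rollup with patch supersedence.

Added example, not Qualys code. The findings and the supersedence
chain below are constructed sample data; the field names are
assumptions, not the Qualys report schema.
"""
from collections import defaultdict

# Constructed sample findings: one row per (host, QID). Each finding
# names the patch that fixes it. QID numbers and patch names are made up.
FINDINGS = [
    {"host": "10.0.0.5", "qid": 900001, "title": "Sample OpenSSL flaw A", "severity": 4, "patch": "openssl-1.1.1k"},
    {"host": "10.0.0.5", "qid": 900002, "title": "Sample OpenSSL flaw B", "severity": 3, "patch": "openssl-1.1.1j"},
    {"host": "10.0.0.6", "qid": 900002, "title": "Sample OpenSSL flaw B", "severity": 3, "patch": "openssl-1.1.1j"},
    {"host": "10.0.0.6", "qid": 900010, "title": "Sample kernel flaw", "severity": 5, "patch": "kernel-5.4.0-80"},
    {"host": "10.0.0.7", "qid": 900011, "title": "Sample kernel flaw 2", "severity": 4, "patch": "kernel-5.4.0-77"},
]

# Constructed supersedence chain: newer patch -> set of patches it replaces.
SUPERSEDES = {
    "openssl-1.1.1k": {"openssl-1.1.1j"},
    "kernel-5.4.0-80": {"kernel-5.4.0-77"},
}


def newest_patch(patch, supersedes):
    """Follow the supersedence chain from `patch` to the newest patch that replaces it.

    A malformed, cyclic chain raises ValueError instead of looping forever.
    """
    newer_of = {}
    for newer, olds in supersedes.items():
        for old in olds:
            newer_of[old] = newer
    seen = {patch}
    while patch in newer_of:
        patch = newer_of[patch]
        if patch in seen:
            raise ValueError(f"supersedence cycle at {patch}")
        seen.add(patch)
    return patch


def rollup_by_host(findings, supersedes):
    """Per host: the list of open vulnerabilities and the minimal set of patches to deploy."""
    per_host = defaultdict(lambda: {"vulnerabilities": [], "patches": set()})
    for f in findings:
        entry = per_host[f["host"]]
        entry["vulnerabilities"].append((f["qid"], f["title"], f["severity"]))
        entry["patches"].add(newest_patch(f["patch"], supersedes))
    return dict(per_host)


def totals(findings, supersedes):
    """Unique vulnerabilities (QID -> title) versus the unique patches that close them."""
    vulns = {f["qid"]: f["title"] for f in findings}
    patches = {newest_patch(f["patch"], supersedes) for f in findings}
    return {"vulnerabilities": vulns, "patches": sorted(patches)}


def report_lines(findings, supersedes):
    """Human-readable 'vulnerabilities (with name) vs patches (with name)' summary."""
    t = totals(findings, supersedes)
    lines = [f"{len(t['vulnerabilities'])} vulnerabilities -> {len(t['patches'])} patches to deploy"]
    for qid, title in sorted(t["vulnerabilities"].items()):
        lines.append(f"  QID {qid}: {title}")
    lines.append("  Patches: " + ", ".join(t["patches"]))
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(FINDINGS, SUPERSEDES)))
    for host, entry in sorted(rollup_by_host(FINDINGS, SUPERSEDES).items()):
        print(host, len(entry["vulnerabilities"]), "findings ->", sorted(entry["patches"]))
```

The chain walk resolves each finding's patch to the newest patch that supersedes it, so two findings fixed by different OpenSSL builds count as a single patch to deploy; the per-host view is what a patching team works from, while the totals are the vulnerability-versus-patch count the reviewer wanted on the dashboard.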
KR
Senior Information Security Engineer at a financial services firm with 501-1,000 employees
Real User
It is a stable product. Tech support is quick to respond to any inquiries.

What is our primary use case?

It mainly scans the model against all of our online websites.

How has it helped my organization?

There are fewer false positives when using this solution. We are also cutting the need for news monitoring with this solution.

What is most valuable?

We find all of the features useful. 

What needs improvement?

One note for room for improvement is that all of the data is stored on the cloud. I think it would be better if they came up with a big box that could store the data and collect data from; it would be a huge improvement.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

It is an extremely impressive and stable product. I would give it a 99% out of 100%. It is very close to being perfect.

What do I think about the scalability of the solution?

I have had no issues with scalability. Initially, we had some issues with the dashboard, but eventually, it set and stabilized. There was an issue with the data dashing between the two models initially, but it was resolved.

How are customer service and technical support?

The tech support is helpful. When we initially open a ticket, we get a response within five minutes. Then, they open a case and we receive input from tech support within 24-48 hours with a QID.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
MW
Information Security Specialist at a manufacturing company with 10,001+ employees
Real User
This solution helps us fill out forms in a timely manner. It is more expensive than competitive products.

Pros and Cons

  • "It is quite easy to implement."
  • "When you want to cover yourself for scalability, you will be charged for the number you place on the scan itself."
  • "It is more expensive vs. other products on the market."

What is our primary use case?

My primary use case is to actually fill out forms, ensure that they are being closed in a timely manner. This is why we use these one point solutions.

What is most valuable?

I find most valuable to achieve a channel system and we can also use it to track when we actually close the ticketing of the sites.

In addition, it is quite easy to implement. We found it quite convenient.

What needs improvement?

I think it could improve asset imagery.  

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

I have not encountered issues with stability of the product.

What do I think about the scalability of the solution?

I have not encountered any issues of scalability function. We do have to pay extra according to the number we are placing on the scan. So, when you want to be covered for the scalability, you will have to pay more.

How was the initial setup?

The initial setup was straightforward. It was quite simple. We just needed to download the image from the website, and onto our service team.

What's my experience with pricing, setup cost, and licensing?

Qualys is considered more expensive versus other products on the market.

Which other solutions did I evaluate?

We were previously using McAfee. We had to switch because McAfee stopped producing the solution we needed. We considered Tenable Nessus, but we chose Qualys in the end.

What other advice do I have?

I advise that you see if this solution can fit your problems, and help your needs.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sujit Sharma
Information Security Engineer at a tech services company with 1,001-5,000 employees
MSP
The main purpose was to remove the granularity. It really helped us manage the security of our organization.

Pros and Cons

  • "It is a simple solution that makes scanning easy. You just give it a scheduled task, and it will do everything for you."
  • "The reporting is fine."
  • "The only improvement I can think of is on the implementation side. At times it is a bit slow."

What is our primary use case?

My primary use case is for the web application scans of websites. I also made some new search profiles and other scanning profiles.

How has it helped my organization?

Before using Qualys, we had other security tools. And, the main purpose was to remove the granularity. We had so many attacks every day. Qualys really helped us manage the security for our operations.

What is most valuable?

The most valuable features are that it is a simple solution that makes scanning easy. You just give it a scheduled task, and it will do everything for you. The reporting is fine, too. And, the knowledge base is pretty good, too.

What needs improvement?

The only improvement I can think of is on the implementation side, otherwise the operation is fine. At times it is a bit slow.

Qualys is really nice, but people only use Qualys for the VM and web scan. They just file the report, and send the report to the customer or client. They don't do anything with the reports. They will get the report, and there are usually 30 to 40 vulnerabilities, not in the web servers. And, of those 30 vulnerabilities, 10 or 15 were usually the first cases. In case of those vulnerabilities are around 50, in which around 50-60% of vulnerabilities are usually found worse. So, for those cases, was pretty low and in Qualys we have to look for them also. Whenever the report comes, we just send the report from the client. And that was one of the biggest issues. So, in this area, we only have to actually check the vulnerabilities in the report. You just have to catch a little bit of this, when we do the type or not. That was one of the issues we had with Qualys.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

No, we have not experienced any issues with stability of the product at all.

What do I think about the scalability of the solution?

I have not encountered issues with scalability of the solution. I had scanned 77 servers at a time, and found no issues with scalability while doing so.

How are customer service and technical support?

I have not had a need to deal with Qualys tech support.

Which solution did I use previously and why did I switch?

I have previous experience with Tenable Nessus. I like Qualys better because there are so many nice features, it builds better.

What's my experience with pricing, setup cost, and licensing?

I am not personally involved with the pricing or licensing of the solution for our organization.

Which other solutions did I evaluate?

I have prior experience with Alert Logic CloudDefender, RSA, Odyssey and Forcepoint Websense (formerly Raytheon Websense). 

What other advice do I have?

A really nice feature of Qualys is the asset management. Some of the end users were using that function, and paid for that particular function. It is helpful to get a bit of history of all types of supports of scanning of particular servers.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Raghunandan Raju
Senior Vulnerability Analyst at a comms service provider with 10,001+ employees
Real User
It has a quicker response time to incidents. And it has a stable performance record.

Pros and Cons

  • "I find the most valuable features are the continuous monitoring. Even on premises, there is constant monitoring."
  • "They have integrated with other third parties, but it is still not viable."
  • "When tested on Zero day, there were errors."

What is our primary use case?

It improves the continuous monitoring of the systems on-premises.

How has it helped my organization?

If any anomalies are there, we can easily detect them with our agent-based solution, and we can isolate them quickly; the response time for any incident is much quicker than before. Before, we were taking eight hours; now we're taking around 30 minutes to respond to any security incident.

What is most valuable?

I find the most valuable features are the continuous monitoring.  Even on premises, there is constant monitoring.

What needs improvement?

When tested on Zero day, there were errors.

In addition, they have integrated with other third parties, but it is still not viable. They are using their own QIDs. This sometimes leads to a false positive. And, even the updating of signatures into Qualys is not that much quicker. Maybe for Windows and Linux it is a little quicker, or for networks and other devices. The signature updating is not quicker.

What do I think about the stability of the solution?

I have not experienced issues with stability of the solution. There were a few bugs, but we reported them.

What do I think about the scalability of the solution?

I did not have any issues of scalability.

How are customer service and technical support?

The tech support acted quickly and responded quickly to our tickets. There was a good response time.

Which solution did I use previously and why did I switch?

I also have previous experience with Tenable Nessus, and I find Qualys is better than Nessus, which is slow in the security center and lags a bit.

What's my experience with pricing, setup cost, and licensing?

It's good. Yes, it's competitive. We got the best price.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Junior Information Security Analyst at Visma
Real User
Detects new hosts along with vulnerabilities

What is our primary use case?

Our primary use case is to manage vulnerabilities, scan web applications, and report assets throughout the network. Also, we create reports based on this data. 

How has it helped my organization?

  • Tracks workstations and servers.
  • Monitors workstations and servers for vulnerabilities and creates reports.
  • Performs automated, regular scans in the network.
  • Detects new hosts along with vulnerabilities.

What is most valuable?

The Qualys Agent is most valuable for getting insight into what is happening on what device with all its metadata.

What needs improvement?

  • Improve the API speed.
  • Make some minimal dashboard improvements.
  • Improve the user interface.

For how long have I used the solution?

Less than one year.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
ITSM & AntiFraud Consultant with 51-200 employees
Consultant
Vulnerability management is the most valuable feature but it would be good if they could provide an internal computing appliance.

Pros and Cons

  • "Vulnerability management is the most valuable one and it’s a must in every organization."
  • "One of the biggest issues from the clients' perspective is that all Qualys computing is on the cloud."

What is most valuable?

From my point of view, all the Qualys products are valuable. From the clients' perspective, I believe vulnerability management is the most valuable one and it's a must in every organization. After the client realizes the risks from outside, and that the vulnerabilities are real, a proper compliance policy implementation using Qualys Policy Compliance (I'm using v8.4), the second product needed in any infrastructure, can be done. If the organization has public websites, Web Application Scanning (I'm using v4.1) is the third valuable product needed in an organization.

How has it helped my organization?

After the first scan of the servers at all the POCs, QualysGuard discovered many vulnerabilities that are grouped from low to high impact. The ability to use asset management to scan the grouped servers from the vulnerability management feature with the policy compliance engine helps the security officer perform the daily/monthly tasks faster and make them more organized.

What needs improvement?

One of the biggest issues from the clients' perspective is that all Qualys computing is on the cloud.

As of last month (this is when I found out), Qualys offers an on-premise installation for its customers.

https://www.qualys.com/enterprises/qualysguard/pri...

The issue with the private cloud is that it costs a lot for a small firm.

For how long have I used the solution?

I have been using QualysGuard since 2012, and I have followed the certification from Qualys in class. After that, I implemented it for one of our clients, and did some POCs using Qualys. In the last month I had another PoC with Qualys and the client looks interested.

What was my experience with deployment of the solution?

You need support from a sysadmin to deploy the OVF file.

What do I think about the stability of the solution?

Qualys appliances are based on Linux OS, and they are very stable. I didn’t encounter any stability issues.

What do I think about the scalability of the solution?

The big advantage of using the virtual appliances is that you can increase the allocated hardware if you need more resources.

How are customer service and technical support?

Customer Service:

The customer service level is very high. All the requests made to the reseller were fulfilled in a very short time.

Technical Support:

We didn't need to use Qualys technical support as the product was very stable, and our knowledge of the product was enough to fulfil all the clients' needs.

Which solution did I use previously and why did I switch?

I have used both Nessus and Rapid 7 Nexpose. I am working as a security consultant and I need to know the big players so I could present to my clients the pluses and minuses of the products they might choose.

How was the initial setup?

Qualys initial setup is straightforward and if you follow the manual you don’t have any problems. You receive the credentials, login to the Qualys website, download the virtual appliance, configure the IP, and, after defining the credentials and the assets, you can start scanning your environment. For the hardware appliance you have to connect it to the network and after the configuration you can start the scanning.

What about the implementation team?

I was part of the consultant team that implemented this solution to the client. We didn't have any complaints from him, and he used us to implement the rest of Qualys' components.

What's my experience with pricing, setup cost, and licensing?

Usually every implementation is different, and the quote is a function of the number of assets.

Which other solutions did I evaluate?

The clients are usually evaluating the top three vendors from Gartner. From my clients' side, the vendors used in evaluation were Nexpose, McAfee Vulnerability Manager and Nessus. I have also tried the open source VM OpenVAS.

What other advice do I have?

Follow the vendor provided steps, and you will not have any problems during the initial implementation. If you don’t have experience with server policies, use a consultant that will be able to identify your business needs.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are a QualysGuard partner
ITCS user
Shared Information Security Officer at a university with 1,001-5,000 employees
Vendor
It is a totally vendor-managed appliance. It distributes administration functions based on access roles.

What is most valuable?

  • Totally vendor-managed appliance
  • Highly scalable and deployable portal interface
  • Ability to easily distribute administration functions based on access roles

How has it helped my organization?

It provides fully automated internal and external vulnerability management.

What needs improvement?

Streamline PCI integration and attestation.

For how long have I used the solution?

I have used it for five years.

What do I think about the scalability of the solution?

I have not encountered any scalability issues.

How are customer service and technical support?

Technical staff are excellent.

Which solution did I use previously and why did I switch?

We previously used Rapid 7. The product was not staying current with shifting trends, sales staff were pushy and management were arrogant.

How was the initial setup?

Initial setup was simple.

What's my experience with pricing, setup cost, and licensing?

Negotiate for the pricing model that fits your budget. The vendor is willing to customize pricing.

Which other solutions did I evaluate?

Before choosing this product, we evaluated Rapid 7 and Nessus.

What other advice do I have?

Take your time and have each vendor set up an actual proof of concept, rather than just relying on a demo. Get your network and support staff engaged in the process early on because they will be instrumental in deployment and support. Know what you’re trying to accomplish.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user347139
Sr. Analyst- Security Testing with 1,001-5,000 employees
Vendor
The reports it generates give us a detailed description of and solution for all network and compliance-related violations, though I'd like an exploitation framework.

Valuable Features

QualysGuard provides a solution for network security, web application security and compliance.

Vulnerability management and policy/PCI compliance are the features that I have used which I think are the most valuable.

Improvements to My Organization

We use QualysGuard to identify all network and compliance-related violations of the assets. The report generated by the product will have a detailed description and solution. This has helped us to provide a certificate of compliance or a clean sheet for our vendors.

Room for Improvement

I'm looking forward to having an exploitation framework, a platform/framework that helps to cross verify the vulnerabilities like Metasploit.

Use of Solution

I've used it for four years.

Deployment Issues

No issues encountered.

Stability Issues

No issues encountered.

Scalability Issues

No issues encountered.

Customer Service and Technical Support

Customer Service:

7/10

Technical Support:

7/10

Other Solutions Considered

I have evaluated multiple products that include commercial as well as open source. There are different solutions available with other products, but I feel this is the integrated product which covers information security and compliance comprehensively.

Also, the results provided by the product are accurate and precise.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user298425
Network and Lotus Notes Administrator at an insurance company with 1,001-5,000 employees
Vendor
It updates quickly and works without its presence being felt, but the problem-solving documentation needs improvement.

What is most valuable?

It gets up to date very fast.

How has it helped my organization?

Users do not feel any QualysGuard presence.

What needs improvement?

Solutions for fixing problems need to be better documented, such as in a step-by-step way.

For how long have I used the solution?

I've used it for three years.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service: 8/10. Technical Support: 7/10.

Which solution did I use previously and why did I switch?

No previous solution was used.

What other advice do I have?

I strongly recommend that you use this solution.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user297117
Information Risk Analyst at a healthcare company with 1,001-5,000 employees
Vendor
We've gained insight into vulnerabilities across our environment, but reports should be more customizable.

What is most valuable?

The vulnerability scanning feature is valuable.

How has it helped my organization?

QualysGuard has provided us with a valuable insight into vulnerabilities across our environment. Before the use of this product, we had no way of identifying or tracking vulnerabilities.

What needs improvement?

The reporting capabilities are good but I would like to be able to make more customized reports. In addition, I would like to be able to assign a numerical asset value to critical hosts.

For how long have I used the solution?

I've used it for six years.

What was my experience with deployment of the solution?

No issues encountered, it went very smoothly.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered, as it's very easy to add additional hosts.

How are customer service and technical support?

Customer Service:

8/10.

Technical Support:

8/10.

Which solution did I use previously and why did I switch?

We didn't use a previous solution.

How was the initial setup?

It was straightforward.

What about the implementation team?

It was implemented in-house.

Which other solutions did I evaluate?

We also looked at Nessus.

What other advice do I have?

Make sure you take advantage of authenticated scans and it is also very helpful if you have a complete server inventory.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user268167
Senior System Engineer at a comms service provider with 1,001-5,000 employees
Vendor
It's easy to download/install the correct patch, but the reporting could be improved.

What is most valuable?

The feature where the solutions to issues are mentioned in the reports.

How has it helped my organization?

It's easy to reach the current location and download/install the correct patch.

What needs improvement?

The feature where the solutions to issues are mentioned in the reports could be improved.

For how long have I used the solution?

I've been using it for over three years.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service: 7/10. Technical Support: 5/10.

Which solution did I use previously and why did I switch?

No previous solution was used.

What about the implementation team?

It was implemented by the vendor.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user259977
Analista de Seguridad TI at a manufacturing company with 1,001-5,000 employees
Vendor
It's worth the investment, but score calculation needs to be improved. I had to manually re-calculate scoring at times.

What is most valuable?

The interface is pretty good, as all the instructions are clear enough. The way you can create groups or scheduling scans and reports is a very good feature, and the CSV reports have very good information.

How has it helped my organization?

In this case, my last employer was a Qualys partner and the consultancy was extra. But the reports, and the way the information is presented, helped a lot. Also, with this information, concise presentations were sent to the CIO every month.

What needs improvement?

I think the only area to improve it is the way the scores are calculated. That was the only problem I had and because of that, all scores had to be rectified manually.

For how long have I used the solution?

I was using both Multimedios Redes (Enterprise version) and Lamosa for three years. I also used PC, PCI, and WAS.

What was my experience with deployment of the solution?

No issues were encountered.

What do I think about the stability of the solution?

Maybe one or two times, but they were caused by scheduled windows, and these problems were fixed very quickly.

What do I think about the scalability of the solution?

No issues were encountered.

How are customer service and technical support?

Customer Service:

Very good! I think I would give them 10/10 because in Latin America the service was excellent.

Technical Support:

Again, I would give them 10/10, as the documentation is so good and all is clear, but if you have a doubt, technical support was always concise and had a quick answer. Also the community helps a lot.

Which solution did I use previously and why did I switch?

I did not personally, but the technical contacts that worked for my customers tried other solutions, and they chose Qualys for the easy way it manages the processes.

How was the initial setup?

The initial setup was very easy, with no complications found when the instructions were followed. Also, this activity was done with a physical and virtual appliance, and both ways were very easy to follow.

What was our ROI?

I was on the vendor team, but I can give you the answer from the actual companies I worked for. The administrators, before Qualys, did not care so much about security, patching, etc.; but after Qualys they changed their minds. Security took a very important role and, of course, they greatly reduced the chances of being hacked or attacked. It also helped, at this point, to be verified by auditors.

What's my experience with pricing, setup cost, and licensing?

It's worth it, really, when you see the complete picture and see all the factors. It is a very good investment. Qualys is a very good tool and very easy to use and it is also better to have an annual subscription rather than paying for a scan.

Which other solutions did I evaluate?

My customers evaluated Foundstone and Rapid7, and possibly others.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user259962
Manager System Security at a comms service provider with 1,001-5,000 employees
Vendor
The installation of the local hardware scanner appliance is easy, but the asset tagging needs lots of improvements.

What is most valuable?

  • Vulnerability management
  • Policy compliance
  • Scalability

How has it helped my organization?

As a leading IT services organization, it is very important for us to have proactive identification/assessment of vulnerabilities. We also need to be able to remedy them in a timely manner before they are exploited, check our security configuration compliance, and then harden our security for both system/network devices and applications. We need to do this both before and after placing them in the production environment.

With QualysGuard we have been able to achieve this by utilizing its modules, such as vulnerability management, policy compliance, web scanning, malware detection, and asset tagging.

What needs improvement?

As users of Qualys for the last three years, we have identified and shared many areas where Qualys needed to have improvements, including:

  • Vulnerability database having some false positives, although this is rare;
  • Web scan module requires authentication to access basic web forms;
  • Asset tagging needs lots of improvements as it's currently a complex technique; and
  • For policy compliance, they need to add more leading IT standards with regard to all the leading IT service providers like Juniper, Cisco, Microsoft, etc.

For how long have I used the solution?

I've been using this product for the last three years.

What do I think about the stability of the solution?

This is a very stable product and we haven't faced any issues since its deployment apart from announced downtimes for upgrades and improvements.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service:

Support is available 24/7 via phone and e-mail. Remote session support is also available.

Technical Support:

They have excellent expertise.

Which solution did I use previously and why did I switch?

No previous solution was used.

How was the initial setup?

It's easy as it is a SaaS, cloud-based service. The installation of the local hardware scanner appliance is also easy.

What about the implementation team?

We used a vendor team who was excellent.

What was our ROI?

I cannot give you the exact ROI on this, but as a large information and communication technology service provider, 24/7 service availability that leads to customer satisfaction is our key goal. Regular VM and compliance assessment results in the complete hardening of our critical assets, defending us against any exploits that lead to unavailability of our services.

Which other solutions did I evaluate?

No, because it was already in use at our parent company and it was providing good results for a low price as well.

What other advice do I have?

  • Collect complete asset inventory details (asset type, service/application details, administrator details etc.).
  • Provide awareness session to the support team about Qualys, its usage, and functionality.
  • Prepare OLAs and SOPs for better co-ordination between the teams.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user254613
Security Consultant at Cyber Intelligence Sdn Bhd
Consultant
The reporting features needs to be improved, but you don't need to spend a lot of time on the deployment.

What is most valuable?

The fact that it's on the cloud, so there's no configuration whatsoever on my physical machine except for the VM scanner.

How has it helped my organization?

It now takes less time to run a vulnerability assessment for our client. I do not have to bring two laptops anymore to my clients' sites.

What needs improvement?

Maybe the reporting features. It is too granular, so if someone new wants to get familiar with it, they will have a hard time. A few more tutorials or on-screen guides would also be appreciated.

For how long have I used the solution?

I've been using the consultant edition for two years.

What was my experience with deployment of the solution?

There were some during the internal scanner deployment, but the issue was mostly not the product but rather the network architecture of our client.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service:

9/10

Technical Support:

9/10

Which solution did I use previously and why did I switch?

Rapid7 Nexpose. To use the software, it takes a whole laptop just to run it, and the results have too much redundancy. Additionally, the scan rate is very slow compared to Qualys, and furthermore it is too expensive when compared to Qualys.

How was the initial setup?

It's very straightforward. Basically you can scan anything external/internet facing within five minutes. For internal scans you have to deploy the internal scanner which can be done in five minutes if the network architecture is not too complex.

What about the implementation team?

It was done in-house, but the help we get from their Singapore support team is awesome.

Which other solutions did I evaluate?

  • Nessus
  • Nexpose

What other advice do I have?

Use it. It is a great product. Many people are sceptical that their scan results are in the cloud. But if you want something affordable and that works like a charm, go for Qualys. Less headaches and easy to achieve ROI as you don't spend much on the deployment or maintenance.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: We have been doing some road-shows, & conferences in Malaysia to introduce Qualys.
it_user255882
Customer Technical Leader for Galeries Lafayette at a tech company with 10,001+ employees
MSP
The GUI needs work, but the vulnerabilities are kept up to date.

What is most valuable?

The top one for me is that the vulnerabilities are kept up to date.

How has it helped my organization?

It has reduced the cost of ownership for the engineers who can launch scans on the customers’ networks.

What needs improvement?

I’m convinced it could be possible to do a simpler interface.

For how long have I used the solution?

I used it for about four years.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

There is an issue with the web browser, but it's not an issue with the product itself.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service:

9/10.

Technical Support:

8/10.

Which solution did I use previously and why did I switch?

I switched due to the cost.

How was the initial setup?

It was simple because it's only used for external scans.

What's my experience with pricing, setup cost, and licensing?

You have to find the best solution regarding functions and cost.

Which other solutions did I evaluate?

  • Tripwire
  • Nessus
  • Acunetix
  • OpenVAS

What other advice do I have?

  • Take your time
  • Study all the functionalities of the product
  • Try to set it up in a lab first before your production environment.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user254973
Manager Information Security at a healthcare company with 10,001+ employees
Vendor
There are some stability issues with reporting, but it's straightforward to implement.

What is most valuable?

Vulnerability management.

How has it helped my organization?

It has helped to automate the vulnerability management program, increasing the security posture and helped us to identify the security risks in our infrastructure.

What needs improvement?

Web application security model needs some work.

For how long have I used the solution?

I've been using it for four years, including the VM, PCI, WAS and MDS features.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

There's been a few times, related to reporting, that we've had issues, but overall it's stable.

How are customer service and technical support?

Customer Service:

Excellent, the Qualys support team always helps on a priority basis.

Technical Support:

Excellent!

Which solution did I use previously and why did I switch?

No previous solution was used.

How was the initial setup?

It was straightforward.

What about the implementation team?

It was done in-house.

Which other solutions did I evaluate?

No other options were looked at.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user254970
Technical Services Manager at a tech company with 10,001+ employees
MSP
It is very simple and yet an effective way to do vulnerability assessment.

What is most valuable?

  • Vulnerability assessment
  • Asset management
  • WAS

How has it helped my organization?

Since this is a SaaS based solution, the vulnerability scan with the external scanners as well as the reporting has improved a lot. The reporting is very granular and you can please higher management with your reports.

What needs improvement?

None, as the product is great.

For how long have I used the solution?

I've used it for four years.

What do I think about the stability of the solution?

Stability of the product is very high, I have never seen it unavailable.

How are customer service and technical support?

Customer Service:

The support needs to improve a lot, their response is absolutely slow. I have had terrible experience with support over the years.

Technical Support:

I would rate it great because of its improvement since I have had terrible experiences in the past.

Which solution did I use previously and why did I switch?

We used McAfee Vulnerability Manager/Foundstone and had to switch because this is a SaaS based solution and has more features/capabilities.

How was the initial setup?

The initial setup is very simple in terms of configuring the appliance.

What about the implementation team?

We installed it ourselves.

What other advice do I have?

I would definitely recommend using this product, as it is a very simple and yet effective way to do vulnerability assessment.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user254967
Linux Administrator at a comms service provider with 501-1,000 employees
Vendor
The users on the forums are very knowledgeable, but the reporting in the solution is lacking.

What is most valuable?

The reporting and vulnerability analysis features.

How has it helped my organization?

Vulnerability scans are easily managed and maintained using Qualys. What used to be a manual process is now automatic. When we have an issue, I can easily see what production systems are affected and I can easily pinpoint a solution to mitigate the issue.

What needs improvement?

The reporting is lacking a little, and it would be nice to have reports sent via email. Often times we have to manually generate the reports after a vulnerability is fixed and a scan has to be re-run.

For how long have I used the solution?

I've used it for three years.

What was my experience with deployment of the solution?

We did not.

What do I think about the stability of the solution?

Our Qualys box is hardware and it's very easy to set up and maintain. It's very little maintenance, and the most time consuming part is setting up everything initially, such as what subnets you want to scan, what reports you want to run, etc.

What do I think about the scalability of the solution?

We have over 15,000 devices and had no issues with scaling up our Qualys infrastructure.

How are customer service and technical support?

Customer Service:

I have never had to interact with them. I get most of the information on the forums, and even there the responses are lightning fast. As far as actually talking to someone, I personally have never had to speak to Qualys support.

Technical Support:

It's great. The users on the forums are very knowledgeable and eager to help. If I need a quick answer I will always get one from the support forum.

Which solution did I use previously and why did I switch?

We used Nessus before. It was a manual process and very time consuming. I like Nessus, but it was very tedious to get it to function automatically.

How was the initial setup?

There are always complexities to every setup. I think the biggest issue was the learning curve. Having to learn all the new pieces and how they fit into our environment was probably the single biggest hurdle we had to face.

What about the implementation team?

We did it in-house.

Which other solutions did I evaluate?

We looked at Metasploit Expose but the price was too much for what we needed.

What other advice do I have?

Do your research and see how this product would best fit into your environment.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user251121
Senior IT Security Analyst at a tech services company with 501-1,000 employees
Consultant
The IT infrastructure needs work but WAF has improved our vulnerability identification.

What is most valuable?

WAF integration is valuable.

How has it helped my organization?

We can now perform vulnerability scans with WAF integration. The WAF has improved the vulnerability identification and reports to the SOC and CSO.

What needs improvement?

The IT infrastructure, especially server administration, needs to be improved.

For how long have I used the solution?

I've used it for two years.

What was my experience with deployment of the solution?

There was only one, related to our technology, and that needed work. As the solution is cloud based, we needed to adapt our internal policies.

What do I think about the stability of the solution?

There were no issues.

What do I think about the scalability of the solution?

This has been done without a problem.

How are customer service and technical support?

Customer Service:

It's good.

Technical Support:

It's good.

Which solution did I use previously and why did I switch?

There was no previous solution, but I did execute several POCs.

How was the initial setup?

It was a regular setup for the configuration, but the official training was necessary.

What's my experience with pricing, setup cost, and licensing?

We also looked at Nessus and GFI Languard.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user247242
Consultant with 501-1,000 employees
Vendor
Using the vulnerability management module you can track the list of vulnerabilities.

What is most valuable?

I have mostly used vulnerability management so I would recommend it for the same.

How has it helped my organization?

Most of my clients use it for the vulnerability scanning of their internal and external network devices. Using the vulnerability management module you can track the list of vulnerabilities and can take action to remediate them. You can also see the list of vulnerabilities by severity and various other things.

What needs improvement?

I can't say as I have worked mostly on its vulnerability management module.

For how long have I used the solution?

I've used it for two years.

What was my experience with deployment of the solution?

I didn't work on the deployment.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

Which solution did I use previously and why did I switch?

I didn't use a previous solution, but the vulnerability management helped me to find out about it.

Which other solutions did I evaluate?

I have seen other products like Nessus, Nmap, iDefense and so on but I found this one much better.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user5130
Security Expert at a financial services firm with 1,001-5,000 employees
Vendor
Makes many promises but in order to do so, Qualys requires the client to provide a backdoor to the system.

The QualysGuard Private Cloud Platform (QG PCP) makes many promises, one of which is that vulnerability scan data can be hosted by a private cloud platform in a client's data center and under the client's control. If taken at their word, this may seem promising, but the reality is that Qualys still will have to manage this platform remotely. By doing so, they will have access to this data remotely anyway and can pull it down to their site as needed. Needless to say, Qualys requires the client to provide a backdoor to the system.

The Qualys PCP equipment is leased and never sold to the customer. There are many legal issues with this which allows them to access their equipment. They require the customer to give them remote access in order for them to manage it remotely. That is a requirement and not an option. They keep it a big secret how it is managed.

Remote Access

What kind of remote access to the QG PCP do they require?

1. Persistent iVPN tunnel
2. VPN remote access account

Qualys still has the means to pull the data back to Qualys through SSH/SCP even though it is hosted on a customer site. In fact, Qualys does not allow the customer to monitor the network traffic being sent back to Qualys. Such requests were flat out refused during a security assessment. What they pull back is their business and the customer has no right to know.

Network Sniffer

Network monitoring had to be done outside of the QG PCP as Qualys did not allow internal network sniffing. This traffic analysis did show a few weaknesses.

1. Emails were being sent to the email server UNENCRYPTED. Yes, one could see the message being sent as well as who the recipients were. Emails were being sent back to Qualys through the Internet. A lot of sensitive information was sent unencrypted, including server names, configuration, scripts, running jobs, listening ports, and full internal DNS names.

2. Internet connections from Indonesia were seen accessing the QG PCP even though it was supposed to be in a controlled access network in a data center.

3. A lot of failed DNS requests to www.qualys.com and other Qualys subdomains; it looks like the system has not been fine-tuned to be hosted at a client site. The interesting thing is that it tries to do Windows updates on its own by accessing the Internet.

4. Undocumented protocols used by the Qualys PCP; namely AppleTalk, CMIP-Man, and Feixin

5. syslog messages sent across the network unencrypted.

Firewall Rule Analysis

Firewall rule analysis shows that SSH is allowed into the platform through VPN firewall as well as HTTP(S) protocols.

Internet Access

The Qualys PCP itself does access network traffic in and out of the controlled access network environment as seen in the diagram below.

1. The Qualys PCP Service Network requires outbound communication for

a. NTP – Time Synchronization

b. DNS – Name Resolution

c. SMTP – Email

d. WHOIS – External Internet

e. Daily Vulnerability Updates - External Internet.

WHOIS pulls information from the Internet and Daily Signature Updates are pulled from Qualys through the Internet on port 443. In effect, the PCP is pulling information from Qualys through the Internet to retrieve updates. A man-in-the-middle attack could intercept the update and instead return a malware update to the Qualys PCP provided that a vulnerability exists in the platform.

2. The physical scanners communicate to the Qualys PCP. This requires that inbound port 443 be opened on the PCP. Physical scanners in the DMZ also need to communicate to the PCP on port 443. Access to the PCP from the DMZ increases the risk.

3. Qualys SOC accesses the PCP through iVPN and VPN connections from the Internet for maintenance and support.

Virtual Scanners

A sniffer placed on a virtual scanner showed that it chose to use SSLv3, which is deprecated, by default on some servers to communicate to the Qualys PCP. In particular, it uses SSLv3 with RC4-MD5. MD5 is obsolete. Qualys documentation claims they use TLSv1 and the latest modern secure protocols.

Application Analysis

Perl API

Application analysis was done by running Perl scripts against the qualysapi server and testing for vulnerabilities. The server itself was found to be vulnerable by accepting login credentials for API requests via base64 encoding passed through plaintext HTTP. This could result in loss and capture of Qualys Admin credentials, which could result in access to vulnerability scan results.

Web Application
The Qualys Web Application tests resulted in a number of vulnerabilities.

Qualys PCP Internal

Additional vulnerabilities were found inside the Qualys PCP infrastructure itself. It was found to be very insecure.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
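Two of the findings in the review above, API credentials passed as base64 HTTP Basic over plaintext HTTP and a scanner negotiating SSLv3 with RC4-MD5, can both be confirmed passively from captured bytes rather than taken on trust. The block below is an added example and is not code from the reviewer or from Qualys: it decodes HTTP Basic credentials from a constructed cleartext request and parses a constructed TLS ServerHello record to flag SSLv3 and RC4 cipher suites. The hostname, path and credentials in the sample request are made up, and the ServerHello builder only exists to produce test input.

```python
"""Passive checks for two weaknesses the review above describes: HTTP Basic
(base64) credentials sent over cleartext HTTP, and a TLS peer negotiating
SSLv3 with an RC4-MD5 suite. Added example, not Qualys or reviewer code;
every input below is constructed for illustration."""
import base64
import struct

# Cipher-suite IDs as registered with IANA (only the ones this check names).
RC4_SUITES = {0x0004: "rc4-md5", 0x0005: "rc4-sha"}
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def find_basic_auth(http_request: bytes, over_tls: bool):
    """Return (user, password) when a cleartext request carries HTTP Basic
    credentials, else None. Basic auth is only a base64 encoding, so a
    sniffer on the path recovers the secret exactly as shown here."""
    if over_tls:                      # TLS-wrapped traffic is opaque to a passive sniffer
        return None
    head = http_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            continue
        try:
            creds = base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except ValueError:            # binascii.Error is a ValueError: bad alphabet or padding
            return None
        user, _, password = creds.partition(":")
        return user, password
    return None


def parse_server_hello(record: bytes):
    """Parse one TLS record holding a ServerHello; return (version, cipher_suite)
    as integers. Raises ValueError for anything that is not a well-formed
    ServerHello, so the checker does not crash on stray packets."""
    if len(record) < 5 or record[0] != 0x16:      # 0x16 = handshake content type
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:          # 0x02 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:                           # version(2) + random(32) + session_id_len(1)
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    sid_len = hello[34]
    off = 35 + sid_len                            # cipher suite follows the session id
    if len(hello) < off + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hello[off:off + 2])[0]
    return version, suite


def audit_server_hello(record: bytes):
    """Return a list of finding codes for the negotiated version and suite."""
    version, suite = parse_server_hello(record)
    findings = []
    if version <= 0x0300:                         # SSLv3 or older
        findings.append("sslv3")
    if suite in RC4_SUITES:
        findings.append(RC4_SUITES[suite])
    return findings


def build_server_hello(version: int, suite: int) -> bytes:
    """Constructed sample: a minimal ServerHello with an all-zero random,
    empty session id and null compression, wrapped in a handshake record."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


# Constructed sample request: hostname, path and credentials are made up.
SAMPLE_REQUEST = (
    b"GET /api/example/list HTTP/1.1\r\n"
    b"Host: qualysapi.example.internal\r\n"
    b"Authorization: Basic " + base64.b64encode(b"qgadmin:S3cret!") + b"\r\n"
    b"User-Agent: perl-script\r\n\r\n"
)

if __name__ == "__main__":
    print("cleartext API creds:", find_basic_auth(SAMPLE_REQUEST, over_tls=False))
    print("legacy scanner hello:", audit_server_hello(build_server_hello(0x0300, 0x0004)))
    print("modern hello:", audit_server_hello(build_server_hello(0x0303, 0xC02F)))
```

On a real capture the same two functions would be fed the TCP payload of each request to the API port and the first server-to-client handshake record of each scanner connection; the point of the `over_tls` flag is that Basic auth is acceptable only when the transport is encrypted, which is exactly what the plaintext HTTP finding above says was missing.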
it_user147540
Security Compliance Analyst at a healthcare company with 501-1,000 employees
Vendor
Delivers higher frequency of scans & better aggregation of results. Ticket management has room for improvement.

Valuable Features

Integrity of scanners; never do I need to worry….“Is this scanner going to bring down a host?”.

Improvements to My Organization

Higher frequency of scans, better aggregation of scan results, abundance of different reports (can be scheduled and automated), delivering metrics to senior management.

Room for Improvement

Ticket management

Use of Solution

5+ years

Deployment Issues

No

Stability Issues

No

Scalability Issues

No

Customer Service and Technical Support

Customer Service:

Good – 4 out of 5

Technical Support:

Good – 4 out of 5

Initial Setup

Straightforward. Assuming you know your network layout, number of devices and other basic information, it is pretty simple to figure out what you need. Qualys ships you the scanners, you rack them, set them up and technically could start scanning. Though there are other recommended tasks to complete via the QualysGuard Vulnerability Management web portal, such as defining asset groups, setting up scan rules, turning ticketing on, generating reports, etc.

Implementation Team

In-house

ROI

I do not have a specific quantitative number to provide but from a qualitative perspective it has been enormous. Once you are set up properly and have proper acceptance from support teams, device owners and senior management you can start to scan your environment much more often which increases your organizations ability to detect vulnerabilities more often reducing your overall vulnerability footprint and corresponding business risk.

Pricing, Setup Cost and Licensing

The original setup cost was about $10,000 and the day-to-day cost is less than $100 per day, with one caveat. Our parent company is large and has allowed us to fall under their pricing model. If we were not under their model our costs would be about 40% higher.

Other Solutions Considered

No, we had a 3rd party running the scans for us. We were very happy with Qualys but wanted to bring it “in-house”. We brought it in-house 5 years ago and never looked back.

Other Advice

Take the time to properly identify your network and, as importantly, get approval and acceptance from the ground up – especially senior management. In addition, it is very important to have your scan schedule, profiles, reporting, metrics, expectations, etc. documented so that everyone in the company understands your expectations.
Disclosure: I am a real user, and this review is based on my own experience and opinions.