Qualys VMDR Room for Improvement
Support: It's often overseas and often following a script, basically asking us to redo what we opened the case with.
Multiple APIs: There seems to be a lack of easy onboarding into Qualys. We had to use manual inputs and some API calls to get items in place.
Dashboard: It is very rudimentary with very little customization. The Qualys Scripting Language (QSL) works differently in different Qualys modules, so when you get it working in one area you have to modify the syntax in others.
User account management: We often have to give users more rights than needed just to give them what they need.
Integration with the various Qualys Modules: You can tell the UI is different based on the different teams that created them.
QSL syntax same in all modules
Responsiveness of some of the components: They time out, you get a blank screen, etc.
Backend updates between the various modules: You update connectors and information takes a few minutes to show in VMDR or Global Asset View
Connectors: Connectors have a throttling issue with AWS which causes them to frequently fail unless you manually run them again.
Presently, I am more of the technical part. I am allowed to just go through the details of the report, which has been very interesting. It is a struggle to be able to pull our report and to be able to do onboarding using automated tools. So basically, the aforementioned aspect of the report needs improvement.
Presently, whatever I'm working on has been quite fantastic to the best of my knowledge.
The user experience, the UI, needs to be improved. The technology is there and it is obvious it is able to do many things, however, from a user experience perspective, the UI design is a bit complicated. If the platform could have a bit more of a user-friendly environment, it could be easier for the admins and analysts to use it.
The solution is a bit expensive if you do not have access to discounts.
From a general perspective, SLA tracking capabilities could be improved with a building method. There was a tracking method to be able to see if this vulnerability for a while or maybe it was patched. However, an internal SLA mechanism could help with batch prioritization and issue detection.
I'd rate the solution at a nine out of ten.
Buyer's Guide
Qualys VMDR
March 2024
Learn what your peers think about Qualys VMDR. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
767,847 professionals have used our research since 2012.
They have everything covered as far as features are concerned, but Qualys should improve their customer experience. They need to improve the tech support experience and the turnaround time.
Qualys could improve the inbuilt dashboards. They could be advanced compared to competitors like Rapid7 and Tenable. They should include a faster reverse integration process. They could enhance its integration with ServiceNow CMDB to ensure that mapping IP addresses, domains, and NetBIOS names is consistent and accurate.
MS
reviewer1324734
Information Security Manager at an outsourcing company with 51-200 employees
They're still evolving their platform in terms of reporting capabilities. Every time they make a change, it's not always super smooth, and it's a little quirky with bugs sometimes. That said, they've been really responsive at helping resolve issues that we find. We've got a pretty close relationship with them and our account managers there. We’re working on it.
MK
ManojKumar37
Information Security Engineer at an educational organization with 10,001+ employees
Qualys VMDR is basically susceptible to false positives, and false negatives. We receive a lot of false positives in there. VMDR can be considered a complex solution, especially for enterprises with limited resources or organizations. It requires extensive knowledge as an engineer. So, when using this tool, you need to utilize other tools to remediate the false security issues.
So maybe it should also have the ability to automatically identify and address false positives. In additional features, an automated process for remediating false positives. We might be looking for new types of signatures that can help us identify and address specific issues.
If anything, I would like to see the user interface modernized a bit more. Also, there are a lot of various modules, and if they could be consolidated into fewer options, it would make the buying experience easier.
MN
reviewer2019471
Security Expert at an insurance company with 10,001+ employees
I would like to have CSPM, a continuous scan-like cloud added to the solution.
This solution could be improved by extending the agent capabilities to different operating systems including Mac and Linux. We would also like the capability to easily check for vulnerability in assets in the IOTs.
They have been adding additional features such as attack surface monitoring and intelligence to help managers detect additional risks. Adding intelligence is one of the most important features that we need.
Qualys has evolved a lot. It is one of the services that has evolved a lot, and we do recommend Qualys to the specs tent.
However, their products are very modular, so for customers, they need to provide some roadmap on how the customer can utilize their products. For example, starting with vulnerability scanning, they need to show how they can extend their products for multiple other use cases. They need to do a better job of educating customers more.
There needs to be better documentation.
Maybe their price scheduler could be made simpler.
It's expensive.
They should improve the solution's pricing. Also, they should enhance the authentication feature. Presently, we face issues while scanning multiple assets. In cases of heavy workloads, it must scan assets properly.
I can't speak to disadvantages since I am in training and still learning and have yet to run a scan.
It would be nice to have an all-in-one solution that was automated and could handle the scanning and reports as well as the patching and updating.
JT
Jerome TOUTEE
Former Employee of Orange Business Services as Head of Security Engineering at a comms service provider with 5,001-10,000 employees
The solution's cloud agent is available only for limited operating systems such as Windows and Linux. They should make it accessible for more systems like FreeBSD. Also, it would be helpful if they made it available for Cisco or Juniper routers. Additionally, its price and support could be better as well.
AZ
AvaisZaidi
Assistant Manager Solutions at Mutex Systems Pvt. Ltd.
The price could be better. Asset view is still a legacy feature. I'm not able to extract the information about the asset with complete details. It would be better if they fixed that in the next release.
I know Qualys is already working on it, so I'm hopeful it will be available in the next five or six months. That would be something that's changed where I seek improvement.
JO
reviewer1145985
Manager, Info Security Planning & Architecture at a comms service provider with 10,001+ employees
Sometimes the scanning can get overwhelmed and start to drag when a lot of users are trying to scan at once. I think cloud-based solutions like Qualys VM should be prepared to throw more resources in to ensure they don't get overwhelmed like this.
Qualys VM should improve its methodology.
KD
reviewer1421982
AVP - Information Security at a financial services firm with 10,001+ employees
Sometimes we face a problem with accessing the tool and not getting an expected result. From a technology point of view, they need to look into this.
They need to consider how they can improve tool usability and different scanning options.
Sometimes we are facing issues while performing a scan and things are not correctly shown on the GUI. Even as we are doing a task, it may show up as completed, and then something is not visible. Sometimes we face other technical problems. For example, sometimes we can't go to the next page. It's limiting any positive results.
The solution needs to be easier to understand and configure.
The pricing is a bit on the higher side compared to other products in the industry.
The tool needs to improve the adding assets and report generation features. I would like to see the policy scan of offline appliances in the product's future releases.
AL
AntonyLai
Sr Security Engineer at Jardine Matheson Limited
Qualys VM's vulnerability scan could be improved, especially the number of CVE numbers it can manage at a time. It could also be more user-friendly. In the next release, Qualys VM should include threat intelligence and external test service management.
PK
reviewer1708782
Senior Security Consultant at a tech services company with 10,001+ employees
The dashboard itself could be improved, while we can customize it, they can create different tabs where we can see the trending vulnerabilities, how many there are, or how many have been fixed, as in the most recent scan report, so that trend analysis is a little easier.
Aside from that, the solution itself is fairly generic in nature. What they can do is pretty much customize everything and provide a relevant solution for everything. For example, because Qualys has a Cloud Agent that scans a system's entire inventory. As a result, they can test their use cases to determine whether or not a vulnerability has been confirmed. If they can do so, they can also provide us with a straightforward solution to a specific problem rather than a generic one. That could be one area where they can improve.
Qualys does not currently have an IoT, SCADA vulnerability assessment, they can significantly improve their IoT, SCADA, and ICS (Industrial Control Systems) vulnerability assessment technique. When you compare with Tenable SC it has more features than Qualys VM.
If you see power grids, large oil stations, they fall under SCADA and Industrial Control Systems. These systems are very different from standard IT systems. Qualys currently does not have any features for scanning SCADA, IoT, and Industrial Control Systems.
I believe they can improve on the addition of devices. Assume I have two lakhs of devices that cannot all be added at the same time. For example, if I have two lakhs of devices, and two lakhs of those devices have a Cloud Agent, adding all of those devices at once is not easy. We have to add it 1,000 at a time, which takes a long time when there are two lakhs of assets to add. If we do 1,000 at a time, we'll have to do it for around two lakhs, which is quite difficult.
They can increase their frequency of working faster, similar to the time constraint they currently have. The second thing they can improve is the addition of assets. They can almost completely automate the process of adding assets, or they can increase the maximum number of assets that can be added in one go. They are only allowed to add 1,000 assets. If I want to add two lakh assets, it will be extremely difficult to do so by adding 1,000, at a time.
That is a fairly technical issue. Most of the false positives reported by Qualys or the inability to detect a cumulative patch update, if any, are the few things that they can improve and incorporate.
As I previously stated, it would be extremely beneficial if they could implement scanning, vulnerability scanning of IoT systems, Industrial Control Systems, and SCADA devices.
NS
Nagaraj Sheshachalam
Lead Cyber Security engineer at a manufacturing company with 10,001+ employees
One thing that can be improved is the flexibility and the fact that Qualys Asset Inventory provides too much detail, which makes it not very easy to understand. It's not very user-friendly at times and requires in-depth understanding. So, a layman or someone new to Qualys won't be able to easily understand it. You need education to use the solution.
As for additional features, the first thing would be providing call support whenever we require any kind of help with issues that have been identified. The second would be a simple reporting structure.
If you're not overly experienced and you're looking for something in their management, it can sometimes be quite difficult because they can move buttons around without sending an update. Previously, if you deployed the Cloud Agent, you could define which tech would be under the agent and where it would be deployed. It now requires some text preparation and the Cloud Agent then downloads the specific profile defined without any indication that this might happen. If you are not using vulnerability management, you are not able to create the correct patch process for all applications stored on the system.
It would be helpful if Qualys would integrate with more systems like ServiceNow, Jira, and so on, to create some tickets and integrate them into the active directory, because each group works differently and if you need to prepare a ticket, it must be defined to a specific group of people. Qualys just created a kit on ServiceNow, but it doesn't have the correct group of people in the active directory.
AP
Anusha Patnaik
IRM Technical Consultant at Shell
Customer support needs to be improved because it was not to our SLA standards.
Suddenly, the scan engine will go down. We don't know what the reason is, or how it goes down. Because of that, the business is impacted.
I had a look at the PCI reports (policy compliance reports) and I have heard that most memberships have been taken by Azure, although I was not aware of that. I would like to see more documentation or awareness.
RR
RaghunandanRaju
Senior Vulnerability Analyst at a comms service provider with 10,001+ employees
When tested on Zero day, there were errors.
In addition, they have integrated with other third parties, but it is still not viable. They are using their own Q id's. This sometimes leads to a false positive. And, even the updating of signatures into Qualys is not that much quicker. Maybe for Windows and Linux, it is a little quicker or networks and other devices. The signature updating is not quicker.
Endpoint stability and fault resolution could be improved.
I would like to see the solution's footprint expanded to include iOS and iPads in the next release.
One example of how it could be better would be better handling of end-of-life systems and better feedback on job failures.
BM
reviewer1248798
Sr. Manager, Vulnerability Management at a transportation company with 10,001+ employees
The Patch Identifications, which are supersedence identifications, need improvement.
I would like to see more accuracy in detections, better reporting capabilities, and better dashboard download capabilities. These are things that are definitely needed.
BV
reviewer2004561
Security Specialist at a financial services firm with 1,001-5,000 employees
The disadvantage of working with Qualys is that the graphical interface is quite outdated.
If you want to choose a scan result, or maybe configure an IP range or something similar, it opens up a lot of processes, or steps, which is somewhat bothersome. Because it opens several phases, it is not a single-window program.
Qualys could be improved in its overall performance compared to other vulnerability management or scanning tools.
The IoT scan is not great and we would like to see some improvements to it.
Qualys does have an on-prem solution, but it is very expensive.
I think the only area to improve it is the way the scores are calculated. That was the only problem I had and because of that, all scores had to be rectified manually.
SH
Dr. SureshHungenahally
Chief Executive Officer at Suraksha
The server application scanning has room for improvement.
It's quite complex on the way it is set up, so it takes a fair bit of time in order to get your head around it in order to deploy it. Once you've deployed it, then you're never confident on the versions of the browsers and the SSL certificates, etc. You have to always go back into Qualys and check.
They do talk about an agent-based scanning for non-IP machines. It sort of sits between server scanning and endpoint scanning. That's not very clear. If they can improve that and deploy, then it'll be such a nice package.
The solution should help its vendors more with renewals. For example, we had deployed the solution as a reseller to a client and then somebody else came along and we didn't end up getting the renewal licenses for the servers. I wasn't very happy about that. We put all the hard work to get it in, but the following years we didn't get the benefit of our low pricing in the first year.
They should integrate with the dashboard and provide a plugins link for data that's coming into API on the dashboard. When the users buy the license, they can turn items on. So, that way you know you've got the full solution. What you don't pay for is not switched on, and what you pay for can get switched on immediately.
PW
reviewer1460919
Global Infrastructure Architect at an energy/utilities company with 5,001-10,000 employees
We are moving away from Qualys to Defender ATP because I find that Defender ATP is much better at prioritizing the vulnerabilities that I should be looking at.
In general, I would like to see some better analytics and prioritization of vulnerabilities.
AK
reviewer1228836
Solutions Architect at a tech services company with 10,001+ employees
I would like to see this solution simplified to work more easily in a multi-cloud environment. One of our customers has more than 3,000 servers across multiple regions, and they were asking about security and vulnerability checking in an automated fashion. This could be done with a cloud-based service that monitors all of the deployments, pulls the data from the containers, and checks for compliance.
BM
reviewer1248798
Sr. Manager, Vulnerability Management at a transportation company with 10,001+ employees
I would like to see this solution more developed and competitive in the Cloud space.
Qualys Container Security can improve the interface. It could be easier to navigate and be enriched.
In a future release, it would be beneficial if the network and port policies were provided with some kind of automation AML script files. Having configuration files related to Kubernetes environments would be helpful.
Representation of the total number of vulnerabilities (with name) vs. the number of patches (with name).
Expanding the template library would be very useful.
As users of Qualys for the last three years, we have identified and shared many areas where Qualys needed to have improvements, including --
- Vulnerability database having some false positives, although this is rare;
- Web scan module requires authentication to access basic web forms;
- Asset tagging needs lots of improvements as it's currently a complex technique; and
- For policy compliance, they need to add more leading IT standards with regards to all the leading IT service providers like Juniper, Cisco, Microsoft, etc.
Ticket management
FG
reviewer1820922
President and CEO at a non-profit with 11-50 employees
Qualys VM's machine learning and artificial intelligence features could be improved.
SS
Sujit Sharma
Information Security Engineer at a tech services company with 1,001-5,000 employees
The only improvement I can think of is on the implementation side, otherwise the operation is fine. At times it is a bit slow.
Qualys is really nice, but people only use Qualys for the VM and web scan. They just file the report, and send the report to the customer or client. They don't do anything with the reports. They will get the report, and there are usually 30 to 40 vulnerabilities, not in the web servers. And, of those 30 vulnerabilities, 10 or 15 were usually the first cases. In case of those vulnerabilities are around 50, in which around 50-60% of vulnerabilities are usually found worse. So, for those cases, was pretty low and in Qualys we have to look for them also. Whenever the report comes, we just send the report from the client. And that was one of the biggest issues. So, in this area, we only have to actually check the vulnerabilities in the report. You just have to catch a little bit of this, when we do the type or not. That was one of the issues we had with Qualys.
VK
reviewer1405830
Technical Architect at an outsourcing company with 1,001-5,000 employees
Qualys VM's scanner doesn't pick up every vulnerability, so we have to use multiple scanners to cover that gap. Their reporting could also be more user-friendly. In the next release, I would like Qualys to include basic policy and compliance checks in the basic licensing.
PK
Piotr Koryczan
Technology Security Expert at T-Mobile Polska (Deutsche Telekom)
The reporting in this solution can be improved.
MW
SecuritySpec783
Information Security Specialist at a manufacturing company with 10,001+ employees
I think it could improve asset imagery.
Web application security model needs some work.
JS
reviewer1781004
GM Network Information Security at a tech services company with 1,001-5,000 employees
The reporting and dashboards could improve in Qualys VM. However, they have improved since the previous versions.
Maybe the reporting features. It is too granular, so that if someone new wants to get familiar with it, they will have a hard time. A few more tutorials or guides on screen would also be appreciated.
MM
reviewer1258674
Director for global support at a tech vendor with 1,001-5,000 employees
Certain integration factors between different options could be improved.
HS
reviewer1636329
Senior Vice President | Information Security at a financial services firm with 1,001-5,000 employees
I felt hindered sometimes within reports in that they were lacking somewhat on the customization side in terms of making use of the data. The cloud user interface could be a little more responsive. It was a click and then a wait.
One of the biggest issues from the clients' perspective is that all Qualys computing is on the cloud.
As of last month (this is when I found out), Qualys offers an on-premise installation for its customers.
https://www.qualys.com/enterprises/qualysguard/pri...
The issue with the private cloud is that it costs very much for a small firm.
RJ
reviewer1135389
CTO Latam at a tech services company with 201-500 employees
Integration could be better. When you think about scanning, it's not used just with this product alone but with other Qualys products. If you think about the bundle, the product itself is good. But integration with other products and packages has space for improvement. They should also offer a better price for bundles.
ME
reviewer1674711
Senior Cyber Security Specialist at a tech services company with 1,001-5,000 employees
The reporting and the GUI need improvements. Tenable dominated in these two areas: reporting and graphical user interface.
MM
reviewer1500162
Chief Information Officer/Senior Vice President at a tech services company with 51-200 employees
It's too early for me to say if there is any room for improvement since we're in the first couple of months of using this solution. So far, we've been pretty happy about it. Nothing comes to mind that is negative.
Given that it's really new, we're really trying to use all of the features and get a good comfort level and gain more experience in it. For this reason, I can't speak negatively of it, yet.
The reporting is lacking a little, and it would be nice to have reports sent via email. Oftentimes we have to manually generate the reports after a vulnerability is fixed and a scan has to be re-run.
Streamline PCI integration and attestation.
None, as the product is great.
LH
reviewer1399569
Senior Consultant at a tech services company with 11-50 employees
Some of the older features could be polished instead of focusing on releasing new features.
- Improve the API speed.
- Make some minimal dashboard improvements.
- Improve the user interface.
The reporting capabilities are good but I would like to be able to make more customized reports. In addition, I would like to be able to assign a numerical asset value to critical hosts.
The feature where the solutions to issues are mentioned in the reports could be improved.
I’m convinced it could be possible to do a simpler interface.
The IT infrastructure, especially server administration, needs to be improved.
KR
Reviewer214
Senior Information Security Engineer at a financial services firm with 501-1,000 employees
One note for room for improvement is that all of the data is stored on the cloud. I think it would be better if they came up with a big box that could store the data and collect data from, it would be a huge improvement.
What we have found is that the solution is not closely tied with the patch management. It is okay with newer ones, like Windows 10 machines; it gives the correct patch. But for Windows 7 or Windows Server 2008, it does not give us the correct patch so we have to manually identify the patches. This is a major problem.
HH
Engineer10496
Network and security Pre-sales Engineer at a tech services company with 51-200 employees
Its integration with ServiceNow and other similar products is complicated and can be improved. It should also have virtual batching.
They should support more standards and compliance requirements and more customizations. For policy compliance, they can add the standards required by the countries in the Middle East. Each country generates its own standards and frameworks, and those frameworks should be there in all products, not only in Qualys. The market here is huge, especially in the cybersecurity field. Qatar has a framework for Qatar 2022, and each and every company in the public or private sector has to follow the Qatar 2022 framework.
Solutions for fixing problems need to be better documented, such as in a step by step way.
RB
reviewer1342815
Consultant at a media company with 51-200 employees
The ability to manage user accounts and give rights to the operator to know about abnormalities of applications is something that needs improvement.
The pricing is also expensive.
PL
reviewer1307133
IT Consultant Supervisor at a financial services firm with 5,001-10,000 employees
Reporting can be improved more. It should generate much more stuff like field reports. Though the reports generally meet our need we hope we can customize it better.
I can't say as I have worked mostly on its vulnerability management module.
VM
reviewer1189266
Consultant at a tech services company with 11-50 employees
I'd like to see additional security for the app. The product lacks integrations for third party solutions or automation integration for other tools.
I'm looking forward to having an exploitation framework, a platform/framework that helps to cross verify the vulnerabilities like Metasploit.