It's an enterprise-level tool. If we’re not putting it in everything, it's very expensive to maintain in terms of people and time. We need to dedicate time and resources to keep it running. It was hard to configure. We made some technology changes, and there were some technologies that we couldn’t scan with the product. So, we decided to reduce our footprint internally.

I feel that the reporting should be improved - especially the way it organizes the findings. I would like to have a real-time dashboard. The previous program I used, could tell me which of my systems were vulnerable when a new definitions file was uploaded, so I knew about the new vulnerabilities before scanning the systems. An exposure index would be great in reporting. 

Another thing that needs to be fixed, is the reporting. The remediation solution for Microsoft vulnerabilities, for example, gives me the CV number and then I have to search in Microsoft to find and download the patch. Other programs give me directly the KB article with a link to download the patch related to my case.

The technical support can also be better.

For IP360, unfortunately, scans for certain vulnerabilities often cause issues, as they are mainly false positive.

For instance, scanning Microsoft OS patches often leads to false positives, since they will identify patches that are missing, yet these missing patches are often superseded by newer patches that have been applied.

There are several more recommendations I could make, too.

The reporting functions can use improvement. There is room for growth because reporting functions differ a lot depending on what you're going to output. It depends on whether it's for technical or senior management and how it's interpreted. There could be growth within the reporting functionality side.

There are inconsistencies in some of the vulnerability findings when compared to similar tools. For example, a recent scan didn’t turn up any vulnerabilities related to SSL but when I used another tool, it found those vulnerabilities, which after some investigating were valid.

We would like to have better reporting capabilities and for them to be more granular.