What is our primary use case?
We have multiple modules, including the Qualys VMDR solution and the Qualys TotalCloud solution. We use them in our organization, like VMDR, for vulnerability management, detection, and response, as well as policy compliance to amend policies according to CIA benchmarks and other frameworks.
We also use the web application module and the Qualys Gateway module to ensure that scanner appliances are functioning properly. These modules allow us to check various scenarios and initiate scans, either on-demand or as per a scheduled plan.
My primary work is with the VMDR module. In my previous organization, I worked with TotalCloud, but right now, I am focused only on VMDR and other modules.
How has it helped my organization?
Sometimes, we receive CVIDs from customers who require vulnerability scans, but they are not available in the Qualys knowledge base. This makes it complicated because we need to contact Qualys to add the required QID and CVID to their knowledge base and provide the corresponding vulnerability criteria. It affects our business since, without that information, we can't identify or notify our teams about the vulnerabilities.
What is most valuable?
Compared to other tools, VMDR provides a clearer view and is easy to understand. It's also highly customizable, allowing us to tailor it to our needs. I find it to be better than tools like Belwix, Rapid7, and Tenable.
For asset management, there's a feature that tracks unused machines and a purging mechanism. It informs us if a machine hasn’t been used for 180 days, or if it’s been idle for 368 days, allowing us to segregate the data. This reduces our active vulnerability count, which improves tracking and helps us provide more accurate information to customers. It gives a more active grip on the information.
With continuous monitoring, we can customize dashboards according to customer needs. Whether they require reports on a daily, weekly, or quarterly basis, we can set up the dashboard to display the relevant data. It's essential to understand their requirements and adjust the Qualys Query Language (QQL) accordingly. A solid grasp of QQL is a plus when working with Qualys.
What needs improvement?
Sometimes, it can take more time than other tools to resolve certain issues. For example, if there's a problem with policy compliance, you might not get an immediate solution from Qualys' technical team.
Occasionally, customers ask for RCA (Root Cause Analysis), and if Qualys doesn't provide it, we can't give a clear answer. This can be frustrating, but it doesn't happen in every case.
In terms of improvement for the web application console, in the older version, things were more segregated and presented in a brief format. However, in the latest version, you have to write a query to retrieve the kind of data you want. Sometimes, if you write the wrong query, you don't get the proper count or the right data, such as how many days a scan has been failing. This can be an issue if you're not familiar with the query language. So, they should offer an optional feature where, if someone isn't familiar with the query language, they can use tab buttons or other features to enable or disable options and get the correct data and information on time.
Qualys VMDR should enhance the EDR (Endpoint Detection and Response) part because there's a lack of information and features in Qualys EDR. Sometimes, organizations have to buy different EDR tools, like Carbon Black and others, to cover the gap.
From a learning perspective, Qualys VMDR needs to improve. Right now, they only provide information, but they don't offer any library or testing environment. Often, customers don't allow changes to be made in the live environment, and I don’t think it’s a good idea to make any changes directly there. It would be great if they could provide a lab environment for testing. That would be really useful.
Qualys is updating certain product modules. Sometimes, they need to provide clearer deadlines. Customers aren't always informed when Qualys updates a module from the backend, which can disrupt our work. For example, they recently updated the "Asset View" module and converted it to "Cybersecurity Asset Management." Customers weren’t aware of this change beforehand.
In situations like this, they need to ensure that they provide proper information, SOPs, or documents so we can share them with customers. Customers also have access to the tool, so they can use the SOPs to learn how the updates work. This would improve productivity because we wouldn't need to spend extra time learning how to use the updated tool.
For how long have I used the solution?
I have been using it for around four years.
What do I think about the stability of the solution?
It’s very stable. Qualys provides advisories faster than other tools when it comes to exploitable vulnerabilities. This helps ensure we can secure the environment promptly.
But, last year we did encounter an issue with the Qualys Gateway Console, where the gateway went down and it took around six hours to set up a new one. After that, we implemented two gateways to ensure we could switch to a secondary one if the primary failed.
What do I think about the scalability of the solution?
Around 300 users work with Qualys, with different permission levels—leaders, managers, and regular users. We have over 50,000 hardware devices in total.
How are customer service and support?
We have a dedicated person for support. She’s always available to help, or if she's on leave, she ensures someone else is aligned to handle our cases, so we don’t breach any timelines. I'd give the support a high rating.
Which solution did I use previously and why did I switch?
In other tools, like Rapid7 and InsightVM, everything is done within a single module. In Qualys, we have separated modules with distinct functionalities. You can choose to purchase only the modules and licenses you need, which makes it cost-effective. You don’t have to pay for features you're not using, unlike other tools where everything is bundled.
How was the initial setup?
It's not an issue with Qualys itself. We encountered some problems when migrating from physical scanners to virtual ones, but that was more on our network team’s side. Qualys provided excellent support in that scenario, which helped us identify and resolve the issue on time, and we provided the solution to our customer.
I work with the on-premises version. We updated from physical scanners to virtual scanners.
In my previous organization, I worked on deploying the solution. There, I customized the Windows OS image so that when you install the image on any machine, it prompts for a key that’s already embedded. Once the steps are completed, it automatically installs the Cloud Agent module on every machine. The agent syncs data every four hours, providing vulnerability data and security insights for each machine.
It’s not a one-person task. We had to coordinate with several teams, such as the network and system teams, for deployment. In total, we worked with about six teams during the process.
For about 1,400 machines, it took around three months to complete the deployment and resolve any issues. For example, sometimes policies weren't pushed properly from Ivanti or other tools, or users didn’t turn on their machines, which stopped Qualys services. We had to address these issues for each user, so it took some time. But we completed the deployment in about three months.
Maintenance isn't difficult, especially when working with the Cloud Agent. You just need to set up rules, like purging machines that haven’t connected to the network in three months. You write policies to manage this, which simplifies the decommissioning process and other tasks.
What was our ROI?
Qualys provides good value for the investment. Before using Qualys, we weren’t clear on how many assets needed purging or how many open vulnerabilities we had. Qualys gave us a clearer picture, so from a cost perspective, it’s been valuable.
What other advice do I have?
I would recommend it. For enterprises, I’d suggest understanding how the tool works and which modules meet your needs. It’s important to coordinate with the customer team or Qualys technical team to figure out how many licenses you need and which modules will benefit your organization. Proper calculation and understanding are key before purchasing.
Overall, I would rate it a nine out of ten.
Which deployment model are you using for this solution?
On-premises
*Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: MSP