Qualys CyberSecurity Asset Management Reviews

My current use cases for Qualys CyberSecurity Asset Management involve hunting for software that is end of sale or end of life. I also use it to identify where prohibited software is installed on a device. For example, I identify if software that shouldn't be on an endpoint exists. That includes the vulnerabilities associated with certain software.

Improve software inventory capabilities

What I appreciate most about Qualys CyberSecurity Asset Management is the inventory feature, where I can look up assets, software, applications, open ports, and similar items because it's very useful. For example, with assets, I can see all the devices that have the protection installed and access one of these endpoints to see all the information about it. On the software side, I can see a list of all software installed on all my platforms, referring to all my endpoints that have the client installed.

The comprehensive approach that Qualys offers is beneficial because it includes the TruRisk score, which summarizes all vectors influencing the risk of an asset. For example, it highlights exploitations for certain vulnerabilities and provides all the links if they are available or public. Furthermore, the integrated Threat Intelligence platform within the interface allows me to see if there's a trend for certain vulnerabilities and check if I have that vulnerability on my platform.

One downside of Qualys CyberSecurity Asset Management is that I would prefer to see a more interactive dashboard. For example, when I see unknown software in the inventory and try to get a list of assets with certain software, I have to go inside the software menu. If I could have something more interactive that doesn't require going inside multiple categories, it would help. Also, I think the filters should accept three or more queries together to get broader results. However, this could also be an issue stemming from my knowledge or lack thereof.

I have been using Qualys CyberSecurity Asset Management in this company for at least one to two years, but the implementation has been around for three years.

I have experienced a couple of instances with lagging, but nothing substantial that impacts reporting. There may be some delays on the dashboard, but nothing affects the functionality of reporting vulnerabilities from the endpoint.

The scalability of Qualys CyberSecurity Asset Management is significant because you can deploy it across physical endpoints, cloud enviroments and VDI using a configuration file. If someone uses Windows Server, they could use a GPO to deploy it. There are many options. I've seen large platforms with numerous endpoints and vulnerabilities, and that makes me think they have an impressive capability for handling large volumes, which is very scalable in my opinion.

I haven't contacted Qualys technical support or customer support because we have a team that possesses extensive information and they reach directly to the vendor.

In the past, I used some open-source solutions at another company, but I don't remember the name. I recalled using them occasionally, but they didn't have this kind of reach. The same principle applies; you install a client on the endpoint, and it reports to the server.

I find the initial deployment of Qualys CyberSecurity Asset Management overall easy, especially with support from the vendor and personnel who understand how to handle the integration and permissions with the firewall to allow traffic.

The initial deployment took around a month or possibly less to fully deploy Qualys CyberSecurity Asset Management for the first time, though I wasn't present during the implementation.

I don't have access to the pricing information, but I understand that Qualys CyberSecurity Asset Management is expensive compared to other brands or vendors, although the price is worth it.

I have the most experience with Qualys CyberSecurity Asset Management, VMDR, and CSAM, as well as CA. Besides VMDR, I also used the Threat Intelligence model extensively.

Regarding the CMDB Sync feature, I learned about it just a couple of weeks ago. Although we don't have the implementation, we would find it useful to share information from Qualys, such as vulnerabilities and all devices, and track the person in charge of a certain device by creating a ticket.

The TruRisk score is a very useful feature, as it summarizes all the factors influencing the importance of a vulnerability concerning an asset or an endpoint. It helps with the prioritization of remediation.

We have both the passive sensor and the cloud agent. We use the cloud agent by installing it on the devices, while the passive sensor allows us to detect devices that don't have the protection and can't have the protection, for example, the networking devices.

We don't manage maintenance for Qualys CyberSecurity Asset Management as it depends on the vendor because they sometimes deploy updates and upgrades, but nothing is required on our end.

On a scale of 1-10, I rate this solution a 7.

I primarily use it for a small, single-site, multi-source setup with multi-WAN inputs. I have a main fiber connection and a couple of failovers while managing different networks across different segments.

I really enjoy the flexibility of the interface setup configuration for my network VLANs, which makes it very easy to configure. When I'm doing multi-inputs with internet providers coming in, it's very easy to manage and set up with very little effort.

The technical support is super responsive; I generally get a response within an hour, two hours, or three hours. I've only had to contact them maybe two or three times for very minor issues, but there's no issue there. I think it's very responsive.

I think the one thing Qualys CyberSecurity Asset Management can do better is the package management and the updating process. Knowing that you can't update any of the packages until you've done the actual operating system update can be a bit confusing. Beyond that, I don't have any major issues. There are generally some user interface updates and tweaks here and there, but that's a lower priority in my opinion.

I've been using it for about eight years in my career.

For stability, I would give it a 10; I have no issues there.

Scalability works well; I would say it's probably going to be a nine.

The technical support is super responsive; I generally get a response within an hour, two hours, or three hours. I've only had to contact them maybe two or three times for very minor issues. I think it's very responsive.

Positive

I've used Unifi primarily in the last couple of years, probably three years now, at a separate site. It's nice, but it's not nearly as configurable. Qualys CyberSecurity Asset Management software's ability to do VPN, both with regard to Tailscale and OpenVPN, is really very easy to use, whereas Unifi is not ideal. Their security is open by default versus Qualys CyberSecurity Asset Management, which is closed, which is always going to be preferable.

For an entirely new site, the initial deployment would take some time to configure and set up. If you're coming from an existing setup or configuration, you effectively export the configuration, upload it, and make some minor updates. Even with the booting environments, it's easy in that if you make a mistake, you can go back or revert to an existing experience. It might take some time, but it's not overly complicated. I would say it requires minimal effort, especially if there's a plan in place ahead of what the structure will be.

One person can do this type of deployment, but you're going to need to be testing. Honestly, it's not nearly as complicated as a larger, more legacy offering, so I think it's very easy.

I'm not entirely sure about the pricing; I don't know.

Qualys CyberSecurity Asset Management does require some maintenance on my end, such as manual updates in terms of releases. Checking those out, doing some testing, and confirming it looks good in a non-prod environment is not that complicated. Even again, if you do the boot states, it's easy to manage. They come out about every 12 months, and I know that's one thing against Netgate—that they're a little bit slower on development—but honestly, that's probably preferable because it's not constantly updating. My review rating for this product is 9.

My use cases involve using Qualys CyberSecurity Asset Management to detect vulnerabilities and then passing on the information to our IT team that has to fix the vulnerabilities.

The External Attack Surface Management covers my entire attack surface, but the majority of it doesn't apply to us because our external assets are not owned by us. We just have the external assets that are hosting our web pages.

The dashboards are my favorite feature.

I can pull up information and create my own dashboards specifically for what I'm looking for.

In addition to vulnerabilities, Qualys CyberSecurity Asset Management identifies all other risk factors for my assets.

The TruRisk feature could help prioritize vulnerabilities and assets, but our issue currently is that we weren't provided with adequate information to set things up correctly. We have many configurations to fix, and if we get to that point, it could be useful, but currently it's not because of inaccurate data.

The downsides of this solution include needing more knowledgeable account managers, and there needs to be more guidance on how to use their solution because there's so much to it. We've received very poor guidance from them, especially after learning several things we need to fix during the Qualys conference. Additionally, we need a solution to be able to do application deployment, which they sold us on a year ago, saying it was coming, and we still keep hearing it's coming.

I have been using Qualys CyberSecurity Asset Management for approximately a year.

I have seen some lagging, crashing, and downtime, but it doesn't happen very often.

It seems to be suitable for scalability. We're considered more of a medium-sized company, and it seems to be working out fine.

Their technical support is pretty good. The tickets I've sent in, they've been able to help me. We have issues with our account manager who does more than he should be doing and should be referring us to somebody else instead of trying to fix everything for us when he clearly doesn't know as much as he thinks he does.

Positive

I used Endpoint Central through ManageEngine before Qualys CyberSecurity Asset Management. It didn't detect as much as Qualys CyberSecurity Asset Management did, but the ability for our IT people to easily find the vulnerabilities and set up jobs was beneficial because it also had a fully application management and patching solution, including all third-party apps. It made it easier for our IT to fix vulnerabilities. Currently with Qualys CyberSecurity Asset Management, the majority of it is manual installs, and when you have a small IT team with over 5,000 assets, that becomes difficult.

From what I was told, the initial deployment was difficult, but I wasn't involved in that as I was in a different role when we deployed it.

I need to talk with my architecture team because after the Qualys conference, we've discovered there are things that aren't configured correctly. This could possibly mean we might need to get with Qualys CyberSecurity Asset Management to get things in shape so that we're adequately detecting vulnerabilities.

On a scale from one to ten for support, I would give them a nine.

We're just a customer and do not have any partnerships with Qualys CyberSecurity Asset Management.

I rate Qualys CyberSecurity Asset Management a six out of ten.

We use it to gain complete visibility into our assets and monitor our security posture.

Our overall experience has been very good. It gives us a 360-degree view of our assets. It gives us the complete data such as the types of services running or applications installed. If an asset or software is end-of-life or end-of-support, it provides the status related to that. Apart from that, we get to know the ports and services that are running.

Previously, I did not have visibility over the complete inventory. Qualys CSAM gives me the complete inventory with the number of assets connected to the network. Based on the cloud agents that were deployed and remote scans, we can see the whole inventory in a single module. The CSAM module allows us to track the end-of-life or end-of-support status of the software on our assets. We get to know in advance that particular software is going to be end-of-life or end-of-support. Such a feature helps us to take action proactively.

It gives visibility into the domains or subdomains managed by my organization. I can track those very effectively. I can even perform lightweight scans which are completely managed or controlled by Qualys, unlike remote scans that are performed by the end user. It gives visibility into the vulnerabilities related to applications or assets on a real-time basis because these scans are performed once a day on a daily basis. With one click, the EASM module provides the domain names related to my organization. Qualys directly performs the scan and if any applications or assets are not in my CMDB because I missed updating the details, it highlights them, so I have complete visibility over my publicly exposed assets or applications.

It is able to discover different kinds of assets, such as web servers, DB servers, or application servers. It can identify network devices. I even have visibility over the devices managed by ISPs, and I am able to take action appropriately.

Asset tagging is one of the main features of the CSAM module. While creating asset tags or after creating asset tags, we can set the asset criticality. Based on the vulnerabilities identified in the assets, Qualys provides a detection or TruRisk scoring.

TruRisk scoring helps prioritize vulnerabilities and assets. This prioritization is very helpful for me. In an infrastructure with 300,000 assets, we might see millions of vulnerabilities in the assets. We need to prioritize vulnerability remediation because we cannot focus on remediating all the vulnerabilities at the same time. We can start with the assets that are critical in our organization. TruRisk scoring helps with that.

It makes us more secure and also helps us with our KPIs or KRI. We have had zero attacks since we enabled all the features in Qualys CSAM.

It fetches the asset details based on remote scans or the cloud agents that are deployed. With passive sensors, I am able to see the rogue assets that are passing through a particular switch wherever passive sensors are deployed. I can see what other assets are connected to the network. One of my goals is to identify the assets that are missing with the cloud agents so that I can get the cloud agents deployed and get them added to my asset inventory. Network devices obviously cannot be installed with the cloud agents, but at least I have visibility that these are the network devices, or these are the endpoints, or these are the servers, whereas rogue assets are a threat to the organization. They may even compromise other assets in the network, so with these passive sensors, I am getting complete visibility.

Even IoT devices can be scanned through these passive sensors. The passive sensors can read the configuration of the devices passing through a particular switch. Previously, I used to perform remote scans on IoT devices. This effort of performing the remote scan is minimized because these passive sensors are able to find the vulnerabilities related to any of the IoT devices by reading their configuration. This is another feature that is helping me as part of our operations.

The External Attack Surface Management (EASM) module, available within CSAM, is valuable. It helps track all the domains and subdomains related to our organization. It performs the discovery scans and provides the results of the domains or subdomains related to my organization. It also performs scans to identify any vulnerabilities, which helps to take proactive measures before those vulnerabilities are identified by any attacker.

The IoT or OT asset discovery feature is valuable. We can analyze the traffic that is passing through at the L2 switch level with the passive sensors. It provides information about any rogue asset connected to a switch or a network. We can see all the unmanaged or managed assets.

The ability to define a list of unauthorized software and create a rule to define software authorization is helpful. We have a diverse organization with a robust infrastructure of more than 300,000 assets. By creating unauthorized lists and rules in the Qualys CSAM module, I can block certain software from being used in the organization. When I create such a rule, I can see all the assets having unauthorized software installed. I can then immediately take action by blocking that asset or remotely uninstalling that particular software. Such actions can be taken directly from its interface when I have unauthorized software rules in place. This is an important and helpful feature for my organization.

The scanning function could be improved. Currently, in the EASM module, the scan frequency is limited to once daily, but allowing end users control over scan scheduling would be advantageous. Publicly exposed assets are very critical. If a remediation action is taken by the end-user or the auditor working on a vulnerability management program, that person must be given access to run the scan as and when required. This way they can immediately check whether that particular vulnerability is present or not.

Also, allowing more comprehensive scan configurations could be beneficial. The lightweight scan that it does is only based on the ports or services that are identified through the Discovery Scan. It would be helpful for the auditors to be able to run a more comprehensive scan.

Additionally, while downloadable asset information is available in the CSAM module, it lacks mapping of software to assets in a consolidated report format. For instance, if I want to download information about 100,000 assets along with the software mapped to those assets, this option is currently not available. If I download the SH details, it will have only the BIOS information, the serial number of the device, the hostname, the MAC address, and the IP address. Only these details are available. It does not give information about the software installed on those assets. The software mapping with assets is not given in a consolidated report. Enhancing this capability would elevate its usefulness.

I have been using the CSAM module for about four to five years. It was previously known as AssetView. We used AssetView for over 12 years and then shifted to using CSAM when it was introduced four to five years ago.

The platform is quite stable as it is able to handle data from various sources, such as cloud agents or the VMDR module. It has the EASM capability. It is pretty stable even though it holds a lot of data related to our assets or applications. I would rate it a ten out of ten for stability.

Scalability is impressive, supporting a myriad of features and substantial data from diverse modules. It offers a comprehensive view of asset management and is equipped to handle an extensive array of data efficiently.

Our organization has its presence in different geographical locations. We have about 300,000 assets installed with agents worldwide.

There are 50 to 60 people from the IT team and the information security team working with Qualys CSAM.

I am satisfied with their support. I would rate their customer support a ten out of ten.

Positive

I was using the AssetView module before migrating to Qualys CSAM. AssetView has very basic features. Other than the asset tagging feature, AssetView does not have other features available in Qualys CSAM, such as EOL detection and software version detection. 

Knowing the software version is very useful for me when any zero-day vulnerability is published. I can check the version of the software that is vulnerable to a zero-day CVE, and then with the Qualys CSAM module, I can see the assets that are using that particular vulnerable version. Without even performing the active scan, I can get visibility over the assets having vulnerable versions. I can then take the remediation action. This is the most important feature in the CSAM module as compared to AssetView. 

The initial setup was straightforward. Although I was not a part of the implementation team, I understand it did not take much time due to an efficient cloud agent deployment and network connectivity setup.

It does not require any maintenance from our side. There is almost zero-touch maintenance because it is a SaaS platform managed by Qualys itself. We might have to modify or create asset tags or dashboards. These are operational tasks that we might have to do on a regular basis. Other than that, no maintenance is required from our side.

The implementation involved a small team of about five to six members who collaborated with the Qualys vendor.

Though the solution is considered expensive, if bundled with other services such as VMDR or cloud agents, its value would significantly increase. It is currently a bit costly, but with bundling, it could become attractive to more customers.

I would highly recommend this solution to other users looking to enhance their asset inventory visibility. Asset inventory is the primary source of truth for any IT team or information security team. Qualys CSAM provides that visibility. With the integration of CMDB, you get even better visibility over the asset inventory. You also get EOL information about the assets and applications. These are the main reasons for recommending it. I am pretty happy with it.

I would rate Qualys CSAM a ten out of ten.

At our Android development company, Qualys CyberSecurity Asset Management safeguards our development environment and digital assets, including sensitive codebases, APIs, databases, and cloud-based infrastructure. By continuously monitoring these assets, Qualys helps us detect vulnerabilities, misconfigurations, and potential malware, protecting both our proprietary technology and client projects from threats like ransomware and malicious activity. Furthermore, it ensures compliance with industry standards through real-time insights and automated security patches, fostering trust between us and our valued customers.

Qualys Cybersecurity Asset Management offers comprehensive features to cover our entire attack surface. Its cloud-based platform provides full compliance management, ensuring infrastructures align with databases and standards. Cloud storage enables easy data retrieval and recovery. Additionally, it utilizes AI-powered features to monitor and manage security patches, enhancing overall security posture.

Qualys Cybersecurity Asset Management utilizes advanced deep neural networks and AI to identify previously undiscovered assets and threats, crucial to our company's security. We discovered an additional 120 assets with Qualys CSAM.

It has significantly enhanced our company's security by providing real-time visibility into all access points across our development ecosystems, improving vulnerability detection and risk management. This allows us to address security gaps quickly before they escalate into critical threats. The automated discovery of misconfigurations ensures continuous compliance with industry and government standards, reducing manual efforts and freeing our team to focus on innovation. This comprehensive approach has fortified our infrastructure, protecting sensitive code, client data, and cloud management from cyberattacks. Consequently, we have faced fewer security threats, allowing us to focus on other areas for improvement within the company.

The Asset Management helps us identify all risk factors, including vulnerabilities and malicious attacks, along with various other aspects of asset management.

This advanced cloud system utilizes APIs to connect and retrieve data, while passive sensors track the code bases of our applications.

Passive sensors hinder the real-time identification of potential risks, as they transmit real-time data and additional information with a delay. However, the system's speed, combined with AI, deep learning, and robotic process automation, enables efficient risk identification despite this limitation.

The most valuable feature is the real-time visibility Qualys CyberSecurity Asset Management provides into all assets across our development and operational environments. As an app development company dealing with multiple platforms, servers, APIs, and mobile data, each becomes a significant target for cyber threats. 

Qualys CyberSecurity Asset Management ensures a comprehensive inventory of all assets, regardless of their distribution. This allows us to detect vulnerabilities, misconfigurations, and outdated systems before they become security issues. The automated vulnerability scanning and patch management features, with automatic risk identification and remediation, are also invaluable. By reducing manual intervention, these features increase efficiency and allow our team to focus on other priorities.

There are a few areas Qualys CyberSecurity Asset Management can improve. First, the UI needs improvement as it can become overwhelming after prolonged use. A more intuitive design with simplified navigation would be beneficial for all team members, especially beginners. 

Second, the reporting feature could offer more customizable templates and easier-to-digest visualizations. This would help in creating targeted reports for different stakeholders, such as technical teams and executives. 

Lastly, integration capabilities with third-party tools and platforms should be expanded. While some integrations are supported, more options like CI/CD pipelines, which are integral for app deployment, would be advantageous.

I have been using Qualys CyberSecurity Asset Management for one year.

I would rate the stability of Qualys CyberSecurity Asset Management eight out of ten.

I would rate the scalability of Qualys CyberSecurity Asset Management ten out of ten.

Once we needed to contact their customer support, we received timely assistance. The support team was knowledgeable and offered a variety of quick resolution options. They also provided extensive documentation and access to community forums, allowing us to find solutions independently.

Positive

I previously evaluated Nessus, but while it offers effective vulnerability scanning, it lacked the comprehensive asset management and continuous monitoring capabilities necessary for expanding our application management system. We needed a solution that provided deeper visibility into our digital assets, including cloud infrastructure and mobile applications. 

Qualys offered a more integrated approach by combining vulnerability management, compliance checks, and real-time inventory in a single platform, simplifying processes, improving collaboration between development and security teams, and offering greater scalability.

The initial setup was smooth and easy to follow, aided by guidance from the Qualys team.

The deployment took three to four hours.

The implementation was performed with assistance from the Qualys team, who helped with platform configuration and integration into existing systems.

Our return on investment includes a significant reduction in security incidents, decreasing potential costs related to data breaches, system downtime, and compliance fines. This was achieved through streamlined vulnerability management, which reduced labor costs by approximately $109,000 annually. Additionally, enhanced client and company trust led to approximately $99,000 in new contracts. These improvements to our security infrastructure contributed to overall business growth of approximately 150 percent over the past year.

The pricing for Qualys Cybersecurity Asset Management is reasonable, with an annual subscription costing around $1,000 per year or a monthly subscription starting at approximately $72 per month, depending on the specific package and features included.

I would rate Qualys CyberSecurity Asset Management eight out of ten.

We use Qualys CyberSecurity Asset Management in six locations across the country.

Qualys CyberSecurity Asset Management does not require any maintenance.

I would advise fostering security awareness through regular review and updates to security policies and protocols. Staying informed about other platforms is important, but Qualys CyberSecurity Asset Management is a fit for our company due to its reasonable cost, scalability, stability, and excellent integration and deployment features.

We use it for scanning, vulnerability management, a little bit of policy compliance, and some web application scanning.

We primarily implemented it for StateRamp compliance requirements with NIST 800-53.

There have been some instances where devices that were not known to be in a specific place were discovered. They were primarily EC2 instances deployed in an AWS account. Our systems are scalable. They scale in and out all the time, so it is hard to give a precise number of the devices discovered. It probably discovered 3% to 5% of the overall system.

In addition to vulnerabilities, it identifies other risk factors for our assets. It does not cover all, but it covers about 80%.

The scanning results are pretty good, and some of the insights are quite valuable. The fact that it is a largely cloud or SaaS product means that there is less management and maintenance required. Those are all benefits we like.

We have had challenges modifying the agent configuration. Particularly, when we want to change the tenant that the agent is pointing to, we have had difficulties making that reliable and working properly. For Windows agent installations, updates require more than a simple configuration change. It requires a download and install, which we find cumbersome, but once it is in place, it is pretty good.

We have been using the solution for about two years.

Our systems are scalable, so they scale in and out all the time.

It is above average. There have been issues where we had to bring in Qualys and other vendors. There was some finger-pointing back and forth about who was responsible, which is common, but overall, they are responsive and generally knowledgeable.

Neutral

For web application scans, we previously used WebInspect, but we changed due to scalability issues. WebInspect could not meet our frequent scan requirements without significant infrastructure improvements. Qualys seems to be able to handle it better.

We also used Tenable IO, which was not very cloud-aware, whereas Qualys has better AWS cloud integrations and capabilities.

It was a little time-consuming, but we did not find it overly complex.

The first time, it took about two weeks. Subsequently, because we worked out the kinks and figured out some things, we could get a new system up and running in a couple of days.

It requires regular patching maintenance, the same as any other OS. There is nothing outside of what I would consider normal. We have two people involved in maintenance.

Two people were involved full-time with a handful of support staff. Their roles included security vulnerability engineer, network engineer, and network architect. We also had some consulting professional services provided by Qualys.

It has reduced the amount of in-house development and configuration changes needed to make the scanners compatible with the AWS cloud. It has reduced the number of development and scripting hours along with maintenance hours. It has allowed fewer individuals to manage the system overall, providing some ROI benefits.

The pricing is market-competitive. We have large licenses through a corporation, but I am only involved with a small portion of it, so I do not know its price.

Defense-in-depth is very important. There are many layers to a network. There are many layers to an operating system, and there are many layers to applications. It is essential to provide security, detection, and prevention at each one of those layers.

To a colleague at another company who says they only need to add External Attack Surface Management to their vulnerability management detection/response program but they do not need the full depth of the CSAM offering, I would say that they are likely to get hacked.

We do not use Qualys CSAM for the entire attack surface. We primarily use it for production deployments. Our entire attack surface, corporate-wise, is managed elsewhere. It is competitive. It is not the best that I have seen, but it is competitive.

TruRisk Scoring helps prioritize vulnerabilities and assets, but we do not use it all that much. Our reporting requirements are tied to CVE rankings. While we sometimes take a look at it, we do not rely on it.

We use the solution's CMDB Sync feature, but we use it more as a confirmation of an existing CMDB tool we have.

I would rate Qualys CSAM an eight out of ten.

We primarily use it to collect asset information. Our primary value from it is in collecting on-premises assets, as well as the ability to tag those assets with custom tags. We are also using the external attack surface management portion a little bit. We have not fully operationalized it yet, but it looks intriguing.

Additionally, we are leveraging Qualys CSAM's capability to detect software and applications, as well as to identify unauthorized and authorized software in the environment.

From an inventory point of view, Qualys CSAM gets everything very well. We augment that with Qualys TotalCloud, so we get better insights into our cloud platform, but for our internal data centers, this is our source of truth for asset information.

Our favorite features are the tagging and the ability to quickly find assets in the portal. 

Additionally, I do like the fact that Qualys CSAM is integrated with the rest of our vulnerability scanning utilities. We use the full suite from Qualys. The fact that it is integrated makes it very easy to understand. It shares tagging information with VMDR. That is very nice.

Qualys CSAM has discovered assets not previously covered by our vulnerability management program. Primarily, if we have assets without vulnerabilities, they become less visible, but Qualys CSAM alerts us to them because they have IP addresses and are attached to our network. It could discover everything from printers to servers to endpoints. It could discover UPSs, network devices, and across all operating systems. It discovers our security badge readers and digital signage. We have to feed that the IP address ranges, but beyond that, it finds everything in our internal network.

We were able to realize its benefits within the first quarter of installing it. We did have to take some time to learn it and understand how to operationally leverage what it was telling us, but it was very quick.

In addition to vulnerabilities, Qualys CSAM helps identify other risk factors to a degree. For instance, we can see if servers or assets have incorrect naming standards. We have our network segmented into development model, test, and production, and we have server naming standards that identify which management they should be in. If a production server has the naming standard of a development model server, we can find that. That is one area we have used it for.

We are not fully using TruRisk, but we are using the Qualys detection score that is central to our corporate risk prioritization approach. It has completely replaced our homegrown one.

Some areas that would be helpful are more comprehensive tagging and the ability to set up better dynamic rules. 

Also, in the area of software categorization, having only three categories (approved, unapproved, unknown) is limiting. We would prefer more options, such as 'approved only for pilot' or 'approved for this line of business,' allowing for better granularity in categorizing software.

They do not yet have a built-in integration with the service management tool that we use. We do not use ServiceNow. We use a different one. We are using a product called Symphony Summit.

We started using it probably about a year and a half ago. It became operational around mid-2023.

We have encountered very little instability. I have subscribed to their update notifications, and I love getting the release notes because there is always something new in there that is exciting. They are constantly adding capabilities. I love that. It is a bit challenging to keep up at times, but if you want to maximize the value of the tool, you have to stay on top of release notes. As far as stability goes, there is almost nothing. Overall, there are almost no issues. If there are any issues, they usually affect the entire pod. It is not specific to CSAM.

With roughly 10,000 assets under management. We have not encountered any issues with scalability at all.

I have not personally contacted technical support, but I know we get a very good response. We have an excellent technical company who will escalate and support us. We have had a pretty good experience with technical support.

Positive

I used to have some involvement with a CMDB product from BMC called ADDM. It was similar to Qualys CSAM, but due to a lack of organizational appetite to support it, it was replaced. That is the closest thing to Qualys CSAM that I have ever played with.

It is a cloud solution. We do have cloud agents that reside on our endpoints or assets. I do like the fact that Qualys CSAM uses the same agent on the assets as all the other Qualys products. That was a big plus over other things that we looked at.  They required another agent to be installed.

Its initial setup was fairly easy. It takes a little bit of time to get things fully operational and standardized, but Qualys CSAM was easy to install and get up and running. We had to sit back and think about how we best wanted to represent the tagging. That took some time. We are still playing with that. The biggest challenge has been coming up with the best way for us to represent the assets and software discovered by Qualys CSAM.

We had to consider the best way to represent tagging in our system and ensure everything was standardized, but the setup process itself was straightforward.

It did not take us long to fully deploy it. It took less than a week because we already had the cloud agents installed for VMDR. We or our account manager flipped the switch to turn the license on, and we started collecting data right away.

The deployment of Qualys CSAM was a one-person job. We had an additional person for backup reasons, but the job primarily required only one person.

Its maintenance is being taken care of by Qualys. The software tagging is manual, so we have to go in and manually say that product XYZ is no longer approved. That is the only maintenance we do on that platform. It is just whether or not the software is approved or not.

The pricing is fair. I would love to see the price come down a little bit, but we do get a lot of value out of it. We are squeezing every ounce of value we can out of the tool.

Like every product, there are nuances. You have to understand that there are different categories of software. When it detects software, it puts it into various categories. It took us a little while to understand their taxonomy for the software side, so my advice would be to spend a little time understanding that.

We have had good luck with the API. To automate things, we are leveraging their CSAM API, and it is working fine, but there is a little bit of a learning curve. In terms of the core product, you turn it on and it just starts. If you have VMDR already in place, it starts to collect data for you right away, within minutes.

I would rate Qualys CSAM a nine out of ten. If they had a connector for the service management tool that we use, it would be a ten.

We are using Qualys CyberSecurity Asset Management for daily activities such as identifying new assets through network scanning and agent-based scanning for newly provisioned assets. When any new asset enters the network, we can identify it. We follow up with the team if any Windows device or other device does not have an agent installed, as we can still maintain visibility. We have established a process where if any machine that supports agents is not installed with a Qualys agent, we can follow up with the team appropriately using that particular data.

We use the True Risk Score for vulnerability prioritization, though we do not solely rely upon it since some assets may be decommissioned soon or not in use. From Qualys CyberSecurity Asset Management, we primarily focus on internet-facing assets. We have created separate tasks for internet-facing assets and track the True Risk dashboard specifically for these assets. If the True Risk Score is higher for any internet-facing assets, then we take action accordingly. The True Risk Score is very helpful for prioritization.

The initial setup was straightforward and easy. We needed to create customized tags, group them twice, and validate whether the operating system detection was true positive or false positive. We encountered some false positives, which required coordination with the IT team for verification. In six months, we had approximately 20-25 machines that needed verification on a weekly basis. We coordinated with the IT team to identify the exact operating system specifications.

Qualys CyberSecurity Asset Management helps us prioritize assets according to operating system, kernel version, installed software, and current version information. The ASM assists with attack surface management from an outside perspective, showing how the environment appears, including misconfigured assets or end-of-life/support assets. This information is visible in both ASM and Qualys CyberSecurity Asset Management. I would suggest purchasing Qualys CyberSecurity Asset Management instead of ASM for better results.

We have been using the solution for approximately six months, not quite reaching one year yet.

We have never experienced instability issues. The system is stable with excellent responsiveness and user interface. We have never encountered slowness issues.

The scalability is excellent as we manage more than one hundred thousand assets, including over one hundred thousand endpoints, approximately 2,600 servers, and more than 1,200 network devices. It is very easy to use, and the categorization never fails to display accurate information.

The support is extremely helpful, deserving a 10 out of 10 rating. They resolve issues within one day, possibly because customers are purchasing this product, so they may be focusing more attention on Qualys CyberSecurity Asset Management.

The deployment took less than one week. After the purchase, everything was set up and completed within that timeframe.

We have only used Qualys CyberSecurity Asset Management. For asset management, there are alternatives such as Rapid7 and CrowdStrike, but Qualys has a wider range of categorizations in their Asset Management solution, making it superior.

We have contacted customer support when identifying false positive operating systems. When IT teams report discrepancies in operating system identification, we coordinate with support. Registry key changes were implemented to correct these issues, which helped the agent identify the exact operating system. Some registry keys were preventing the agent from identifying the correct operating system.

Regarding integration, we need additional customized dashboards based on software versions or organization-specific software. The agent can collect the data, but we need customized dashboard capabilities for internal software specific to our organization.

Qualys CSAM covers the entire attack surface, including assets in the cloud, public-facing assets, and private hosting. We can create categorizations and analyze True Risk for these assets before prioritizing vulnerability remediation.

Regarding CMDB integration, the service now team is working on the integration, which is expected to complete within two months. We have provided the required attributes and requirements.

This review rates Qualys CyberSecurity Asset Management 10 out of 10.

The use cases for Qualys CyberSecurity Asset Management (CSAM) include getting software details, such as identifying software that is reaching end-of-life (EOL) or has already become EOL, and getting asset details.

Additionally, the integration with Shodan through External Attack Surface Management (EASM) helps get asset details of public-facing assets.

I also use its reporting capabilities. I can generate reports related to software with queries.

I also used the web application to see potential web-hosted assets for our subscription.

ESAM covers the entire attack surface. Earlier, we were using a third-party vendor, but we now completely rely on Qualys for ESAM. It scans the assets and also tags them based on the domain and subdomain. It discovers more and provides complete details about the assets, such as the external interface and internal interface. It correlates them, and we get the complete details of the assets, which were not given by the other solution. It just gave the IPs. We had to take the IP, put it in Qualys, and check the details. With Qualys, it is very easy to get the asset details.

We were able to realize its benefits immediately after the deployment. 

We use the TruRisk score, but based on the QDS and ACS, we have also derived our own severity for the organization. We assess whether it is really exploitable and being exploited in the wild.

We had some issues with the agents and detections until May, but after the version upgrade to 5.4, we saw a tremendous improvement in detection. We have 99.9% detections, and we were also able to achieve 84% patching and compliance in five days because of the detections.

I like the EASM part because it provides visibility into unmanaged assets that are public-facing. Previously, we had to log in to Shodan and get the details. Instead of that, Qualys has an external scanner that scans the assets belonging to, for example, Infosys. We give the domain, subdomains, and any related subsidiaries in the configuration. Based on that, it scans the domain and gives correlated results with the public-facing IP and the internal IP used in Infosys for an asset. I can see both interfaces in EASM. I can see the software details for all the assets and any ports that are open on the assets.

For some of the software, there was no life cycle or general information. We wanted them to give details in the database as and when the software comes. I raised a ticket for that, and after that, they updated the details for more than one million software.

They should address the false positives generated in EASM. It is fetching assets that have Infosys as the keyword. They should fix that.

When we click on the web application, it only shows potential web assets. The application details are not there.

Overall, CSAM has matured a lot. These are the few enhancements that need to be done.

I have been using the solution for three years. I use it regularly for my day-to-day activities.

We have not seen any issues with stability such as lagging, crashing, or downtime.

Qualys CSAM is highly scalable. I would rate its scalability a ten out of ten.

Customer service is efficient, with a support executive being assigned within 24 hours. They respond based on ticket severity. The support team actively involves themselves in resolving raised issues.

We also have governance calls where we raise tickets and troubleshoot and resolve any concerns.

For EASM, we were previously using another solution. They only provided basic details like IP addresses. With CSAM, we have comprehensive asset details, including enumeration and routing details. We also have TruRisk details.

The other vendor only gives me the ID. They do not tell me who the owner is. Qualys gives me all the information about the assets, software, vulnerabilities, open ports, and interfaces. We get the network summary and asset summary in one place.

Its initial setup was relatively straightforward. The deployment did not take much time.

Its maintenance is taken care of by Qualys.

The deployment was done in-house by one person, without the need for an external integrator or consultant.

The pricing for Qualys CSAM is nominal.

I would rate Qualys CSAM a ten out of ten. I am very satisfied with its features, including dynamic and static tagging, and the comprehensive details it provides for asset management. I am happy with it.

We use Qualys CyberSecurity Asset Management to improve asset tracking and manage our security posture, thereby minimizing security risk. Enhanced visibility into our asset inventory enables us to implement appropriate security measures to protect against potential incidents and threats.

The major challenge in security today is that many organizations still have an extreme problem: they are not aware of how many assets they have. As businesses grow, their assets grow as well. However, asset tracking has traditionally been a manual and cumbersome process. Due to this, many assets were mismanaged. Nobody tracked them properly, and assets were not updated with OS patching or application patching. This was particularly problematic for data sets, as many people across the organization were unfamiliar with those assets, which led to security issues. This is why we implemented Qualys CyberSecurity Asset Management.

The external attack surface refers to the externally visible endpoints hosted by any company. External scanning can be performed to identify the number of publicly-facing assets. CSM provides functionality to scan these external assets, and based on the scanning results, patching can be performed to address any identified vulnerabilities.

The best part about Qualys CSAM is that it continuously pulls data. We can either install a cloud agent on all our machines or use IP wave scanning to identify the IP subnet. Qualys CSAM will identify any machine that spins up within that IT subnet during its scheduled scans. Once it finds a new machine within the subnet, it will register it as a new asset and populate it on the dashboard.

Qualys CyberSecurity Asset Management was able to identify an additional 50 to 100 assets that were not part of our vulnerability management program.

The key functionality of CSAM is a new feature update that Qualys releases periodically. It provides organizations and IT professionals with key metrics to understand how assets behave within their infrastructure, addressing the issue of unfamiliarity. CSAM focuses on efficacy, efficiency, and improved asset tracking. Better asset tracking enhances security posture, enabling timely patching and streamlining the entire vulnerability management lifecccccycle. Asset management is the first phase, and when asset tracking is simplified, the entire vulnerability management cycle becomes easier.

When discussing additional risk factors, CSAM provides crucial insights into the nature of the host, including basic information like hostname, IP address, operating system, installed applications, initial discovery date by Qualys, and current online/offline status. Leveraging risk factors like initial discovery date and the presence of malicious or outdated applications allows for collaboration with patch management teams to assess machine compliance. Effective asset management lifecycle practices empower organizations to comprehensively address many risk factors.

The True Risk Scoring was accurate. While false positives are always possible, they were minimal in Qualys, making it nearly perfect.

I have leveraged active and passive sensors, such as Qualys Cloud Agent models, to gain better visibility into our assets.

Qualys will send a probe whenever we have passive sensors and an established IP connection. This probing timeline indicates how frequently the network needs to be probed—for example, every 30 minutes. Based on the timeline, the sensor will probe the entire IP range and detect any new machines that appear, improving our visibility.

The best feature is asset discovery through their cloud agent or IP-based scanning. It provides detailed information about each asset, including its operating system, applications, power status, and improved asset polling. These are some key metrics provided by Qualys CyberSecurity Asset Management.

In our reporting, we faced a challenge syncing with cloud devices. The issue arose because, let's say, we have 250 licenses and use AWS cloud with its auto-scaling feature. As the load increases, the server count automatically scales up. The cloud agent was installed on the new devices, but when the old devices were decommissioned, it wasn't uninstalling from the asset as it should have been. This made asset tracking with cloud auto-scaling quite challenging, as we had difficulty uninstalling the sensor.

I have been using Qualys CyberSecurity Asset Management for five years.

I would rate the stability of Qualys CyberSecurity Asset Management nine out of ten.

I would rate the scalability of Qualys CyberSecurity Asset Management nine out of ten.

I have used Tenable Nessus, Greenbone, and Rapid7, but my confidence in Qualys is far greater than that in the others.

Some of the reasons we chose Qualys were its user interface, ease of problem-solving, and straightforward explanations of use cases. The deployment facility, deployment guidelines, post-deployment management, and Qualys support team assistance we receive after purchasing the product are excellent. These factors influenced me to choose Qualys over other products.

The deployment is straightforward, and Qualys is easy to understand. The transition from on-premises to the cloud was smooth, and overall, it was a positive experience.

The transition from on-premises to the cloud, including around 5,000 devices, took me one month to complete.

We have observed a return on investment of approximately 95 percent, and Qualys CyberSecurity Asset Management has also reduced our costs by 35 percent.

Qualys CyberSecurity Asset Management provided an excellent return on investment. It offered comprehensive visibility into the security lifecycle across our organization, providing clarity on the state of our security infrastructure. Furthermore, it stands out as one of the top vulnerability management tools currently available.

Qualys offers excellent value for money. Its pricing model is transparent and fair, with no hidden fees. It provides flexible options tailored to our specific needs. Its pricing structure is easy to understand, and its team will work with us to find the best solution. It's open to discussions and committed to offering competitive pricing. Compared to similar products on the market, Qualys is priced competitively.

I would rate Qualys CyberSecurity Asset Management nine out of ten.

We hosted Qualys CyberSecurity Asset Management in a single location, not multiple locations. From a security perspective, we utilized availability zones, but there was only one physical location. I served as the administrator, and in addition to me, there were four to five other individuals who used Qualys for enhanced monitoring.

From a maintenance perspective, if the Qualys platform requires maintenance, customers will receive prior notification. This ensures that customers are aware of any potential service interruptions. Every software system needs maintenance, whether for an upgrade or to implement significant changes.

I highly recommend Qualys to others.