Qualys CyberSecurity Asset Management Reviews

I use Qualys CyberSecurity Asset Management for vulnerability management and patch management, as it gives me a global view of our infrastructure, including what is installed and what assets we have. As we always say, before securing your infrastructure, you need to know what you have. I use Qualys CyberSecurity Asset Management to obtain this global view of our infrastructure.

I recently implemented external attack surface management and have not yet explored it extensively. I'm in the process of discovering its features over time; I began monitoring our subdomains and websites from an external view about a month ago. Therefore, I don't have a detailed answer regarding its effectiveness yet. I am still in the early stages of implementing the external attack surface management solution. We haven't reached a point to provide feedback or evaluate how well it has helped us discover any previously uncovered assets in the vulnerability management program. I am currently working on this and plan to present my findings to our IT leadership.

In addition to identifying vulnerabilities, Qualys CyberSecurity Asset Management monitors our infrastructure, including tracking certificates and user access to assets. This information is useful in our IT department for compliance purposes.

The TruRisk scoring feature of Qualys CyberSecurity Asset Management helps prioritize vulnerabilities and assets, offering more information than traditional metrics, where we usually focus only on severities four and five. By examining TruRisk, we find vulnerabilities of severity five that might not be as dangerous as they appear, allowing us to target the exact vulnerabilities we need to fix better than just relying on severity alone. However, not all IT departments may focus on TruRisk, as most tend to adhere to traditional approaches.

I utilize the CMDB sync feature in Qualys CyberSecurity Asset Management. I want to mention that previously, in my last position, we used traditional CMDBs, but now we synchronize the CMDB with Qualys. This correlation with other information in Qualys, the VMDR module, gives us better visibility and correlation between our asset inventory and our vulnerability inventory.

The correlation between the VMDR and CMDB in Qualys CyberSecurity Asset Management affects our meantime to remediation significantly. If there is a vulnerability in one software, the CMDB correlation can provide all assets with this vulnerable software, allowing us to deploy remediation efforts efficiently and focus on the exact assets that require attention.

One of the useful cases for Qualys CyberSecurity Asset Management is during compliance or audit missions, where we need to report on assets with specific software. For instance, if we need to confirm how many assets comply with our software whitelist, Qualys CyberSecurity Asset Management greatly assists us in obtaining these reports quickly and with enhanced visibility of information.

I mainly appreciate Qualys CyberSecurity Asset Management for its patch management capabilities, which are essential in my job for deploying patches and remediating vulnerabilities. While deploying patches, I utilize Qualys CyberSecurity Asset Management to identify exactly which assets are vulnerable and which require new software installations or updates. One thing I appreciate about Qualys CyberSecurity Asset Management is that it is user-friendly; the interface is easy to navigate, and it provides extensive information. Before using Qualys CyberSecurity Asset Management, I relied on multiple applications for information, but it consolidates all that information from different platforms into one solution.

Qualys CyberSecurity Asset Management continues to improve and get better day by day, particularly with enhancements dashboards. I encountered a few problems while using Qualys CyberSecurity Asset Management, particularly regarding software inventory management. I primarily check for deployed updates; however, sometimes both updates and software types appear together on one list, making it hard to differentiate. For example, when I review what's deployed on my laptop, I see Microsoft software, Windows updates, and other software mixed together, resulting in noisy reports. 

Additionally, I find that while information is available regarding which users have access to our servers, retrieving it often requires checking servers individually rather than obtaining a consolidated extraction when needed. These two use cases are beneficial, but improvements in these features would be greatly appreciated.

I have been using Qualys CyberSecurity Asset Management for two years.

The scalability of Qualys CyberSecurity Asset Management system is satisfactory. It is indeed scalable. 

I have previously worked with Qualys technical support, and they were quite helpful and responsive, providing us with the exact solutions we needed when we reached out for assistance. I would rate the tech support of Qualys a perfect ten out of ten for their performance.

Positive

I have worked with different solutions associated with the CMDB, and for patch management.

We utilize the cloud version of Qualys, which is hosted on AWS. I haven't been involved in the purchasing or initial setup of this part.

Regarding the deployment of Qualys CyberSecurity Asset Management, I did not work directly on the project. I typically find that the project is already completed, so my role involves deploying the Qualys agent. I think this process is smooth, as my colleagues who manage the project have not reported any significant problems.

To a colleague at another company who believes they only need external attack surface management for their vulnerability management and detection response program, I would advise them to fully utilize Qualys CyberSecurity Asset Management for a better experience. By using all its features, rather than limiting themselves to just external attack surface information, they can gather more comprehensive information that can enhance their job performance.

For organizations considering Qualys CyberSecurity Asset Management, my advice is to fully utilize all the features available to maximize the experience. By leveraging all information provided, IT professionals can enhance their operations since every detail matters, and more information generally leads to better outcomes.

I would rate Qualys CyberSecurity Asset Management an eight out of ten.

We use it to collect all software-related information, including external attack surface information. All of this information is validated here.

We were facing issues with collecting information about external facing assets and getting vulnerabilities for assets not managed by us. We also wanted visibility into particular IP address configurations or domain-based information. Qualys CyberSecurity Asset Management helps us with visibility into the assets that we do not know about or that someone is misusing.

Other than that, we are using it for software inventory purposes. We can see whether any unauthorized software is registered on any machine or whether any required security tool is not installed on the machine. We can also see if any specific assets are critical and if there is anything we need to focus on from a network perspective. From the portal, we can get all this information as a report.

The visibility into all the assets is the main improvement. We are able to see any new external-facing assets, as well as the assets that we do not manage. For example, for the asset that we do not manage, we could get information about a particular port being open on an IP address or operating system. It helped us with about 20% of our assets.

Management of unmanaged assets enhances the organization's risk assessment capabilities.

The TruRisk mechanism helps us in some scenarios by giving an asset criticality score. It helps us focus on critical assets.

Qualys CyberSecurity Asset Management helps us identify any end-of-life software or unmanaged assets. With the CAPS mechanism, the Qualys agent can validate unmanaged assets and provide information.

Authorized and unauthorized software visibility is the best feature for me. It helps me understand security controls on our network and where we lack visibility. With a single security tool, we are able to get an extensive list. 

Additionally, I can verify version controls and port details for major applications.

There can be further simplification to reduce the overall noise and provide ESAM-related data. Some data modification might also be required, but that is not as critical as noise reduction.

I have used Qualys CyberSecurity Asset Management for over three years.

Its stability is good. I do not have an issue with it. I would rate it a ten out of ten for stability.

Its scalability is good. I would rate it a ten out of ten for scalability.

We are located in different countries. It is being used by our admin team with more than 50 people.

I would rate their support a nine out of ten. We might not always get a good solution. We might get only a workaround.

Positive

From the start, I have been using this solution in this organization.

It is very easy for me to deploy. There is no complexity. 

Its implementation takes about a week, but it can vary.  

Being a SaaS solution, it does not require much maintenance. It has an uptime of 99.9%. It is working perfectly with the scheduled information.

It has reduced resources and the time spent on gathering and combining data from different tools into a single tool. It used to be a tedious job, but it has now been reduced with the single software.

I would recommend this solution if you want a unique software to collect all the inventory data and have information about the attack surface.

I would rate Qualys CyberSecurity Asset Management a nine out of ten.

We use it to gain complete visibility into our assets and monitor our security posture.

Our overall experience has been very good. It gives us a 360-degree view of our assets. It gives us the complete data such as the types of services running or applications installed. If an asset or software is end-of-life or end-of-support, it provides the status related to that. Apart from that, we get to know the ports and services that are running.

Previously, I did not have visibility over the complete inventory. Qualys CSAM gives me the complete inventory with the number of assets connected to the network. Based on the cloud agents that were deployed and remote scans, we can see the whole inventory in a single module. The CSAM module allows us to track the end-of-life or end-of-support status of the software on our assets. We get to know in advance that particular software is going to be end-of-life or end-of-support. Such a feature helps us to take action proactively.

It gives visibility into the domains or subdomains managed by my organization. I can track those very effectively. I can even perform lightweight scans which are completely managed or controlled by Qualys, unlike remote scans that are performed by the end user. It gives visibility into the vulnerabilities related to applications or assets on a real-time basis because these scans are performed once a day on a daily basis. With one click, the EASM module provides the domain names related to my organization. Qualys directly performs the scan and if any applications or assets are not in my CMDB because I missed updating the details, it highlights them, so I have complete visibility over my publicly exposed assets or applications.

It is able to discover different kinds of assets, such as web servers, DB servers, or application servers. It can identify network devices. I even have visibility over the devices managed by ISPs, and I am able to take action appropriately.

Asset tagging is one of the main features of the CSAM module. While creating asset tags or after creating asset tags, we can set the asset criticality. Based on the vulnerabilities identified in the assets, Qualys provides a detection or TruRisk scoring.

TruRisk scoring helps prioritize vulnerabilities and assets. This prioritization is very helpful for me. In an infrastructure with 300,000 assets, we might see millions of vulnerabilities in the assets. We need to prioritize vulnerability remediation because we cannot focus on remediating all the vulnerabilities at the same time. We can start with the assets that are critical in our organization. TruRisk scoring helps with that.

It makes us more secure and also helps us with our KPIs or KRI. We have had zero attacks since we enabled all the features in Qualys CSAM.

It fetches the asset details based on remote scans or the cloud agents that are deployed. With passive sensors, I am able to see the rogue assets that are passing through a particular switch wherever passive sensors are deployed. I can see what other assets are connected to the network. One of my goals is to identify the assets that are missing with the cloud agents so that I can get the cloud agents deployed and get them added to my asset inventory. Network devices obviously cannot be installed with the cloud agents, but at least I have visibility that these are the network devices, or these are the endpoints, or these are the servers, whereas rogue assets are a threat to the organization. They may even compromise other assets in the network, so with these passive sensors, I am getting complete visibility.

Even IoT devices can be scanned through these passive sensors. The passive sensors can read the configuration of the devices passing through a particular switch. Previously, I used to perform remote scans on IoT devices. This effort of performing the remote scan is minimized because these passive sensors are able to find the vulnerabilities related to any of the IoT devices by reading their configuration. This is another feature that is helping me as part of our operations.

The External Attack Surface Management (EASM) module, available within CSAM, is valuable. It helps track all the domains and subdomains related to our organization. It performs the discovery scans and provides the results of the domains or subdomains related to my organization. It also performs scans to identify any vulnerabilities, which helps to take proactive measures before those vulnerabilities are identified by any attacker.

The IoT or OT asset discovery feature is valuable. We can analyze the traffic that is passing through at the L2 switch level with the passive sensors. It provides information about any rogue asset connected to a switch or a network. We can see all the unmanaged or managed assets.

The ability to define a list of unauthorized software and create a rule to define software authorization is helpful. We have a diverse organization with a robust infrastructure of more than 300,000 assets. By creating unauthorized lists and rules in the Qualys CSAM module, I can block certain software from being used in the organization. When I create such a rule, I can see all the assets having unauthorized software installed. I can then immediately take action by blocking that asset or remotely uninstalling that particular software. Such actions can be taken directly from its interface when I have unauthorized software rules in place. This is an important and helpful feature for my organization.

The scanning function could be improved. Currently, in the EASM module, the scan frequency is limited to once daily, but allowing end users control over scan scheduling would be advantageous. Publicly exposed assets are very critical. If a remediation action is taken by the end-user or the auditor working on a vulnerability management program, that person must be given access to run the scan as and when required. This way they can immediately check whether that particular vulnerability is present or not.

Also, allowing more comprehensive scan configurations could be beneficial. The lightweight scan that it does is only based on the ports or services that are identified through the Discovery Scan. It would be helpful for the auditors to be able to run a more comprehensive scan.

Additionally, while downloadable asset information is available in the CSAM module, it lacks mapping of software to assets in a consolidated report format. For instance, if I want to download information about 100,000 assets along with the software mapped to those assets, this option is currently not available. If I download the SH details, it will have only the BIOS information, the serial number of the device, the hostname, the MAC address, and the IP address. Only these details are available. It does not give information about the software installed on those assets. The software mapping with assets is not given in a consolidated report. Enhancing this capability would elevate its usefulness.

I have been using the CSAM module for about four to five years. It was previously known as AssetView. We used AssetView for over 12 years and then shifted to using CSAM when it was introduced four to five years ago.

The platform is quite stable as it is able to handle data from various sources, such as cloud agents or the VMDR module. It has the EASM capability. It is pretty stable even though it holds a lot of data related to our assets or applications. I would rate it a ten out of ten for stability.

Scalability is impressive, supporting a myriad of features and substantial data from diverse modules. It offers a comprehensive view of asset management and is equipped to handle an extensive array of data efficiently.

Our organization has its presence in different geographical locations. We have about 300,000 assets installed with agents worldwide.

There are 50 to 60 people from the IT team and the information security team working with Qualys CSAM.

I am satisfied with their support. I would rate their customer support a ten out of ten.

Positive

I was using the AssetView module before migrating to Qualys CSAM. AssetView has very basic features. Other than the asset tagging feature, AssetView does not have other features available in Qualys CSAM, such as EOL detection and software version detection. 

Knowing the software version is very useful for me when any zero-day vulnerability is published. I can check the version of the software that is vulnerable to a zero-day CVE, and then with the Qualys CSAM module, I can see the assets that are using that particular vulnerable version. Without even performing the active scan, I can get visibility over the assets having vulnerable versions. I can then take the remediation action. This is the most important feature in the CSAM module as compared to AssetView. 

The initial setup was straightforward. Although I was not a part of the implementation team, I understand it did not take much time due to an efficient cloud agent deployment and network connectivity setup.

It does not require any maintenance from our side. There is almost zero-touch maintenance because it is a SaaS platform managed by Qualys itself. We might have to modify or create asset tags or dashboards. These are operational tasks that we might have to do on a regular basis. Other than that, no maintenance is required from our side.

The implementation involved a small team of about five to six members who collaborated with the Qualys vendor.

Though the solution is considered expensive, if bundled with other services such as VMDR or cloud agents, its value would significantly increase. It is currently a bit costly, but with bundling, it could become attractive to more customers.

I would highly recommend this solution to other users looking to enhance their asset inventory visibility. Asset inventory is the primary source of truth for any IT team or information security team. Qualys CSAM provides that visibility. With the integration of CMDB, you get even better visibility over the asset inventory. You also get EOL information about the assets and applications. These are the main reasons for recommending it. I am pretty happy with it.

I would rate Qualys CSAM a ten out of ten.

We use Qualys CSAM for information related to EOL and EOS applications. For the machines connected to Qualys CSAM, we have information about the serial number and hardware ID. We have some integration mechanisms with AD. All these helped us to make sure the agents and applications that we use are good enough to run in our infrastructure.

We have a mechanism called authorized and unauthorized applications inside our organization. Qualys CSAM helps us implement this by reporting unauthorized applications through pop-ups or alerts. This mechanism ensures that any unauthorized application is quickly identified, and appropriate measures are taken swiftly. The tool provides valuable insights into our infrastructure.

For external attack surface management, we have a configuration profile that we configure with the domain name. With this domain name, we get all the information from Qualys. They have integration with Shodan and their own scanning mechanism to get publicly exposed IPs or domains for our organization and its subsidiaries. 

It is a useful solution for us for IT-related or security-related activities. We get information about all the assets in our organization, and we also get to know if any ports are open or exposed to the Internet.

It helps us with risk prioritization. It highlights any vulnerabilities that are exploitable. We have various reports. We can see EOL or EOS software or any unauthorized applications. All these reports are triggered in a daily manner. We get the latest list every day. We can also use the dashboard.

In addition to the asset criticality score that we have configured, we have the TruRisk score. All this data helps us to prioritize the assets and vulnerabilities. 

The most valuable features of Qualys CSAM include the ability to manage authorized and unauthorized applications efficiently. This feature helps in validating applications and maintaining a secure environment. 

Additionally, Qualys CSAM offers comprehensive data, including serial numbers, BIOS information, and software details related to EOL and EOS. These capabilities are crucial for ensuring infrastructure readiness and security.

In my opinion, the area that needs improvement is the role-based access control (RBAC). The access privilege management needs to be more robust and streamlined to enhance user access management. Additionally, improvements to the user interface could be beneficial.

I have been using Qualys CSAM for one and a half years.

I would rate the stability of Qualys CSAM a ten out of ten. The agent-related stability is excellent, and we have not experienced any lags.

The scalability of Qualys CSAM is good. It is a SaaS platform. I would rate it a nine out of ten for scalability.

We have it at multiple locations and countries. We have multiple networks and subsidiaries. We have about 300k users.

The customer service is excellent. I would rate them a nine out of ten. Although there have been occasional delays in response time, the support generally addresses issues promptly and effectively.

Positive

I have only used Qualys CSAM in this organization and have not switched from any previous solutions.

We have a hybrid setup. The initial setup is straightforward, requiring a single code within an agent file, making the deployment process very easy.

Other than the upgrades, it does not require any maintenance from our side.

I would strongly recommend Qualys CSAM to other users because of its reliable detection logic and high level of support. We have not seen any glitches with it. In the case of any issues, we can get them resolved promptly, maintaining efficiency. 

I would rate the Qualys CSAM a ten out of ten for its overall performance.

My current use cases for Qualys CyberSecurity Asset Management involve hunting for software that is end of sale or end of life. I also use it to identify where prohibited software is installed on a device. For example, I identify if software that shouldn't be on an endpoint exists. That includes the vulnerabilities associated with certain software.

Improve software inventory capabilities

What I appreciate most about Qualys CyberSecurity Asset Management is the inventory feature, where I can look up assets, software, applications, open ports, and similar items because it's very useful. For example, with assets, I can see all the devices that have the protection installed and access one of these endpoints to see all the information about it. On the software side, I can see a list of all software installed on all my platforms, referring to all my endpoints that have the client installed.

The comprehensive approach that Qualys offers is beneficial because it includes the TruRisk score, which summarizes all vectors influencing the risk of an asset. For example, it highlights exploitations for certain vulnerabilities and provides all the links if they are available or public. Furthermore, the integrated Threat Intelligence platform within the interface allows me to see if there's a trend for certain vulnerabilities and check if I have that vulnerability on my platform.

One downside of Qualys CyberSecurity Asset Management is that I would prefer to see a more interactive dashboard. For example, when I see unknown software in the inventory and try to get a list of assets with certain software, I have to go inside the software menu. If I could have something more interactive that doesn't require going inside multiple categories, it would help. Also, I think the filters should accept three or more queries together to get broader results. However, this could also be an issue stemming from my knowledge or lack thereof.

I have been using Qualys CyberSecurity Asset Management in this company for at least one to two years, but the implementation has been around for three years.

I have experienced a couple of instances with lagging, but nothing substantial that impacts reporting. There may be some delays on the dashboard, but nothing affects the functionality of reporting vulnerabilities from the endpoint.

The scalability of Qualys CyberSecurity Asset Management is significant because you can deploy it across physical endpoints, cloud enviroments and VDI using a configuration file. If someone uses Windows Server, they could use a GPO to deploy it. There are many options. I've seen large platforms with numerous endpoints and vulnerabilities, and that makes me think they have an impressive capability for handling large volumes, which is very scalable in my opinion.

I haven't contacted Qualys technical support or customer support because we have a team that possesses extensive information and they reach directly to the vendor.

Positive

In the past, I used some open-source solutions at another company, but I don't remember the name. I recalled using them occasionally, but they didn't have this kind of reach. The same principle applies; you install a client on the endpoint, and it reports to the server.

I find the initial deployment of Qualys CyberSecurity Asset Management overall easy, especially with support from the vendor and personnel who understand how to handle the integration and permissions with the firewall to allow traffic.

The initial deployment took around a month or possibly less to fully deploy Qualys CyberSecurity Asset Management for the first time, though I wasn't present during the implementation.

I don't have access to the pricing information, but I understand that Qualys CyberSecurity Asset Management is expensive compared to other brands or vendors, although the price is worth it.

I have the most experience with Qualys CyberSecurity Asset Management, VMDR, and CSAM, as well as CA. Besides VMDR, I also used the Threat Intelligence model extensively.

Regarding the CMDB Sync feature, I learned about it just a couple of weeks ago. Although we don't have the implementation, we would find it useful to share information from Qualys, such as vulnerabilities and all devices, and track the person in charge of a certain device by creating a ticket.

The TruRisk score is a very useful feature, as it summarizes all the factors influencing the importance of a vulnerability concerning an asset or an endpoint. It helps with the prioritization of remediation.

We have both the passive sensor and the cloud agent. We use the cloud agent by installing it on the devices, while the passive sensor allows us to detect devices that don't have the protection and can't have the protection, for example, the networking devices.

We don't manage maintenance for Qualys CyberSecurity Asset Management as it depends on the vendor because they sometimes deploy updates and upgrades, but nothing is required on our end.

On a scale of 1-10, I rate this solution a 7.

My use cases involve using Qualys CyberSecurity Asset Management to detect vulnerabilities and then passing on the information to our IT team that has to fix the vulnerabilities.

The External Attack Surface Management covers my entire attack surface, but the majority of it doesn't apply to us because our external assets are not owned by us. We just have the external assets that are hosting our web pages.

The dashboards are my favorite feature.

I can pull up information and create my own dashboards specifically for what I'm looking for.

In addition to vulnerabilities, Qualys CyberSecurity Asset Management identifies all other risk factors for my assets.

The TruRisk feature could help prioritize vulnerabilities and assets, but our issue currently is that we weren't provided with adequate information to set things up correctly. We have many configurations to fix, and if we get to that point, it could be useful, but currently it's not because of inaccurate data.

The downsides of this solution include needing more knowledgeable account managers, and there needs to be more guidance on how to use their solution because there's so much to it. We've received very poor guidance from them, especially after learning several things we need to fix during the Qualys conference. Additionally, we need a solution to be able to do application deployment, which they sold us on a year ago, saying it was coming, and we still keep hearing it's coming.

I have been using Qualys CyberSecurity Asset Management for approximately a year.

I have seen some lagging, crashing, and downtime, but it doesn't happen very often.

It seems to be suitable for scalability. We're considered more of a medium-sized company, and it seems to be working out fine.

Their technical support is pretty good. The tickets I've sent in, they've been able to help me. We have issues with our account manager who does more than he should be doing and should be referring us to somebody else instead of trying to fix everything for us when he clearly doesn't know as much as he thinks he does.

Positive

I used Endpoint Central through ManageEngine before Qualys CyberSecurity Asset Management. It didn't detect as much as Qualys CyberSecurity Asset Management did, but the ability for our IT people to easily find the vulnerabilities and set up jobs was beneficial because it also had a fully application management and patching solution, including all third-party apps. It made it easier for our IT to fix vulnerabilities. Currently with Qualys CyberSecurity Asset Management, the majority of it is manual installs, and when you have a small IT team with over 5,000 assets, that becomes difficult.

From what I was told, the initial deployment was difficult, but I wasn't involved in that as I was in a different role when we deployed it.

I need to talk with my architecture team because after the Qualys conference, we've discovered there are things that aren't configured correctly. This could possibly mean we might need to get with Qualys CyberSecurity Asset Management to get things in shape so that we're adequately detecting vulnerabilities.

On a scale from one to ten for support, I would give them a nine.

We're just a customer and do not have any partnerships with Qualys CyberSecurity Asset Management.

I rate Qualys CyberSecurity Asset Management a six out of ten.

At our Android development company, Qualys CyberSecurity Asset Management safeguards our development environment and digital assets, including sensitive codebases, APIs, databases, and cloud-based infrastructure. By continuously monitoring these assets, Qualys helps us detect vulnerabilities, misconfigurations, and potential malware, protecting both our proprietary technology and client projects from threats like ransomware and malicious activity. Furthermore, it ensures compliance with industry standards through real-time insights and automated security patches, fostering trust between us and our valued customers.

Qualys Cybersecurity Asset Management offers comprehensive features to cover our entire attack surface. Its cloud-based platform provides full compliance management, ensuring infrastructures align with databases and standards. Cloud storage enables easy data retrieval and recovery. Additionally, it utilizes AI-powered features to monitor and manage security patches, enhancing overall security posture.

Qualys Cybersecurity Asset Management utilizes advanced deep neural networks and AI to identify previously undiscovered assets and threats, crucial to our company's security. We discovered an additional 120 assets with Qualys CSAM.

It has significantly enhanced our company's security by providing real-time visibility into all access points across our development ecosystems, improving vulnerability detection and risk management. This allows us to address security gaps quickly before they escalate into critical threats. The automated discovery of misconfigurations ensures continuous compliance with industry and government standards, reducing manual efforts and freeing our team to focus on innovation. This comprehensive approach has fortified our infrastructure, protecting sensitive code, client data, and cloud management from cyberattacks. Consequently, we have faced fewer security threats, allowing us to focus on other areas for improvement within the company.

The Asset Management helps us identify all risk factors, including vulnerabilities and malicious attacks, along with various other aspects of asset management.

This advanced cloud system utilizes APIs to connect and retrieve data, while passive sensors track the code bases of our applications.

Passive sensors hinder the real-time identification of potential risks, as they transmit real-time data and additional information with a delay. However, the system's speed, combined with AI, deep learning, and robotic process automation, enables efficient risk identification despite this limitation.

The most valuable feature is the real-time visibility Qualys CyberSecurity Asset Management provides into all assets across our development and operational environments. As an app development company dealing with multiple platforms, servers, APIs, and mobile data, each becomes a significant target for cyber threats. 

Qualys CyberSecurity Asset Management ensures a comprehensive inventory of all assets, regardless of their distribution. This allows us to detect vulnerabilities, misconfigurations, and outdated systems before they become security issues. The automated vulnerability scanning and patch management features, with automatic risk identification and remediation, are also invaluable. By reducing manual intervention, these features increase efficiency and allow our team to focus on other priorities.

There are a few areas Qualys CyberSecurity Asset Management can improve. First, the UI needs improvement as it can become overwhelming after prolonged use. A more intuitive design with simplified navigation would be beneficial for all team members, especially beginners. 

Second, the reporting feature could offer more customizable templates and easier-to-digest visualizations. This would help in creating targeted reports for different stakeholders, such as technical teams and executives. 

Lastly, integration capabilities with third-party tools and platforms should be expanded. While some integrations are supported, more options like CI/CD pipelines, which are integral for app deployment, would be advantageous.

I have been using Qualys CyberSecurity Asset Management for one year.

I would rate the stability of Qualys CyberSecurity Asset Management eight out of ten.

I would rate the scalability of Qualys CyberSecurity Asset Management ten out of ten.

Once we needed to contact their customer support, we received timely assistance. The support team was knowledgeable and offered a variety of quick resolution options. They also provided extensive documentation and access to community forums, allowing us to find solutions independently.

Positive

I previously evaluated Nessus, but while it offers effective vulnerability scanning, it lacked the comprehensive asset management and continuous monitoring capabilities necessary for expanding our application management system. We needed a solution that provided deeper visibility into our digital assets, including cloud infrastructure and mobile applications. 

Qualys offered a more integrated approach by combining vulnerability management, compliance checks, and real-time inventory in a single platform, simplifying processes, improving collaboration between development and security teams, and offering greater scalability.

The initial setup was smooth and easy to follow, aided by guidance from the Qualys team.

The deployment took three to four hours.

The implementation was performed with assistance from the Qualys team, who helped with platform configuration and integration into existing systems.

Our return on investment includes a significant reduction in security incidents, decreasing potential costs related to data breaches, system downtime, and compliance fines. This was achieved through streamlined vulnerability management, which reduced labor costs by approximately $109,000 annually. Additionally, enhanced client and company trust led to approximately $99,000 in new contracts. These improvements to our security infrastructure contributed to overall business growth of approximately 150 percent over the past year.

The pricing for Qualys Cybersecurity Asset Management is reasonable, with an annual subscription costing around $1,000 per year or a monthly subscription starting at approximately $72 per month, depending on the specific package and features included.

I would rate Qualys CyberSecurity Asset Management eight out of ten.

We use Qualys CyberSecurity Asset Management in six locations across the country.

Qualys CyberSecurity Asset Management does not require any maintenance.

I would advise fostering security awareness through regular review and updates to security policies and protocols. Staying informed about other platforms is important, but Qualys CyberSecurity Asset Management is a fit for our company due to its reasonable cost, scalability, stability, and excellent integration and deployment features.

I have been working with Qualys for approximately two and a half years. I have used this module to manage security postures in cloud environments, and it is essentially used for hybrid management systems. This allows me to adhere to security practices across cloud environments.

I appreciate the feature that simplifies cloud security posture, offering insights into vulnerabilities, and reducing the complexity of managing the security program. It provides a proactive security posture, identifying risks before attempts are made. It is also scalable in hybrid management, offering dynamic capabilities in cloud environments, providing visibility to thousands of assets. Additionally, it is beneficial in discovering what's occurring in the cloud environment and provides visibility in asset discovery. It helps monitor assets continuously, granting real-time visibility, which aids the IT environment in maintaining these assets. External attack surface management allows me to consider things from an attacker's perspective. I've improved on faster remediation and reduced risk breaches, as the module enables me to quickly identify vulnerabilities and take necessary actions. Decision-making is straightforward, allowing risk prioritization and action accordingly.

Qualys is continually developing, adding new features each year. Previously, there was no on-demand scan feature in a cloud agent, but multiple features have since been added to my cloud agent module. In CSAM as well, I expect features that make security and IT team tasks easier, eliminating manual efforts. Features enhancing the interaction with IT or security teams should be added, such as a ticketing feature that, if an issue arises in the CSAM module, enables direct ticket creation in systems like ServiceNow. This would streamline assigning tickets to appropriate teams.

I have used the solution for two and a half years.

I do not think there are any issues.

It's scalable. I do not face any limitations.

I would rate the technical support nine out of ten. They are effective; if I raise a ticket, they directly contact me and solve my problems, whether related to deployment or unresolved vulnerabilities.

Positive

I have been using Qualys from the beginning and have not used any other solution extensively. However, I have some familiarity with Rapid7, but it lacked the level of detail found in Qualys.

The initial setup was smooth, particularly with the cloud agent installation and sensor deployment. After the initial stage and the licensing part were completed, I became involved in creating user IDs and as an administrator, I managed user access, including giving privileges to admins. I coordinated with the Linux, Windows, and Mac teams to download and install the agent and conduct testing.

I received assistance from the Qualys support team, specifically from the ACCPL team provided by Qualys. It was a third-party team.

As mentioned earlier, it saves time and facilitates direct communication with real issues I have faced.

At present, I do not think so; however, I may consider CrowdStrike as it has some features, though not as detailed.

The CSAM module is great and continually improving with updates. I would rate it nine out of ten. However, based on the company's budget, Qualys offers limited features, which can also be utilized in other environments. I rate the overall solution nine out of ten.