Qualys Enterprise TruRisk Platform Reviews

I was exploring Rapid7 and Tenable for my organization, but we have held off on that decision for some time. Currently, we are dealing with Qualys Enterprise TruRisk Platform. Our consumption is internal, and we operate as a service provider to consumers in the market. The use cases we have handled so far have not presented much of a challenge regarding scalability. We will learn more about scalability once we are expanding our use cases.

I have worked on the technology side covering overall risk assessment, which includes the application, data, the flow of information, various IT assets and all those associated risks, overall enterprise risk management pertaining to the technology side including people, process and assets, both digital and infrastructure.

Majorly, it focuses on application safeguarding, data safeguarding, sessions, API level security and all those related concerns. The ease of implementation, vendor diagnostics, REST APIs and other APIs provide a lot of flexibility to integrate various discrete IT landscapes that we operate into.

The governance part is the most prominent feature for us. We want to have a dashboard with just one click where the KPIs are pre-configured as per the business requirement and those things are monitored on a regular basis to check how things are moving. Governance and high-level management or board level visibility matter the most to us.

Resource utilization is always a challenge, so having proper visibility comes in very handy for us. Another use case we are also looking for is agents or artificial agents to monitor in real-time basis and make their own decisions to load balance or whatever best possible solutions they can work out on a real-time basis.

The governance part is the most prominent area for improvement. We want to have a dashboard with just one click where the KPIs are pre-configured as per the business requirement and those things are monitored on a regular basis to check how things are moving. Governance and high-level management or board level visibility matter the most.

We are trying to incorporate artificial models which can take care of many things that are currently taken care of manually or through certain jobs so that they can be automated with the help of AI models or agents. We will progress as the AI model matures with pattern learning and all those things.

We want self-decision capabilities. Not just analysis and giving alerts, but even taking decisions of actions and performing those actions. The first step would be to not only alert that there is an issue or threat, but to evaluate the threat itself in generality and suggest something. The second step is where those suggestions will definitely have some good minds working on them, but only if they are suitable will we make it as a learning model. Otherwise, we will discard and modify those things. The second level would be to let the learning model learn and then gradually figure out whether we can delegate the decision in the sense of the action that they can perform, see it and then evaluate whether it is falling in line as per the expectation. This is how we will progress on a use case basis only.

I have been using the solution for about two and a half years.

I believe we had almost small glitches and some outages about three to four times in the last two and a half years. These were not much of a concern because they have been resolved in the stipulated time. However, they have impacted us to a certain extent for those periods. In terms of stability, I would rate it somewhere around seven.

So far, the use cases that we have handled have not presented much of a challenge on the scalability part. We will learn about it once we are expanding our use cases. Intermittently we did face some scalability issues, but they were rectified by Qualys Enterprise TruRisk Platform team in consultation with AWS.

There is a global help desk as well as a regional help desk which takes care of support needs. Initially, it was a projectized phase, but now we are moving into a more operational phase. We do have support from them and we will see how things move on.

There are areas for improvement in their support structure. The first level is their interface with customers, and they also have an AI support system. I believe in the initial stages, if they can establish a confidence directly with agents or persons, that will definitely create a lot of trust built up. Slowly, once the account is mature enough, they can move into an AI-based support system on an elementary basis. Of course, we would definitely look forward to human intervention or expertise from subject matter experts as well, which is something that any support system requires.

Currently, there are two to three things to consider honestly. ROI will have its own timeline. I am looking at three years, more than three and a half years. In the initial phases, we are looking at efficiency improvements and reducing redundancies. These are the various things that we will be keeping an eye on. Overall ROI break even is something on three and a half years.

I was exploring Rapid7 and Tenable for my organization, but we have held off on that decision for some time.

As everybody knows, nothing is ideal and things keep evolving. At this moment, I do not want to highlight anything at this point. We were not exactly in a position to do extensive comparisons because it was intensive POCs, and although we did certain POCs, this solution came very close to our requirements. Qualys Enterprise TruRisk Platform is on the cusp of a lot of new advances that they bring to the table, which is what we also appreciate. They incorporate a lot of new things in the beginning technology space, making it available for us users makes our life easier. The overall offering is above average compared to others. My review rating for this solution is seven.

I basically use Qualys Enterprise TruRisk Platform to scan my internal networks and the URLs we work on. These two are the test cases, and then we scan the clusters. If we have an IP hosted on the Kubernetes clusters, we just pick that IP address and scan it for vulnerabilities. That is one use case from that scanner. When we have an IP range from 0 to 32 in the ports, we try to scan it from there. If one IP has multiple applications, we try to scan it on that particular part where it is hosted as an external network and it scans all those things along with the web applications. It's a SAST thing which we do.

The favorite feature of Qualys Enterprise TruRisk Platform is that it provides the whole information of a particular vulnerability. If it detects a vulnerability from a web application, it will provide the whole summary of where it could go wrong in the future if you don't want to test it out now. You can take a note of it and then give the summary to your engineering team.

It will also provide the information of the CVEs related to it, CVSS score related to it, and the CVEs will help you to understand more about how bad it can get. The comprehensive summary can be downloaded in the form of a CSV or PDF, or you can also take the output as .json if you want to send it on some clusters. This is one of the best parts about Qualys Enterprise TruRisk Platform.

One thing which I really want Qualys Enterprise TruRisk Platform to improve is the UI. While it might not be the case for everyone and it's subjective, in my team, most people agree on that part. The UI should be more user-friendly. If you have uploaded a file containing many IP addresses, you don't have a straightforward option to check what the IP addresses were. If we want to search an IP address from the list, we need to check it one by one.

Also, when we download something, the feature should be upfront. When we get the result of the scan, it should be 'download this file'. In many scanners, when you go to the download option, you get the options for particular formats immediately. However, in this case, when you click on download, it loads another page before giving you the output options for PDF or CSV. This feature should be upfront.

I have been using it for the past five or six years.

It just runs continuously without issues. Sometimes it happens that our internal network is not working that efficiently, so we might suffer loading issues for some time, but that's not something which needs to be addressed from Qualys Enterprise TruRisk Platform's end.

I had to reach out to support a couple of times, or three or four times. That was because some scans crashed, which happened initially during setup. Once we supplied 130 URLs to it for scanning one by one, and it crashed in between. We did not have any clue what happened, so we had to reach out to support. I have a mixed experience with it as I faced it twice. From my perspective, the platform works really neat and clean, but sometimes it does have issues.

They are very fast with their support. If something goes wrong, such as when the scan is not loading or the output is not coming straightforward, we send them a mail and they typically reply within a day. If it's PT time, they will reply as soon as possible. I have seen replies in less than two or three hours. Their support is really good.

Positive

We use Acunetix and Tenable, but I still feel Qualys Enterprise TruRisk Platform provides better results. That is the reason we have been using it for a while. I have used it along with Tenable, which was Nessus previously, and Acunetix. We have separate scanners for different technologies, but Qualys Enterprise TruRisk Platform has been doing better than those solutions because it's the pioneer in scanning for what we do now. Many teams in different organizations, at least in India, use Acunetix or Tenable.

The setup was easy and straightforward. When it was first set up, we just went ahead, implemented it on our local environment, and it went really smoothly. There were not many complications. You just set it up with a couple of IP addresses with ports which you want to use on Qualys Enterprise TruRisk Platform and then everything works fine. The competitors have some complications in installing or starting the scanner. For example, Nessus and Acunetix are quite complicated to start. Qualys Enterprise TruRisk Platform does a better job in that aspect.

I would pick Tenable as the best alternative for Qualys Enterprise TruRisk Platform. We can supply similar things to Tenable and scan multiple URLs at one time. The GUI is simple, making it user-friendly for those not familiar with scanners. They have a clean interface where everything is in front of them. The output process is simple - when the scan is complete, you click a button and it downloads the file without additional steps. These features are similar to Qualys Enterprise TruRisk Platform, except for the downloading part where Qualys Enterprise TruRisk Platform requires an extra page to check options.

Qualys Enterprise TruRisk Platform has been really good in every aspect. On a scale of 1-10, I rate it a nine out of ten.

The major use cases from my side for Qualys Enterprise TruRisk Platform integrate with our VMDR, Qualys VMDR. Basically, what TruRisk does is it helps with risk prioritization. We do all the integrations with existing products, which again is Qualys VMDR for us. We also integrate with a couple of other products, next-gen antivirus and others. Then it helps us normalize the overall risk that we have, not just looking at vulnerabilities. Based on that, we just prioritize whether this patching process or putting in any security controls is worth an effort or not. If it is worth the effort, then how do we prioritize? Which ones should go at the top? Which one needs to be dealt with first, and then gradually, the non-critical ones can stay down the chain.

The threat prioritization feature of Qualys Enterprise TruRisk Platform helps for resource allocation, especially for the crown jewel applications that we have. Of course, we feed that via CMDB into the tool. So we kind of prioritize what risks need to be taken care of, and then depending upon who owns it or we have a detailed RACI matrix which shows that hey, this particular thing or gap needs to be fixed by the network team, for example, or infrastructure team, server team, then we allocate those resources based upon priority. If it is a very high risk to the business, then we allocate resources based on that kind of risk prioritization, which is what the tool is meant to do. It is done on an ad-hoc basis, so on the process side, it needs to be taken care of from the process and cannot be automated, the resource allocation. But once we know that it is a high priority, then we allocate the resources within the span of time and that needs to be dealt with.

The benefits of visibility from Qualys Enterprise TruRisk Platform is that it is the central tool. The first thing that we integrate with is our asset inventory or CMDB, and we do it via ServiceNow. So we have all the assets, and then a lot of it depends on or it is a prerequisite to have very clean and hygienic CMDB. So there we have got all the assets, we have got all the applications, the business owners, stakeholders, and all of those. Then there is asset criticality, which is the most important thing that gets fed into TruRisk, and that is something which creates a positive or a negative bias on the risk that comes in because it is us, the business owners who understand the criticality of it, and that is more a subjective thing. So that is fed and then that is the most central integration. Then we do integrate with Qualys VMDR and all the other platforms which spit out their own various versions of vulnerabilities and risk and all of that. The tool then quantifies it and then prioritizes which ones need to be handled at the top.

Positive aspects of Qualys Enterprise TruRisk Platform are that it is mandatory for every organization. Every day we have so many security products, and then all of them spit out their own version of risk. Unless we consolidate them and quantify them, there is no way we can actually prioritize. Palo Alto may be giving some particular vulnerability a CVSS score or some high risk. Then some other product may be giving something else, and then our team does not understand which one to prioritize. That is where we absolutely need this tool so that it integrates with everyone. We have also integrated that with our ServiceNow CMDB and we have mentioned the asset criticality. Based upon that, it gets fed into Qualys Enterprise TruRisk Platform, and then we get the final quantified risk. Then it gives us these are the things that we need to handle, these are the top ones in the business technology risk, and then we need to take care of those first. Of course, there are some positives or false positives, but something which the tool says is something, but then for us, it may not be that big of a deal because we may have some compensatory control. This tool is mandatory if we are looking for a holistic, enterprise-wide solid risk governance and anything that has a GRC. They would absolutely need the content that this tool spits out. Else, it is a nightmare to deal with everything.

It is all continuous. The continuous monitoring feature of Qualys Enterprise TruRisk Platform is a continuous threat and exposure management kind of essential CTEM that is built in it. It is not the tool that does it. It is the feeds that it gets from other tools that enriches it, and then we get various metrics. We have foundational metrics, CVSS scores, severity and all of those. Then it takes care of all of those, consolidates them, checks all the vulnerability signatures. Again, not every vulnerability leads to a risk. A couple of them have not been exploited. That is how it works.

I think the CTEM part of Qualys Enterprise TruRisk Platform can get better, not that anyone else is doing, but continuous threat and exposure management. We are now going beyond the risk, especially in areas where AI is involved. For example, we have all these AI models, and then there are new products coming in, for example, AI runtime security and others. I think it is high time that we start feeding those things from those platforms into something like TruRisk. That gives us again, it is very difficult I understand, to attach a particular value or a score to that particular risk because with AI, we have all these new things for which there is no signature or there is no vulnerability known, and that thing is very dynamic, but it has to be done. So that is one of those things. Integration with AI runtime security tools, I guess that is crucial. Feeding Qualys may develop or have its own database of vulnerabilities which are AI specific or not, I do not know, but it should have the capability to get the feeds from all the other sources. So I think that is crucial.

That one about AI runtime security, I think it is high time that everyone starts thinking about that and bringing integrating all the risks that come along with AI runtime. For example, we use ChatGPT, and then there are all the tech teams which have API integrations with OpenAI, Claude, Anthropic and others. Then there are all these prompts or prompt injection attacks or model poisoning and others. If there is something and then we do use a Palo Alto, for example, for AI runtime security. Now, if something happens, someone is trying to poison the model, or if the runtime system itself has some vulnerabilities, it is crucial that every single risk prioritization tool also has the ability to integrate with that tool and then ingest and then figure out what is the risk level of that particular event or that particular system. Everyone needs to inherit that. It is not a Qualys thing. Of course, it is very difficult to do it without the risk of bringing in a lot of false positives. But that must be done.

I have been dealing with Qualys Enterprise TruRisk Platform for about two, two and a half, three years, I guess. I do not think it is a very old product either. It has been around quite recently, and that is how I have been working with it.

If it is not stable, then it does not make any difference to us, to be frank, because this is more a scoresheet. We have so many things coming in, and then we have a final scorecard, which is this particular platform. We do not use it on a day-to-day basis, to be really frank. This is a periodic drill. So it matches with our vulnerability scans and all of that. For high-critical assets, yes, and there is a dedicated team, especially the senior architect, someone the me, we usually look at very closely. But it is not a 24/7 thing. It is not critical in the way that we have for Cortex XDR where if it fails, then the organization basically ceases to function.

All we do is purchase the license and it just scales out. Qualys is fairly elastic. When purchasing a tenant, if we have a fair understanding of our landscape, we can just tell the SE, the account executive, and then they can provision a tenant based upon that. I have never faced any challenges. Qualys is very elastic in their cloud. So that does not create any challenges.

The technical support from Qualys is the same as VMDR, the one that we checked earlier. The only technical challenges that we had so far were with integrations, and then they just fixed it. Maybe we were doing certain areas not correctly. There was one instance where there was not enough documentation, or it was there, but it was not that detailed. So that was one instance, but apart from that, we never faced any challenges.

I would rate that a nine. They are always available, so I would say nine. Nine is great. The tool that I was thinking about earlier was RiskSense. That is the competitor we had in mind when we brought in TruRisk. Then I think we also ran a couple of evaluations, but because of our VMDR, we preferred the risk prioritization tool as TruRisk as well.

It is a cloud tenant. We do not have to do anything for the deployment procedure. We just have a cloud tenant and we just have integration. So we just put in our API keys and do the same on the other side. It takes about less than a minute sometimes. Maybe three minutes for integration.

The experience with pricing, setup cost, and licensing for Qualys Enterprise TruRisk Platform is expensive. It is definitely expensive. If I were to compare that with the one that we had, I do not recall the name exactly. It is taken over by Cisco now. I do not remember. I will update the notes once we publish it or send it out for review. So I think that was not on par with what TruRisk does. Qualys Enterprise TruRisk Platform is way better than the other one. It is taken over by Cisco now. RiskLens or something. That is the one.

If we compare Qualys to its competitors, it really helps if we are using the VMDR solution which is a risk prioritization tool that TruRisk of the same vendor which we deployed for VMDR. Because a lot of those things, most of those things, in fact, they come from VMDR. So I think that makes if we give Nessus or Tenable as one, and then we use TruRisk, then we may not get the same kind of output. So preferably, our VMDR solution and the risk prioritization tool, I would prefer them to be the same.

The metrics for real-time threat intelligence updates are fed in real time. We have configured it real time, and the effectiveness of those largely depends. So the existing ones, all the vulnerabilities that have been there, we that is usually understood by the individual vendors. Where it becomes most effective is where Qualys is capable of building a QID or a signature and all of that before others do. That is where it becomes super effective. Else it is again, all the vendors, they typically are on top of these things, so I do not think there is a significant lag, but of course, Qualys does do much better.

Qualys Enterprise TruRisk Platform is a fantastic tool. It is kind of expensive, but it is indispensable. It is not something that we can do away with. TruRisk, every single enterprise which is trying to reach a maturity level, especially with risk governance and all of those, this is crucial. It is kind of not thought of often, but it really makes life simple once we have got it. I would rate this review a nine overall.

My main reasons to use Qualys Enterprise TruRisk Platform were vulnerability severity assessment for assets like server endpoints and cloud resources. We utilized it for asset scores, vulnerability scores, overall enterprise risk, security perimeter analysis, and zero-trust implementation.

Qualys Enterprise TruRisk Platform was helpful for managing potential threats in my case because we had defenders and this tool alongside them. The amount of information and data it generated was really beneficial for us to analyze and work upon.

The product was helpful to assess risks with machine learning algorithms. The machine learning platform learns the behavior, learns the patterns, learns the tactics, and then creates results for you depending on your enterprise.

Qualys Enterprise TruRisk Platform was helpful with threat prioritization features for resource allocation, and it played a good role in our analysis and day-to-day monitoring.

The solution was beneficial in identifying true risk scores, where we were lacking and where we were performing well. It identified trust distributions amongst our assets, what are high risk items, what are critical things, vulnerabilities that can be exploited, and what are critical priorities for us. The remediation action it suggested was helpful as well.

I have not been working with real-time threat intelligence updates.

Back then, AI integration was not there with the product, but I am uncertain about how the tool has upgraded itself now. If it is still not there, then AI integration could be a helpful addition.

Compared to Microsoft, there were already advanced tools, so I had seen some drawbacks compared to licensing or technical side.

I am uncertain about the product now, but if AI is not there, then it is good to have AI because when I was using Qualys Enterprise TruRisk Platform, AI was not that much developed.

So far, only AI integration is the only area for improvement with Qualys Enterprise TruRisk Platform.

I used Qualys Enterprise TruRisk Platform for eight to nine months.

I would describe Qualys Enterprise TruRisk Platform as stable regarding crashes or downtimes ever happening.

Qualys Enterprise TruRisk Platform is scalable and easily scalable in the product.

The customer service was cooperative and readily available for technical support. I would give them a rating of nine out of ten for their support.

Positive

Qualys Enterprise TruRisk Platform was advanced because it had tagging features, really good analytical features, and it used to give details that are required rather than giving a surplus of information.

I would choose Qualys Enterprise TruRisk Platform if I had to choose between Microsoft and Qualys Enterprise TruRisk Platform because it is that good.

Integration-wise, Qualys Enterprise TruRisk Platform was smooth, and we had support. We did not have to spend excessive time figuring out how to proceed, so the integration capability and visibility across various digital environments was smooth.

The initial setup of Qualys Enterprise TruRisk Platform was not complex and not straightforward; it was somewhere in the middle.

We had a pilot test before we did the final deployment, so everything was well-scoped regarding challenges with installation.

The installation of Qualys Enterprise TruRisk Platform is somewhat tricky compared to Cisco, and it depends on the end-user knowledge.

The learning curve documentation is perfect. They keep on updating their resources, so they are not lacking behind in that.

Qualys Enterprise TruRisk Platform was not expensive regarding the pricing point. We made a purchase choice that was within our budget.

The pricing was up to the mark at that time regarding pricing, interface, documentation, and all of it.

I have not considered anything apart from the products we discussed, such as Palo Alto, Fortinet, or Splunk.

We discussed Check Point Harmony SaaS and Web Gateway, and there is also one more product like CloudGuard Network Security. I have worked with the Check Point firewall, SmartConsole, and Check Point Firewall.

We also discussed Qualys Enterprise TruRisk Platform and VMDR. I have worked on Qualys VMDR, which is not the same as Qualys Enterprise TruRisk Platform or Qualys TotalCloud. The TruRisk factor and TotalCloud are different products that I have not worked with, only VMDR.

I am not still using Qualys Enterprise TruRisk Platform. I had used it in the past with the TruRisk platform. I have had no problems, no problems at all with potential minor problems.

My overall rating for this review is nine.

I am using all the modules on Qualys. It is a vulnerability and risk management platform. Additionally, we are using it for quality compliance. Currently, we are managing overall projects and supporting some initiatives. We access the check systems for this purpose. While Tenable sometimes misses vulnerabilities, Qualys consistently identifies potential vulnerabilities.

Qualys offers versatility. It can function both with and without agents, offering flexibility in deployment. Furthermore, it provides comprehensive support for various systems such as Windows Server, Unix servers, and databases, including SQL, Oracle, and others for development. 

Additionally, it extends its functionality to network devices like Cisco and Palo Alto firewalls, switches, routers, and Wi-Fi, making it a comprehensive solution for enterprise needs. With its enhanced support, Qualys minimizes the need for additional tools, providing a comprehensive solution for enterprise security.

Support could be improved. Contacting support is a lengthy process for raising a case. 

Recently, while attempting to set up a customized CI checklist, I faced difficulties updating parameters and obtaining results. Each Control ID in the checklist required a separate case, which presented a significant challenge given the number of checks involved. If issues arise with these checks, we must raise cases. Despite providing documentation and evidence, we receive standard instructions to follow rules we've already adhered to, making the process repetitive.

I have been using Qualys Enterprise TruRisk Platform for four to five years.

Policies are essential for ensuring security and compliance, covering all necessary aspects and being user-friendly. Setting up policies is easy with the guides available on the Qualys portal and the Internet. Testing parameters after setup is straightforward, allowing us to verify outputs. 

However, one limitation is the inability to access saved logs directly. Requesting logs requires involvement from the Qualys team, preventing us from analyzing them independently. This lack of access raises concerns about data privacy, as organizations prefer to keep their data internal. While Qualys undoubtedly has access to our data during scans and responses, ensuring transparency and control over this access remains a priority."

I rate the solution’s stability a seven out of ten.

Our current setup is straightforward. Setting up the scanners and configuring settings is not complex. When using agent-based scanning, installing agents on servers is manageable with the assistance of our managed work. Qualys can discover all assets in our environment and install agents online, eliminating the need for manual installations. Connectivity issues were resolved using the QVS proxy, which our organization readily embraced. Since we already had internal proxy access, configuring the setup was easy. We created and deployed a package across all console workstations and computers.

We opt for an IT-based approach, paying for Qualys via subscription.

If I communicate with admin users responsible for modifying settings, I interact with around 14-16 of them. However, in terms of managing access and overseeing the health of Qualys, I handle close to 20,000-30,000, including network and server devices.

Although we have specialized personnel, we lack visibility into logs to analyze and identify root causes. During screen sharing sessions, when troubleshooting, I actively participate and resolve issues most of the time. So, if we had additional specialists, they could also analyze logs, potentially leading to quicker resolutions.

Overall, I rate the solution an eight-point five out of ten.