Qualys TotalCloud Reviews

At the moment, the organization where I work, Alior Bank, is using Qualys TotalCloud, although in the past we used Nessus Professional, which we dropped about two years ago. It was Professional, not the enterprise Tenable version, just Nessus.

I have been familiar with Qualys TotalCloud from the beginning of the implementation in our bank, which was in 2024 when we purchased it and started implementing it. I am part of the implementation and current management of Qualys TotalCloud.

Regarding Kubernetes and containers, I don't recall if it's part of Qualys TotalCloud or a different component.

We are utilizing Azure and GCP with Qualys TotalCloud.

Qualys TotalCloud provides unified vulnerability and threat assessment across both IAS and SaaS.

This solution provides a single prioritized view of risk, which helps reduce the work I would have to do. We are no longer based on CVSS; we are based on Qualys risk scoring, which is based on CVSS plus internal findings made by Qualys, and then assigns its own score.

The TruRisk insight feature has found a small number of assets with high vulnerability scores, though I am cautious since some information is classified.

Qualys TotalCloud has positively impacted our bank's performance, and we have definitely seen benefits after implementing this solution.

Improvements in Qualys TotalCloud could include technologies to cover compliance scanning, such as CIS benchmark scanning. It is somewhat difficult to set up Qualys TotalCloud properly for certain technologies. Additionally, while they moved to UI4, which is nicer, some parts of Qualys TotalCloud dashboards still look very old. You can switch between those interfaces and adopt them because some things are better in the new one, while others are not.

Overall, Qualys TotalCloud is a stable solution. I remember encountering a problem once, which was an issue for the whole EU2 platform and affected tenants on Qualys TotalCloud placed in EU2 areas. As I saw on the status page, it was only a problem in Europe, not in America or Asia.

Regarding technical support from Qualys, they respond, but the response time can be too long. Sometimes we need to wait weeks for solutions to simple questions.

If I had to rate Qualys support based on my experience from one to ten, I would say around six or weak seven, perhaps six plus.

It is difficult to compare the helpfulness of written explanations with other solutions as we used Nessus for a few years. We only had two or three years of experience with that support, and it was simply Nessus Professional and not Tenable Enterprise, so I could not make a comparison. However, currently we have very good support from our integrator, plus the support from Qualys itself.

Regarding deployment of Qualys TotalCloud, the installation of Cloud agents was given to administrators from each team who manage servers and workstations, including components in Azure or GCP cloud. This was not handled by me or my team, as I work in the cybersecurity department. We manage the use of Qualys TotalCloud, but installation is up to the administrators, and we provide them support.

Currently, in the cybersecurity department, we have two people involved in the deployment of Qualys TotalCloud, along with over one hundred administrators involved in implementing and installing agents on the machines.

The deployment of Qualys TotalCloud within our organization was a continuous process. However, the installation of Cloud agents on the machines took place within two to three months, about a quarter.

The benefits we see are related to cost reductions.

For a mid-size bank like ours, the licensing cost for Qualys TotalCloud is cheap. Tenable Enterprise costs double that of Qualys TotalCloud and Rapid7. We explored those three solutions and decided to go with Qualys TotalCloud.

Qualys TotalCloud provides written explanations to help guide remediation paths and eliminate cyber risks in our organization. I would rate this review an eight overall.

I use Qualys TotalCloud for cloud security posture management across AWS and Google Cloud. I use this tool for compliance and other purposes. I scan AWS and Azure for S3 buckets, security groups, unencrypted databases, and generally for IAM roles. It helps in terms of securing the data. I also use CIS benchmarks as a standard for hardening cloud posture management. Qualys TotalCloud helps to ensure I am enforcing the CIS benchmarks automatically.

For the TrueRisk insights, it provides context-aware prioritization of findings, asset criticality, risk trends, and real-time exposures of risk parameters. It ensures I can make informed decisions with higher management.

FlexScan helps me run targeted, on-demand cloud security checks instead of waiting for full scheduled scans. It allows for immediate results on risky configurations or vulnerabilities after major configuration changes. I use it to validate checks post-scan.

TrueRisk Eliminates helps in lowering risks from the organization's context by comparing with global standards. Though not used extensively, it aids in reducing exposure ratings or ensuring compliance.

One of the valuable features of Qualys TotalCloud is its recurring scanning patterns, which detect misconfigurations, risky configurations, and weak IAM policies. The tool automates the maintenance of CIS benchmarks at scale, which is very useful. Qualys TotalCloud serves as a single-point tool integrating various modules such as VM and policy compliance and security, providing a holistic view of my security posture.

Qualys TotalCloud provides threat intelligence feeds or threat integration, enabling me to mix data with other modules to identify recurring vulnerabilities or threats I face in my organization.

From a downside perspective, the UI is not user-friendly and feels dated compared to other tools like Prisma Cloud. The navigation is difficult in terms of understanding risk relationships. Attack path analysis is another area needing improvement. It struggles to predict how attackers may move through phases. Automating remediation could also be improved, as many tasks remain manual. The lack of data load speed sometimes leads to system lags. Customizing reports based on business standards is cumbersome. Pricing is high compared to competitors.

Installation could be simplified with fewer integration issues. Documentation focused on detailed user cases with if and else scenarios would be beneficial.

I have been using Qualys TotalCloud for the past four years with different organizations. I have been with two organizations in the past four years and have been using it at both.

It happens not very often, but sometimes it does occur. In terms of stability, I could say Qualys TotalCloud operates at 95% of the time, and the rest 5% depends on how I manage it.

From a scalability standpoint, I could say it is 90% scalable. The remaining 10% presents a challenge that Qualys could address.

From a technical support perspective, those individuals are competent enough to provide information regarding the product. They offer level one support initially, escalating as needed. I rate them four out of five because they respond quickly if issues are marked as high priority. I would give them 8.5.

Positive

I used Prisma Cloud previously. Prisma Cloud has better navigation and UI compared to Qualys TotalCloud. However, I have taken a whole package of Qualys and tend to use it.

In terms of installation, it could be simplified compared to other tools due to its packaging and tooling. A lack of specific help articles and integration issues are present. From a security standpoint, it is good but requires time.

For one of the organizations, I partnered with Qualys as a team since I have large projects. They assisted with a global rollout.

Pricing compared to competitor tools is high. My costs depend on asset subscriptions. Pricing remains constant regardless of asset utilization, whereas other tools employ a credit system.

Prisma Cloud and similar tools have slight variations in flow but follow the same frameworks. Prisma Cloud offers user-friendly navigation that is better than Qualys TotalCloud.

From a technical support perspective, those individuals are competent enough to provide information regarding the product feel. They provide level one support first to understand better. If they cannot resolve the issue, they can escalate it to the next level and come on a call. However, it does not make sense for them to escalate if it is a medium or low priority issue; they address those according to their SLAs. From another perspective, there could be some downsides. In my opinion, this is the best tool. My overall review rating for Qualys TotalCloud is 8.

My use case is for cloud security posture management and for getting alerts as we have onboarded most of our accounts in Qualys. Qualys provides the cloud and identifies misconfigurations in our cloud security module, providing us alerts, and we have integrated many tools into that solution. This helps us maintain our cloud security.

Qualys TotalCloud helps with my cloud security posture management by identifying vulnerabilities at a better early stage because we have deployed it into a CI/CD pipeline. This helps us detect vulnerabilities at the development level only. Before moving into production, it helps us detect the vulnerabilities, close them, remediate them, and then move the code into production. We have integrated that into our CI/CD pipeline.

The best features of Qualys TotalCloud include good threat intelligence and segregation of cloud accounts. Since we have multiple cloud accounts, it provides a segregation overview of all of our cloud accounts. It also has workload protection which identifies vulnerabilities in the Kubernetes environment and in our Docker images.

Qualys TotalCloud provides written explanations to help guide remediation paths and eliminate cyber risks with recommendations. Whenever any alerts or vulnerabilities have been detected by the solution, it provides the resource name, the asset name, and the solution on how to remediate that with all the steps included.

Qualys TotalCloud provides unified vulnerability and threat assessment for both IaaS and SaaS software.

Qualys TotalCloud provides a single prioritized view of risk through the dashboard, which displays all the risks that are identified in our images, Docker images, Kubernetes environment, and cloud security.

I use the TruRisk Insights feature, which is built into that solution. I assess the comprehensiveness of the risks found by the insights to be good due to its threat intelligence, as it identifies most risks whenever they are detected in the wild. It almost detects all the risks that are well-known in the industry. It has also some capabilities of artificial intelligence but not enough to detect any zero-day vulnerabilities.

The areas in the solution that have room for improvement include the UI/UX design, which should be improved, and they should integrate more artificial intelligence into the product.

I have been using Qualys TotalCloud for around three years.

I would rate stability around eight out of ten.

For scalability, I would rate it nine out of ten.

Qualys TotalCloud requires maintenance, but it is managed by the Qualys team.

I would rate the technical support around eight out of ten.

Positive

The deployment was not easy, but with the help of the support team, we completed it.

It took about a week because we had many accounts we needed to migrate, and we needed to check the policies and define our policies. It took time because everything cannot go in one go, so we did it in a phase-wise manner.

It helps us because we have monthly meetings with our leadership team. These graphs help us give the return on investment of the product to the leadership team and also give us an overview of how this product is working, what the thresholds are, and how the configurations are working or not. This helps us determine that.

I would recommend Qualys TotalCloud to other users because it is cost-efficient and has a good return on investment. We can recommend it over other tools available in the market that are more costly.

I find the pricing of Qualys TotalCloud to be cost-efficient as of now. We evaluated three other tools that were more costly than this.

My comparison of Qualys with other vendors is based on the different features we tested. Based on the reports, we implemented the tools into our environment. We conducted proof of concept testing and checked that every tool provides the CSPM feature, the CWP feature, and the IaC feature. Qualys also provides those features. We tested those features with the default policies by running scans. We created some misconfigurations and checked whether they were detected by the tool. We conducted thorough POCs for each solution.

Qualys TotalCloud can be mentioned as a total cloud platform because it has the CWP model and CSPM model.

It has affected my security posture by integrating tools like Jira into that solution, which helps to generate tickets on the development team dashboard and the DevOps team's dashboard. This helps them remediate the findings. We also create weekly reports from the tool, and with the help of the DevOps team, we try to mitigate the risks which helps us manage our security posture.

Currently, there are around fifteen users who are using the solution. I would rate this solution an overall eight out of ten.

Our use case involves the assets that we have under cloud, the assets exposed to the internet, and the internal applications that we create for our organization purposes, where we perform application security testing.

Qualys TotalCloud is an excellent platform. The beauty of the platform is that we can get all the vulnerabilities. For example, if we test multiple IPs or multiple applications via Qualys TotalCloud, we can get all the reports in a single dashboard, and we can also see them segregated. Anybody can check that platform and easily learn about critical, high, and medium findings. They also provide remediation steps in a very appropriate manner.

The main part I love about Qualys TotalCloud is the continuous monitoring and providing legitimate insights. If our management allows, we will document our technical evaluation and provide it to the purchase team for costing. This decision will depend on how expensive the solution is.

Areas that need improvement in every solution include the remediation part. The remediation steps should be simple enough for everyone to understand. For example, if we find a critical or high vulnerability on an IP or server, the remediation steps should be communicated clearly so that different departments, such as marketing and sales, can remediate their servers using simple steps.

This evaluation is under POC and started about 15 to 20 days ago.

Regarding stability, I have tested a few servers, and I believe stability is good right now, so I rate it a nine.

For scalability, I would give it an eight.

Based on our evaluation, I would rate the support a nine.

There is a team of four to five members involved in this testing and evaluation.

Right now, we are using Tenable, specifically Tenable Nessus, as our VAPT tool, and we are seeking different options, which is why we have started the evaluation for Qualys TotalCloud.

You can review the Radware DDoS and Radware WAF. We are evaluating Qualys TotalCloud solution for our VAPT, which deals with vulnerability assessment and penetration testing. This evaluation is under POC and started about 15 to 20 days ago, focusing on our number of assets, servers, and IPs for the VAPT part, as well as the application security part.

It does not exactly provide unified vulnerability and threat assessment for SaaS. We are working under the guidelines of ISO 27001. We generally give the critical IPs and server names to test, and they provide us with the findings which we patch accordingly, as per the remediations.

I have not yet tried the TruRisk Insights feature, but I would love to get those insights.

In terms of detection, they are doing very well. I am more concerned about the detection feature because if anybody detects vulnerabilities effectively, that will benefit our organization. The findings they provide are legitimate vulnerabilities, and regarding prevention, that is on our side. They recommend steps for prevention on particular IPs, and we can only take actions after multiple approvals.

I consider Qualys TotalCloud a premium product, and I have no issues with that. If a product is premium, it typically offers better findings and opportunities. However, if the pricing is excessively high, we need to consider alternatives. A normal price or slightly more expensive is acceptable, but they should also provide good services.

I recommend this product because it supports both on-premises and cloud environments. The report format they provide after VAPT is very accessible, easy to learn, and beautifully presented. This is the best feature of the product. While I think Qualys TotalCloud is premium, I am concerned about the pricing details, particularly the cost per license.

I rate this product a nine overall.

We utilize all three major cloud platforms: Azure, GCP, and AWS, with over 500 subscriptions and accounts onboarded in the public cloud. To manage these, we employ TotalCloud to evaluate, compare, and monitor the security compliance posture of each cloud account, enabling us to rectify and mitigate any misconfigurations. We are currently exploring TotalCloud's advanced features, such as CWP, TruRisk Insight, and Cloud Detection and Response, and have successfully implemented FlexScan, which has yielded excellent results in securing our Internet-facing VMs and headsets.

We are using cloud-based network tools to improve our security posture, but it was initially difficult to gain a consolidated view of our security status. To address this, we implemented Qualys TotalCloud and integrated our subscriptions from Azure, AWS, and GCP. This provides a unified dashboard displaying the compliance posture of our entire cloud infrastructure, allowing us to prioritize tasks and identify areas for immediate improvement. The tool also details the technical steps required to enhance our security posture, which has significantly contributed to increasing our cloud compliance from 60 percent to 90 percent.

TotalCloud provides written explanations to guide remediation and eliminate cyber risks. While all cloud platforms offer security features, it's challenging to consolidate them into a single dashboard. Qualys TotalCloud effectively addresses this by consolidating multiple cloud platforms and subscriptions onto one dashboard. This allows users to quickly identify and mitigate misconfigurations and risks, simplifying security management.

Before implementing TotalCloud, our compliance rate was approximately 50 to 60 percent. However, after adopting the platform, it has increased to 80 to 90 percent. TotalCloud also helps us minimize attack surfaces by identifying root accounts and encryption issues, thereby enhancing our overall security by 40 percent.

TotalCloud offers a unified platform for assessing vulnerabilities and threats across both IaaS and PaaS environments. This unified view has improved our cloud security posture management.

We gain a single, prioritized view of risks through TotalCloud's TruRisk Insights feature. This feature considers not only the QDA score but also factors in cost and other relevant elements to provide a comprehensive risk assessment. From a potentially overwhelming list of findings, TruRisk Insights prioritizes the most critical risks, allowing us to focus our efforts and resources on addressing these high-priority tasks efficiently.

A single, prioritized view of risk streamlines the risk assessment process by eliminating the need to consolidate multiple sources. This comprehensive view is instrumental in communicating with other business customers who may be unaware of potential risks or misconfigurations within their resources. By identifying and informing them of these issues, we can guide them towards compliance and ensure a more secure environment.

TruRisk Insights provides valuable findings by identifying vulnerabilities and misconfigurations, displaying them on a dashboard, and offering deeper insights into the attack surface. It analyzes not only internet-facing devices but also those indirectly connected, providing a comprehensive understanding of potential risks. This is crucial because even devices not directly connected to the internet can be vulnerable if they have an attack surface. TruRisk Insights also offers mitigation strategies, making it a highly useful tool for managing security risks.

With the VMDR feature enabled and the Qualys Agent installed on various assets, we can identify existing vulnerabilities. TruRisk Insights then calculates risk scores, prioritizes tasks, and presents the number of findings. This allows us to focus on mitigating high-priority vulnerabilities while deferring those with lower priority, ultimately reducing overall risk.

TruRisk Insights provides device details, allowing for containerization of misconfigured devices. This process involves isolating problematic devices and rectifying misconfigurations, ultimately enhancing our security posture.

TotalCloud has been excellent in providing us with immediate access to all the products and features we need, such as CSPM, TruRisk Insights, and compliance reports, including CIS and HIPAA. This easy access to crucial information and tools has dramatically improved our efficiency and ability to meet various compliance standards.

Although TotalCloud is a helpful tool, some of its advanced features are still under development. For example, the Cloud Detection and Response feature is currently only fully functional for AWS, while support for GCP and Azure is still in progress. Additionally, while the detection component of CDR is robust, the automated response and remediation functionality is yet to be available.

I have been using TotalCloud for two years.

I would rate the stability of Qualys TotalCloud ten out of ten.

I would rate the scalability of Qualys TotalCloud ten out of ten. We have been able to increase accounts easily whenever needed.

Qualys' customer support is good, though occasional backend consultations can cause minor delays. Overall, the service is commendable.

Positive

Prior to adopting Qualys, we relied solely on native cloud security measures provided by Azure, AWS, and GCP, rather than employing any third-party solutions.

The initial deployment was straightforward due to my 17-year tenure in IT. Understanding security compliance facilitated the use and exploration of Qualys. While experts might encounter challenges, the product and backend teams have been highly supportive and accessible. Qualys has also been responsive within its SLAs.

We are constantly exploring new features and collaborating with Qualys to ensure we derive value. The finance team handles specifics on cost-effectiveness, but regular engagements with our TAM and product engineers suggest beneficial ROI.

Pricing is managed by our finance team; however, Qualys TotalCloud offers cost-effective licensing flexibility. Existing VMware licenses can be switched to cloud features, eliminating the need for new purchases, which distinguishes it from other products.

I would rate Qualys TotalCloud ten out of ten.

We are evaluating and implementing TotalCloud Detection and Response, a cutting-edge Cloud Detection and Response solution that utilizes AI and machine learning. This comprehensive product enhances our security posture and threat detection capabilities within the cloud environment.

We operate a SaaS platform with multiple locations, including an MSP involving 12 to 15 data centers globally. While we utilize sensors at our facilities, this won't hinder operations, as the geographically diverse data centers ensure easy management. We have 20 users of Qualys TotalCloud in our department.

Qualys maintains TotalCloud and provides notification of maintenance windows to minimize disruption during working hours.

Qualys TotalCloud significantly aided in maintaining and managing compliance scores, making it a highly recommended solution. The platform's exceptional accessibility, including comprehensive technical and TAM support, coupled with consistent availability and reachability, solidifies its value. Advocating for Qualys, I encourage others to utilize this robust platform.

We use Qualys TotalCloud to assess the security posture of our cloud-hosted environment. This tool allows us to access real-time data, categorize assets, prioritize critical vulnerabilities, and establish regular patching policies to mitigate our overall vulnerability risk.

We are eager to utilize Qualys TotalCloud to create a ticketing system integrated with our SecOps module, such as ServiceNow or a similar tool. This integration will enable automated ticket creation following assessments and vulnerability identification within our environments. The system should assign tickets to respective team members, prioritize fixes, and provide comprehensive dashboards for tracking progress and visualizing generated reports.

Qualys TotalCloud provides written explanations to help with remediation paths and eliminate cyber risk, significantly reducing our time spent on these tasks. It ensures that we can minimize manual efforts and prioritize security issues identified by the platform, allowing us to focus on critical areas and improve overall efficiency.

Qualys TotalCloud has significantly improved our organization by automating our reporting processes, reducing the time spent on report creation from two hours to less than fifteen to twenty minutes. It offers complete visibility of our cloud environment, which aids in prioritizing vulnerabilities and security risks effectively.

It provides unified vulnerability and threat assessments across both Infrastructure as a Service and Software as a Service, significantly improving our overall cloud security posture management. Compared to our previous Managed Cloud environment, even within this organization, we have made substantial progress. Previously, we relied on different tools with limited features for vulnerability posture management. However, with Qualys TotalCloud, we have implemented new policies and processes for remediation, resulting in a 70 to 90 percent improvement in our security standards.

Qualys TotalCloud offers a consolidated, prioritized view of risk across our chosen scope, allowing us to focus on specific vulnerabilities and security threats within a single dashboard. This streamlined approach eliminates the need to collate data from multiple sources, improving efficiency and providing comprehensive visibility into our cloud environment.

TruRisk Insights considers multiple factors, including Qualys detection score, asset scoring, risk, and CVSS scoring, to generate a comprehensive priority rating. Additionally, customization options allow for incorporating factors like internet exposure, public accessibility, or intranet presence, further refining the risk scoring and prioritization process.

Vulnerability identification is inconsistent, especially for assets with high vulnerability scores. This is influenced by the environment and project of the asset, and potential oversight during migration between versions. This may lead to a few individuals discovering significant vulnerabilities. However, Qualys' TruRisk Insights can identify the post-migration version of an asset, enabling us to determine the specific vulnerability and appropriate remediation actions, such as patching.

TruRisk Insights has significantly improved our security posture by automating our reporting process. Previously, creating reports required manually identifying assets, categorizing their environment, and calculating scores in Excel, which was time-consuming. Now, with TruRisk Insights, we can generate reports in less than 20 minutes by simply using the Qualys TotalCloud console to download the desired information. 

One of Qualys' best features is its categorization, which allows us to see the types of assets, their security postures, and the AI-powered version of the tool. The AI enhancements simplify vulnerability management by eliminating the need for SQL queries to create policies. Now, we can simply input our requirements, such as critical vulnerabilities in the production environment or specific operating systems, and the tool generates the results accordingly. Additionally, we can create custom dashboards to monitor specific areas of interest, like vulnerabilities affecting a particular OS, exposed ports, majorly targeted vulnerabilities, or the most exploited vulnerabilities in the environment.

Two areas for improvement in Qualys TotalCloud are the speed of the public cloud platform and vulnerability detection. While the public cloud platform is necessary due to the lack of a private cloud infrastructure, page load speeds could be faster. Additionally, vulnerability detection needs improvement, as it currently takes several days for new vulnerabilities to be added to the knowledge base, hindering prompt detection and remediation. Ideally, updates should be more immediate, enabling quicker implementation of solutions.

I have been using Qualys TotalCloud for two to three years.

The stability is excellent, with well-planned maintenance schedules communicated in advance by Qualys. This ensures business continuity and preparedness for any planned downtime.

I would rate the scalability of Qualys TotalCloud nine out of ten.

The Qualys customer support is exceptional.

Positive

The deployment was straightforward, taking less than a day.

The implementation involved four or five team members on our side. It's unclear how many were involved from the Qualys side.

Regarding return on investment, it is going well, although we are yet to complete year-end assessments. Qualys TotalCloud has saved us approximately 15 to 20 percent of our efforts.

Although Qualys TotalCloud is relatively expensive due to its unique automation features, its cost-effectiveness is rated an eight out of ten, with ten being the most costly.

We evaluated other solutions such as Rapid7 and Falcon CrowdStrike. However, Qualys provides more comprehensive features.

I would rate Qualys TotalCloud a nine out of ten.

We recommend and provide Qualys TotalCloud to our clients in various locations. We also utilize it internally across our global organization, spanning multiple countries in Asia, Europe, the US, and other regions. Therefore, Qualys TotalCloud is deployed globally. We have approximately 850 users with varying levels of access. Many have read-only access to view reports and the status of their environment. However, only a limited number of users have the necessary permissions to perform scans and make changes. The majority of users have read-only access.

Qualys TotalCloud, while generally reliable, occasionally requires maintenance and may experience downtime. Qualys performs its quarterly maintenance, but infrequent issues can arise, perhaps once or twice a year, causing crashes or slowdowns within the system. These rare instances may result in limited or delayed portal access, hindering report generation and dashboard viewing.

As a satisfied user, I recommend Qualys TotalCloud to other organizations or clients. I see myself as biased because I am a fan of the product and extensively use it.

We have experience with Veracode and other SCA solutions, but I'm not interested in participating in any campaign. Other than Snyk, we use Qualys for Vulnerability Management, specifically the VMDR solution. TrueRisk Management is not what we use; it's an extension to VMDR, but what we actually use is the main module of Qualys, which is Vulnerability Management, Detection, and Response.

We are not using TrueRisk at all because we have our own framework and we use Qualys Detection Score for everything. We do use Qualys TotalCloud for continuous monitoring. The main use case with Qualys TotalCloud is that VMDR provides a direct solution for on-prem systems and it offers a similar solution for cloud infrastructure including AWS, Azure, and GCP, along with an option to scan containers and other related resources.

The features I value about using Qualys include container scanning; they did give us some requested features, but maturity-wise, they are not there yet with respect to container scanning. The solution is maybe slightly expensive, but it's not as expensive as other tools such as Wiz. Generally, Qualys is very good at detections, whether on cloud or on-prem. The agent allows deployment on both infrastructures, providing continuous monitoring of your assets, which is a key selling point for us.

The features I value about using Qualys include container scanning; they provided us with some requested features, but maturity-wise, they are not there yet with respect to container scanning.

The solution is slightly expensive, but it's not as expensive as other tools such as Wiz. Generally, Qualys is very good at detections, whether on cloud or on-prem. The agent allows deployment on both infrastructures, providing continuous monitoring of your assets, which is a key selling point for us.

Detections get updated in Qualys with a unique identifier called QID. Whenever there's new information, such as a new CVE, Qualys processes that and generates a QID. Since our agents are installed across our infrastructure, they identify vulnerabilities based on the agent information, and any new detections also get updated to a manifest that runs every four hours, checking for new vulnerabilities.

The single prioritized view of risk helps reduce the work significantly; Qualys Detection Score not only considers the basic CVSS score but also factors in threat information and the exploitability factor, which helps us prioritize effectively. We also have another separate framework we developed that we use on top of this.

The downside is only in container security, but it has not been a long time since they introduced these models. Our use cases were edge use cases, so they had to develop some features for us, but they are indeed doing a good job.

I would rate their support a seven on a scale of one to ten. For working with the people from Qualys, I would say seven is an accurate rating.

Positive

Before switching to Qualys, we were doing everything completely manual, and we wanted a more automated solution, which prompted us to switch.

Our experience with the setup and deployment was quite good; Qualys was supportive, and we met with them twice a week while setting up the scanners and operations.

The setup was done by us while Qualys guided us, as they do not have access to our infrastructure for deployments.

Regarding pricing and setup cost, it was not the most expensive. While checking tools for container scanning, we considered Wiz and a startup, but we believe having one tool for as much as possible makes tracking and monitoring easier. We had Qualys agents installed everywhere, which facilitated the shift to container scanning.

Qualys TotalCloud does help guide remediation paths and eliminate cyber risks. I would rate this solution a seven overall.

I have approximately three to four years of experience working with Qualys TotalCloud.

I have been using Qualys TotalCloud while working with EY, Ernst & Young, where I utilize cloud tools for Qualys, employing two types of tools: one for policy and compliance, for security and compliance audits, and another for security audits such as vulnerability assessments and risk assessments. Based on that tool, it is very easy to go through the inventory and easily deploy the compliance policies as needed while also receiving comprehensive assessment scores.

I use Qualys TotalCloud primarily for compliance and cloud security, and I am also getting certified from Qualys in both compliance auditing and vulnerability management, making me a certified specialist for Qualys.

In Qualys TotalCloud, everything is in a single platform and as a unified CNAP application, it combines CSPM, CWPM, CIEMs, and workload securities with a lightweight agent that covers everything, including cloud resources, configuration, misconfigurations, and shadow assets, allowing us to work around AWS, Azure, and GCP platforms while generating compliance reports and providing end-users with easy access to dashboard audit reports and executive views.

To eliminate cyber risk, I think the best method in Qualys TotalCloud is correlating vulnerability exposure and configuration with identity instead of just CVs, making it the perfect option for use within Qualys TotalCloud. If someone were to ask me to review Qualys TotalCloud, I would summarize it as an end-to-end solution for cloud security with visibility and governance-grade controls without needing to manage multiple disconnected tools. In comparison to other tools such as Prisma, Wiz, and Defender, Qualys TotalCloud helps unify vulnerability and threat assessment in IaaS and SaaS environments because it has an intuitive web interface that is simple enough for anyone to learn with just a few hours of preliminary training, allowing users to easily deploy initial assets and policy configurations as needed while generating customized reports.

I have compared Qualys TotalCloud with other vendors such as Prisma, Wiz, and Defender, noting that despite some limitations in those other tools, Qualys TotalCloud performs exceptionally well across various compliance requirements, offering a simple interface for customizing reports while meeting auditors' needs with regulatory benchmarks, including CIS, NIST, ISO, and PCI.

Qualys TotalCloud provides a single unified dashboard for all types of reports, executive views, and dashboards, allowing you to easily access key summaries and recommendations.

I think Qualys TotalCloud needs to improve its handling of zero-day vulnerabilities and supply chain management because modern ransomware attacks not only target prime critical infrastructures but also the supply chain system. If Qualys TotalCloud can solely assess risks based on initially added assets, there may be vulnerabilities within supporting firms that go undetected.

For stability, I would rate Qualys TotalCloud a nine out of ten. While there may be occasional disruptions due to internet connectivity issues, the application supports both offline and online functionality, maintaining operability even under hybrid working conditions.

Qualys TotalCloud is highly scalable, rated at ten out of ten, facilitating easy scale-up or scale-down based on audit and compliance needs.

I rate the technical support from Qualys TotalCloud a perfect ten out of ten because whenever we log incidents, all service level agreements are met within half an hour, with prompt provision of root cause analyses by the support teams.

Positive

I have limited feedback on how Qualys TotalCloud helps my cloud security posture management, but it works well with misconfiguration detections and provides deep mapping with CIS, NIST, ISO frameworks, PCI compliance, and regulatory benchmarks.

In terms of pricing, compared with the top market leaders in Gartner's reports, I find Qualys TotalCloud to have a reasonable standard rate, which is not too hard to access. They have also introduced use case basis rates that allow auditors to purchase specific instances of the cloud service, leading to a flexible pay-per-usage model.

Overall, deploying Qualys TotalCloud across all cloud platforms is very easy.

We handle clients of all sizes, including direct work with government entities, and are currently deployed in various states within government and public sectors.

Vendor maintenance, such as patches for Qualys TotalCloud, is conducted promptly. I observe that if a zero-day vulnerability emerges, the vendor deploys patches as per market recommendations without significant delays.

While we do not work directly with Qualys in our organization, I utilize it during audit activities at client premises alongside various other tools such as Metasploit, Rapid7, and others that I prefer not to disclose. We can deploy Qualys TotalCloud where needed, particularly for presentation layers, while other tools handle deeper network layer security requirements.

I recommend Qualys TotalCloud, having written various articles on it. I suggest potential users align their use cases with its capabilities before deciding, as a proof of concept could be beneficial.

I have given this review an overall rating of eight out of ten.

I use Qualys TotalCloud for vulnerability as a service, vulnerability management as a service. I use it to check my devices to see if they're free from vulnerabilities, to send updates, and also as a form of inventory for the devices.

I can use Qualys TotalCloud to uninstall unwanted devices, which is great. I can also use the feature of seeing what my vulnerabilities are, a form of inventory, and knowing the criticals and the less criticals. Once you have your vulnerabilities fixed and your patches pushed out using Qualys TotalCloud, then you are able to eliminate threats and cyber risk. Qualys TotalCloud is also used to provide unified vulnerability and threat assessment across both IaaS and SaaS.

I sometimes have difficulty detecting or uninstalling certain versions of applications, which I have to do manually. More advanced features or AI could improve this process. A single prioritized view of risk is also lacking, which could enhance decision-making. Additionally, it could use improvements to perform actions without requiring manual intervention.

I have been using Qualys TotalCloud for one year now.

It is stable. I have not had any issues with it.

I rate the documentation they provide or the knowledge base between five to seven.

Negative

I have done POC with Okta and CrowdStrike. Qualys TotalCloud focuses on vulnerability management and security features. Okta focuses more on identities and IAMs. CrowdStrike is more of intrusion detection and assessment.

The application was quite easy to deploy in over 3,000 applications using Qualys TotalCloud.

It's just me using Qualys TotalCloud. The users don't really have anything to do with it. I do all the admin side from my end.

The return on investment I've seen in the past year with Qualys TotalCloud is quite significant, around 10% to 20%.

Qualys TotalCloud's pricing is fair. It is not expensive and is affordable.

Cloud security posture changes with time when using Qualys TotalCloud. It depends on how early you detect threats and fix them. Qualys TotalCloud doesn't provide a single prioritized view of risk. The product does what it says it's going to do, so I recommend it. I rate Qualys TotalCloud six out of ten.

Qualys TotalCloud provides container security, vulnerability management, posture management, and more.

Qualys TotalCloud saves about a third of resources. Qualys TotalCloud provides written explanations to guide remediation paths and eliminate cyber risk, and I appreciate the written explanation and the visualization of attack paths.

Qualys TotalCloud provides unified vulnerability and threat assessment for IaaS and SaaS. Qualys TotalCloud provides a single prioritized view of risk, which helps reduce my workload by not having to combine multiple sources.

In my opinion, what can be improved in Qualys TotalCloud includes pricing and container scanning.

I started working with Qualys TotalCloud approximately one year ago.

I assess Qualys TotalCloud as stable, and I would rate it an 8, with 10 being the best.

I would rate Qualys TotalCloud a 7 for scalability on a scale from 1 to 10.

I would rate the technical support for Qualys TotalCloud about a 7 on a scale from 1 to 10.

Positive

It is easy to deploy Qualys TotalCloud.

Qualys TotalCloud is on the pricier side, and I would rate the pricing around an 8 on a scale from 1 to 10.

I compare Qualys TotalCloud with other solutions and other vendors as a good contender, though I acknowledge there are differences. In comparison with other vendors, including Microsoft, Qualys TotalCloud holds its own but presents distinct features.

I do use the TruRisk Insight feature with Qualys TotalCloud. I assess the comprehensiveness and the range of risks found with TruRisk Insights as adequate.

The TruRisk Insights feature has found a small number of assets with high vulnerability scores. The effect of TruRisk Insights on security posture is significant, as it provides better awareness and focus on critical risks.

I would recommend this product to other users, and my advice would include doing a proof of concept to see if it fits their needs. I would rate this product an 8 overall.