Qualys VMDR Reviews

Qualys VM is used for vulnerability scanning.

It's really beneficial for scanning and interacting with the agent. 

The disadvantage of working with Qualys is that the graphical interface is quite outdated.

If you want to choose a scan result, or maybe configure an IP range or something similar, it opens up a lot of processes, or steps, which is somewhat bothersome. Because it opens several phases, it is not a single-window program. 

We are testing it, as well as Rapid 7 InsightVM.

We have been testing Qualys VM for approximately five weeks.

Qualys VM is a stable solution.

Qualys VM is a scalable product.

It works with ten assets. It works with 100 assets. It has worked with 3,000 assets. It's quite scalable.

In our organization, we have two dedicated people, and five others are only dedicated to gaining insights. 

It actually depends on how you remediate all of the vulnerabilities in Qualys since you can also set up it such that product owners, that is, the owners of the apps that are deployed on all systems, can access reports and everything. But that's not how we do things.

The security and infrastructure departments are using this solution in our organization.

We have a dedicated Qualys team of two persons assisting us with the implementation.

We are currently doing a proof of concept with both Qualys VM and Rapid 7 InsightVM.

Qualys is a fully SaaS solution.

It is dependent on the configuration. When you work with the agent, you are primarily concerned with deploying the agents to all assets. However, if you want to scan based on IP, you'll run into some problems.

If you wish to scan on an IP basis, for example, you should deploy a virtual appliance. You may set up several appliances for different domains. Otherwise, you must have your network rules properly configured so that the appliance can reach every asset.

It's relatively simple to set up the basics, but if you want to scan, it really depends on how many networks and domains you have.

In a couple of weeks, you can set it up.

It's very expensive, especially if you want to use multiple modules of Qualys.

I think mainly decide how you want to scan: based on IP or based on an agent.

Then work with the interface and then explore how it works.

I would rate Qualys VM an eight out of ten.

We do vulnerability management mostly with the agents and sometimes with the scanner.

We use it to install for around 20 or 30 clients right now so that we can remotely monitor their vulnerability status and help them improve their patch management processes. When certain critical things come up, we help clients with the Log4J, identifying where they need to remediate some of the super trendy critical things that come out and identifying end-of-life operating systems and software that need to be updated.

The reporting functionality is great. The most prominent feature that made us move from Nessus Professional was the scanner-based scanning to the Qualys agent-based scanning to move to work from home and remote.

If somebody's not connected to the network, you're not going to catch them with an appliance-based scan. However, if you have the agent on, as long as they're on the network, they're constantly checking in and constantly scanning.

It's more accurate and effective to get a picture of what the vulnerabilities are in a more distributed workforce.

The reporting capabilities that are available in Qualys are a work in progress. I know they're still evolving, and it's not always perfect. However, we only have so much flexibility to pinpoint a specific thing that we want to follow or monitor across all of our clients. We can set it up in a dashboard or report and do it quickly.

They're still evolving their platform in terms of reporting capabilities. Every time they make a change, it's not always super smooth, and it's a little quirky with bugs sometimes. That said, they've been really responsive at helping resolve issues that we find. We've got a pretty close relationship with them and our account managers there. We’re working on it.

We've been using it as a service provider for about a year or so.

The solution can sometimes be buggy.

The agent itself is stable. The reporting platform seems to go through quite a bit of change that they're trying to make it more robust and developing more things, and so we'll make customizations, and they make it update, and the customizations wipe out. I wouldn't say the reporting platform is super stable at the moment. However, it more than meets our needs far beyond what we had with Nessus Professional. The ability to monitor has been stable.

It's incredibly scalable. We've got it across 20 or 30 clients, and so we're pretty happy with how scalable it is from that aspect of a multi-client platform as an MSTP of that type of service.

However, the reporting doesn't seem to be as scalable. The more clients we add to it, the slower it runs with the reporting and dashboards.

Most of our clients are small and medium-sized businesses, so each of those clients has maybe anywhere from 30 to 1,000 agents.

We do plan to increase usage. We're only a year in. We touch a couple of hundred clients a year, so we're just learning the capabilities of it and growing with Qualys as we go. We're definitely all in with Qualys at this point.

I maybe had one meeting trying to understand how to build the dashboards, however, my colleague is the one that was selected to handle the solution and works closely with technical support. From what I heard, they've been great.

We previously used Nessus Professional. We switched when we could no longer go use our paid scanner on a client environment due to COVID and not actually going to client offices and nobody being there. Therefore, at that time, it wouldn't have been an effective vulnerability scan, and we had to look at other options. While one of our larger clients does have Nessus iOS through the city government, and it's a great tool, the pricing model was just cost prohibitive for our users across so many clients, and so that's why we were looking at other tools.

It's straightforward as long as the clients have any technical know-how or central management of their devices.

The agents update themselves. There isn’t maintenance necessary once it is deployed.

I’m not clear on the pricing. We don't use it as an in-house tool, and we use it more as a managed service provider. We provide information security consulting services for many companies. When they don't have vulnerability management, we'll offer to support Qualys for them. We've got the MSP platform, and so it's not the typical pricing structure or platform. Therefore, I can’t speak to the exact pricing or typical licensing.

We pay for the Qualys platform, and we will maintain the vulnerability management for our clients until they get their own vulnerability management solution.

I’d recommend the solution to others.

In a world of the hybrid workforce and work from home, if you're looking for a more effective vulnerability management tool, you have to go to the agent-based vulnerability management tools that are out there, and we've been extremely happy with Qualys. We were also delighted with Nessus in terms of their ability to identify things. However, an agent-based scanner is above an appliance base for known devices. Ideally, you have both of them together so you can scan your network for devices that might have an agent on it. However, for known devices, we definitely have been switching and really appreciate the switch to agent-based in Qualys.

I’d rate the solution eight out of ten. The only downside is that reporting can be slow, knowing that we're dealing with trying to load dashboards with 20,000 to 30,000 agents.

Qualys has a continuous endpoint monitoring feature for agent-based scanning. Once you deploy the solution, it monitors everything that is happening every 30 minutes. Then, if there are any vulnerabilities, they are reported. Plus, the dashboards are amazing. There are so many dashboards and things in the console that you can explore, which I think other solutions, Tenable.io for example, are still working on. 

They have everything covered as far as features are concerned, but Qualys should improve their customer experience. They need to improve the tech support experience and the turnaround time. 

I've been working with this solution for one to two years.

This solution is definitely stable.

The solution is scalable. 

I am not happy with the technical support because I had a very bad experience with them. On a scale of one to five, I would give Qualys tech support a two.

Neutral

There were a few challenges. I had an integration issue with Qualys where they had to enable the data privacy from the back end because I couldn't integrate it with the SIEM.

The ROI is definitely good for this solution. 

Qualys is a pay-as-you-go model, so there's flexibility to the pricing. 

Everything is well-documented by Qualys. Their white paper is published and they have much visibility across the globe and on different platforms. If you look into their educational YouTube channel, you get a lot of information. There are a lot of seminars and talks on Qualys VMDR features.

The advantage with Qualys is that you get a lot of features because it has been a market leader for quite a long time. The solution has an agent-based approach and I think it is highly evolved when compared to Tenable, for example. However, Qualys is a bit highly priced so if you're looking strictly at pricing, I think you will get a better value with Tenable. 

I would rate this solution as a nine out of ten.

We use the solution for vulnerability management. It helps us identify potentially vulnerable assets. Thus, we can prioritize patching based on a risk score.

The solution is easy to use and has many essential features. I found the concept of tags the most valuable feature. It allows us to build assets from different views. We can categorize systems with tags, either automatically or manually.

The solution's cloud agent is available only for limited operating systems such as Windows and Linux. They should make it accessible for more systems like FreeBSD. Also, it would be helpful if they made it available for Cisco or Juniper routers. Additionally, its price and support could be better as well.

We have been using the solution for six years.

The solution is stable. However, it takes time to generate reports.

We have ten solution users in our organization.

The solution's technical support team replies with generic answers. The quality of the response could be better.

Neutral

The solution's initial setup process was straightforward. We just followed the documentation.

The solution is costly.

I recommend the solution to others and rate it as a eight.

We use the solution for vulnerability and policy scan. 

The product has helped us understand cybersecurity controls. 

I am impressed with the VMDR feature. 

The tool needs to improve the adding assets and report generation features. I would like to see the policy scan of offline appliances in the product's future releases. 

I have been using the product for three years. 

I would rate the product's stability a nine out of ten. 

I would rate the tool's scalability an eight out of ten. My company has 10 IT specialists using the product. 

The product's support is not very helpful. They suggest things that we already know. 

Neutral

I would rate the product's setup an eight out of ten. The tool's deployment took one to two days to complete. 

We deployed the solution in-house. 

The tool's pricing is expensive and I would rate the pricing a seven out of ten. 

I would rate the product an eight out of ten. You need to complete the training before using the product. 

This is a virtual scanner appliance. We have both physical and virtual options. 

I'm still in training and getting the hang of the solution. I do not know what features the company uses the most. They generally use it to scan all the AWS workloads and Azure workloads.

We generally analyze everything at the OS level and application level, including the open ports, the OS, and older versions, including the packaged versions. We generate the scan, and then we generate the report, and then we will issue it to the application teams to clear off those. 

We have Java remediation happening, and if Java has, for example, multiple versions and when I run the scan, it is going to identify all Java versions that are really vulnerable so you can fix them. Therefore, it helps keep things secure and up-to-date. 

The reporting is good. We give reports to the application teams and we will ask them to either fix or remove applications. Once that is done, then we will read the scan, and if it comes back that we don't have any critical, we are assured of good safety. 

The solution shows us classic categories, including high, medium, and low risks. It also shows critical items, and that gives us the advantage of prioritizing things. 

It's very clear on what components need to be fixed. 

The initial setup is straightforward. 

It's stable.

Technical support is helpful. 

I can't speak to disadvantages since I am in training and still learning and have yet to run a scan. 

It would be nice to have an all-in-one solution that was automated and could handle the scanning and reports as well as the patching and updating. 

I am pretty new to this organization. However, the organization has been dealing with the solution for almost four or five years now.

The stability has been good. The company has been using it for a while and hasn't had issues. I use dit in a previous company as well and never hear of any problems. 

It's easy to scale. 

Technical support is good. We always get a quick response. 

The setup process is simple. It's not overly complex. 

I don't have any details about the licensing process. 

We're implementors. 

When it comes to security, my only advice is based on my experience. They always say to use multiple products due to the fact that, even if the vulnerability is missed in one product, it'll be identified in the other product so that you are safe. 

However, when it comes to implementation, if you have multiple products, pipelining is a big problem. For example, if I use the Qualys scanner, and then it gives me all the vulnerabilities: how do I fix it? Either I have to fix it manually, or I have to fix it automatically. 

I'd like to use one product, and, for example, use a vulnerability scanner from Qualys and have patch management as well. While the solution is still maturing, I like the tight integration and I like that the scanner can identify items and patch management can fix them. It simplifies things, instead of having to deal with multiple products and then maybe having to manually fix items on top of that. 

I'd rate the solution nine out of ten.

Qualys has many products. However, the prominent one is for scanning the vulnerabilities on endpoints, including servers and desktops. The other can be for using multiple other products, like taking the certificate, inventory, and software inventory of endpoints through scanning. 

Additionally, we use the solution for web application scanning. When they have web applications, they can scan applications for various vulnerabilities and give recommendations.

Almost all of the features are great. We use Qualys for vulnerability scanning of servers and web application scanning. These are the two prominent features that we often use.

The initial setup is very straightforward. 

It's stable and quite reliable.

The product can scale. 

Technical support is helpful, and the product provides a good amount of training. 

Qualys has evolved a lot. It is one of the services that has evolved a lot, and we do recommend Qualys to the specs tent. 

However, their products are very modular, so for customers, they need to provide some roadmap on how the customer can utilize their products. For example, starting with vulnerability scanning, they need to show how they can extend their products for multiple other use cases. They need to do a better job of educating customer more.

There needs to be better documentation. 

Maybe their price scheduler could be made simpler.

It's expensive.

We've been using Qualys for a long time. I've used it for more than five years.

It is stable. It is reliable. The solution doesn't have any bugs or glitches, and it doesn't crash or freeze.

It's scalable. It's easy to expand. 

Many people use the solution. There are likely more than 10,000 users.

The usage is based on the business requirements. It all depends on the service offering.

They do offer a lot of support in the form of training for users. They also offer labs. The technical teams are reachable. Technical support is quite good with them.

Positive

This is an easy product to set up. It's not very complex to implement.

The deployment was very fast. We could do it in about a week's time. It can be done very quickly. There are just some configurations on the cloud, and you can handle the agent deployment using some deployment tools. 

We pay an annual licensing fee. 

Prices do vary. If it is for a standard solution, they are the best. If a company goes for some advanced solutions, like web scanning, it does become pricey. However, the basic solution is good. It's just the advanced solutions that drive up the price.

I am a consultant. 

I'd recommend the solution to others. 

I would rate the product ten out of ten.

We use this solution to manage compliance and to verify the gap between the policy defined by the company and the ones that are implemented in the system. We also use Qualys for vulnerability management of assets in the cloud or on-prem. 

The most valuable feature is the ability to run different capabilities with the same agent. With only one agent, we can have EDR, vulnerability management, compliance and some basic SaaS security capabilities.

This solution could be improved by extending the agent capabilities to different operating systems including Mac and Linux. We would also like the capability to easily check for vulnerability in assets in the IOTs. 

They have been adding additional features such as attack surface monitoring and intelligence to help managers detect additional risks. Adding intelligence is one of the most important features that we need.

We have been using this solution for two years. 

This is a stable solution. 

For a company with over 100,000 assets, there are challenges with scalability. 

We haven't often needed support from Qualys but when we have needed it, they have been quick to respond and resolve our issues. 

Positive

If we compare Qualys VM to other vulnerability management solutions like Tenable, Qualys is only for agents. Their on-prem capabilities are pretty limited so it is very easy to manage assets that are cloud connected, but if they are not cloud connected, it is challenging. Tenable is better at managing non-cloud connected agents.

The initial setup is straightforward. After the cloud tenant is available and the agents are installed, the first scans can be done in one to two days.

There is maintenance required for the agents but it is completely controlled by the cloud and is done automatically. There is a necessity for human intervention when there is a new agent or new feature that must be tested before it is implemented.

We implemented the solution in-house. 

Return of investment is difficult to assess because it's a tool that helps to reduce risks but doesn't have a direct feature on ROI.

It is a high cost product. Compared to the other solutions, it is around 15 to 20% higher in cost. Qualys VMDR has multiple features in addition to vulnerability management and there is an additional cost for these features. 

The initial setup is not straightforward and it's important to have the agent connectivity linked to the cloud and available all the time.

If you have assets that are not connected to the cloud, you will need help from a service provider or integrator because the introduction of passive scanning is not straightforward.

I would rate this solution a seven out of ten.