SubhajitAich - PeerSpot reviewer
Security Consultant at Cognizant
Real User
User-friendly, good scanning analysis and reporting, and offers real-time vulnerability monitoring
Pros and Cons
  • "The interface is user-friendly and easy to understand."
  • "The scanner reports a lot of false positives, which is something that needs to be improved."

What is our primary use case?

We primarily use this solution for VM scanning. We scan more than a thousand applications.

What is most valuable?

The most valuable features are scanning analysis and reporting.

This solution also provides real-time monitoring.

The interface is user-friendly and easy to understand.

What needs improvement?

The reporting needs to be improved because there are a lot of search parameters, and at the end of the day, the reports are so large that it is very difficult for us to go through each and every point to analyze the vulnerabilities.

The scanner reports a lot of false positives, which is something that needs to be improved.

For how long have I used the solution?

We have been using Qualys for almost a year.

Buyer's Guide
Qualys Web Application Scanning
September 2025
Learn what your peers think about Qualys Web Application Scanning. Get advice and tips from experienced pros sharing their opinions. Updated: September 2025.
868,759 professionals have used our research since 2012.

What do I think about the stability of the solution?

The stability is good.

What do I think about the scalability of the solution?

In terms of scalability, Qualys is good.

How are customer service and support?

I have not dealt with technical support yet because there are other people dealing with issues that arise. My understanding is that technical support is good.

Which solution did I use previously and why did I switch?

I have also used the Nexus Vulnerability Scanner and it reports fewer false positives.

How was the initial setup?

This solution was implemented before I joined the department.

What's my experience with pricing, setup cost, and licensing?

There are different options available with respect to licensing.

What other advice do I have?

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner.
PeerSpot user
reviewer1254240 - PeerSpot reviewer
CEO at a tech services company with 51-200 employees
Real User
Has comprehensive SSL security measurements but the price should be lowered
Pros and Cons
  • "The simplicity of exporting reports and the simplicity and clarity of the reports included with the product are good."
  • "The pricing does not seem to be competitive."

What is our primary use case?

For some projects, we will need to use this on-premises. It depends on the confidentiality of our project. For other projects, we will also be deploying on the cloud or maybe a hybrid solution as well.  

We are looking forward to having a relationship as a partner with this company and maybe one or two others. We are not just a customer. We have a bunch of freelancers that we are working with in three different companies in Slovenia, Australia, and other countries. We are looking for solutions to make our testing and security checks more affordable.  

What is most valuable?

I am not the person who is actually directly testing this. One of the other people from our team is doing that. But I was involved in the selection of what products we should compare based on available features, demos, and how products appear to meet our needs. What I remember from my experience with Qualys is that the simplicity of exporting reports and the simplicity and clarity of the reports included with the product are good. The website was also well-designed and easy to navigate. The SSL security measurements that the product offers seem comprehensive. But I cannot say, at this preliminary phase, that I specifically think this or that from Qualys is the most valuable. It is intriguing enough to make our shortlist and POC efforts.

What needs improvement?

Knowing we are in an early phase of discovery and comparison, it is impossible to know exactly what features may need improvement. Some seem to be interesting, on the other hand. The only thing that is in need of improvement from my perspective at this point is pricing in comparison to other, similar products.   

For how long have I used the solution?

We are in the process of analyzing several products over several months in this category for comparison and proof of concept.  

How are customer service and technical support?

We have not yet had to contact technical support for any reason.  

How was the initial setup?

I don't have information at this moment because we are in the process of discovery and we have not fully deployed. We do have a test deployment running.  

What's my experience with pricing, setup cost, and licensing?

The pricing of Qualys is quite expensive in comparison with the other products in this category that are offering pretty much the same thing. Pricing is one area of the product that can be improved. At this stage of our discovery, we only know the initial cost is high.  

Which other solutions did I evaluate?

We were testing a lot of products. We were looking for a good product for our needs and for the needs of our customers to scan vulnerabilities. Qualys was one of the products we chose to do further testing with. The testing with data is still continuing and is a process. As we are in the process of discovery now, we cannot exactly qualify our experience with the product.  

What other advice do I have?

On a scale from one to ten where one is the worst and ten is the best, I would rate Qualys as a seven at this point. It is difficult to rate Qualys — or even products from other companies — as better than this because we are hearing the same thing from all the product manufacturers before we went into testing. But based on the references from other users about Qualys, our current level of experience, the pricing as we know it and the services that are offered for free, Qualys is a seven.

What we have mostly found at this point is that you can't just install a free trial version of a product and get a complete impression immediately. With some products like Qualys or others in the category, the pricing may not be completely right because there are hidden costs. It could be one solution is not quick to deploy and that seems to make it difficult but in actual use, it is easier than everything else. Some products will be easy to set up and after 10 days of trying to work with it, I might be disappointed because of what I committed to.  

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user1015101 - PeerSpot reviewer
Lead Security Architect at a financial services firm with 501-1,000 employees
Real User
Puts our services in compliance and minimizes our risk for exposure
Pros and Cons
  • "With our vulnerabilities under control, it's putting our services in compliance and minimizing our risk for exposure."
  • "The solution needs to adjust its pricing. They should make it more affordable."

How has it helped my organization?

With our vulnerabilities under control, it puts our services in compliance and minimizes our risk for exposure.

What is most valuable?

The vulnerability scanning and patching features are the most valuable parts of the solution.

What needs improvement?

The solution needs to adjust its pricing. They should make it more affordable.

For how long have I used the solution?

I've been using the solution for over five years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The cloud service makes the solution very scalable. We have about ten users right now; however, we don't intend to increase usage at this time.

How are customer service and technical support?

Technical support is excellent. I would rate it ten out of ten.

Which solution did I use previously and why did I switch?

We've never used a different solution.

How was the initial setup?

The initial setup was straightforward. Deployment took about two weeks.

What about the implementation team?

Our internal team handled the implementation.

Which other solutions did I evaluate?

We did not evaluate other options before choosing Qualys.

What other advice do I have?

We are using the cloud deployment model.

I would recommend other users to use Qualys Application Scanning for application security. If you're serious about security you need a service or a solution that does continuous scanning of your application and infrastructure. There are always vulnerabilities being introduced.

I would rate the solution eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Consultab6ea - PeerSpot reviewer
Consultant at a tech services company with 1,001-5,000 employees
Real User
Enables us to identify vulnerability levels and to enforce security credentials
Pros and Cons
  • "The most valuable feature is that we are able to scan the services and put credentials like a user ID password. We can verify the vulnerability level."
  • "It should have better automatic reporting."

What is our primary use case?

My primary use case of this solution is to audit the security level of my customer's internet. We offer this as a service.

What is most valuable?

The most valuable feature is that we are able to scan the services and put credentials like a user ID password. We can verify the vulnerability level. 

What needs improvement?

They should improve the performance of the security scanning. It should have better performance. 

For how long have I used the solution?

I have been using Qualys for fifteen years.

What do I think about the stability of the solution?

The stability is very good. 

What do I think about the scalability of the solution?

The scalability is very good. It is very easy to expand this solution. We scan on an IP address basis. We have credit for 250 IP addresses, and we are free to use it in our user environment, or on the cloud. 

We have around twenty users using this solution. 

How are customer service and technical support?

Their technical support is good. We don't use them frequently because we offer that service. 

Which solution did I use previously and why did I switch?

I also checked Rapid7 for internal scanning. I picked Qualys for a specific use. It's a SaaS service. We use it to audit the security level of my customer's internet. 

How was the initial setup?

The initial setup is straightforward. A deployment that we did last week took four hours in order to launch it. 

What about the implementation team?

I am an integrator. I work for an integration company. I do the deployments. 

What's my experience with pricing, setup cost, and licensing?

Our licensing costs are on a yearly basis. We buy a group of IP addresses we can scan on a yearly basis. 

What other advice do I have?

I would advise someone considering this product to find a solution that is easy to use. We use this solution because we need to.

I would rate it an eight out of ten. Not a ten because the reporting needs improvement. It should have better automatic reporting. 

Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller.
PeerSpot user
Daniel_Ndiba - PeerSpot reviewer
Assistant Manager - Cyber & Cloud Security at a financial services firm with 1,001-5,000 employees
Real User
It combines both web application vulnerability management and internal vulnerability management on one platform and dashboard
Pros and Cons
  • "It combines both web application vulnerability management and internal vulnerability management on one platform and dashboard. Usually, you have to purchase separate tools."
  • "The area of false positives could be improved. There are quite a number of false positives as compared to other solutions. They could probably fine tune the algorithm to be able to reduce the number of false positives being detected."

What is our primary use case?

The demo was mainly centered around vulnerability management. We were looking to find a tool which is able to do vulnerability management for internal assets and web applications which face the Internet and are exposed on it. We want a platform which can do vulnerability assessment for internal assets and also for assets which are published on the internet.

I did this demo for three to six months.

How has it helped my organization?

It gave us an idea of what lay in our network, and the vulnerabilities in it. Most IT admins are not aware of what is happening on the network. It was able to advise them of what's happening on the network. They could see the web-based applications and where attacks on the outside were coming from.

On the dashboard, you can see vulnerabilities that you have, as they are increasing or reducing over periods of time.

What is most valuable?

It combines both web application vulnerability management and internal vulnerability management on one platform and dashboard. Usually, you have to purchase separate tools.

What needs improvement?

The area of false positives could be improved. There are quite a number of false positives as compared to other solutions. They could probably fine tune the algorithm to be able to reduce the number of false positives being detected.

Going forward, I would like it to scan for given vulnerabilities and add-ons, then confirm whether it is an actual threat or not without the false positives.

For how long have I used the solution?

Trial/evaluations only.

What do I think about the stability of the solution?

It is a stable product, once it is implemented. 

We haven't had any major errors or bugs. It runs quite well.

What do I think about the scalability of the solution?

The plans can be installed internally on the infrastructure or be used with a cloud-based scenario. If you have a cloud structure, the scalability is almost unlimited because it all depends on the number of assets that you want to manage. This can be done without any major configuration changes. In terms of scalability, Qualys has handled it quite well.

How is customer service and technical support?

Technical support was quite responsive and effective. If engaged on email, they got back to us on time. 

How was the initial setup?

When setting up the solution, it was quite a challenge when trying to set up the internal VM. The guides were not able to give all the scenarios one might encounter when installing the product. At some point, we became stuck, not knowing what to do next.

Work closely with your network administrator. The challenge for us was when trying to connect the virtual machine to the cloud on Qualys, ensuring the firewall policy and rules are in line with the communication passing through without being dropped anywhere. 

What about the implementation team?

Support was helpful during implementation. They also referred us to a third-party vendor who we could work with as a partner. 

What's my experience with pricing, setup cost, and licensing?

Licensing was based on the number of assets that you want to scan on your network. You can also do licensing on subscription. On subscription, it is easier and more flexible. You tell Qualys that you want to move from the 1000 to 2000 band or the 3000 or 5000 band, then they will give you the quotation for it. Once you pay for it, applying the licensing is quite easy and effective.

Pricing was reasonable and competitive. It was not too far above the other products.

Which other solutions did I evaluate?

We have been evaluating the following: Rapid7, Tenable.io, Tenable SecurityCenter, and Acunetix for web applications. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Reviewer32192 - PeerSpot reviewer
Delivery Manager at a tech vendor with 1,001-5,000 employees
Vendor
We can do scanning and submit reports straight to customers when there are new vulnerabilities
Pros and Cons
  • "We can do scanning and submit reports straight to the customers when there are new vulnerabilities, then tell them whether they are affected or not."
  • "In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are benchmarked against it, this will be helpful for us."

What is our primary use case?

We use it for external connection testing whenever we have a customer who utilizes post scanning tools for their main message. From the scanner's perspective, we use the scanner results to do manual testing.

How has it helped my organization?

We are looking for automation in our scanning activities or projects, because manual won't work. So, automation is required for us. As a result, using the Qualys scanner result is helpful for us.

What is most valuable?

We are using scanners and the PCI model. We do PCI scanning because we are a PCI vendor. We are using the tool to do the scanning on whatever the latest vulnerabilities there are, and Qualys is always providing us updates. We can do scanning and submit reports straight to the customers when there are new vulnerabilities, then tell them whether they are affected or not.

What needs improvement?

In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are benchmarked against it, this will be helpful for us.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

It has been stable.

What do I think about the scalability of the solution?

It is good and scalable.

How are customer service and technical support?

Technical support is responsive.

Which solution did I use previously and why did I switch?

We were and still are using webMethods Professional. We use both in tandem to do manual testing. That is our process of doing things.

How was the initial setup?

We use the cloud instances for our setups. We have one setup, and it is on the cloud, so it is not complex. Actually, we don't have to do any set up. 

We have applications located in our different offices, and so far their setup has not been a challenge.

What's my experience with pricing, setup cost, and licensing?

Qualys has an IT-based licensing based on a yearly license, which is a good way of handling it. However, in some cases, when we do the PCI scanning, the host will not like the scanning and we lose the IT license. So, this could be improved.

What other advice do I have?

It is very much stable. If you have a good amount of calendar-based activities, it is good for defining frequency. You can define the calendar internally, then you can do your scanning. Though, it has some triaging features which should finally be fixed.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
CybSec9734 - PeerSpot reviewer
Cyber Security Consultant at a tech services company with 10,001+ employees
Consultant
The way results are presented makes remediation easy, but GUI is a little complex
Pros and Cons
  • "Key features include: Cloud-based, so the installation is not so tedious. Easily deployed. Highly scalable. Comprehensive reporting."
  • "You can integrate your Burp Suite results and create an integrated report. Also, the way it shows the results - threats and exploit details - makes remediation very easy."
  • "The GUI could be a little less complicated as it opens a lot of new windows for creating search lists, templates, reports, or for scanning purposes."

What is our primary use case?

We have a lot of applications in our environment that we need to scan frequently. We have a lot of tutorial sites, e-learning sites, and other related websites which we have to build, maintain, and scan continuously for security purposes.

How has it helped my organization?

It definitely helps us with the remediation process as we can create different reports, whatever is required at the time. 

What is most valuable?

  • It's cloud-based so the installation is not so tedious.
  • Easily deployed.
  • Highly scalable.
  • Comprehensive reporting.

Also, you can integrate your Burp Suite results and create an integrated report. 

The way it shows the results - threats and exploit details - makes remediation very easy.

We have seen very few false positives. We found the documentation very useful, particularly the roll-out guide. While the tool is not hard to use, by dividing the documentation into sections, the company provided specific guidance on use cases that are not necessarily limited to the tool itself.

What needs improvement?

The GUI could be a little less complicated as it opens a lot of new windows for creating search lists, templates, reports, or for scanning purposes. 

Also, occasionally it can't even authenticate to basic web forms.

For how long have I used the solution?

One to three years.

How is customer service and technical support?

Qualys offers one excellent support, which includes 24/7 phone and mail support, as well as access to its online user community.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user563475 - PeerSpot reviewer
Deputy Manager at a tech services company with 10,001+ employees
Real User
Network scanner has good reporting and coverage, but it needs manual pen testing

What is our primary use case?

Cloud hosted application, and was also accessible through mobile app.

How has it helped my organization?

Dynamic features for pen testing automation, with manual.

What is most valuable?

Network scanner has good reporting, coverage was also good. In Web scanner, dashboard was good but features were limited.

What needs improvement?

Please add manual penetration testing features. 

Also, I didn't like the license terms, and the features were limited compared to other tools used for web applications.

For how long have I used the solution?

Trial/evaluations only.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user