Module Lead with 1,001-5,000 employees
It reports fewer false positives than other tools. The tool should have a live HTTP editor and more mature APIs.
What is most valuable?
There is nothing out of the box in the Qualys web application scanning module. One good thing is that it reports fewer false positives.
How has it helped my organization?
We use many other products along with Qualys. In a way, Qualys dashboards are good to keep track of vulnerabilities found asset-wise.
What needs improvement?
The tool should have a live HTTP editor and more configuration options for some situations, such as handling applications that have URL rewriting enabled.
The tool should have more mature APIs for integration and automation. They should provide more flexible APIs to download reports.
For how long have I used the solution?
I have been using it for almost four years now.
Buyer's Guide
Qualys Web Application Scanning
March 2025

Learn what your peers think about Qualys Web Application Scanning. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
857,028 professionals have used our research since 2012.
What do I think about the stability of the solution?
Qualys is good, stability-wise.
What do I think about the scalability of the solution?
Qualys is perfect, scalability-wise.
How are customer service and support?
On a scale of 1-5 with 5 being the highest, I would rate technical support at 3.
Which solution did I use previously and why did I switch?
I have used Nessus, Burp Suite, and IBM AppScan. Cost- and functionality-wise, I find Burp Suite the best of them all. AppScan is good, but very expensive and reports more false positives.
How was the initial setup?
Setup is straightforward.
What's my experience with pricing, setup cost, and licensing?
Licensing could be cheaper. It is expensive at present.
What other advice do I have?
Qualys is only a good product for in-house vulnerability management programs. It is not feasible to use Qualys for client-facing consulting engagements because of the cost.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Information Security Manager at a comms service provider with 1,001-5,000 employees
It's provided us with comprehensive, proactive, and automated vulnerability assessment.
What is most valuable?
- OWASP Top 10 scanning
- PCI-ASV scanning
How has it helped my organization?
It's provided us with comprehensive, proactive, and automated vulnerability assessment.
For how long have I used the solution?
I've used it for two years.
What was my experience with deployment of the solution?
No issues encountered.
What do I think about the stability of the solution?
No issues encountered.
What do I think about the scalability of the solution?
No issues encountered.
How are customer service and technical support?
Customer Service:
It's good.
Technical Support:
It's good.
Which solution did I use previously and why did I switch?
We switched due to there being a high number of false positives.
How was the initial setup?
It was straightforward.
What about the implementation team?
We used an integrator.
Which other solutions did I evaluate?
- Nessus
- Acunetix
- Tripwire
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Info-Security Consultant at a financial services firm with 1,001-5,000 employees
It protects against zero-day vulnerabilities, like Heartbleed.
What is most valuable?
It protects against zero-day vulnerabilities, like Heartbleed.
What needs improvement?
It's missing some zero-day patches.
For how long have I used the solution?
I've used it for a few months.
What was my experience with deployment of the solution?
No issues encountered.
What do I think about the stability of the solution?
No issues encountered.
What do I think about the scalability of the solution?
No issues encountered.
How are customer service and technical support?
Customer Service:
It's high.
Technical Support:
It's high.
Which solution did I use previously and why did I switch?
I used Rapid7 NeXpose in another shop.
How was the initial setup?
The product was already installed when I got there, I just added more scanning jobs and used the reports for remediation, etc.
Which other solutions did I evaluate?
I evaluated and selected Rapid7 NeXpose in a previous job (over QualysGuard) because the compliance department there vetoed using “an external service”. Also, we wanted to get Metasploit later.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Analyst at a tech services company with 1,001-5,000 employees
Automated tools cannot find all the vulnerabilities, but this is one of the best.
What is most valuable?
WAS and being able to integrate Selenium IDE to automate the login process was most helpful.
How has it helped my organization?
The scheduling feature allows us to scan on weekends and holidays in a planned way.
What needs improvement?
Enhancing the capability to find XSS.
For how long have I used the solution?
I've used it for six months.
What was my experience with deployment of the solution?
No issues encountered.
What do I think about the stability of the solution?
No issues encountered.
What do I think about the scalability of the solution?
No issues encountered.
How are customer service and technical support?
Customer Service:
I've never had the chance to interact.
Technical Support:
I've never had the chance to interact.
Which solution did I use previously and why did I switch?
This would depend on the clients' requirements.
How was the initial setup?
It's straightforward. In fact, it's one of the easiest solutions to implement.
What about the implementation team?
We used a vendor team who had good expertise.
What other advice do I have?
I would recommend this tool. Simply go for it. The video tutorials give insight into the simplicity and effectiveness of the product.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Expert at a financial services firm with 1,001-5,000 employees
Premature product - not a proper product to be used for PCI approved Web Scanning
v2 Review: Premature product - not a proper product to be used for PCI approved web scanning
Having done numerous penetration tests using various manual and automated tools, today we are focusing on a new tool called QualysGuard Web Application Scanning v2.4.1. In the process of doing a pentest, we often use a quality automated tool to check for standard issues while we focus on the much more difficult issues of the testing. This reduces the time it takes to do a full test and allows us to work more efficiently, and besides, who wants to waste time doing monotonous, simplistic checking? In this regard, I have used AppScan quite extensively, and HP WebInspect as well, and both are very good tools for the most part. They help out on the basic checks quite a bit.
Quite recently, I was introduced to QualysGuard Web Application Scanner (WAS) v2.4.1. This tool was very simple to use which is true to Qualys name. Point and click and you are done. Unfortunately, I found out that it didn't help with the standard checks either.
Problem #1
1. It couldn't even authenticate to basic web forms. I've used AppScan on hundreds of sites, and not once was there a problem in not being able to authenticate. A web security tool isn't very useful if it can't get past the logon screen, because that's where most of the application resides. How is it supposed to check anything if it doesn't get past the logon screen? The Qualys product support/product manager's response to this is to use Selenium scripting. Unfortunately, the current applications that are being tested only run on Internet Explorer (IE), and Selenium's automatic record and playback only works on Firefox. So one must learn a new scripting language in order to make it work with IE. This is hardly an easy point-and-click solution. Learning a new scripting language is time consuming and error prone. Other professional web scanners have this feature built in.
Problem #2
2. It cannot do a manual explore like other professional tools. For instance, manual explore is needed to fill in certain forms properly in order to get to the critical screens for testing. For example, you must fill in a proper social security number to look up the customer and get to the rest of the application. Qualys WAS does not support this feature. This web scanner doesn't allow the user to fill in the initial forms with proper data thereby never testing the whole application, which is critical. The Qualys product support/product manager's response was this is a simple point and click tool, "we don't support nor do we plan to support complex features such as manual explore."
Problem #3
3. The web service scanner has limited functionality in comparison to other professional tools. In this day and age, many web applications use web services. To not support this feature properly is ridiculous. The Qualys product support/product manager's response: "we only support web service fuzzing at this point." What about testing authenticated web service calls? It also doesn't support pre-populated data on web pages (not web services) other than the logon screen. This pretty much reduces their web service testing to a dummy tool. To make this work, you have to use tools like SoapUI or Burp Suite Pro with scripting/plugins to pre-populate data, manually explore, and sequence test steps.
Problem #4
4. Lack of details provided by Qualys.
a. Most professional tools have an audit log that shows exactly what tests were performed and how they were performed. Qualys does not provide an audit log of what tests they did. We are supposed to guess instead as to what might have actually transpired. The real reason behind not providing an audit log is more likely along the lines of: they don't do all the checks they are supposed to, and even if they did, it probably wasn't exhaustive testing of, say, XSS. Either way, we have no idea whether they did the work they claimed to have or not. A Big Mystery Here!
b. No details provided on the actual request/response when a vulnerability is found. True to Qualys name of simplicity. The vulnerability finding is so simplistic and lacking any details as to how it was tested, one wonders how to test whether this finding is a false positive or not. Well, I guess one is supposed to take Qualys word for it. :)
Problem #5
5. Missed critical session management vulnerabilities. Qualys missed a critical session management vulnerability that I had to find manually that AppScan would have found. The Qualys product support/product manager's response, "we are putting in a fix for this soon."
All in all, QualysGuard Web Application Scanner (WAS) v2 is lacking quite a bit in terms of quality and details. Do you want to risk the security of your enterprise by relying on a product like this? Currently, the product is premature and should not be considered a proper product to be used for PCI-approved web scanning. In fact, it should not even be PCI approved until it matures quite a bit. Qualys needs to understand how a true web application scanner works before releasing a premature product to cash in on an exploding market.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Technical Lead at a computer software company with 501-1,000 employees
Easy-to-deploy product with good stability
Pros and Cons
- "It is a good product for website penetration testing to detect vulnerabilities."
- "The product's pricing could be better."
What is our primary use case?
We primarily use Qualys Web Application Scanning for website penetration testing.
What is most valuable?
It is a good product for website penetration testing to detect vulnerabilities.
What needs improvement?
The product's pricing could be better.
For how long have I used the solution?
We have been using Qualys Web Application Scanning for less than a year.
What do I think about the stability of the solution?
The platform has good stability.
What do I think about the scalability of the solution?
It is a scalable product.
How are customer service and support?
The technical support services are good.
How was the initial setup?
Qualys Web Application Scanning is easy to deploy.
What's my experience with pricing, setup cost, and licensing?
It is an expensive platform.
What other advice do I have?
Qualys Web Application Scanning is easy to use and deploy. I rate it a nine out of ten. However, it could be less expensive compared to other open-source tools.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

This is a review of their Web Application Scanning Product and not Vulnerability Management. Their Vulnerability Management Product is actually pretty good.