
Qualys Web Application Scanning Room for Improvement

PK
Senior Security Engineer at Charter Communications

One area of improvement is reducing false positives by prioritizing agent findings over remote findings when there is a corresponding local agent finding.

MS
Associate Principal, Software Engineering at LTI - Larsen & Toubro Infotech

New features need to be added, specifically LLM-based solutions. With the growing reliance on AI, Qualys Web Application Scanning should be updated to handle AI-based applications and LLM-based attacks. Currently, if the system does not provide LLM-based vulnerabilities, I'll have to seek additional tools. I have communicated this to Qualys, and they are reportedly working on it.

Kelvin Oladipo - PeerSpot reviewer
Team Lead, Cyber Security at Uridium Technologies
I would like it to be cheaper because it is a bit expensive compared to competitors like Tenable Nessus. After using the product for a year, I might have more suggestions for improvements.
Buyer's Guide
Qualys Web Application Scanning
March 2025
Learn what your peers think about Qualys Web Application Scanning. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
859,687 professionals have used our research since 2012.
KM
Head of Operations, Supply Chain at Lyreco Deutschland GmbH

It is unclear how to build automation on Qualys. We do some automation, but not fully, because working is difficult. Many tasks we do via Qualys are prepared not via automation but by standard scanning. We don't integrate Qualys with our SDLC process. So, we're only configuring weekly scanning via this tool and checking the results.

SubhajitAich - PeerSpot reviewer
Security Consultant at Cognizant

Qualys Web Application Scanning is very complex to use, and its graphical interface is not very user-friendly. Compared to other solutions like Tenable and Rapid7, you need to navigate a lot to get the actual results out of Qualys Web Application Scanning.

If I have to search for one thing within the entire console, I have to look for it randomly. It's not very easy or comfortable to find something. Overall, it's a very good solution, but it would be very good if the tool were more user-friendly.

JP
Cyber security specialist at a financial services firm with 10,001+ employees

One area for improvement is the user interface. The new UI, which was recently upgraded, feels more complex and less user-friendly than the old version. However, as we continue to use it, we anticipate becoming more accustomed to it. 

Additionally, improved scan scheduling options are needed, which Qualys is working on implementing.

Koketso Ditlhage - PeerSpot reviewer
Information Communication Technology Specialist at UNIVERSITY OF JOHANNESBURG

The software’s pricing could be improved. When we buy a license, they charge us per asset. For instance, we have a three-year contract. However, the environment keeps growing every year. If we budget it for 200 IPs, we might need to buy a new license for another 200 IPs after six months. It has a cloud feature, yet the VMs are not enough. It would be nice if there were a cost reduction in scalability. 

VG
Senior IT Security Specialist at Citadele Banka AS

We have many websites. We don't force scanning on all of them at once because it's taking some time.

The solution should provide more information. AI capabilities could also be added.

Brammadevan K - PeerSpot reviewer
Cyber Security Engineer at R S Consulting Services

One area for improvement is the application scan interface. Although recent updates have introduced some features, there's a gap in supporting standards beyond OWASP. 

Currently, there isn't an option to select or integrate other security standards directly within the platform, which limits the scope of scans to primarily OWASP. For broader compliance, custom integrations are required, which is a cumbersome process.

The platform primarily supports OWASP standards for scanning. If an organization needs to comply with other standards, such as ISO or NIST, there's no straightforward option to select these within the scanning interface. 

This limitation requires custom solutions to meet other compliance requirements, which is not ideal.

Qualys should enhance its interface to allow users to easily select and scan according to multiple standards, not just OWASP. This includes both internal and external scans, providing a more flexible and comprehensive approach to web application security.

In addition to choosing standards, there's a distinction between internal and external scanning processes that could be streamlined.

Currently, for internal scanning, specific configurations and scanner appliances need to be deployed within the network, which differs from the simpler setup for external scans. This dual process complicates the setup for comprehensive scanning coverage.

The process should be simplified to eliminate the need for two distinct setups for internal and external scans within Qualys.

reviewer2561502 - PeerSpot reviewer
Senior Application Security Engineer at a real estate/law firm with 501-1,000 employees

The authenticated scanning feature could be improved by adding support for real-time scanning tokens and authorization tokens. For example, after sessions, having tokens valid for applications allowing automated authenticated scanning, similar to what Burp offers with proxy support, would be beneficial.

reviewer2246079 - PeerSpot reviewer
Cyber Security Sales Specialist at a tech services company with 1,001-5,000 employees

There should be better visibility into the application.

YongjinLee - PeerSpot reviewer
Commercial Pre-Sales at Megazone

There should be better visibility into the application. 

Akhat Tukenov - PeerSpot reviewer
Cyber Security Engineer at Alexis Company

The product should allow users to upload their payloads.

EG
IT Security Analyst at Banco de Fomento Angola

It will be good if Qualys is integrated with QRadar.

S S RAMA KRISHNA MURTHY SURI - PeerSpot reviewer
Senior Manager at valuelabs LLP

There could be better management and faster scanning. An application may have a lot of URLs and complexity. If there are a couple of applications, that complexity multiplies. It can take three or four days to scan. That's too long. It should be maybe three or four hours. 

SandeepKumar1 - PeerSpot reviewer
Design Engineer at Uop Ipl, Honeywell

Sometimes the response time is low because the handshake fails, and then you have to re-login and start again. In the next release, Qualys should include more integration with different applications and single-sign-on protocol.

it_user1580550 - PeerSpot reviewer
Lead Cyber Security engineer at a tech services company with 201-500 employees

When comparing this solution to Veracode, Veracode has good interactive features and gives a clear understanding of what the vulnerabilities are, which error line the vulnerability is on, and what can be done. It gives interactive features, whereas this solution does not give a clear understanding of where or how to fix the problem.

In the future, customer support could improve and the output report needs to be simplified for better understanding.

HJ
Data Specialist at CHUN SHIN LIMITED

We are concerned with the frequency of their virus code updates and reporting that contains false positives. We do not think that the accuracy of the reporting is as good as it should be.  

It would be nice if Qualys would provide a solution after analyzing the data for us so we can understand what the cause of a vulnerability is and how to fix it. It would be good enough to provide something like just a download page that describes the problem and the steps to take to resolve the vulnerability.  

We are researching open source software because Qualys needs to improve their reports and the documentation for the end-users in resolving scanned issues.  

Sometimes the deployment is complicated. It is not so easy to deploy and that should be simplified. Something like Zap or other open-source software is often easier to deploy.  

reviewer1387992 - PeerSpot reviewer
Senior Software Developer at a tech vendor with 1,001-5,000 employees

One area that could be improved is the data server. That's probably what I most noticed in comparison with Rapid7. Also, the UI is not user-friendly and you don't have a yearly reporting facility where you can slice and dice in different jobs. This is not good.

Additionally, you don't have a recording feature, where you can record your screen navigation. Like a macro, you want to create the full screen, and they don't provide a tool which can record your navigation and then do a replay.

In terms of what should be included in the next release, like I mentioned, just the UI, the user interface screen. Also, it would be good if they could improve and enrich the reports. These are the fundamental differences with Rapid7.

Vivek Sathaye - PeerSpot reviewer
Director at Benelec

We receive false positives sometimes when using a solution that could be improved. However, the technical team provides us with the exact explanation why it was giving us that kind of error.

SubhajitAich - PeerSpot reviewer
Security Consultant at Cognizant

The reporting needs to be improved because there are a lot of search parameters, and at the end of the day, the reports are so large that it is very difficult for us to go through each and every point to analyze the vulnerabilities.

The scanner reports a lot of false positives, which is something that needs to be improved.

reviewer1254240 - PeerSpot reviewer
CEO at a tech services company with 51-200 employees

Knowing we are in an early phase of discovery and comparison, it is impossible to know exactly what features may need improvement. Some seem to be interesting, on the other hand. The only thing that is in need of improvement from my perspective at this point is pricing in comparison to other, similar products.   

AJ
Lead Security Architect at a financial services firm with 501-1,000 employees

The solution needs to adjust its pricing. They should make it more affordable.

Consultab6ea - PeerSpot reviewer
Consultant at a tech services company with 1,001-5,000 employees

They should improve the performance of the security scanning. It should have better performance. 

Daniel_Ndiba - PeerSpot reviewer
Assistant Manager - Cyber & Cloud Security at a financial services firm with 1,001-5,000 employees

The area of false positives could be improved. There are quite a number of false positives as compared to other solutions. They could probably fine tune the algorithm to be able to reduce the number of false positives being detected.

Going forward, I would like it to scan for given vulnerabilities and add-ons, then confirm whether it is an actual threat or not without the false positives.

RT
Delivery Manager at a tech vendor with 1,001-5,000 employees

In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are benchmarked against it, this will be helpful for us.

CybSec9734 - PeerSpot reviewer
Cyber Security Consultant at a tech services company with 10,001+ employees

The GUI could be a little less complicated as it opens a lot of new windows for creating search lists, templates, reports, or for scanning purposes. 

Also, occasionally it can't even authenticate to basic web forms.

it_user563475 - PeerSpot reviewer
Deputy Manager at a tech services company with 10,001+ employees

Please add manual penetration testing features. 

Also, I didn't like the license terms, and the features were limited compared to other tools used for web applications.

it_user700140 - PeerSpot reviewer
Ex Senior Security Analyst and Onsite consultant at Paladion Networks

In certain cases, this product does have false positives, which the company should work on. They should also try to include business logic vulnerabilities in the scanner testing.

it_user395523 - PeerSpot reviewer
Sr. Director, Cloud Platform Engineering at a tech vendor with 5,001-10,000 employees

The licensing and user permissions are a little wonky for a DevOps team to use, probably because it’s traditionally an InfoSec tool.

it_user488199 - PeerSpot reviewer
Senior Security Systems Engineer at a computer software company with 501-1,000 employees

The organization of the assets was a little confusing and overwhelming. The system could also use some work in pivoting from a VM scan to add the servers with web applications exposed to the WAS server. It frequently created WAS assets that did not have web applications.

it_user494979 - PeerSpot reviewer
Module Lead with 1,001-5,000 employees

The tool should have a live HTTP editor and more configuration options for some situations, such as handling applications that have URL rewriting enabled.

The tool should have more mature APIs for integration and automation. They should provide more flexible APIs to download reports.

it_user335103 - PeerSpot reviewer
Info-Security Consultant at a financial services firm with 1,001-5,000 employees

It's missing some zero-day patches.

it_user255879 - PeerSpot reviewer
Security Analyst at a tech services company with 1,001-5,000 employees

Enhancing the capability to find XSS.

reviewer2254848 - PeerSpot reviewer
Technical Lead at a computer software company with 501-1,000 employees

The product's pricing could be better.
