Qualys Web Application Scanning Room for Improvement
PK
PankajKhullar
Senior Security Engineer at Charter Communications
One area of improvement is reducing false positives by prioritizing agent findings over remote findings when there is a corresponding local agent finding.
View full review »MS
MukeshSaha
Associate Principal, Software Engineering at LTI - Larsen & Toubro Infotech
New features need to be added, specifically LLM-based solutions. With the growing reliance on AI, Qualys Web Application Scanning should be updated to handle AI-based applications and LLM-based attacks. Currently, if the system does not provide LLM-based vulnerabilities, I'll have to seek additional tools. I have communicated this to Qualys, and they are reportedly working on it.
View full review »
Kelvin Oladipo
Team Lead, Cyber Security at Uridium Technologies
I would like it to be cheaper because it is a bit expensive compared to competitors like Tenable Nessus. After using the product for a year, I might have more suggestions for improvements.
View full review »
Buyer's Guide
Qualys Web Application Scanning
March 2025
Learn what your peers think about Qualys Web Application Scanning. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
859,687 professionals have used our research since 2012.
KM
Kamil Matusik
Head of Operations, Supply Chain at Lyreco Deutschland GmbH
It is unclear how to build automation on Qualys. We do some automation, but not fully, because working is difficult. Many tasks we do via Qualys are prepared not via automation but by standard scanning. We don't integrate Qualys with our SDLC process. So, we're only configuring weekly scanning via this tool and checking the results.
View full review »
SubhajitAich
Security Consultant at Cognizant
Qualys Web Application Scanning is very complex to use, and its graphical interface is not very user-friendly. Compared to other solutions like Tenable and Rapid7, you need to navigate a lot to get the actual results out of Qualys Web Application Scanning.
If I have to search for one thing within the entire console, I have to look for it randomly. It's not very easy and very comfortable to find something. Overall, it's a very good solution, but it will be very good if the tool is more user-friendly.
JP
Jay_Prakash
Cyber security specialist at a financial services firm with 10,001+ employees
One area for improvement is the user interface. The new UI, which was recently upgraded, feels more complex and less user-friendly than the old version. However, as we continue to use it, we anticipate becoming more accustomed to it.
Additionally, improved scan scheduling options are needed, which Qualys is working on implementing.
Koketso Ditlhage
Information Communication Technology Specialist at UNIVERSITY OF JOHANNESBURG
The software’s pricing could be improved. When we buy a license, they charge us per asset. For instance, we have a three-year contract. However, the environment keeps growing every year. If we budget it for 200 IPs, we might need to buy a new license for another 200 IPs after six months. It has a cloud feature, yet the VMs are not enough. It would be nice if there were a cost reduction in scalability.
View full review »VG
Vytautas Gudynas
Senior IT Security Specialist at Citadele Banka AS
We have many websites. We don't force scanning on all of them at once because it's taking some time.
The solution should provide more information. AI capabilities could also be added.
View full review »
Brammadevan K
Cyber Security Engineer at R S Consulting Services
One area for improvement is the application scan interface. Although recent updates have introduced some features, there's a gap in supporting standards beyond OWASP.
Currently, there isn't an option to select or integrate other security standards directly within the platform, which limits the scope of scans to primarily OWASP. For broader compliance, custom integrations are required, which is a cumbersome process.
The platform primarily supports OWASP standards for scanning. If an organization needs to comply with other standards, such as ISO or NIST, there's no straightforward option to select these within the scanning interface.
This limitation requires custom solutions to meet other compliance requirements, which is not ideal.
Qualys should enhance its interface to allow users to easily select and scan according to multiple standards, not just OWASP. This includes both internal and external scans, providing a more flexible and comprehensive approach to web application security.
In addition to choosing standards, there's a distinction between internal and external scanning processes that could be streamlined.
Currently, for internal scanning, specific configurations and scanner appliances need to be deployed within the network, which differs from the simpler setup for external scans. This dual process complicates the setup for comprehensive scanning coverage.
The process should be simplified to eliminate the need for two distinct setups for internal and external scans within Qualys.
View full review »
reviewer2561502
Senior Application Security Engineer at a real estate/law firm with 501-1,000 employees
The authenticated scanning feature could be improved by adding support for real-time scanning tokens and authorization tokens. For example, after sessions, having tokens valid for applications allowing automated authenticated scanning, similar to what Burp offers with proxy support, would be beneficial.
View full review »reviewer2246079
Cyber Security Sales Specialist at a tech services company with 1,001-5,000 employees
There should be better visibility into the application.
View full review »
YongjinLee
Commercial Pre-Sales at Megazone
There should be better visibility into the application.
View full review »
Akhat Tukenov
Cyber Security Engineer at Alexis Company
The product should allow users to upload their payloads.
View full review »EG
Elmano Francisco Gonga
IT Security Analyst at Banco de Fomento Angola
It will be good if Qualys is integrated with QRadar.
View full review »
S S RAMA KRISHNA MURTHY SURI
Senior Manager at valuelabs LLP
There could be better management and faster scanning. An application may have a lot of URLs and complexity. If there are a couple of applications, that complexity multiplies. It can take three or four days to scan. That's too long. It should be maybe three or four hours.
SandeepKumar1
Design Engineer at Uop Ipl, Honeywell
Sometimes the response time is low because the handshake fails, and then you have to re-login and start again. In the next release, Qualys should include more integration with different applications and single-sign-on protocol.
View full review »it_user1580550
Lead Cyber Security engineer at a tech services company with 201-500 employees
When comparing this solution to Veracode, Veracode has good interactive features and gives a clear understanding of what the vulnerabilities are, which error line of the vulnerability is on and what can be done. It gives interactive features, whereas this solution does not give a clear understanding of where or how to fix the problem.
In the future, customer support could improve and the output report needs to be simplified for better understanding.
View full review »HJ
Hwang James
Data Specialist at CHUN SHIN LIMITED
We are concerned with the frequency of their virus code updates and reporting that contains false positives. We do not think that the accuracy of the reporting is as good as it should be.
It would be nice if Qualys would provide a solution after analyzing the data for us so we can understand what the cause of a vulnerability is and how to fix it. It would be good enough to provide something like just a download page that describes the problem and the steps to take to resolve the vulnerability.
We are researching open source software because Qualys needs to improve their reports and the documentation for the end-users in resolving scanned issues.
Sometimes the deployment is complicated. It is not so easy to deploy and that should be simplified. Something like Zap or other open-source software is often easier to deploy.
reviewer1387992
Senior Software Developer at a tech vendor with 1,001-5,000 employees
One area that could be improved is the a data server. That's probably what I most noticed in comparison with the Rapid7. Also, the UI is not user-friendly and you don't have a yearly reporting facility where you can slice and dice in different jobs. This is not good.
Additionally, you don't have a recording feature, where you can record your screen navigation. Like a macro, you want to create the full screen, and they don't provide a tool which can record your navigation and then do a replay.
In terms of what should be included in the next release, like I mentioned, just the UI, the user interface screen. Also, it would be good If they could improve and enrich the reports. These are the fundamental differences with Rapid7.
View full review »
Vivek Sathaye
Director at Benelec
We receive false positives sometimes when using a solution that could be improved. However, the technical team provides us with the exact explanation why it was giving us that kind of error.
View full review »SubhajitAich
Security Consultant at Cognizant
The reporting needs to be improved because there are a lot of search parameters, and at the end of the day, the reports are so large that it is very difficult for us to go through each and every point to analyze the vulnerabilities.
The scanner reports a lot of false positives, which is something that needs to be improved.
View full review »reviewer1254240
CEO at a tech services company with 51-200 employees
Knowing we are in an early phase of discovery and comparison, it is impossible to know exactly what features may need improvement. Some seem to be interesting, on the other hand. The only thing that is in need of improvement from my perspective at this point is pricing in comparison to other, similar products.
View full review »AJ
Lead43690
Lead Security Architect at a financial services firm with 501-1,000 employees
The solution needs to adjust its pricing. They should make it more affordable.
View full review »Consultab6ea
Consultant at a tech services company with 1,001-5,000 employees
They should improve the performance of the security scanning. It should have better performance.
View full review »
Daniel_Ndiba
Assistant Manager - Cyber & Cloud Security at a financial services firm with 1,001-5,000 employees
The area of false positives could be improved. There are quite a number of false positives as compared to other solutions. They could probably fine tune the algorithm to be able to reduce the number of false positives being detected.
Going forward, I would like it to scan for given vulnerabilities and add-ons, then confirm whether it is an actual threat or not without the false positives.
View full review »RT
Reviewer32192
Delivery Manager at a tech vendor with 1,001-5,000 employees
In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are benchmarked against it, this will be helpful for us.
View full review »CybSec9734
Cyber Security Consultant at a tech services company with 10,001+ employees
The GUI could be a little less complicated as it opens a lot of new windows for creating search lists, templates, reports, or for scanning purposes.
Also, occasionally it can't even authenticate to basic web forms.
View full review »it_user563475
Deputy Manager at a tech services company with 10,001+ employees
Please add manual penetration testing features.
Also I didn't like the license terms and the features were limited compared to other tools used for web applications.
View full review »it_user700140
Ex Senior Security Analyst and Onsite consultant at Paladion Networks
In certain cases, this product does have false positives, which the company should work on. They should also try to include business logic vulnerabilities in the scanner testing.
View full review »it_user395523
Sr. Director, Cloud Platform Engineering at a tech vendor with 5,001-10,000 employees
The licensing and user permissions are a little wonky for a DevOps team to use, probably because it’s traditionally an InfoSec tool.
View full review »it_user488199
Senior Security Systems Engineer at a computer software company with 501-1,000 employees
The organization of the assets was a little confusing and overwhelming. The system could also use some work in pivoting from a VM scan to add the servers with web applications exposed to the WAS server. It frequently created WAS assets that did not have web applications.
View full review »it_user494979
Module Lead with 1,001-5,000 employees
The tool should have a live HTTP editor and more configuration options for some situations, such as handling applications that have URL rewriting enabled.
The tool should have more mature APIs for integration and automation. They should provide more flexible APIs to download reports.
View full review »it_user335103
Info-Security Consultant at a financial services firm with 1,001-5,000 employees
It's missing some zero-day patches.
View full review »it_user255879
Security Analyst at a tech services company with 1,001-5,000 employees
Enhancing the capability to find XSS.
View full review »reviewer2254848
Technical Lead at a computer software company with 501-1,000 employees
The product's pricing could be better.
View full review »Buyer's Guide
Qualys Web Application Scanning
March 2025
Learn what your peers think about Qualys Web Application Scanning. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
859,687 professionals have used our research since 2012.
Buyer's Guide
Download our free Qualys Web Application Scanning Report and get advice and tips from experienced pros
sharing their opinions.
Updated: March 2025
Popular Comparisons
SonarQube Server (formerly SonarQube)
Checkmarx One
CrowdStrike Falcon Cloud Security
OpenText Core Application Security
SonarQube Cloud (formerly SonarCloud)
GitHub Advanced Security
Sonatype Lifecycle
Buyer's Guide
Download our free Qualys Web Application Scanning Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More:
- Primary Use Case
- Benefits
- Valuable Features
- Room for Improvement
- Customer Service and Support
- Initial Setup
- ROI
- Pricing
- Other Advice
- What is the biggest difference between OWASP Zap and Qualys?
- If you had to both encrypt and compress data during transmission, which would you do first and why?
- When evaluating Application Security, what aspect do you think is the most important to look for?
- What are the Top 5 cybersecurity trends in 2022?
- What are the threats associated with using ‘bogus’ cybersecurity tools?
- We're evaluating Tripwire, what else should we consider?
- Which application security solutions include both vulnerability scans and quality checks?
- Is SonarQube the best tool for static analysis?
- Why Do I Need Application Security Software?
- Which Email Security enterprise solution would you choose: Cisco Secure Email vs Forcepoint Email Security vs Barracuda Email Security Gateway?
