Buyer's Guide
Vulnerability Management
July 2022
Get our free report covering Tenable Network Security, Tenable Network Security, Qualys, and other competitors of Tenable SC. Updated: July 2022.
619,967 professionals have used our research since 2012.

Read reviews of Tenable SC alternatives and competitors

Co-founder at a tech services company with 1-10 employees
Real User
Top 20
Provides good visibility, automated alerting for vulnerabilities, and responsive support
Pros and Cons
  • "Orca's platform provides an agentless data collection facility that collects information directly from the cloud using APIs, with zero impact on performance."
  • "I would like to see an option to do security checks on a code level. This is possible because they have access to all of the code running in the cloud provider, and combining their site-scanning solution with that would be a nice add-on."

What is our primary use case?

We are a solution provider and Orca Security is one of the products that we implement for our clients. Most of them are start-ups and scale-ups that are building their software on the cloud platform. If they don't have cloud services, they cannot use Orca, so that's the first requirement. They need to use a cloud platform like Amazon Web Services or Microsoft Azure or Google Cloud.

Then to use Orca, they need to make a connection with the cloud platform's API. This means that they don't need to install any software or hardware. At that point, the site-scanning technology in Orca Security will check for vulnerabilities in the environment, and then check whether there are any configuration issues.

Our clients can see the progress in compliance after they implement Orca. For example, there is a weekly report to show how things change. Most of the time, our clients start with perhaps 30% compliance. It gives you the option to select which standards you want to comply with, for example to the ISO standard, or the GDPR standard. Orca Security also has its own standards for specific cloud platforms.

You can see that the security improves by changing the configuration and tightening your cloud set-up. Similarly, when you start reducing the vulnerabilities that you have, the number of alerts you are receiving will decrease compared to what it was in the beginning. It takes some time to achieve a healthy state of cloud security but once a baseline is achieved, you will immediately see the problem if there is a critical alert. When a new vulnerability appears, it can be solved as soon as possible.

Orca's platform provides an agentless data collection facility that collects information directly from the cloud using APIs, with zero impact on performance. This is something that is very important because now, there is a need to have full visibility of your cloud security every day. One cannot rely on only a penetration test once a year, because our customers are start-ups and scale-ups that are really innovating. They are deploying code almost every day. They make changes to the configuration of their clouds using automated tools like Terraform, and they really need to have a solution like Orca to have the guarantee and the confidence that there is nothing new and critical being configured or added to that environment. For me, it's a no-brainer to have Orca running in your cloud.

By using the agentless approach, our clients avoid the need to deploy and maintain multiple tools. Also, if you're using an agent then you need to have it installed. This means that you have something running in your production environment, so that can have an impact.

Secondly, if you forget to deploy the agent on the new machine, you will not know that machine is there. You will not have a complete picture, and that's an important thing to consider. With Orca, you will have a full inventory of all of your assets, your configuration, your network setup, even assets that are not internet-facing. The old-school agent approach will not work, because even if you have the agents installed, you will still need to have something in the cloud doing scans. You will also need something that will look at the configuration of your cloud platform, which is not possible if you are just installing an agent on a VM.

Prior to Orca, our clients had considerably less coverage for their environments. When we compared the results of Orca against a typical vulnerability scan using Tenable, for example, the classical solutions only found 20%. This is because Orca is scanning behind the security configuration of your cloud provider, which is possible with integration using the API.

What is most valuable?

The compliance dashboard is one of the features that our customers find very interesting. Instead of having to run checklists and provide access to auditors, you can just generate a report from Orca.

The automation and alerting capabilities are very good. When there is a new vulnerability or a new issue, you can get an automated alert in Microsoft Teams or in Slack.

The visibility that Orca gives into the environment is really in-depth because of their site-scanning technology. They provide full visibility into everything running in the cloud environment. They can look at virtual machines; they can look at serverless; they can look at the configuration of users and roles. They can also see, for example, that a specific administrative user has no multifactor authentication configured. It covers the full stack and not only one specific item.

The alerting capabilities are now being added, which is a very good evolution.

The integration with SIEM tools is now in place, which is a nice feature.

What needs improvement?

I would like to see an option to do security checks on a code level. This is possible because they have access to all of the code running in the cloud provider, and combining their site-scanning solution with that would be a nice add-on. This would guarantee our customers that whatever is running in their cloud production is secure on all layers.

It would be nice if this solution had the capability of fixing issues. As it is now, it only reports them. Having a button to patch a product, disable a service, or delete a VM would be nice. At this point, this is something they might not want to do because they are only doing audits rather than making changes. It is also something that would require having additional permissions, including write access using the API.

For how long have I used the solution?

I have been working with Orca Security for more than two years.

What do I think about the stability of the solution?

In the beginning, when we started to work with them more than two years ago, they were still just in the first phase of going live. At that point, we had some problems with the user interface and some bugs, but they have been developing very hard to solve those issues. For example, they migrated to a new version of the user interface, which is very good.

When there is a problem with stability, we can contact their support and they solve it immediately. These days, most issues have been solved and they're adding more functionality because they now have more developers working on it.

What do I think about the scalability of the solution?

In terms of scalability, we have customers that have a lot of assets, and some that only have a few. Of course, the more assets you have, the more vulnerabilities you have, and the more work that has to be done to solve those issues. That is something that takes time.

Our largest customer used to have more than 250 assets.

The customer is responsible for solving problems but because of Orca, we can track the progress and we can follow up on the vulnerability management and remediation.

How are customer service and support?

Technical support is very good. I would rate them a ten out of ten.

When you send an email, you get an answer immediately. They really try to determine what the problem is and identify the root cause. Either it's because it's something that we didn't know of or were unable to find in the documentation, or it's a bug or feature that is not known yet.

Which solution did I use previously and why did I switch?

We have seen customers moving from other solutions to Orca. When you are running your entire software solution in the cloud, and you make a lot of changes, have new deployments and new features, as well as configuration changes, your classical vulnerability scanners will miss things. 

For example, a traditional scanner will miss scanning a specific IP address or domain. When you are working in the cloud, everything is more elastic. Another problem is that you have new IP addresses not being used, but get allocated to another cloud customer. You can have a situation where you're scanning with those classical solutions, and it is actually somebody else's infrastructure. This is not the ideal situation.

These are some of the reasons that we have moved to Orca Security, replacing those classical mobility scanners.

Using Orca has helped consolidate vendors and services because it gives a better overall view. It's much easier to install and maintain than the typical vulnerability scanning approach. Our clients have replaced solutions such as Tenable, Qualys, and manual consultancy. In this last instance, if you don't have Orca or another product and you need to have a compliance check, then a security consultant will need to use a checklist and perform a manual inspection of all of the configurations.

Consolidating services has saved our clients both time and money. For instance, if you need to generate a compliance report every quarter, it will normally consume five to ten days. However, using Orca, it's checked every day and you can generate a report whenever you want.

Alternatively, you can use open-source tools but you don't always know what they are doing. 

How was the initial setup?

The initial setup is very straightforward. Everything is clearly documented and there is a video. They just need to log in and provide the API keys, which is very easy.

We have customers that first start with a trial or proof-of-concept, and then they immediately see the added value of the solution.

With the right access to the cloud platform, the deployment can take about 15 minutes.

What about the implementation team?

Our customers are responsible for doing the setup because we don't have access to their cloud platform.

Orca is a SaaS product that is always up to date.

What's my experience with pricing, setup cost, and licensing?

The pricing depends on how many assets you have running in your cloud and how many environments you have. If you have a dev environment, test environment, and a production environment then it's really important that you have coverage for all of them. But, you can start gradually because you can analyze one environment at a time. For example, you can begin with the production environment and fix all of the vulnerabilities there first. Then, add the test or acceptance environments, and then add your dev environments.

You really need to learn how Orca helps to improve your attack surface, and you don't want to start with everything at once. Instead, you want to start small and progress gradually, otherwise it will be a lot of work.

Pricing also depends on how you use your cloud provider. If you are working very cloud-native then it is much cheaper than a situation where you have a lot of virtual machines configured and running.

Which other solutions did I evaluate?

We generally look at the most innovative solution and start using it. We do not do benchmark testing because we don't have time for it.

What other advice do I have?

We normally set up customers on a trial basis to show them what the product is capable of. When you run a trial for a specific customer environment, you immediately see the benefits and value. You see that it does what they say it will and there are no hidden features. You immediately see the results in the dashboard, and how it works.

My advice for anybody who is considering Orca Security is to start with a proof of concept, as it will only take five minutes to set it up. Let it run for a few days and then look at the results. It will show you how it benchmarks against your existing tools, including things that you didn't know of and you need to solve. After the evaluation, purchase it to make sure that it keeps monitoring your existing environments.

I would rate this solution a ten out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Senior Security Consultant at a tech services company with 10,001+ employees
Consultant
Excellent continuous monitoring, helpful technical support, easy to scale, and simple to install
Pros and Cons
  • "The most recent is VMDR, which provides a comprehensive overview of how to detect, patch, and remediate specific vulnerabilities."
  • "Qualys currently does not have any features for scanning SCADA, IoT, and Industrial Control Systems."

What is our primary use case?

Qualys' main function is to scan IT systems. It does the scanning of computer systems.

What is most valuable?

Continuous Monitoring is excellent because it is entirely dependent on the agent, and the Agent Scan is also quite good.

I also like the asset tagging, asset grouping features, and the dashboard, because we can customize and create our own dashboard. That's quite good. 

The most recent is VMDR, which provides a comprehensive overview of how to detect, patch, and remediate specific vulnerabilities. That is also an excellent module.

What needs improvement?

The dashboard itself could be improved. While we can customize it, they can create different tabs where we can see the trending vulnerabilities, how many there are, or how many have been fixed, as in the most recent scan report, so that trend analysis is a little easier.

Aside from that, the solution itself is fairly generic in nature. What they can do is pretty much customize everything and provide a relevant solution for everything. For example, because Qualys has a Cloud Agent that scans a system's entire inventory. As a result, they can test their use cases to determine whether or not a vulnerability has been confirmed. If they can do so, they can also provide us with a straightforward solution to a specific problem rather than a generic one. That could be one area where they can improve. 

Qualys does not currently have an IoT, SCADA vulnerability assessment. They can significantly improve their IoT, SCADA, and ICS (Industrial Control Systems) vulnerability assessment technique. When you compare with Tenable SC, it has more features than Qualys VM.

If you see power grids, large oil stations, they fall under SCADA and Industrial Control Systems. These systems are very different from standard IT systems. Qualys currently does not have any features for scanning SCADA, IoT, and Industrial Control Systems.

I believe they can improve on the addition of devices. Assume I have two lakhs of devices that cannot all be added at the same time. For example, if I have two lakhs of devices, and two lakhs of those devices have a Cloud Agent, adding all of those devices at once is not easy. We have to add it 1,000 at a time, which takes a long time when there are two lakhs of assets to add. If we do 1,000 at a time, we'll have to do it for around two lakhs, which is quite difficult.

They can increase their frequency of working faster, similar to the time constraint they currently have. The second thing they can improve is the addition of assets. They can almost completely automate the process of adding assets, or they can increase the maximum number of assets that can be added in one go. They are only allowed to add 1,000 assets. If I want to add two lakh assets, it will be extremely difficult to do so by adding 1,000 at a time.

That is a fairly technical issue. Most of the false positives reported by Qualys or the inability to detect a cumulative patch update, if any, are the few things that they can improve and incorporate. 

As I previously stated, it would be extremely beneficial if they could implement scanning, vulnerability scanning of IoT systems, Industrial Control Systems, and SCADA devices.

For how long have I used the solution?

I have been working with Qualys VM for approximately four years.

We have been using multiple Qualys modules, such as VMDR, Cloud Agent, AssetView, and Continuous Monitoring. The most recent version that we are using is 4.14.

What do I think about the stability of the solution?

It's reasonably steady. When we say stable version, there is also room for improvement in that Qualys will not be able to handle large amounts of data at once. When you do billions of scans, such as a scan for millions of devices, it becomes extremely slow, and gathering data and populating the report becomes extremely tedious. 

What do I think about the scalability of the solution?

Scalability is quite good. We can pretty much rely on the tool. It is easy to scale. 

If the organization grows, we can pretty much scale it to most of the areas. The only problem is that they must primarily work on Industrial Control Systems and lightweight devices such as CCTV cameras. As a result, they are required to work in that field; otherwise, it is pretty good.

Based on my previous experience, there were approximately 300 or more users using Qualys in organizations with a population of more than two lakh people. Currently, I see that approximately 400 users are using it, and the size of the organization is significantly larger than the previous one.

We use this solution daily.

How are customer service and support?

Technical support is pretty good. Since I've been working in this, they've been friendly and straightforward, and we were able to get the most out of them.

We have suggested areas for improvement, and they have been working on them. They always make a good impression on us.

Which solution did I use previously and why did I switch?

As a consultant, I've worked on a variety of projects in a variety of organizations.

How was the initial setup?

The initial setup is simple and straightforward.

What about the implementation team?

We initially had assistance from the vendor, but once we had a good understanding of it, we scaled it in our organization.

Which other solutions did I evaluate?

Because I've been using Qualys for quite some time, I was looking for a comparison of several solutions such as Tenable SC, Rapid7, InsightVM, and Tenable Nessus. I was curious to know if there were any other tools that were better than Qualys.

I was looking for more information about Tenable SC and wanted to compare it to Qualys in more detail, with parameters such as, how the false positives are detected in Tenable SC and how good it is in comparison to Qualys. In a similar manner, in comparison to Qualys, we learn about its usability, interface, and how user-friendly it is. Those are the few things I was looking for, and I'm still looking for more information about Tenable right now.

What other advice do I have?

They have the ability to improve SCADA. SCADA stands for Supervisory Control and Data Acquisition, and IoT stands for Internet of Things scanning.

Recommending this solution would depend on the organization, the requirements, and the devices they have.

For a typical IT system, it is very good to go with this solution. Microsoft, Deloitte, and the majority of organizations still use it; it is pretty much good to go. But, once again, it is entirely dependent on how the organization is, what type of devices they have, and what kind of scans they would like to have.

In a broad sense, it is a good solution to go with.

I would rate Qualys VM an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director of Information Technology at a government with 201-500 employees
Real User
Top 20
Good at identifying vulnerabilities but had issues with scans and endpoint accuracy
Pros and Cons
  • "The main functionality of identifying item endpoints that weren't properly patched or had vulnerabilities is the solution's most valuable feature."
  • "We found that after you passed an endpoint, it didn't always reflect it in the next scan. I'm not sure if it was a glitch or some issue with the product's software. That was never clear. That was always an issue and something that definitely needed improvement."

What is our primary use case?

The solution is primarily used for vulnerability management, specifically vulnerability scanning of the endpoint devices.

What is most valuable?

The main functionality of identifying item endpoints that weren't properly patched or had vulnerabilities is the solution's most valuable feature.

What needs improvement?

We found that after you passed an endpoint, it didn't always reflect it in the next scan. I'm not sure if it was a glitch or some issue with the product's software. That was never clear. That was always an issue and something that definitely needed improvement.

For how long have I used the solution?

We've used the solution for four years.

What do I think about the stability of the solution?

I didn't notice anything in terms of stability issues. There was always data in it, so I didn't face any problems. We just had an issue once where we would scan and then we would patch, and occasionally it wasn't reflected on the next scan that that patch was there. That was the biggest issue we faced. Other than that, it was reliable. We didn't really have glitchiness or bugs. It wasn't crashing or freezing on us.

What do I think about the scalability of the solution?

I probably don't have an opinion on the scalability. It seemed to function; however, beyond that I'm not sure. As an end-user, I just would log in and run reports. I wasn't in charge of expanding the solution. I used it in a pretty non-technical way.

There were only ever about 10 to 15 users on the solution at any given time.

How are customer service and technical support?

I never actually got in touch with technical support. I wouldn't be able to speak to their level of service.

Which solution did I use previously and why did I switch?

The company did not use a different solution before using this product.

How was the initial setup?

I never set up the software myself. I was always just an end-user. I can't speak to if the solution was straightforward or complex.

I have no idea how long deployment took. I'm not sure if it was a long process or not.

Maintenance was handled by our security division. I don't know if there was one person or there were multiple admins that handled that aspect of the solution.

What about the implementation team?

It's my understanding that the solution was set up in-house and an integrator or reseller was not used.

What's my experience with pricing, setup cost, and licensing?

I'm not sure what the solution would cost on a monthly or yearly basis.

Which other solutions did I evaluate?

I'm not sure if the company evaluated other options or not. I wasn't part of that process.

The company I'm working with now is looking at evaluating Tenable.io.

What other advice do I have?

The company I worked for was just a customer and I was just an end-user. There was no business relationship between the two companies that I was aware of.

The company is considering moving from on-premises to the cloud.

I am unsure of which version of the solution is being used currently. I'm no longer at the company where I used the product.

While the solution worked well, I have never compared other solutions, so I don't know if it's best in class or not.

I'd rate the solution six out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.