Information Security Analyst at a tech services company with 11-50 employees
Real User
Top 20
Nov 17, 2025
In terms of Qualys Policy Compliance's asset discovery and classification functionalities, we had some instances where we were not able to identify some rogue assets within our environment. The OS fingerprinting gave us valuable insights. For example, during internal pen testing, we found a server that was online but was not actually a server itself. It was a hosted machine on a laptop for a developer. Qualys identified the exact OS fingerprinting and we were able to find out which machine was live at the time of the scan. In terms of asset discovery, it was very appropriate and it actually helped us identify that rogue asset. The reason I decided to stick with Qualys is that for the past three years, we went through evaluating other tools, but Qualys was always our priority and always our first choice because of what it was offering as a platform. We conduct vendor assessments through Qualys, we do PCI compliance, and we do ASV scans through Qualys. In terms of other solutions, I can name a few of them like Nessus and Nexpose, but their forte is completely different. Some of them, I know Nessus provides an ASV scan while Nexpose does not. Most of our requirements were being fulfilled through Qualys, so we were not ready to let go of the security questionnaire part, the PCI compliance part, or the vulnerability management program itself. That is where it truly adds value. On a scale of one to ten, I would rate Qualys support team at eight, the account manager at nine, and the sales team at ten. Considering my very rich experience with Qualys Policy Compliance and with other Qualys technologies, I do not think there is any piece of advice or recommendation that I may share with other organizations considering it. They are doing a good job, though I am still waiting for some sort of agentic AI solutions from Qualys. 
We heavily rely on agentic AI solutions and we are leveraging almost every product that has that AI feature within them, so we are waiting for when Qualys adopts that feature. I would rate this review a ten out of ten.
I have experience working with this product. I have been working on Qualys Policy Compliance, Prisma Cloud, QRadar, and Splunk. From Qualys Policy Compliance, I have been working with all the services, such as VMDR, assets, container security, and sensors, and I have been involved in PCI compliance and those kinds of compliance tasks. For the policy compliance product, I have been working on PCI and HIPAA compliance and also internal policy compliance against our policy. I rate Qualys Policy Compliance a 9 out of 10.
Information Security Engineer at a university with 1,001-5,000 employees
Real User
Top 10
Feb 11, 2025
Overall, I rate the solution nine out of ten. I would prefer to remain completely anonymous and ensure that both my name and company name are not published.
Cyber Security Analyst at a tech vendor with 10,001+ employees
Real User
Top 20
Oct 10, 2024
Qualys is good for cost efficiency, scalability, and support. It efficiently handles numerous vulnerabilities and assists in compliance management. I'd rate the solution nine out of ten.
Doing the homework before going to Policy Compliance in Qualys would be a very good idea. Decide what type of hardening standards to use and approve the standards. Decide how often the policy compliance should be validated and reported, what types of reports are needed, and which individuals need different types of access or different types of reports. Knowing all those will make the implementation pretty straightforward. We had a module from Qualys, but we did not fully implement it, so we had to define enterprise policies, update those in Qualys, enforce them, and check the compliance level. It was a work process that took more than a year. It is still ongoing because Policy Compliance allows checking compliance against a policy, but the policy itself needs to be defined by the enterprise. It then needs to be approved and tested. Only after that, it is updated in Qualys and followed up on the compliance level. I would rate Qualys Policy Compliance an eight out of ten.
QualysGuard Policy Compliance is deployed on-cloud in our organization. The solution is deployed mostly on AWS and Microsoft Azure cloud. I would recommend QualysGuard Policy Compliance to other users. Overall, I rate QualysGuard Policy Compliance an eight out of ten.
There's no versioning in Qualys, there's simply the latest version. It's a cloud solution. We are a reseller for Qualys. We also manage it and do the consulting around it. So we definitely plan to increase it. We also use it internally. While it may seem relatively easy and certainly quick to implement, there is a certain nuance. I would always advise new users to engage with experts. I'd rate the solution ten out of ten. It's the best I've seen. It is easy, fast, and reliable.
Qualys Policy Compliance (PC) automates the collection of technical controls from information assets within the enterprise, and maps this information to policies to fix and document compliance with regulations and business mandates. It provides compliance reporting by leveraging a comprehensive knowledge-base that is mapped to prevalent security regulations, industry standards and compliance frameworks.