I use Qualys Web Application Scanning, and we are using Vulnerability Management. By Vulnerability Management, I mean not TotalCloud; they have some on-premises solutions also. Patch Management and Asset Management is what we do. We manage our assets, which in our case, are not just physical hardware but also virtual machines and remote desktops. We have to do our scanning on some 32 to 64 IP subscription setups, and we manage only those setups, not the entire organization because for that we have our own solutions. Our company has bigger security processes, but still, we use Qualys Web Application Scanning for some kind of security testing. Our application that we use is the Qualys Enterprise TruRisk Platform, which is what we purchased and licensed, and currently, we are using it. In the Qualys Enterprise TruRisk Platform, we have VMDR, and for Web Application Scanning, I can give positive feedback that the tool is able to catch most of the known vulnerabilities. However, tools such as Qualys Web Application Scanning do not typically check whether a vulnerable version is really impacting us or not. For example, if I am using a vulnerable Apache server, the tool flags it but won't check my safeguards that mitigate the vulnerability. So, while it flags vulnerable versions, I often find false positives. Previously, we used Qualys Web Application Scanning as an agent-based application for our cloud application, installing Qualys agents in all our Kubernetes pods or clusters with scanning running every 24 hours to find vulnerabilities. We removed Qualys agents from our cloud applications and now use our internal tools, but for on-premises applications, we still use Qualys Web Application Scanning, with VMDR being the tool I use most for vulnerability management, along with Qualys WAS as well.
I use Qualys Web Application Scanning for web application scanning for customers. I set up scans, schedule scans, and perform authenticated scans. On a customer-request basis, I initiate scans, download the reports, and review the findings. We use Qualys Web Application Scanning testing features, specifically TLS for compliance. While web application scanning still requires manual testing, from an automation perspective, we fulfill our compliance checks. We have a compliance requirement to perform scans on a quarterly basis, so Qualys Web Application Scanning helps with those automated scanning needs.
Cyber security specialist at a financial services firm with 10,001+ employees
Real User
Top 20
2024-09-04T08:31:30Z
Sep 4, 2024
We use the platform for vulnerability management and website testing. It helps us identify and remediate web-based vulnerabilities in our applications, ensuring their security from potential attackers.
Head of Operations, Supply Chain at Lyreco Deutschland GmbH
Real User
Top 5
2024-08-01T12:01:00Z
Aug 1, 2024
We use it as part of our vulnerability management strategy. Specifically, we scan web applications to identify vulnerabilities during deployment. Additionally, we use container scanning to check container vulnerabilities and infrastructure scanning to assess server vulnerabilities.
Cyber Security Engineer at R S Consulting Services
Reseller
Top 10
2024-02-22T08:02:09Z
Feb 22, 2024
I use Qualys Web Application Scanning for various customers both within and outside the country. Our clients are mainly from the education and banking sectors, where we support them with financial and backend services.
We are using Qualys Web Application Scanning for our customers. We have the expertise in the solution to provide our customers with the results. We use the tool for scanning web applications for our clients.
Sr Cybersecurity Leader at a non-tech company with 1,001-5,000 employees
Real User
2022-02-16T18:32:00Z
Feb 16, 2022
There are two parts. We use Web Application Scanning licenses to constantly assess our websites. When there are any changes on our websites, Qualys checks to see if there is a vulnerability. We use a SecOps/DevOps methodology, so Qualys is integrated into the development cycle. Qualys runs every time we update the site.
Lead Cyber Security engineer at a tech services company with 201-500 employees
Real User
2021-05-19T08:30:23Z
May 19, 2021
My company works for another company called Ecolab here in Bangalore. We are an Ecolab digital center; we develop mobile applications. We use Veracode and this solution for testing these web applications before going live. This includes the full testing periods and the production phase. Once it has been tested, we then get them ready to go live.
Senior Software Developer at a tech vendor with 1,001-5,000 employees
Real User
2020-08-11T06:17:00Z
Aug 11, 2020
I think we have the fastest version, and they always upgrade it. I think it's the $2 or $3-a-month version. They have multiple engines inside it, but it's a site-based service. It is not on-demand, so Qualys will host it. It's the pay as you go service that is on the software-as-a-service. We use the DAST, dynamic application scan test.
CEO at a tech services company with 51-200 employees
Real User
2020-01-12T07:22:00Z
Jan 12, 2020
For some projects, we will need to use this on-premises. It depends on the confidentiality of our project. For other projects, we will also be deploying on the cloud or maybe a hybrid solution as well. We are looking forward to having a relationship as a partner with this company and maybe one or two others. We are not just a customer. We have a bunch of freelancers that we are working with in three different companies in Slovenia, Australia, and other countries. We are looking for solutions to make our testing and security checks more affordable.
Assistant Manager - Cyber & Cloud Security at a financial services firm with 1,001-5,000 employees
Real User
2018-08-16T08:28:00Z
Aug 16, 2018
The demo was mainly centered around vulnerability management. We were looking to find a tool which is able to do vulnerability management for internal assets and web applications which face the Internet and are exposed on it. We want a platform which can do vulnerability assessment for internal assets and also for assets which are published on the internet. I did this demo for three to six months.
We use it for external connection testing whenever we have a customer who utilizes post scanning tools for their main message. From the scanner's perspective, we use the scanner results to do manual testing.
Qualys Web Application Scanning (WAS) is a fully cloud-based web application security scanner. The scanner will automatically crawl periodically and test web applications to discover potential vulnerabilities, including cross-site scripting (XSS) and SQL injection. The consistent testing equips the automated service to generate consistent results, lessen false positives, and offer the ability to scale to protect thousands of websites effortlessly.
Qualys Web Application Scanning is bundled...
I use it for web application scanning to scan for vulnerabilities within our internal and external assets.
We use the solution to scan the website.
We use the solution for scanning and vulnerability management.
We use the solution for multiple purposes, such as infrastructure vulnerability scanning and web application scanning.
We primarily use Qualys Web Application Scanning for website penetration testing.
We use the software to help us with application scaling. We can scale our server environment both on Linux and Microsoft using it.
Our customers use the solution to audit their web applications before releasing them to the Internet.
We use the solution alongside others for static scanning. It's used for endpoint scanning.
My main use of Qualys WAS is for multifactor authentication for web and mobile applications.
We are using Qualys for vulnerability detection in our IDC (International Data Center) on our web pages and world-wide-web applications and services.
We primarily use this solution for VM scanning. We scan more than a thousand applications.
My primary use case of this solution is to audit the security level of my customer's internet. We offer this as a service.