Information Security Analyst at a tech services company with 11-50 employees
Real User
Top 20
Nov 17, 2025
I have been working with Qualys Policy Compliance for the past four years. Our complete infrastructure is in the cloud, and we have assets distributed across Asia and North America. We have a couple of users who tap into our card information and PCI information, and at these locations, the only infrastructure we have deployed is some firewalls. People connect through the firewalls and access systems that contain credit card data. We are leveraging the Qualys Policy Compliance module for PCI compliance, and we are monitoring those assets to ensure we do not see any open vulnerabilities or open ports for people in the PCI group. It is fairly simple, but it is helping us a lot. Our total transactions are not yet up to par, but we are leveraging it to fulfill the requirement and show it to our auditors. From the analytics point of view, we only have a merchant account. I have not explored advanced analytics yet. In terms of VMDR, it is quite updated. Our monthly operating review includes updating our steering committee about the latest patches and where we are from a vulnerability management standpoint. We have leveraged an in-house patching solution, but the information provided by Qualys about existing and recent vulnerabilities gives us a fairly flexible mechanism to address those vulnerabilities. When we patch one vulnerability, our patching percentage goes up. We are satisfied with that as well. We compared Qualys with other tools, but for the past three years, we have not considered any tool other than Qualys. Regarding the integration capabilities of Qualys Policy Compliance, we are only leveraging external scans. Those scans are not authenticated scans; they are basic scans. We have not explored integrations from Qualys since our infrastructure is all in the cloud and the only infrastructure we have is four to five firewalls. It is fairly simple and fairly good.
I have assessed the effectiveness of the policy compliance by running scans against it, but I have not had the chance to post any kind of compliance. The use cases I have used from Qualys Policy Compliance include templates such as PCI compliance or FedRAMP, and we compile that based on the PCI compliance checklist we need to follow.
Information Security Engineer at a university with 1,001-5,000 employees
Real User
Top 10
Feb 11, 2025
The solution is used for sorting out vulnerabilities that have implications on security auditing and ensuring all assets added to compliance have no vulnerabilities, at least not critical ones. I use it mainly for monitoring these assets and the vulnerabilities affecting compliance.
Cyber Security Analyst at a tech vendor with 10,001+ employees
Real User
Top 20
Oct 10, 2024
Before deploying any servers, they need to fulfill their compliance requirements. Each server needs to undergo compliance checks. Once all the compliance checks are completed, we can deploy them. Qualys Policy Compliance helps complete these compliance checks, which are necessary before deployment.
Qualys Policy Compliance is used to define hardening policies for different technology platforms, such as Windows member servers, Windows domain controllers, Linux flavors, and networking appliances. This is what it is used for.
We use QualysGuard Policy Compliance for VMDR (Vulnerability Management, Detection and Response). We can use the solution to detect, block, and mitigate vulnerabilities.
Policy Compliance pretty much has just one use case, and that is to compare or assess the security hardening of a typical operating system or platform or, in some cases, an application against predefined or customized security best practices. For example, if we are running Windows PCs and servers, an organization could say we are going to follow Microsoft's best practices for security configuration, including how to harden Windows computers. We would basically load the Qualys Policy Compliance module with those best practices and agree on the list with the customer. Then Qualys simply does the rest. It basically verifies, for each individual check, whether it is actually in place or not.
Qualys Policy Compliance (PC) automates the collection of technical controls from information assets within the enterprise and maps this information to policies to fix and document compliance with regulations and business mandates. It provides compliance reporting by leveraging a comprehensive knowledge base that is mapped to prevalent security regulations, industry standards, and compliance frameworks.