Security Officer at a tech vendor with 10,001+ employees
Real User
Top 5
Aug 21, 2025
The downside of Qualys Web Application Scanning is that it cannot crawl automatically. If I provide an IP address and a login form, it does basic testing, but it doesn't go deep as IBM AppScan does. If Qualys Web Application Scanning could improve its crawling capability, it would be more user-friendly. Qualys Web Application Scanning does IP-level testing, requiring direct input of credentials, and can only scan a few pages to provide known generic vulnerabilities, which isn't as beneficial from my point of view. The Vulnerability Management also relies heavily on version numbers and will flag vulnerabilities based on the component version, but it doesn't check if a real fix exists, leading to flags on components that actually have workarounds available.
I have experience with adaptive scanning for single-page applications, which was not very effective. Generally, comparing with other tools, Qualys Web Application Scanning still needs to improve on the results. Qualys Web Application Scanning needs to improve on discovering vulnerabilities of the application. For authenticated scans, Qualys Web Application Scanning requires more improvement. The UI needs to be more improvised.
I would like it to be cheaper because it is a bit expensive compared to competitors like Tenable Nessus ( /products/tenable-nessus-reviews ). After using the product for a year, I might have more suggestions for improvements.
Cyber security specialist at a financial services firm with 10,001+ employees
Real User
Top 10
Sep 4, 2024
One area for improvement is the user interface. The new UI, which was recently upgraded, feels more complex and less user-friendly than the old version. However, as we continue to use it, we anticipate becoming more accustomed to it. Additionally, improved scan scheduling options are needed, which Qualys is working on implementing.
Head of Operations, Supply Chain at Lyreco Deutschland GmbH
Real User
Top 5
Aug 1, 2024
It is unclear how to build automation on Qualys. We do some automation, but not fully, because working is difficult. Many tasks we do via Qualys are prepared not via automation but by standard scanning. We don't integrate Qualys with our SDLC process. So, we're only configuring weekly scanning via this tool and checking the results.
Senior IT Security Specialist at Citadele Banka AS
Real User
Top 5
Jun 5, 2024
We have many websites. We don't force scanning on all of them at once because it's taking some time. The solution should provide more information. AI capabilities could also be added.
Learn what your peers think about Qualys Web Application Scanning. Get advice and tips from experienced pros sharing their opinions. Updated: April 2026.
Cyber Security Engineer at R S Consulting Services
Reseller
Feb 22, 2024
One area for improvement is the application scan interface. Although recent updates have introduced some features, there's a gap in supporting standards beyond OWASP. Currently, there isn't an option to select or integrate other security standards directly within the platform, which limits the scope of scans to primarily OWASP. For broader compliance, custom integrations are required, which is a cumbersome process. The platform primarily supports OWASP standards for scanning. If an organization needs to comply with other standards, such as ISO or NIST, there's no straightforward option to select these within the scanning interface. This limitation requires custom solutions to meet other compliance requirements, which is not ideal. Qualys should enhance its interface to allow users to easily select and scan according to multiple standards, not just OWASP. This includes both internal and external scans, providing a more flexible and comprehensive approach to web application security. In addition to choosing standards, there's a distinction between internal and external scanning processes that could be streamlined. Currently, for internal scanning, specific configurations and scanner appliances need to be deployed within the network, which differs from the simpler setup for external scans. This dual process complicates the setup for comprehensive scanning coverage. The process should be simplified to eliminate the need for two distinct setups for internal and external scans within Qualys.
Qualys Web Application Scanning is very complex to use, and its graphical interface is not very user-friendly. Compared to other solutions like Tenable and Rapid7, you need to navigate a lot to get the actual results out of Qualys Web Application Scanning. If I have to search for one thing within the entire console, I have to look for it randomly. It's not very easy and very comfortable to find something. Overall, it's a very good solution, but it will be very good if the tool is more user-friendly.
Information Communication Technology Specialist at UNIVERSITY OF JOHANNESBURG
Real User
Top 5
Jun 30, 2023
The software’s pricing could be improved. When we buy a license, they charge us per asset. For instance, we have a three-year contract. However, the environment keeps growing every year. If we budget it for 200 IPs, we might need to buy a new license for another 200 IPs after six months. It has a cloud feature, yet the VMs are not enough. It would be nice if there were a cost reduction in scalability.
We receive false positives sometimes when using a solution that could be improved. However, the technical team provides us with the exact explanation why it was giving us that kind of error.
There could be better management and faster scanning. An application may have a lot of URLs and complexity. If there are a couple of applications, that complexity multiplies. It can take three or four days to scan. That's too long. It should be maybe three or four hours.
Sometimes the response time is low because the handshake fails, and then you have to re-login and start again. In the next release, Qualys should include more integration with different applications and single-sign-on protocol.
Lead Cyber Security engineer at a tech services company with 201-500 employees
Real User
May 19, 2021
When comparing this solution to Veracode, Veracode has good interactive features and gives a clear understanding of what the vulnerabilities are, which error line of the vulnerability is on and what can be done. It gives interactive features, whereas this solution does not give a clear understanding of where or how to fix the problem. In the future, customer support could improve and the output report needs to be simplified for better understanding.
We are concerned with the frequency of their virus code updates and reporting that contains false positives. We do not think that the accuracy of the reporting is as good as it should be. It would be nice if Qualys would provide a solution after analyzing the data for us so we can understand what the cause of a vulnerability is and how to fix it. It would be good enough to provide something like just a download page that describes the problem and the steps to take to resolve the vulnerability. We are researching open source software because Qualys needs to improve their reports and the documentation for the end-users in resolving scanned issues. Sometimes the deployment is complicated. It is not so easy to deploy and that should be simplified. Something like Zap or other open-source software is often easier to deploy.
Senior Software Developer at a tech vendor with 1,001-5,000 employees
Real User
Aug 11, 2020
One area that could be improved is the a data server. That's probably what I most noticed in comparison with the Rapid7. Also, the UI is not user-friendly and you don't have a yearly reporting facility where you can slice and dice in different jobs. This is not good. Additionally, you don't have a recording feature, where you can record your screen navigation. Like a macro, you want to create the full screen, and they don't provide a tool which can record your navigation and then do a replay. In terms of what should be included in the next release, like I mentioned, just the UI, the user interface screen. Also, it would be good If they could improve and enrich the reports. These are the fundamental differences with Rapid7.
The reporting needs to be improved because there are a lot of search parameters, and at the end of the day, the reports are so large that it is very difficult for us to go through each and every point to analyze the vulnerabilities. The scanner reports a lot of false positives, which is something that needs to be improved.
CEO at a tech services company with 51-200 employees
Real User
Jan 12, 2020
Knowing we are in an early phase of discovery and comparison, it is impossible to know exactly what features may need improvement. Some seem to be interesting, on the other hand. The only thing that is in need of improvement from my perspective at this point is pricing in comparison to other, similar products.
Assistant Manager - Cyber & Cloud Security at a financial services firm with 1,001-5,000 employees
Real User
Aug 16, 2018
The area of false positives could be improved. There are quite a number of false positives as compared to other solutions. They could probably fine tune the algorithm to be able to reduce the number of false positives being detected. Going forward, I would like it to scan for given vulnerabilities and add-ons, then confirm whether it is an actual threat or not without the false positives.
Delivery Manager at a tech vendor with 1,001-5,000 employees
Vendor
Aug 2, 2018
In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are benchmarked against it, this will be helpful for us.
Qualys Web Application Scanning offers advanced vulnerability management, progressive scheduling, and seamless integration with DevOps environments. Its user-friendly design enables enterprises to enhance security with comprehensive scanning and detailed forensic insights.Qualys Web Application Scanning addresses enterprise-level security challenges by providing robust solutions for vulnerability management, penetration testing, and compliance checks. While easing the navigation process, it...
The downside of Qualys Web Application Scanning is that it cannot crawl automatically. If I provide an IP address and a login form, it does basic testing, but it doesn't go deep as IBM AppScan does. If Qualys Web Application Scanning could improve its crawling capability, it would be more user-friendly. Qualys Web Application Scanning does IP-level testing, requiring direct input of credentials, and can only scan a few pages to provide known generic vulnerabilities, which isn't as beneficial from my point of view. The Vulnerability Management also relies heavily on version numbers and will flag vulnerabilities based on the component version, but it doesn't check if a real fix exists, leading to flags on components that actually have workarounds available.
I have experience with adaptive scanning for single-page applications, which was not very effective. Generally, comparing with other tools, Qualys Web Application Scanning still needs to improve on the results. Qualys Web Application Scanning needs to improve on discovering vulnerabilities of the application. For authenticated scans, Qualys Web Application Scanning requires more improvement. The UI needs to be more improvised.
I would like it to be cheaper because it is a bit expensive compared to competitors like Tenable Nessus ( /products/tenable-nessus-reviews ). After using the product for a year, I might have more suggestions for improvements.
One area for improvement is the user interface. The new UI, which was recently upgraded, feels more complex and less user-friendly than the old version. However, as we continue to use it, we anticipate becoming more accustomed to it. Additionally, improved scan scheduling options are needed, which Qualys is working on implementing.
It is unclear how to build automation on Qualys. We do some automation, but not fully, because working is difficult. Many tasks we do via Qualys are prepared not via automation but by standard scanning. We don't integrate Qualys with our SDLC process. So, we're only configuring weekly scanning via this tool and checking the results.
We have many websites. We don't force scanning on all of them at once because it's taking some time. The solution should provide more information. AI capabilities could also be added.
One area for improvement is the application scan interface. Although recent updates have introduced some features, there's a gap in supporting standards beyond OWASP. Currently, there isn't an option to select or integrate other security standards directly within the platform, which limits the scope of scans to primarily OWASP. For broader compliance, custom integrations are required, which is a cumbersome process. The platform primarily supports OWASP standards for scanning. If an organization needs to comply with other standards, such as ISO or NIST, there's no straightforward option to select these within the scanning interface. This limitation requires custom solutions to meet other compliance requirements, which is not ideal. Qualys should enhance its interface to allow users to easily select and scan according to multiple standards, not just OWASP. This includes both internal and external scans, providing a more flexible and comprehensive approach to web application security. In addition to choosing standards, there's a distinction between internal and external scanning processes that could be streamlined. Currently, for internal scanning, specific configurations and scanner appliances need to be deployed within the network, which differs from the simpler setup for external scans. This dual process complicates the setup for comprehensive scanning coverage. The process should be simplified to eliminate the need for two distinct setups for internal and external scans within Qualys.
It will be good if Qualys is integrated with QRadar.
Qualys Web Application Scanning is very complex to use, and its graphical interface is not very user-friendly. Compared to other solutions like Tenable and Rapid7, you need to navigate a lot to get the actual results out of Qualys Web Application Scanning. If I have to search for one thing within the entire console, I have to look for it randomly. It's not very easy and very comfortable to find something. Overall, it's a very good solution, but it will be very good if the tool is more user-friendly.
The product's pricing could be better.
The software’s pricing could be improved. When we buy a license, they charge us per asset. For instance, we have a three-year contract. However, the environment keeps growing every year. If we budget it for 200 IPs, we might need to buy a new license for another 200 IPs after six months. It has a cloud feature, yet the VMs are not enough. It would be nice if there were a cost reduction in scalability.
The product should allow users to upload their payloads.
We receive false positives sometimes when using a solution that could be improved. However, the technical team provides us with the exact explanation why it was giving us that kind of error.
There could be better management and faster scanning. An application may have a lot of URLs and complexity. If there are a couple of applications, that complexity multiplies. It can take three or four days to scan. That's too long. It should be maybe three or four hours.
Sometimes the response time is low because the handshake fails, and then you have to re-login and start again. In the next release, Qualys should include more integration with different applications and single-sign-on protocol.
When comparing this solution to Veracode, Veracode has good interactive features and gives a clear understanding of what the vulnerabilities are, which error line of the vulnerability is on and what can be done. It gives interactive features, whereas this solution does not give a clear understanding of where or how to fix the problem. In the future, customer support could improve and the output report needs to be simplified for better understanding.
We are concerned with the frequency of their virus code updates and reporting that contains false positives. We do not think that the accuracy of the reporting is as good as it should be. It would be nice if Qualys would provide a solution after analyzing the data for us so we can understand what the cause of a vulnerability is and how to fix it. It would be good enough to provide something like just a download page that describes the problem and the steps to take to resolve the vulnerability. We are researching open source software because Qualys needs to improve their reports and the documentation for the end-users in resolving scanned issues. Sometimes the deployment is complicated. It is not so easy to deploy and that should be simplified. Something like Zap or other open-source software is often easier to deploy.
One area that could be improved is the a data server. That's probably what I most noticed in comparison with the Rapid7. Also, the UI is not user-friendly and you don't have a yearly reporting facility where you can slice and dice in different jobs. This is not good. Additionally, you don't have a recording feature, where you can record your screen navigation. Like a macro, you want to create the full screen, and they don't provide a tool which can record your navigation and then do a replay. In terms of what should be included in the next release, like I mentioned, just the UI, the user interface screen. Also, it would be good If they could improve and enrich the reports. These are the fundamental differences with Rapid7.
The reporting needs to be improved because there are a lot of search parameters, and at the end of the day, the reports are so large that it is very difficult for us to go through each and every point to analyze the vulnerabilities. The scanner reports a lot of false positives, which is something that needs to be improved.
Knowing we are in an early phase of discovery and comparison, it is impossible to know exactly what features may need improvement. Some seem to be interesting, on the other hand. The only thing that is in need of improvement from my perspective at this point is pricing in comparison to other, similar products.
The solution needs to adjust its pricing. They should make it more affordable.
They should improve the performance of the security scanning. It should have better performance.
The area of false positives could be improved. There are quite a number of false positives as compared to other solutions. They could probably fine tune the algorithm to be able to reduce the number of false positives being detected. Going forward, I would like it to scan for given vulnerabilities and add-ons, then confirm whether it is an actual threat or not without the false positives.
In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are benchmarked against it, this will be helpful for us.