Qualys Policy Compliance Reviews

I have been working with Qualys Policy Compliance for the past four years. Our complete infrastructure is on cloud and we have assets distributed across Asia and North America. We have a couple of users who tap into our card information and PCI information, and at these locations, the only infrastructure we have deployed is some firewalls. People connect through firewalls and access systems which contain credit card data. We are leveraging Qualys Policy Compliance module for PCI compliance, and we are monitoring those assets to ensure we do not see any open vulnerabilities or open ports for people in the PCI group. It is fairly simple, but it is helping us a lot. Our total transactions are not yet up to par, but we are leveraging it to fulfill the requirement and show it to our auditors.

From the analytics point of view, we only have a merchant account. Advanced analytics, I have not explored yet. In terms of VMDR, it is quite updated. Our monthly operating review includes updating our steering committee about the latest patches and where we are from a vulnerability management standpoint. We have leveraged an in-house patching solution, but the information provided by Qualys in terms of existing and recent vulnerabilities gives us a fairly flexible mechanism to update those vulnerabilities. When we patch one vulnerability, our patching percentage goes up. We are satisfied with that as well. We compared Qualys with other tools, but for the past three years, we have not considered any other tool other than Qualys.

Regarding the integration capabilities of Qualys Policy Compliance, we are only leveraging external scans. Those scans are not authenticated scans, they are basic scans. We have not explored integrations from Qualys since our infrastructure is all on cloud and the only infrastructure we have are four to five firewalls. It is fairly simple and fairly good.

In Qualys Policy Compliance, the best feature is that they keep their vulnerability database updated. I do not have to see any need after every quarter to get my team on board to update those vulnerabilities. They update the QIDs, and we can always put up our requests to consider false positives. It is fairly responsive, so we are on time for our PCI compliance and satisfied with that.

Qualys Policy Compliance has helped address compliance issues for us. Since we are not at par with the total transaction, our internal auditors only request the compliance certificate from Qualys from our steering committee and the auditors. They already know our schedule, so they do not have any issues.

Regarding improvements I would like to see in Qualys Policy Compliance, there are a couple of vulnerabilities where the metrics that are already there and the way Qualys measures those metrics and labels them as critical, high, or low does not align with my understanding from a user standpoint. Every time, I have to put in a false positive. Since I have been doing that for the past one year, the same vulnerability tends to pop up and they mark it as critical. Qualys needs to update and rediscover those weaknesses and re-label them. I understand what the company design and what the tool does, but it takes some time for us to manage those things.

In terms of missing features that I would like to see included in Qualys Policy Compliance, I do not think there are any. The feature does what we require and does the job. If there were some sort of reporting that fulfills auditor's requirements, particularly if there is an external audit and they ask us for any historical data like how long we have been compliant to the PCI framework, that would be valuable. Having reporting that shows historical data that we have been compliant from the date of inception, for example, from 2023 to 2025 onwards, would bring value to what we are reporting.

Once everything is set and done with Qualys Policy Compliance, we did not face any performance issues or issues in terms of it being resource-friendly or utilizing any machine resources. We did face some issues with purging additional assets. The flexibility with purging extra licenses is a good feature, but we are not utilizing it to the fullest, which is our issue. We have a policy where people go on sabbaticals and they come back and are provided with another license. We have to have ample licenses for this reason, so we struggled at some point in time, but it has been stable since then.

In terms of scalability with Qualys Policy Compliance, we did not face any issues. It was scalable. We always reach out to our account manager who understands the proposition and tends to forecast the next year's onboarding of people being onboarded. He gives us an idea that we can purchase certain things or upgrade some licenses and it would be enough. We only have to get in touch with our account manager and he does the job for us.

My experience with the technical support or customer service team at Qualys Policy Compliance was good. The service was good, they understood the scope, and we were ready to jump into the implementation phase in a day or two. It was quick.

Positive

The deployment part with Qualys Policy Compliance was straightforward, but we did face some challenges. Our organization is a Mac shop where every employee has a MacBook, so 70 percent of the people have Macs and the rest have Windows operating systems. It was not an issue with Qualys itself. The agent patching and agent upgrade is very simple. Mobile device management solutions for Mac are pretty limited in functionality. During the first setup, we did face some issues, but that was dealt with by Qualys support and it was not a hassle. We rolled out 4,000 agents in 24 hours. The major issue was only the integration with Kandji or Apple solutions that provide mobile device management like Kandji or Jamf. It took us some time to actually understand what was going on.

In terms of Qualys Policy Compliance's asset discovery and classification functionalities, we had some instances where we were not able to identify some rogue assets within our environment. The OS fingerprinting gave us valuable insights. For example, during internal pen testing, we found a server that was online but was not actually a server itself. It was a hosted machine on a laptop for a developer. Qualys identified the exact OS fingerprinting and we were able to find out which machine was live at the time of the scan. In terms of asset discovery, it was very appropriate and it actually helped us identify that rogue asset.

The reason I decided to stick with Qualys is that for the past three years, we went through evaluating other tools, but Qualys was always our priority and always our first choice because of what it was offering as a platform. We conduct vendor assessments through Qualys, we do PCI compliance, and we do ASV scans through Qualys. In terms of other solutions, I can name a few of them like Nessus and Nexpose, but their forte is completely different. Some of them, I know Nessus provides an ASV scan while Nexpose does not. Most of our requirements were being fulfilled through Qualys, so we were not ready to let go of the security questionnaire part, the PCI compliance part, or the vulnerability management program itself. That is where it truly adds value.

On a scale of one to ten, I would rate Qualys support team at eight, the account manager at nine, and the sales team at ten. Considering my very rich experience with Qualys Policy Compliance and with other Qualys technologies, I do not think there is any piece of advice or recommendation that I may share with other organizations considering it. They are doing a good job, though I am still waiting for some sort of agentic AI solutions from Qualys. We heavily rely on agentic AI solutions and we are leveraging almost every product that has that AI feature within them, so we are waiting for when Qualys adopts that feature. I would rate this review a ten out of ten.

I have assessed the effectiveness of the policy compliance by running scans against it but have not had the chance to post any kind of compliance.

The use cases I have used from the Qualys Policy Compliance include templates such as PCI compliance or FedRAMP, and we compile that based on the PCI compliance checklist we need to follow.

Qualys Policy Compliance has a notification system to alert customers if there are any new QIDs added or notifications about attacks, ensuring we receive timely data to address vulnerabilities effectively.

From the Qualys Policy Compliance, the best feature is that they have predefined templates for compliances, allowing easy application of compliance requirements against our products and providing clear reports on whether assets are compliant or not.

Qualys Policy Compliance customer support is very good.

I would appreciate improvements in our wrapper certificates and the policy compliance aligning better with automation scripting languages such as Python or Ansible.

They need to improve the reporting part of the CI/CD pipelines and the ability to download scans from pods.

I have been working with the Qualys Policy Compliance for almost 8 years.

The only challenge was ensuring the necessary traffic is allowed; otherwise, configuring from the Qualys Policy Compliance guide is straightforward.

It is very rare to encounter performance issues, about 0.1 to 0.01%.

I find it scalable.

Qualys Policy Compliance customer support is very good.

I would rate the technical support at an 8 out of 10.

Positive

I did not get a chance to use any other products for IT governance.

I evaluated other options, but found that Qualys Policy Compliance offers better compatibility and features than the Azure and Amazon policy compliance products.

I was involved in the purchasing of Qualys Policy Compliance in my previous company, where the costs are based on the number of devices and features, with enterprise level pricing which I cannot specify clearly.

We purchased from the Azure Marketplace and not from the AWS Marketplace for the EKS.

We can purchase from the AWS Marketplace, and it is easy to enable the Qualys Policy Compliance agent on VMs through both AWS and Azure marketplaces.

I cannot determine if it is cost-effective or brings ROI at this moment.

I was involved in the purchasing of Qualys Policy Compliance in my previous company, where the costs are based on the number of devices and features, with enterprise level pricing which I cannot specify clearly.

I have experience working with this product.

I have been working on Qualys Policy Compliance, Prisma Cloud, QRadar, and Splunk.

From Qualys Policy Compliance, I have been working with all the services, such as VMDR, assets, container security, and sensors, and I have been involved in PCI compliance and those kinds of compliance tasks.

For the policy compliance product, I have been working on PCI and HIPAA compliance and also internal policy compliance against our policy.

I rate Qualys Policy Compliance a 9 out of 10.

Qualys Policy Compliance is used to define hardening policies for different technology platforms, such as Windows member servers, Windows domain controllers, Linux flavors, and networking appliances. This is what it is used for.

In one platform, we can see the compliance level.

It takes time to realize its benefits, but that is not because of the platform. It is related to the enterprise. It depends on how long it takes for the infrastructure team to deploy and maintain the policy for existing assets and new assets and to maintain the Qualys agents and get them up and running. It is also based on the enterprise-wise agreement on how often compliance should be validated. After all these parameters are clear and defined by the enterprise, the platform is straightforward. It allows validation and follow-up for the status.

The platform allows multiple features that are very useful. The first one is being able to define the enterprise policy. The second one is to be able to automatically check the compliance level based on that policy, and the third one is that it allows us to generate reports and dashboards to see the compliance level easily.

Policy implementation is sometimes a little bit different than, for example, the CIS standards. If you are using a CIS type of standard, controls will be differently implemented, and that implementation is not straightforward. There is no clear mapping for the CIS controls in terms of how they should be implemented into Qualys, so the implementation stage might be a little bit challenging for the customer. That means that the customer will end up opening support cases, which will overload their support team to explain those. If they are somehow published somewhere, it would save time and effort for both sides.

I have been using Qualys Policy Compliance for five years.

This is a very stable module. I have not encountered any crashing of this module.

It is just out of the box because it is either based on cloud agents that need to be deployed or it is based on scanning, so it is very scalable. There is no problem with that.

The only thing that needs to be adjusted is the license. If the infrastructure is suddenly growing to twice the host number, the license should be adjusted. Apart from that, it is very scalable.

I have contacted their support many times. Most of the time, their support team is very responsive and helpful. From a customer perspective, it can be sometimes challenging when support asks for different types of evidence. That is completely understandable because to review and fix, they need the information. That is completely understandable, but it is a mini project because we need to respond in time and provide the needed evidence. Sometimes it needs a meeting that usually saves time for both sides to see what exactly is not going well and get help, but they are responsive. They adjust themselves to the customer's needs.

Positive

In the beginning, some of the assets were manually hardened, but that was not good enough at the enterprise level. We needed a way to automatically have visibility over the posture. This is the first tool that we are using, and we are very happy with it.

Its implementation is somewhere in the middle. That is because some of the controls are pretty straightforward and can be easily defined, but other controls cannot be found in Qualys. They need some kind of research and maybe opening a support case or multiple support cases. Depending on the technology, the primary deployment or the primary configuration might be challenging. However, our effort is paying off because the same platform allows us to have multiple features. It saves a lot of time, and time is money.

The number of people required depends on the enterprise. For a small to medium enterprise, it would be enough to have one member who is responsible for vulnerability management and policy compliance. For bigger enterprises, it depends on the number of hosts.

Maintenance is required but not from a Qualys perspective. The maintenance is from a hardening perspective. For example, if an upgrade changes some of the hardening configuration, it needs to be maintained on the box in order to keep compliance. However, once the policy is deployed and defined in Qualys, unless the enterprise policy changes, there is no need for maintenance.

The prices might be a little bit high. I cannot compare it with another product because we did not try any other product, but this is my impression when comparing different modules.

I inherited Qualys when I started to work with the bank. We just had that module. We were happy to see a platform that allows us multiple features, such as vulnerability management, asset inventory, and policy compliance. All those are based on the same configuration and the same platform. It saves a lot of time, a lot of money, and a lot of effort. Having the Qualys agent deployed allows us to do all of those together and also scan the assets that cannot have a Qualys agent. We use the very same scanners to perform all those requirements. It is very important for us to have one platform that allows all those together.

Doing the homework before going to Policy Compliance in Qualys would be a very good idea. Decide what type of hardening standards to use and approve the standards. Decide how often the policy compliance should be validated and reported, what types of reports are needed, and which individuals need different types of access or different types of reports. Knowing all those will make the implementation pretty straightforward.

We had a module from Qualys, but we did not fully implement it, so we had to define enterprise policies, update those in Qualys, enforce them, and check the compliance level. It was a work process that took more than a year. It is still ongoing because Policy Compliance allows checking compliance against a policy, but the policy itself needs to be defined by the enterprise. It then needs to be approved and tested. Only after that, it is updated in Qualys and followed up on the compliance level.

I would rate Qualys Policy Compliance an eight out of ten.

The solution is used for sorting out vulnerabilities that have implications on security auditing and ensuring all assets added to compliance have no vulnerabilities, at least not critical ones. I use it mainly for monitoring these assets and the vulnerabilities affecting compliance.

The solution's interface looks good, which enhances asset scanning and ensures automatic patching. Automation is excellent. The reporting feature is comprehensive and mandates security solutions. I submit evidences from Qualys to auditor partners, which shows the quality of reporting. 

Scalability is a trending feature, with the ability to relate platforms to PCs and cloud instances, including hybrid clouds. Integration with ticketing tools such as Confluence, Jira, and ServiceNow is also a valuable feature.

Some sort of education or knowledge base about the product would be beneficial for beginners. They could offer more training sessions for beginners who are new to the solution, as learning would be great for them.

I have been using Qualys Policy Compliance for about two years.

I find that the solution is stable without any issues.

The solution is scalable and can relate platforms to PCs, cloud instances, and hybrid clouds. Integration with ticketing tools is present.

I rate technical support nine out of ten. They offer very good support.

Positive

The installation is straightforward and can be handled by a single user if they have enough knowledge.

The product is very expensive, rated nine out of ten, however, it is worth trying and can potentially replace other platforms.

Overall, I rate the solution nine out of ten. I would prefer to remain completely anonymous and ensure that both my name and company name are not published.

Before deploying any servers, they need to fulfill their compliance requirements. Each server needs to undergo compliance checks. Once all the compliance checks are completed, we can deploy them. Qualys Policy Compliance helps complete these compliance checks, which are necessary before deployment.

Qualys Policy Compliance has been helpful in my organization. Initially, I was not familiar with Qualys and related tools like ServiceNow and Jira, yet with Qualys, I've learned how to handle tasks confidently on these platforms. The solution has improved my capabilities in handling reporting and other tasks related to security management.

The reporting and security checks are valuable. Each time we perform a scan, we encounter different issues, but Qualys allows us to investigate these issues and rectify them. This process increases our knowledge and skills over time.

The policy creation aspect needs improvement. Our team has limited knowledge about creating policies, and I need to focus on this area more. I should study more about creating and handling policies efficiently.

I have been using Qualys Policy Compliance for around three years. My total experience with it is approximately two years and seven months.

In terms of stability, the solution deserves a nine out of ten. It performs reliably even during extended scanning operations.

Qualys is scalable, with capabilities to handle large numbers of IPs during scans. The scalability is rated as a nine.

The customer service and technical support from Qualys are commendable. They respond immediately and provide appropriate solutions when issues arise.

Positive

Before using Qualys, I started my career in manual security configuration testing. I manually verified configurations and evidence provided by platforms and have since transitioned to using Qualys.

I’m not familiar with the ROI specifics in terms of percentages, however, Qualys has been efficient in conducting scans that save time and effort.

Qualys Policy Compliance is cost-efficient and provides great security features for the price. It is used by most companies because of its cost-effective and efficient nature.

Qualys is good for cost efficiency, scalability, and support. It efficiently handles numerous vulnerabilities and assists in compliance management.

I'd rate the solution nine out of ten.

Policy Compliance pretty much has just one use case, and that is to compare or assess the security hardening of a typical operating system or platform or, in some cases, an application against predefined or customized security best practices. For example, if we are running Windows PCs and servers, an organization could say we are going to follow Microsoft's best practices for security configuration, including how to harden Windows computers. We would basically load the Qualys policy compliance module with those best practices and agree on the list with the customer. Then Qualys simply does the rest. It basically verifies for each individual check if it is actually in place or not. 

It's a simple product. It's basically binary decisions based on the policy. You first define the policy, and then the tool compares the policy against the actual state of, for example, a Windows computer.

The policy compliance really is the most valuable aspect of the solution. You can actually create your own configuration controls. Even if it's not part of the preexisting library of controls we can handle it. For example, we had a client that had their own specific hardening requirements what kind of, let's say, registry entries or permissions on the file system or specific files being or not being on the file system. We were able to create these policies. 

It's really customizable. It can be customized pretty much to meet any need and any policy that customers can throw at us.

The reporting needs improvement. 

While the tool is really good at doing the assessment, it's not as good at reporting various compliance states. Maybe management reporting could be improved as well. They really need to improve the versioning of the policies. You can create basically your own policy based on the industry practice. However, if that industry practice changes, for example, maybe there's a new version from Microsoft, you basically need to start from scratch. That kind of migration from the old best practice to the new best practice and retaining all those customizations that have been done for the old one that has not been actually done. That's something to improve. However, we typically do it as we work with it. We do it programmatically. We do it through the API.

I've been using the solution for 22 years. 

The solution is completely stable. 

The solution scales. However, there is a little bit of difference regarding the speed of various cloud platforms from Qualys. Basically, they are running on completely independent platforms around the world. They sometimes lack performance. So accessing the web UI, sometimes you might see the leg and wait for the page to load. The improvement of web interface could improve in certain situations.

We have 13 engineers using the solution. They're all trained in Qualys.

We do not use technical support that much as we are pretty good experts. That said, when we do have questions, they are pretty good.

Positive

The initial setup is straightforward and really easy. You install an agent basically. Maybe it is slightly more complicated. However, that's not Qualys' fault. It's more how the organizations work. If we need to scan over the network, we need to obviously put something in the network like a scanner. That involves discussions with the client more in-depth than if we just tell them, "please take this agent and install it on all your Windows analytics service." Typically organizations just agree to that. 

It's done within maybe a couple of days, max. It really depends on the client. The distribution of the solution, so it's ready for assessment. Then there's the importing of the policies. If we are talking about these kinds of best practices from the library, it's straightforward. It's a click, then a little bit of customization. It can be done within hours even. We now have one client who installed the first ten agents within like three hours, and we are already getting the results. 

For customers, certainly, they've seen a return on investment compared to other solutions. It basically gives the results almost immediately after the agents or scanning has started. In terms of visibility of the data, it's easy to use and reliable. I've only seen positives from clients. Of course, the return on investment on security products is almost impossible to calculate. You cannot put the value into hard terms, really. Just putting ROI on one tool is almost impossible.

The cost varies. It really depends as the pricing is on a sliding scale. I'm not at liberty to say what the pricing is as it's confidential. I'm under an NDA from Qualys.

There's no versioning in Qualys, there's simply the latest version. It's a cloud solution.

We are a reseller for Qualys. We also manage it and do the consulting around it. So we definitely plan to increase it. We also use it internally.

While it may seem relatively easy and certainly quick to implement, there is a certain nuance. I would always advise new users to engage with experts.

I'd rate the solution ten out of ten. 

It's the best I've seen. It is easy, fast, and reliable. 

We are using it for hardening of the servers, according to the policies that we have as benchmarks here in the bank.

It has performed quite well, very well. We are satisfied with the product.

We have tightened our infrastructure using the solution and it's a safer environment from cyber crime and cyber attacks.

It gives us very good compliance reports with the standards that we are choosing. The reports are very comprehensive and they are very lucid about the configuration.

I can't think of any improvements, but I am interested in other modules, if there are any.

Quite good, in terms of availability and production of the reports.

Quite good.

We are not entirely satisfied with technical support but it's not bad. I would rate it about eight out of 10.

There are cases that were not solved in the past. Now we are using a different approach so we will probably handle the issue, but with a solution resulting from thinking out of the box, not a by-the-book solution.

This is our first such solution. We needed it because of the regulation that appeared a year ago.

It was very straightforward, very easy to set up.

When selecting a vendor, the most important criterion is price, at least according to our management board.

It's quite a good solution. Do a proof of concept and see the benefits of the solution and then decide if it fits your budget.

We use QualysGuard Policy Compliance for VMDR (Vulnerability Management, Detection and Response). We can use the solution to detect, block, and mitigate vulnerabilities.

The most valuable feature of QualysGuard Policy Compliance is the automation that can detect real-time threats and decrease risks. QualysGuard Policy Compliance is integrated with the SIEM tool. VMDR tools work on asset management, vulnerability management, threat detection, and response.

It would be good if the solution’s technical support could be faster.

I would like to improve the solution's detection feature whereby any vulnerability can be detected and immediately put in the sandbox.

I have been using QualysGuard Policy Compliance for one year.

The solution’s initial setup is easy.

The solution’s deployment does not take a long time.

We have seen a return on investment with QualysGuard Policy Compliance.

The solution's pricing is in the mid-range, where it is neither expensive nor very cheap.

QualysGuard Policy Compliance is deployed on-cloud in our organization. The solution is deployed mostly on AWS and Microsoft Azure cloud.

I would recommend QualysGuard Policy Compliance to other users.

Overall, I rate QualysGuard Policy Compliance an eight out of ten.