Technical Expert at a manufacturing company with 10,001+ employees
Real User
Top 20
Apr 16, 2026
Manages asset lifecycles effectively and improves visibility across cloud and on-premises environments
Pros and Cons
  • "The main thing I appreciate about Qualys CyberSecurity Asset Management is the cloud environment while tracking software and zero-day vulnerability risk, alongside asset discovery and tagging, as well as attack surface management."
  • "Integration of Qualys CyberSecurity Asset Management, particularly with ServiceNow, takes a very long time, and it needs prioritization of patch rules based on vulnerability risk."

What is our primary use case?

We use Qualys CyberSecurity Asset Management mainly for asset management consolidation because we are using different tools. We have around 256 locations and 480 sites. We have created multiple platforms and are managing all the assets through Qualys CyberSecurity Asset Management.

We primarily focus on discovering and assessing vulnerabilities in internet-facing assets, web servers, and cloud services. Our activities include DNS enumeration, web crawling, and enhancing transparency in our processes. In the automotive sector, we also work with IT and OT devices. We assess the vulnerabilities of critical assets based on their contributions and potential exploits related to physical security. Our team checks for payload validations and actively monitors for exploitation attempts.

Additionally, our software team continuously monitors asset vulnerabilities, feeding this information into our Security Information Management (SIM) and vulnerability management systems, as well as Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) platforms.

What is most valuable?

The main thing I appreciate about Qualys CyberSecurity Asset Management is the cloud environment while tracking software and zero-day vulnerability risk, alongside asset discovery and tagging, as well as attack surface management. This is mainly focused on hardware and software assets across all on-premises and cloud environments, where we are tracking the lifecycle states and identifying vulnerabilities and everything related to risk management.

What needs improvement?

Integration of Qualys CyberSecurity Asset Management, particularly with ServiceNow, takes a very long time, and it needs prioritization of patch rules based on vulnerability risk. It should support complex environments, including MSP domains and multi-tenant setups.

The initial setup can be complex and requires coordination between IT and security teams, as API integration takes significant time. We have faced limitations on patch frequency control and legacy system support multiple times.

Additionally, the discovery elimination for unknown assets in CSAM should be enabled, as the discovery platform didn't segregate values properly when we were doing IT and OT assets. Furthermore, effective integration with a CMDB such as ServiceNow for asset synchronization and a strong classification of risk scoring are needed to allow us to focus on high-risk assets.

For how long have I used the solution?

I have been using Qualys CyberSecurity Asset Management for around eight months.

Buyer's Guide
Qualys CyberSecurity Asset Management
April 2026
Learn what your peers think about Qualys CyberSecurity Asset Management. Get advice and tips from experienced pros sharing their opinions. Updated: April 2026.
886,932 professionals have used our research since 2012.

What do I think about the stability of the solution?

We haven't observed any significant issues in the service. There were some issues about six months ago, but since then, it's been fine. Occasionally, we experience slowness, which might be a network issue on our end, but we only faced slowness once in the last six years, and that issue was addressed effectively.

How are customer service and support?

We have a ticketing system in place and an internal team. Additionally, we have a technical account manager assigned from Qualys. Whenever we need support, we coordinate directly with this manager, and the Qualys support team assists us as needed, which happens occasionally.

I am happy with the quality and speed of the support provided by Qualys. We frequently reach out for support regarding different applications such as vulnerability management and web application scanning, especially given that we use multiple solutions for various clients. The support includes telephone availability, live chat options, and a solid support ticketing system. Additionally, the certification provided by Qualys has been beneficial for my SOC team, helping them with demo training and certification programs. We escalate incidents through the customer support portal for ongoing support tickets.

Which solution did I use previously and why did I switch?

We also use BeyondTrust and TrapX. TrapX is suitable only for a very limited range of assets. It is primarily designed for the IT sector and may not be appropriate for other industries, such as automotive or healthcare, where multiple devices are involved.

How was the initial setup?

When working in a small environment, everything tends to run smoothly. However, in larger and more distributed IT environments, especially at the lower tiers, challenges arise in compliance tracking and asset visibility. Initially, when we deploy these systems, we face multiple difficulties, particularly in coordinating with the support team. We have a technical account manager in place, and I hope they can help us navigate these issues more effectively.

For initial setups in smaller environments, everything is manageable. However, when scaling up to larger and distributed IT environments, there are significant challenges. For instance, the processes for asset visibility and content stacking can be quite complex. Automated tagging and continuous updates are essential for reducing manual asset management and enhancing the vulnerability prioritization process. Currently, significant initial configuration is required, along with software categorization and detailed reporting. In our work with a client, we would have customer calls for deployments, which would often coincide with support calls. Unfortunately, the documentation provided was not user-friendly, making it difficult to check and follow the necessary procedures.

What's my experience with pricing, setup cost, and licensing?

For vulnerability management, we have a good price. We have a solid deal in place for the first and second years. However, as we expand to multiple locations, the pricing varies. For some clients, we have been able to adjust the pricing downwards due to lower costs for certain applications.

What other advice do I have?

The risk score and asset evaluation are primarily based on multiple factors, including the asset criticality score and the Qualys Detection Score (QDS) for vulnerabilities, as well as their severity levels. Additionally, we consider the Asset Criticality Score (ACS) to reflect the value of critical assets. The QDS is also used for the Common Vulnerability Scoring System (CVSS) base score and to assess exploits, while checking on the maturity level and mitigation controls in place.

I would rate Qualys CyberSecurity Asset Management a nine out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Apr 16, 2026
Alouane Wail - PeerSpot reviewer
SecOps Engineer at Natixis IM
Real User
Top 10
Apr 16, 2026
Has improved patch deployment and vulnerability targeting through centralized asset visibility
Pros and Cons
  • "I mainly appreciate Qualys CyberSecurity Asset Management for its patch management capabilities, which are essential in my job for deploying patches and remediating vulnerabilities."
  • "Sometimes both updates and software types appear together on one list, making it hard to differentiate."

What is our primary use case?

I use Qualys CyberSecurity Asset Management for vulnerability management and patch management, as it gives me a global view of our infrastructure, including what is installed and what assets we have. As we always say, before securing your infrastructure, you need to know what you have. I use Qualys CyberSecurity Asset Management to obtain this global view of our infrastructure.

I recently implemented external attack surface management and have not yet explored it extensively. I'm in the process of discovering its features over time; I began monitoring our subdomains and websites from an external view about a month ago. Therefore, I don't have a detailed answer regarding its effectiveness yet. I am still in the early stages of implementing the external attack surface management solution. We haven't reached a point to provide feedback or evaluate how well it has helped us discover any previously uncovered assets in the vulnerability management program. I am currently working on this and plan to present my findings to our IT leadership.

How has it helped my organization?

In addition to identifying vulnerabilities, Qualys CyberSecurity Asset Management monitors our infrastructure, including tracking certificates and user access to assets. This information is useful in our IT department for compliance purposes.

The TruRisk scoring feature of Qualys CyberSecurity Asset Management helps prioritize vulnerabilities and assets, offering more information than traditional metrics, where we usually focus only on severities four and five. By examining TruRisk, we find vulnerabilities of severity five that might not be as dangerous as they appear, allowing us to target the exact vulnerabilities we need to fix better than just relying on severity alone. However, not all IT departments may focus on TruRisk, as most tend to adhere to traditional approaches.

I utilize the CMDB sync feature in Qualys CyberSecurity Asset Management. I want to mention that previously, in my last position, we used traditional CMDBs, but now we synchronize the CMDB with Qualys. This correlation with other information in Qualys, the VMDR module, gives us better visibility and correlation between our asset inventory and our vulnerability inventory.

The correlation between the VMDR and CMDB in Qualys CyberSecurity Asset Management affects our mean time to remediation significantly. If there is a vulnerability in one software, the CMDB correlation can provide all assets with this vulnerable software, allowing us to deploy remediation efforts efficiently and focus on the exact assets that require attention.

One of the useful cases for Qualys CyberSecurity Asset Management is during compliance or audit missions, where we need to report on assets with specific software. For instance, if we need to confirm how many assets comply with our software whitelist, Qualys CyberSecurity Asset Management greatly assists us in obtaining these reports quickly and with enhanced visibility of information.

What is most valuable?

I mainly appreciate Qualys CyberSecurity Asset Management for its patch management capabilities, which are essential in my job for deploying patches and remediating vulnerabilities. While deploying patches, I utilize Qualys CyberSecurity Asset Management to identify exactly which assets are vulnerable and which require new software installations or updates. One thing I appreciate about Qualys CyberSecurity Asset Management is that it is user-friendly; the interface is easy to navigate, and it provides extensive information. Before using Qualys CyberSecurity Asset Management, I relied on multiple applications for information, but it consolidates all that information from different platforms into one solution.

What needs improvement?

Qualys CyberSecurity Asset Management continues to improve and get better day by day, particularly with dashboard enhancements. I encountered a few problems while using Qualys CyberSecurity Asset Management, particularly regarding software inventory management. I primarily check for deployed updates; however, sometimes both updates and software types appear together on one list, making it hard to differentiate. For example, when I review what's deployed on my laptop, I see Microsoft software, Windows updates, and other software mixed together, resulting in noisy reports.

Additionally, I find that while information is available regarding which users have access to our servers, retrieving it often requires checking servers individually rather than obtaining a consolidated extraction when needed. These two use cases are beneficial, but improvements in these features would be greatly appreciated.

For how long have I used the solution?

I have been using Qualys CyberSecurity Asset Management for two years.

What do I think about the scalability of the solution?

The scalability of the Qualys CyberSecurity Asset Management system is satisfactory. It is indeed scalable.

How are customer service and support?

I have previously worked with Qualys technical support, and they were quite helpful and responsive, providing us with the exact solutions we needed when we reached out for assistance. I would rate the tech support of Qualys a perfect ten out of ten for their performance.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have worked with different solutions associated with the CMDB, and for patch management.

How was the initial setup?

We utilize the cloud version of Qualys, which is hosted on AWS. I haven't been involved in the purchasing or initial setup of this part.

Regarding the deployment of Qualys CyberSecurity Asset Management, I did not work directly on the project. I typically find that the project is already completed, so my role involves deploying the Qualys agent. I think this process is smooth, as my colleagues who manage the project have not reported any significant problems.

What other advice do I have?

To a colleague at another company who believes they only need external attack surface management for their vulnerability management and detection response program, I would advise them to fully utilize Qualys CyberSecurity Asset Management for a better experience. By using all its features, rather than limiting themselves to just external attack surface information, they can gather more comprehensive information that can enhance their job performance.

For organizations considering Qualys CyberSecurity Asset Management, my advice is to fully utilize all the features available to maximize the experience. By leveraging all information provided, IT professionals can enhance their operations since every detail matters, and more information generally leads to better outcomes.

I would rate Qualys CyberSecurity Asset Management an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Apr 16, 2026
Marcio Mendes - PeerSpot reviewer
Senior Vulnerability Management Specialist | CTEM | Cyber Risk Strategist (FAIR™) at Overtech Security
Real User
Top 5
Apr 16, 2026
Asset intelligence has transformed risk visibility and supports lifecycle control and reporting
Pros and Cons
  • "Regarding return on investment, I first look at the reality of the environment and the decrease in critical vulnerabilities with Qualys CyberSecurity Asset Management, which equals a positive return on investment."
  • "In the best practice for categorizing assets with the C-SAM module in Qualys CyberSecurity Asset Management, I see potential for improvement with integration of other CMDB systems in creating a relationship with Qualys and other solutions."

What is our primary use case?

I use Qualys CyberSecurity Asset Management for management, cycle life, analysis, cataloging, enumeration, classification, and remediation.

I am using Qualys CyberSecurity Asset Management for managing assets with Qualys and CMDB, along with business intelligence for classification and extraction for information classification. I analyze this data with TruRisk score to understand the impact on business and risk classification.

I use Qualys CyberSecurity Asset Management for looking at the network with a focus on Shadow IT. I examine network devices across the network using TruRisk score for criticality, classification, risk assessment, and cycle life in remediation.

I use Qualys CyberSecurity Asset Management for metrics to check the timeline for resolution of problems. With RSC and classification of IT and devices, this represents the best practice of business. I use the metrics for resolutions to prioritize risk score for remediation, mitigation, classification, and reporting to the CISO and the board members.

I manage the cycle life with Qualys CyberSecurity Asset Management to make the work easier in practice.

What is most valuable?

Qualys CyberSecurity Asset Management has excellent resources for asset management, and the C-SAM module is complete and powerful. It manages assets and their roles on the network, access, and classification.

The solution provides analysis and criticality with TruRisk score for management and Shadow IT detection. It creates visualization in the network for the business.

Qualys CyberSecurity Asset Management delivers positive impact through organization management visualization and control for statistics on cycle life and remediation and mitigation in application standards and business rules, such as PCI DSS, and other filters with the PC module and classification in Qualys patch for remediation cycle life.

What needs improvement?

In the best practice for categorizing assets with the C-SAM module in Qualys CyberSecurity Asset Management, I see potential for improvement with integration of other CMDB systems in creating a relationship with Qualys and other solutions. I would like to see improvements in the criticality score and TruRisk, along with KDS and those classifications for analyzing the real risk impact for business, and in the periodic checking of devices and networking.

For how long have I used the solution?

I have been using Qualys CyberSecurity Asset Management for three years.

What do I think about the stability of the solution?

Qualys CyberSecurity Asset Management is stable.

What do I think about the scalability of the solution?

The scalability of Qualys CyberSecurity Asset Management is acceptable and working well.

How are customer service and support?

There are no problems with the customer support of Qualys CyberSecurity Asset Management.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Qualys CyberSecurity Asset Management is the principal solution I use currently. However, in other organizations, I have used other solutions based on different CISO perspectives and administrative cultures.

What was our ROI?

Regarding return on investment, I first look at the reality of the environment and the decrease in critical vulnerabilities with Qualys CyberSecurity Asset Management, which equals a positive return on investment.

What other advice do I have?

Qualys CyberSecurity Asset Management is a perfect tool at a nine out of ten rating. A perfect tool does not exist, but I rate it a nine for its recurring increase in capability and the increase in expertise among Qualys specialists. The more expert the team, the better the results.

I work more in the organization in the on-premises environment with Qualys CyberSecurity Asset Management. I do not have difficulty, but it requires more organization for successful results. I am using only integration with AWS and Azure.

With specialists, I do not have concerns regarding price with Qualys CyberSecurity Asset Management. For me, it is only a matter of organization and the architecture implementation. My experience with Qualys is excellent. I would rate Qualys CyberSecurity Asset Management a nine on a scale of one to ten.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company has a business relationship with this vendor other than being a customer. Professional Cyber consultant
Last updated: Apr 16, 2026
Supervisor - Information Security Office
Real User
Top 20
Apr 16, 2026
Has helped uncover outdated and prohibited software, though the dashboard could be more interactive
Pros and Cons
  • "What I appreciate most about Qualys CyberSecurity Asset Management is the inventory feature, where I can look up assets, software, applications, open ports, and similar items because it's very useful."
  • "One downside of Qualys CyberSecurity Asset Management is that I would prefer to see a more interactive dashboard."

What is our primary use case?

My current use cases for Qualys CyberSecurity Asset Management involve hunting for software that is end of sale or end of life. I also use it to identify where prohibited software is installed on a device. For example, I identify if software that shouldn't be on an endpoint exists. That includes the vulnerabilities associated with certain software.

How has it helped my organization?

Improve software inventory capabilities

What is most valuable?

What I appreciate most about Qualys CyberSecurity Asset Management is the inventory feature, where I can look up assets, software, applications, open ports, and similar items because it's very useful. For example, with assets, I can see all the devices that have the protection installed and access one of these endpoints to see all the information about it. On the software side, I can see a list of all software installed on all my platforms, referring to all my endpoints that have the client installed.

The comprehensive approach that Qualys offers is beneficial because it includes the TruRisk score, which summarizes all vectors influencing the risk of an asset. For example, it highlights exploitations for certain vulnerabilities and provides all the links if they are available or public. Furthermore, the integrated Threat Intelligence platform within the interface allows me to see if there's a trend for certain vulnerabilities and check if I have that vulnerability on my platform.

What needs improvement?

One downside of Qualys CyberSecurity Asset Management is that I would prefer to see a more interactive dashboard. For example, when I see unknown software in the inventory and try to get a list of assets with certain software, I have to go inside the software menu. If I could have something more interactive that doesn't require going inside multiple categories, it would help. Also, I think the filters should accept three or more queries together to get broader results. However, this could also be an issue stemming from my knowledge or lack thereof.

For how long have I used the solution?

I have been using Qualys CyberSecurity Asset Management in this company for at least one to two years, but the implementation has been around for three years.

What do I think about the stability of the solution?

I have experienced a couple of instances with lagging, but nothing substantial that impacts reporting. There may be some delays on the dashboard, but nothing affects the functionality of reporting vulnerabilities from the endpoint.

What do I think about the scalability of the solution?

The scalability of Qualys CyberSecurity Asset Management is significant because you can deploy it across physical endpoints, cloud environments and VDI using a configuration file. If someone uses Windows Server, they could use a GPO to deploy it. There are many options. I've seen large platforms with numerous endpoints and vulnerabilities, and that makes me think they have an impressive capability for handling large volumes, which is very scalable in my opinion.

How are customer service and support?

I haven't contacted Qualys technical support or customer support because we have a team that possesses extensive information and they reach out directly to the vendor.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

In the past, I used some open-source solutions at another company, but I don't remember the name. I recalled using them occasionally, but they didn't have this kind of reach. The same principle applies; you install a client on the endpoint, and it reports to the server.

How was the initial setup?

I find the initial deployment of Qualys CyberSecurity Asset Management overall easy, especially with support from the vendor and personnel who understand how to handle the integration and permissions with the firewall to allow traffic.

What about the implementation team?

The initial deployment took around a month or possibly less to fully deploy Qualys CyberSecurity Asset Management for the first time, though I wasn't present during the implementation.

What's my experience with pricing, setup cost, and licensing?

I don't have access to the pricing information, but I understand that Qualys CyberSecurity Asset Management is expensive compared to other brands or vendors, although the price is worth it.

What other advice do I have?

I have the most experience with Qualys CyberSecurity Asset Management, VMDR, and CSAM, as well as CA. Besides VMDR, I also used the Threat Intelligence model extensively.

Regarding the CMDB Sync feature, I learned about it just a couple of weeks ago. Although we don't have the implementation, we would find it useful to share information from Qualys, such as vulnerabilities and all devices, and track the person in charge of a certain device by creating a ticket.

The TruRisk score is a very useful feature, as it summarizes all the factors influencing the importance of a vulnerability concerning an asset or an endpoint. It helps with the prioritization of remediation.

We have both the passive sensor and the cloud agent. We use the cloud agent by installing it on the devices, while the passive sensor allows us to detect devices that don't have the protection and can't have the protection, for example, the networking devices.

We don't manage maintenance for Qualys CyberSecurity Asset Management as it depends on the vendor because they sometimes deploy updates and upgrades, but nothing is required on our end.

On a scale of 1-10, I rate this solution a 7.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Apr 16, 2026
reviewer2590236 - PeerSpot reviewer
Information Security Lead at a consultancy with 10,001+ employees
MSP
Top 5
Apr 16, 2026
Gives a 360-degree view of our assets and helps to take proactive measures
Pros and Cons
  • "We have a diverse organization with a robust infrastructure of more than 300,000 assets. By creating unauthorized lists and rules in the Qualys CSAM module, I can block certain software from being used in the organization."
  • "We have had zero attacks since we enabled all the features in Qualys CSAM."
  • "Currently, in the EASM module, the scan frequency is limited to once daily, but allowing end users control over scan scheduling would be advantageous."
  • "The scanning function could be improved."

What is our primary use case?

We use it to gain complete visibility into our assets and monitor our security posture.

How has it helped my organization?

Our overall experience has been very good. It gives us a 360-degree view of our assets. It gives us the complete data such as the types of services running or applications installed. If an asset or software is end-of-life or end-of-support, it provides the status related to that. Apart from that, we get to know the ports and services that are running.

Previously, I did not have visibility over the complete inventory. Qualys CSAM gives me the complete inventory with the number of assets connected to the network. Based on the cloud agents that were deployed and remote scans, we can see the whole inventory in a single module. The CSAM module allows us to track the end-of-life or end-of-support status of the software on our assets. We get to know in advance that particular software is going to be end-of-life or end-of-support. Such a feature helps us to take action proactively.

It gives visibility into the domains or subdomains managed by my organization. I can track those very effectively. I can even perform lightweight scans which are completely managed or controlled by Qualys, unlike remote scans that are performed by the end user. It gives visibility into the vulnerabilities related to applications or assets on a real-time basis because these scans are performed once a day on a daily basis. With one click, the EASM module provides the domain names related to my organization. Qualys directly performs the scan and if any applications or assets are not in my CMDB because I missed updating the details, it highlights them, so I have complete visibility over my publicly exposed assets or applications.

It is able to discover different kinds of assets, such as web servers, DB servers, or application servers. It can identify network devices. I even have visibility over the devices managed by ISPs, and I am able to take action appropriately.

Asset tagging is one of the main features of the CSAM module. While creating asset tags or after creating asset tags, we can set the asset criticality. Based on the vulnerabilities identified in the assets, Qualys provides a detection or TruRisk scoring.

TruRisk scoring helps prioritize vulnerabilities and assets. This prioritization is very helpful for me. In an infrastructure with 300,000 assets, we might see millions of vulnerabilities in the assets. We need to prioritize vulnerability remediation because we cannot focus on remediating all the vulnerabilities at the same time. We can start with the assets that are critical in our organization. TruRisk scoring helps with that.

It makes us more secure and also helps us with our KPIs or KRI. We have had zero attacks since we enabled all the features in Qualys CSAM.

It fetches the asset details based on remote scans or the cloud agents that are deployed. With passive sensors, I am able to see the rogue assets that are passing through a particular switch wherever passive sensors are deployed. I can see what other assets are connected to the network. One of my goals is to identify the assets that are missing with the cloud agents so that I can get the cloud agents deployed and get them added to my asset inventory. Network devices obviously cannot be installed with the cloud agents, but at least I have visibility that these are the network devices, or these are the endpoints, or these are the servers, whereas rogue assets are a threat to the organization. They may even compromise other assets in the network, so with these passive sensors, I am getting complete visibility.

Even IoT devices can be scanned through these passive sensors. The passive sensors can read the configuration of the devices passing through a particular switch. Previously, I used to perform remote scans on IoT devices. This effort of performing the remote scan is minimized because these passive sensors are able to find the vulnerabilities related to any of the IoT devices by reading their configuration. This is another feature that is helping me as part of our operations.

What is most valuable?

The External Attack Surface Management (EASM) module, available within CSAM, is valuable. It helps track all the domains and subdomains related to our organization. It performs the discovery scans and provides the results of the domains or subdomains related to my organization. It also performs scans to identify any vulnerabilities, which helps to take proactive measures before those vulnerabilities are identified by any attacker.

The IoT or OT asset discovery feature is valuable. We can analyze the traffic that is passing through at the L2 switch level with the passive sensors. It provides information about any rogue asset connected to a switch or a network. We can see all the unmanaged or managed assets.

The ability to define a list of unauthorized software and create a rule to define software authorization is helpful. We have a diverse organization with a robust infrastructure of more than 300,000 assets. By creating unauthorized lists and rules in the Qualys CSAM module, I can block certain software from being used in the organization. When I create such a rule, I can see all the assets having unauthorized software installed. I can then immediately take action by blocking that asset or remotely uninstalling that particular software. Such actions can be taken directly from its interface when I have unauthorized software rules in place. This is an important and helpful feature for my organization.

What needs improvement?

The scanning function could be improved. Currently, in the EASM module, the scan frequency is limited to once daily, but allowing end users control over scan scheduling would be advantageous. Publicly exposed assets are very critical. If a remediation action is taken by the end-user or the auditor working on a vulnerability management program, that person must be given access to run the scan as and when required. This way they can immediately check whether that particular vulnerability is present or not.

Also, allowing more comprehensive scan configurations could be beneficial. The lightweight scan that it does is only based on the ports or services that are identified through the Discovery Scan. It would be helpful for the auditors to be able to run a more comprehensive scan.

Additionally, while downloadable asset information is available in the CSAM module, it lacks mapping of software to assets in a consolidated report format. For instance, if I want to download information about 100,000 assets along with the software mapped to those assets, this option is currently not available. If I download the SH details, it will have only the BIOS information, the serial number of the device, the hostname, the MAC address, and the IP address. Only these details are available. It does not give information about the software installed on those assets. The software mapping with assets is not given in a consolidated report. Enhancing this capability would elevate its usefulness.

For how long have I used the solution?

I have been using the CSAM module for about four to five years. It was previously known as AssetView. We used AssetView for over 12 years and then shifted to using CSAM when it was introduced four to five years ago.

What do I think about the stability of the solution?

The platform is quite stable as it is able to handle data from various sources, such as cloud agents or the VMDR module. It has the EASM capability. It is pretty stable even though it holds a lot of data related to our assets or applications. I would rate it a ten out of ten for stability.

What do I think about the scalability of the solution?

Scalability is impressive, supporting a myriad of features and substantial data from diverse modules. It offers a comprehensive view of asset management and is equipped to handle an extensive array of data efficiently.

Our organization has its presence in different geographical locations. We have about 300,000 assets installed with agents worldwide.

There are 50 to 60 people from the IT team and the information security team working with Qualys CSAM.

How are customer service and support?

I am satisfied with their support. I would rate their customer support a ten out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I was using the AssetView module before migrating to Qualys CSAM. AssetView has very basic features. Other than the asset tagging feature, AssetView does not have other features available in Qualys CSAM, such as EOL detection and software version detection. 

Knowing the software version is very useful for me when any zero-day vulnerability is published. I can check the version of the software that is vulnerable to a zero-day CVE, and then with the Qualys CSAM module, I can see the assets that are using that particular vulnerable version. Without even performing the active scan, I can get visibility over the assets having vulnerable versions. I can then take the remediation action. This is the most important feature in the CSAM module as compared to AssetView. 

How was the initial setup?

The initial setup was straightforward. Although I was not a part of the implementation team, I understand it did not take much time due to an efficient cloud agent deployment and network connectivity setup.

It does not require any maintenance from our side. There is almost zero-touch maintenance because it is a SaaS platform managed by Qualys itself. We might have to modify or create asset tags or dashboards. These are operational tasks that we might have to do on a regular basis. Other than that, no maintenance is required from our side.

What about the implementation team?

The implementation involved a small team of about five to six members who collaborated with the Qualys vendor.

What's my experience with pricing, setup cost, and licensing?

Though the solution is considered expensive, if bundled with other services such as VMDR or cloud agents, its value would significantly increase. It is currently a bit costly, but with bundling, it could become attractive to more customers.

What other advice do I have?

I would highly recommend this solution to other users looking to enhance their asset inventory visibility. Asset inventory is the primary source of truth for any IT team or information security team. Qualys CSAM provides that visibility. With the integration of CMDB, you get even better visibility over the asset inventory. You also get EOL information about the assets and applications. These are the main reasons for recommending it. I am pretty happy with it.

I would rate Qualys CSAM a ten out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Apr 16, 2026
Haroldo Ferreira - PeerSpot reviewer
InfraSecOps Manager at a computer software company with 51-200 employees
Real User
Top 10
Apr 16, 2026
Reliable multi-WAN setup has supported secure segmented networks and responsive support
Pros and Cons
  • "I really enjoy the flexibility of the interface setup configuration for my network VLANs, which makes it very easy to configure."
  • "I think the one thing Qualys CyberSecurity Asset Management can do better is the package management and the updating process."

What is our primary use case?

I primarily use it for a small, single-site, multi-source setup with multi-WAN inputs. I have a main fiber connection and a couple of failovers while managing different networks across different segments.

What is most valuable?

I really enjoy the flexibility of the interface setup configuration for my network VLANs, which makes it very easy to configure. When I'm doing multi-inputs with internet providers coming in, it's very easy to manage and set up with very little effort.

The technical support is super responsive; I generally get a response within an hour, two hours, or three hours. I've only had to contact them maybe two or three times for very minor issues, but there's no issue there. I think it's very responsive.

What needs improvement?

I think the one thing Qualys CyberSecurity Asset Management can do better is the package management and the updating process. Knowing that you can't update any of the packages until you've done the actual operating system update can be a bit confusing. Beyond that, I don't have any major issues. There are generally some user interface updates and tweaks here and there, but that's a lower priority in my opinion.

For how long have I used the solution?

I've been using it for about eight years in my career.

What do I think about the stability of the solution?

For stability, I would give it a 10; I have no issues there.

What do I think about the scalability of the solution?

Scalability works well; I would say it's probably going to be a nine.

How are customer service and support?

The technical support is super responsive; I generally get a response within an hour, two hours, or three hours. I've only had to contact them maybe two or three times for very minor issues. I think it's very responsive.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I've used Unifi primarily in the last couple of years, probably three years now, at a separate site. It's nice, but it's not nearly as configurable. Qualys CyberSecurity Asset Management software's ability to do VPN, both with regard to Tailscale and OpenVPN, is really very easy to use, whereas Unifi is not ideal. Their security is open by default versus Qualys CyberSecurity Asset Management, which is closed, which is always going to be preferable.

How was the initial setup?

For an entirely new site, the initial deployment would take some time to configure and set up. If you're coming from an existing setup or configuration, you effectively export the configuration, upload it, and make some minor updates. Even with the booting environments, it's easy in that if you make a mistake, you can go back or revert to an existing experience. It might take some time, but it's not overly complicated. I would say it requires minimal effort, especially if there's a plan in place ahead of what the structure will be.

What about the implementation team?

One person can do this type of deployment, but you're going to need to be testing. Honestly, it's not nearly as complicated as a larger, more legacy offering, so I think it's very easy.

What's my experience with pricing, setup cost, and licensing?

I'm not entirely sure about the pricing; I don't know.

What other advice do I have?

Qualys CyberSecurity Asset Management does require some maintenance on my end, such as manual updates in terms of releases. Checking those out, doing some testing, and confirming it looks good in a non-prod environment is not that complicated. Even again, if you do the boot states, it's easy to manage. They come out about every 12 months, and I know that's one thing against Netgate—that they're a little bit slower on development—but honestly, that's probably preferable because it's not constantly updating. My review rating for this product is 9.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Apr 16, 2026
Android Developer at Droidforge
Real User
Top 5
Apr 16, 2026
Ensures a comprehensive inventory of all assets, regardless of their distribution
Pros and Cons
  • "The most valuable feature is the real-time visibility Qualys CyberSecurity Asset Management provides into all assets across our development and operational environments."
  • "Qualys CyberSecurity Asset Management offers comprehensive features to cover our entire attack surface."
  • "The UI needs improvement as it can become overwhelming after prolonged use."

What is our primary use case?

At our Android development company, Qualys CyberSecurity Asset Management safeguards our development environment and digital assets, including sensitive codebases, APIs, databases, and cloud-based infrastructure. By continuously monitoring these assets, Qualys helps us detect vulnerabilities, misconfigurations, and potential malware, protecting both our proprietary technology and client projects from threats like ransomware and malicious activity. Furthermore, it ensures compliance with industry standards through real-time insights and automated security patches, fostering trust between us and our valued customers.

How has it helped my organization?

Qualys CyberSecurity Asset Management offers comprehensive features to cover our entire attack surface. Its cloud-based platform provides full compliance management, ensuring infrastructures align with databases and standards. Cloud storage enables easy data retrieval and recovery. Additionally, it utilizes AI-powered features to monitor and manage security patches, enhancing overall security posture.

Qualys CyberSecurity Asset Management utilizes advanced deep neural networks and AI to identify previously undiscovered assets and threats, crucial to our company's security. We discovered an additional 120 assets with Qualys CSAM.

It has significantly enhanced our company's security by providing real-time visibility into all access points across our development ecosystems, improving vulnerability detection and risk management. This allows us to address security gaps quickly before they escalate into critical threats. The automated discovery of misconfigurations ensures continuous compliance with industry and government standards, reducing manual efforts and freeing our team to focus on innovation. This comprehensive approach has fortified our infrastructure, protecting sensitive code, client data, and cloud management from cyberattacks. Consequently, we have faced fewer security threats, allowing us to focus on other areas for improvement within the company.

The Asset Management helps us identify all risk factors, including vulnerabilities and malicious attacks, along with various other aspects of asset management.

This advanced cloud system utilizes APIs to connect and retrieve data, while passive sensors track the code bases of our applications.

Passive sensors hinder the real-time identification of potential risks, as they transmit real-time data and additional information with a delay. However, the system's speed, combined with AI, deep learning, and robotic process automation, enables efficient risk identification despite this limitation.

What is most valuable?

The most valuable feature is the real-time visibility Qualys CyberSecurity Asset Management provides into all assets across our development and operational environments. As an app development company dealing with multiple platforms, servers, APIs, and mobile data, each becomes a significant target for cyber threats. 

Qualys CyberSecurity Asset Management ensures a comprehensive inventory of all assets, regardless of their distribution. This allows us to detect vulnerabilities, misconfigurations, and outdated systems before they become security issues. The automated vulnerability scanning and patch management features, with automatic risk identification and remediation, are also invaluable. By reducing manual intervention, these features increase efficiency and allow our team to focus on other priorities.

What needs improvement?

There are a few areas Qualys CyberSecurity Asset Management can improve. First, the UI needs improvement as it can become overwhelming after prolonged use. A more intuitive design with simplified navigation would be beneficial for all team members, especially beginners. 

Second, the reporting feature could offer more customizable templates and easier-to-digest visualizations. This would help in creating targeted reports for different stakeholders, such as technical teams and executives. 

Lastly, integration capabilities with third-party tools and platforms should be expanded. While some integrations are supported, more options like CI/CD pipelines, which are integral for app deployment, would be advantageous.

For how long have I used the solution?

I have been using Qualys CyberSecurity Asset Management for one year.

What do I think about the stability of the solution?

I would rate the stability of Qualys CyberSecurity Asset Management eight out of ten.

What do I think about the scalability of the solution?

I would rate the scalability of Qualys CyberSecurity Asset Management ten out of ten.

How are customer service and support?

Once we needed to contact their customer support, we received timely assistance. The support team was knowledgeable and offered a variety of quick resolution options. They also provided extensive documentation and access to community forums, allowing us to find solutions independently.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I previously evaluated Nessus, but while it offers effective vulnerability scanning, it lacked the comprehensive asset management and continuous monitoring capabilities necessary for expanding our application management system. We needed a solution that provided deeper visibility into our digital assets, including cloud infrastructure and mobile applications. 

Qualys offered a more integrated approach by combining vulnerability management, compliance checks, and real-time inventory in a single platform, simplifying processes, improving collaboration between development and security teams, and offering greater scalability.

How was the initial setup?

The initial setup was smooth and easy to follow, aided by guidance from the Qualys team.

The deployment took three to four hours.

What about the implementation team?

The implementation was performed with assistance from the Qualys team, who helped with platform configuration and integration into existing systems.

What was our ROI?

Our return on investment includes a significant reduction in security incidents, decreasing potential costs related to data breaches, system downtime, and compliance fines. This was achieved through streamlined vulnerability management, which reduced labor costs by approximately $109,000 annually. Additionally, enhanced client and company trust led to approximately $99,000 in new contracts. These improvements to our security infrastructure contributed to overall business growth of approximately 150 percent over the past year.

What's my experience with pricing, setup cost, and licensing?

The pricing for Qualys CyberSecurity Asset Management is reasonable, with an annual subscription costing around $1,000 per year or a monthly subscription starting at approximately $72 per month, depending on the specific package and features included.

What other advice do I have?

I would rate Qualys CyberSecurity Asset Management eight out of ten.

We use Qualys CyberSecurity Asset Management in six locations across the country.

Qualys CyberSecurity Asset Management does not require any maintenance.

I would advise fostering security awareness through regular review and updates to security policies and protocols. Staying informed about other platforms is important, but Qualys CyberSecurity Asset Management is a fit for our company due to its reasonable cost, scalability, stability, and excellent integration and deployment features.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Apr 16, 2026
reviewer2770677 - PeerSpot reviewer
Information Security Analyst at a manufacturing company with 1,001-5,000 employees
Real User
Top 20
Apr 16, 2026
Dashboards have helped customize risk insights but configuration challenges and lack of guidance hold us back
Pros and Cons
  • "The dashboards are my favorite feature; I can pull up information and create my own dashboards specifically for what I'm looking for."
  • "We've received very poor guidance from them, especially after learning several things we need to fix during the Qualys conference."

What is our primary use case?

My use cases involve using Qualys CyberSecurity Asset Management to detect vulnerabilities and then passing on the information to our IT team that has to fix the vulnerabilities.

The External Attack Surface Management covers my entire attack surface, but the majority of it doesn't apply to us because our external assets are not owned by us. We just have the external assets that are hosting our web pages.

What is most valuable?

The dashboards are my favorite feature.

I can pull up information and create my own dashboards specifically for what I'm looking for.

In addition to vulnerabilities, Qualys CyberSecurity Asset Management identifies all other risk factors for my assets.

What needs improvement?

The TruRisk feature could help prioritize vulnerabilities and assets, but our issue currently is that we weren't provided with adequate information to set things up correctly. We have many configurations to fix, and if we get to that point, it could be useful, but currently it's not because of inaccurate data.

The downsides of this solution include needing more knowledgeable account managers, and there needs to be more guidance on how to use their solution because there's so much to it. We've received very poor guidance from them, especially after learning several things we need to fix during the Qualys conference. Additionally, we need a solution to be able to do application deployment, which they sold us on a year ago, saying it was coming, and we still keep hearing it's coming.

For how long have I used the solution?

I have been using Qualys CyberSecurity Asset Management for approximately a year.

What do I think about the stability of the solution?

I have seen some lagging, crashing, and downtime, but it doesn't happen very often.

What do I think about the scalability of the solution?

It seems to be suitable for scalability. We're considered more of a medium-sized company, and it seems to be working out fine.

How are customer service and support?

Their technical support is pretty good. The tickets I've sent in, they've been able to help me. We have issues with our account manager who does more than he should be doing and should be referring us to somebody else instead of trying to fix everything for us when he clearly doesn't know as much as he thinks he does.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used Endpoint Central through ManageEngine before Qualys CyberSecurity Asset Management. It didn't detect as much as Qualys CyberSecurity Asset Management did, but the ability for our IT people to easily find the vulnerabilities and set up jobs was beneficial because it also had a full application management and patching solution, including all third-party apps. It made it easier for our IT to fix vulnerabilities. Currently with Qualys CyberSecurity Asset Management, the majority of it is manual installs, and when you have a small IT team with over 5,000 assets, that becomes difficult.

How was the initial setup?

From what I was told, the initial deployment was difficult, but I wasn't involved in that as I was in a different role when we deployed it.

What other advice do I have?

I need to talk with my architecture team because after the Qualys conference, we've discovered there are things that aren't configured correctly. This could possibly mean we might need to get with Qualys CyberSecurity Asset Management to get things in shape so that we're adequately detecting vulnerabilities.

On a scale from one to ten for support, I would give them a nine.

We're just a customer and do not have any partnerships with Qualys CyberSecurity Asset Management.

I rate Qualys CyberSecurity Asset Management a six out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Apr 16, 2026
Buyer's Guide
Download our free Qualys CyberSecurity Asset Management Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2026