reviewer2770677 - PeerSpot reviewer
Information Security Analyst at a manufacturing company with 1,001-5,000 employees
Real User
Top 20
Oct 22, 2025
Dashboards have helped customize risk insights but configuration challenges and lack of guidance hold us back
Pros and Cons
  • "The dashboards are my favorite feature; I can pull up information and create my own dashboards specifically for what I'm looking for."
  • "We've received very poor guidance from them, especially after learning several things we need to fix during the Qualys conference."

What is our primary use case?

My use cases involve using Qualys CyberSecurity Asset Management to detect vulnerabilities and then passing on the information to our IT team that has to fix the vulnerabilities.

The External Attack Surface Management covers my entire attack surface, but the majority of it doesn't apply to us because our external assets are not owned by us. We just have the external assets that are hosting our web pages.

What is most valuable?

The dashboards are my favorite feature.

I can pull up information and create my own dashboards specifically for what I'm looking for.

In addition to vulnerabilities, Qualys CyberSecurity Asset Management identifies all other risk factors for my assets.

What needs improvement?

The TruRisk feature could help prioritize vulnerabilities and assets, but our issue currently is that we weren't provided with adequate information to set things up correctly. We have many configurations to fix, and if we get to that point, it could be useful, but currently it's not because of inaccurate data.

The downsides of this solution include needing more knowledgeable account managers, and there needs to be more guidance on how to use their solution because there's so much to it. We've received very poor guidance from them, especially after learning several things we need to fix during the Qualys conference. Additionally, we need a solution to be able to do application deployment, which they sold us on a year ago, saying it was coming, and we still keep hearing it's coming.

For how long have I used the solution?

I have been using Qualys CyberSecurity Asset Management for approximately a year.

Buyer's Guide
Qualys CyberSecurity Asset Management
January 2026
Learn what your peers think about Qualys CyberSecurity Asset Management. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
881,082 professionals have used our research since 2012.

What do I think about the stability of the solution?

I have seen some lagging, crashing, and downtime, but it doesn't happen very often.

What do I think about the scalability of the solution?

It seems to be suitable for scalability. We're considered more of a medium-sized company, and it seems to be working out fine.

How are customer service and support?

Their technical support is pretty good. The tickets I've sent in, they've been able to help me. We have issues with our account manager who does more than he should be doing and should be referring us to somebody else instead of trying to fix everything for us when he clearly doesn't know as much as he thinks he does.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used Endpoint Central through ManageEngine before Qualys CyberSecurity Asset Management. It didn't detect as much as Qualys CyberSecurity Asset Management did, but the ability for our IT people to easily find the vulnerabilities and set up jobs was beneficial because it also had a full application management and patching solution, including all third-party apps. It made it easier for our IT to fix vulnerabilities. Currently with Qualys CyberSecurity Asset Management, the majority of it is manual installs, and when you have a small IT team with over 5,000 assets, that becomes difficult.

How was the initial setup?

From what I was told, the initial deployment was difficult, but I wasn't involved in that as I was in a different role when we deployed it.

What other advice do I have?

I need to talk with my architecture team because after the Qualys conference, we've discovered there are things that aren't configured correctly. This could possibly mean we might need to get with Qualys CyberSecurity Asset Management to get things in shape so that we're adequately detecting vulnerabilities.

On a scale from one to ten for support, I would give them a nine.

We're just a customer and do not have any partnerships with Qualys CyberSecurity Asset Management.

I rate Qualys CyberSecurity Asset Management a six out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Oct 22, 2025
Android Developer at a consultancy with 11-50 employees
Real User
Top 5
Nov 7, 2024
Ensures a comprehensive inventory of all assets, regardless of their distribution
Pros and Cons
  • "The most valuable feature is the real-time visibility Qualys CyberSecurity Asset Management provides into all assets across our development and operational environments."
  • "Qualys CyberSecurity Asset Management offers comprehensive features to cover our entire attack surface."
  • "The UI needs improvement as it can become overwhelming after prolonged use."

What is our primary use case?

At our Android development company, Qualys CyberSecurity Asset Management safeguards our development environment and digital assets, including sensitive codebases, APIs, databases, and cloud-based infrastructure. By continuously monitoring these assets, Qualys helps us detect vulnerabilities, misconfigurations, and potential malware, protecting both our proprietary technology and client projects from threats like ransomware and malicious activity. Furthermore, it ensures compliance with industry standards through real-time insights and automated security patches, fostering trust between us and our valued customers.

How has it helped my organization?

Qualys Cybersecurity Asset Management offers comprehensive features to cover our entire attack surface. Its cloud-based platform provides full compliance management, ensuring infrastructures align with databases and standards. Cloud storage enables easy data retrieval and recovery. Additionally, it utilizes AI-powered features to monitor and manage security patches, enhancing overall security posture.

Qualys Cybersecurity Asset Management utilizes advanced deep neural networks and AI to identify previously undiscovered assets and threats, crucial to our company's security. We discovered an additional 120 assets with Qualys CSAM.

It has significantly enhanced our company's security by providing real-time visibility into all access points across our development ecosystems, improving vulnerability detection and risk management. This allows us to address security gaps quickly before they escalate into critical threats. The automated discovery of misconfigurations ensures continuous compliance with industry and government standards, reducing manual efforts and freeing our team to focus on innovation. This comprehensive approach has fortified our infrastructure, protecting sensitive code, client data, and cloud management from cyberattacks. Consequently, we have faced fewer security threats, allowing us to focus on other areas for improvement within the company.

The Asset Management helps us identify all risk factors, including vulnerabilities and malicious attacks, along with various other aspects of asset management.

This advanced cloud system utilizes APIs to connect and retrieve data, while passive sensors track the code bases of our applications.

Passive sensors hinder the real-time identification of potential risks, as they transmit real-time data and additional information with a delay. However, the system's speed, combined with AI, deep learning, and robotic process automation, enables efficient risk identification despite this limitation.

What is most valuable?

The most valuable feature is the real-time visibility Qualys CyberSecurity Asset Management provides into all assets across our development and operational environments. As an app development company dealing with multiple platforms, servers, APIs, and mobile data, each becomes a significant target for cyber threats. 

Qualys CyberSecurity Asset Management ensures a comprehensive inventory of all assets, regardless of their distribution. This allows us to detect vulnerabilities, misconfigurations, and outdated systems before they become security issues. The automated vulnerability scanning and patch management features, with automatic risk identification and remediation, are also invaluable. By reducing manual intervention, these features increase efficiency and allow our team to focus on other priorities.

What needs improvement?

There are a few areas Qualys CyberSecurity Asset Management can improve. First, the UI needs improvement as it can become overwhelming after prolonged use. A more intuitive design with simplified navigation would be beneficial for all team members, especially beginners. 

Second, the reporting feature could offer more customizable templates and easier-to-digest visualizations. This would help in creating targeted reports for different stakeholders, such as technical teams and executives. 

Lastly, integration capabilities with third-party tools and platforms should be expanded. While some integrations are supported, more options like CI/CD pipelines, which are integral for app deployment, would be advantageous.

For how long have I used the solution?

I have been using Qualys CyberSecurity Asset Management for one year.

What do I think about the stability of the solution?

I would rate the stability of Qualys CyberSecurity Asset Management eight out of ten.

What do I think about the scalability of the solution?

I would rate the scalability of Qualys CyberSecurity Asset Management ten out of ten.

How are customer service and support?

Once we needed to contact their customer support, we received timely assistance. The support team was knowledgeable and offered a variety of quick resolution options. They also provided extensive documentation and access to community forums, allowing us to find solutions independently.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I previously evaluated Nessus, but while it offers effective vulnerability scanning, it lacked the comprehensive asset management and continuous monitoring capabilities necessary for expanding our application management system. We needed a solution that provided deeper visibility into our digital assets, including cloud infrastructure and mobile applications. 

Qualys offered a more integrated approach by combining vulnerability management, compliance checks, and real-time inventory in a single platform, simplifying processes, improving collaboration between development and security teams, and offering greater scalability.

How was the initial setup?

The initial setup was smooth and easy to follow, aided by guidance from the Qualys team.

The deployment took three to four hours.

What about the implementation team?

The implementation was performed with assistance from the Qualys team, who helped with platform configuration and integration into existing systems.

What was our ROI?

Our return on investment includes a significant reduction in security incidents, decreasing potential costs related to data breaches, system downtime, and compliance fines. This was achieved through streamlined vulnerability management, which reduced labor costs by approximately $109,000 annually. Additionally, enhanced client and company trust led to approximately $99,000 in new contracts. These improvements to our security infrastructure contributed to overall business growth of approximately 150 percent over the past year.

What's my experience with pricing, setup cost, and licensing?

The pricing for Qualys Cybersecurity Asset Management is reasonable, with an annual subscription costing around $1,000 per year or a monthly subscription starting at approximately $72 per month, depending on the specific package and features included.

What other advice do I have?

I would rate Qualys CyberSecurity Asset Management eight out of ten.

We use Qualys CyberSecurity Asset Management in six locations across the country.

Qualys CyberSecurity Asset Management does not require any maintenance.

I would advise fostering security awareness through regular review and updates to security policies and protocols. Staying informed about other platforms is important, but Qualys CyberSecurity Asset Management is a fit for our company due to its reasonable cost, scalability, stability, and excellent integration and deployment features.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
SurajTripathi - PeerSpot reviewer
Senior Security Consultant at a tech consulting company with 11-50 employees
Real User
Top 5 Leaderboard
Mar 2, 2025
Security posture improves with proactive risk identification and enhanced asset visibility
Pros and Cons
  • "I appreciate the feature that simplifies cloud security posture, offering insights into vulnerabilities, and reducing the complexity of managing the security program."
  • "Based on the company's budget, Qualys offers limited features, which can also be utilized in other environments."

What is our primary use case?

I have been working with Qualys for approximately two and a half years. I have used this module to manage security postures in cloud environments, and it is essentially used for hybrid management systems. This allows me to adhere to security practices across cloud environments.

What is most valuable?

I appreciate the feature that simplifies cloud security posture, offering insights into vulnerabilities, and reducing the complexity of managing the security program. It provides a proactive security posture, identifying risks before attempts are made. It is also scalable in hybrid management, offering dynamic capabilities in cloud environments, providing visibility to thousands of assets. Additionally, it is beneficial in discovering what's occurring in the cloud environment and provides visibility in asset discovery. It helps monitor assets continuously, granting real-time visibility, which aids the IT environment in maintaining these assets. External attack surface management allows me to consider things from an attacker's perspective. I've improved on faster remediation and reduced risk breaches, as the module enables me to quickly identify vulnerabilities and take necessary actions. Decision-making is straightforward, allowing risk prioritization and action accordingly.

What needs improvement?

Qualys is continually developing, adding new features each year. Previously, there was no on-demand scan feature in a cloud agent, but multiple features have since been added to my cloud agent module. In CSAM as well, I expect features that make security and IT team tasks easier, eliminating manual efforts. Features enhancing the interaction with IT or security teams should be added, such as a ticketing feature that, if an issue arises in the CSAM module, enables direct ticket creation in systems like ServiceNow. This would streamline assigning tickets to appropriate teams.

For how long have I used the solution?

I have used the solution for two and a half years.

What do I think about the stability of the solution?

I do not think there are any issues.

What do I think about the scalability of the solution?

It's scalable. I do not face any limitations.

How are customer service and support?

I would rate the technical support nine out of ten. They are effective; if I raise a ticket, they directly contact me and solve my problems, whether related to deployment or unresolved vulnerabilities.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have been using Qualys from the beginning and have not used any other solution extensively. However, I have some familiarity with Rapid7, but it lacked the level of detail found in Qualys.

How was the initial setup?

The initial setup was smooth, particularly with the cloud agent installation and sensor deployment. After the initial stage and the licensing part were completed, I became involved in creating user IDs and as an administrator, I managed user access, including giving privileges to admins. I coordinated with the Linux, Windows, and Mac teams to download and install the agent and conduct testing.

What about the implementation team?

I received assistance from the Qualys support team, specifically from the ACCPL team provided by Qualys. It was a third-party team.

What was our ROI?

As mentioned earlier, it saves time and facilitates direct communication with real issues I have faced.

Which other solutions did I evaluate?

At present, I do not think so; however, I may consider CrowdStrike as it has some features, though not as detailed.

What other advice do I have?

The CSAM module is great and continually improving with updates. I would rate it nine out of ten. However, based on the company's budget, Qualys offers limited features, which can also be utilized in other environments. I rate the overall solution nine out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Scott Frederick - PeerSpot reviewer
Director of Vulnerability Management at an insurance company with 1,001-5,000 employees
Real User
Top 20
Nov 7, 2024
Well-integrated with our vulnerability scanning utilities and efficient in asset tagging and identification
Pros and Cons
  • "Our favorite features are the tagging and the ability to quickly find assets in the portal."
  • "The fact that it is integrated makes it very easy to understand."
  • "Some areas that would be helpful are more comprehensive tagging and the ability to set up better dynamic rules."

What is our primary use case?

We primarily use it to collect asset information. Our primary value from it is in collecting on-premises assets, as well as the ability to tag those assets with custom tags. We are also using the external attack surface management portion a little bit. We have not fully operationalized it yet, but it looks intriguing.

Additionally, we are leveraging Qualys CSAM's capability to detect software and applications, as well as to identify unauthorized and authorized software in the environment.

How has it helped my organization?

From an inventory point of view, Qualys CSAM gets everything very well. We augment that with Qualys TotalCloud, so we get better insights into our cloud platform, but for our internal data centers, this is our source of truth for asset information.

What is most valuable?

Our favorite features are the tagging and the ability to quickly find assets in the portal. 

Additionally, I do like the fact that Qualys CSAM is integrated with the rest of our vulnerability scanning utilities. We use the full suite from Qualys. The fact that it is integrated makes it very easy to understand. It shares tagging information with VMDR. That is very nice.

Qualys CSAM has discovered assets not previously covered by our vulnerability management program. Primarily, if we have assets without vulnerabilities, they become less visible, but Qualys CSAM alerts us to them because they have IP addresses and are attached to our network. It could discover everything from printers to servers to endpoints. It could discover UPSs, network devices, and across all operating systems. It discovers our security badge readers and digital signage. We have to feed that the IP address ranges, but beyond that, it finds everything in our internal network.

We were able to realize its benefits within the first quarter of installing it. We did have to take some time to learn it and understand how to operationally leverage what it was telling us, but it was very quick.

In addition to vulnerabilities, Qualys CSAM helps identify other risk factors to a degree. For instance, we can see if servers or assets have incorrect naming standards. We have our network segmented into development model, test, and production, and we have server naming standards that identify which management they should be in. If a production server has the naming standard of a development model server, we can find that. That is one area we have used it for.

We are not fully using TruRisk, but we are using the Qualys detection score that is central to our corporate risk prioritization approach. It has completely replaced our homegrown one.

What needs improvement?

Some areas that would be helpful are more comprehensive tagging and the ability to set up better dynamic rules. 

Also, in the area of software categorization, having only three categories (approved, unapproved, unknown) is limiting. We would prefer more options, such as 'approved only for pilot' or 'approved for this line of business,' allowing for better granularity in categorizing software.

They do not yet have a built-in integration with the service management tool that we use. We do not use ServiceNow. We use a different one. We are using a product called Symphony Summit.

For how long have I used the solution?

We started using it probably about a year and a half ago. It became operational around mid-2023.

What do I think about the stability of the solution?

We have encountered very little instability. I have subscribed to their update notifications, and I love getting the release notes because there is always something new in there that is exciting. They are constantly adding capabilities. I love that. It is a bit challenging to keep up at times, but if you want to maximize the value of the tool, you have to stay on top of release notes. As far as stability goes, there is almost nothing. Overall, there are almost no issues. If there are any issues, they usually affect the entire pod. It is not specific to CSAM.

What do I think about the scalability of the solution?

With roughly 10,000 assets under management, we have not encountered any issues with scalability at all.

How are customer service and support?

I have not personally contacted technical support, but I know we get a very good response. We have an excellent technical company who will escalate and support us. We have had a pretty good experience with technical support.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used to have some involvement with a CMDB product from BMC called ADDM. It was similar to Qualys CSAM, but due to a lack of organizational appetite to support it, it was replaced. That is the closest thing to Qualys CSAM that I have ever played with.

How was the initial setup?

It is a cloud solution. We do have cloud agents that reside on our endpoints or assets. I do like the fact that Qualys CSAM uses the same agent on the assets as all the other Qualys products. That was a big plus over other things that we looked at. They required another agent to be installed.

Its initial setup was fairly easy. It takes a little bit of time to get things fully operational and standardized, but Qualys CSAM was easy to install and get up and running. We had to sit back and think about how we best wanted to represent the tagging. That took some time. We are still playing with that. The biggest challenge has been coming up with the best way for us to represent the assets and software discovered by Qualys CSAM.

We had to consider the best way to represent tagging in our system and ensure everything was standardized, but the setup process itself was straightforward.

It did not take us long to fully deploy it. It took less than a week because we already had the cloud agents installed for VMDR. We or our account manager flipped the switch to turn the license on, and we started collecting data right away.

What about the implementation team?

The deployment of Qualys CSAM was a one-person job. We had an additional person for backup reasons, but the job primarily required only one person.

Its maintenance is being taken care of by Qualys. The software tagging is manual, so we have to go in and manually say that product XYZ is no longer approved. That is the only maintenance we do on that platform. It is just whether or not the software is approved or not.

What's my experience with pricing, setup cost, and licensing?

The pricing is fair. I would love to see the price come down a little bit, but we do get a lot of value out of it. We are squeezing every ounce of value we can out of the tool.

What other advice do I have?

Like every product, there are nuances. You have to understand that there are different categories of software. When it detects software, it puts it into various categories. It took us a little while to understand their taxonomy for the software side, so my advice would be to spend a little time understanding that.

We have had good luck with the API. To automate things, we are leveraging their CSAM API, and it is working fine, but there is a little bit of a learning curve. In terms of the core product, you turn it on and it just starts. If you have VMDR already in place, it starts to collect data for you right away, within minutes.

I would rate Qualys CSAM a nine out of ten. If they had a connector for the service management tool that we use, it would be a ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Arshad Nr - PeerSpot reviewer
Senior Security Consultant at a tech consulting company with 11-50 employees
Real User
Top 5 Leaderboard
Mar 13, 2025
Automated asset inventory and comprehensive visibility help with vulnerability prioritization
Pros and Cons
  • "It provides most of the information needed regarding the assets, including the operating system and whether the assets are network devices or servers."
  • "There are no stability issues, and I would rate it a ten out of ten."
  • "The main aspect that needs improvement is the user interface, which should be more intuitive."

What is our primary use case?

Currently, we are using it for asset inventory to determine how many Windows machines and how many Linux machines there are. Accordingly, we categorize them. 

We prioritize the assets according to vulnerability and risk score, identifying the most critical and vulnerable assets. We obtain this information from Qualys CyberSecurity Asset Management and use it for vulnerability remediation and prioritization.

How has it helped my organization?

We have visibility into public-facing IPs and open ports. It helps us in covering the entire attack surface.

We are able to discover various assets such as servers, endpoints, and different operating systems. It is connected to the VMDR console, patch management module, and cloud agent. We can see all the information through the console. We are able to see any outdated versions of software or end-of-support devices. We can then take action accordingly.

We were able to see its benefits immediately. Previously, we used a formula, but now, CSAM enables vulnerability prioritization without spending time creating or applying formulas.

TruRisk Score provides insight into an asset, indicating its risk score and vulnerability. If the score exceeds a particular threshold, we focus on the asset and consider a risk exception. If vulnerabilities are not remediated, we attempt remediation by consulting the TruRisk dashboard. This dashboard is also used to showcase to management without needing customization.

What is most valuable?

It provides most of the information needed regarding the assets, including the operating system and whether the assets are network devices or servers. The device type is available as well. We can prioritize vulnerabilities and assign a risk score. 

What needs improvement?

The main aspect that needs improvement is the user interface, which should be more intuitive. It is not easy for a new user because it provides a lot of details. Capturing information quickly is difficult. The user interface should be improved to make information more accessible.

For how long have I used the solution?

I have been using it for two years. We got it along with our VMDR.

What do I think about the stability of the solution?

There are no stability issues, and I would rate it a ten out of ten.

What do I think about the scalability of the solution?

I would rate it a seven out of ten in scalability.

How are customer service and support?

Sometimes, when I encounter challenges or discrepancies in the console data, I communicate with support and receive good responses. The technical support of Qualys is noteworthy, as I have not experienced delayed responses.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have not used any other solution before.

How was the initial setup?

Deployment is easy because we do not need to configure much on CSAM. It automatically populates data, requiring us to only focus on cloud agent deployment and scanning, which makes it very easy.

The full implementation took about a month. We had 2,500 assets. Initially, we only onboarded servers. That was easy. After that, we onboarded endpoints. Overall, it took three to four months to populate all the data.

It does not require any maintenance from our end because we are using the cloud version.

What about the implementation team?

The entire team, consisting of four people, worked on the Qualys implementation.

What's my experience with pricing, setup cost, and licensing?

The pricing is reasonable relative to the features provided, as it collects all module data and operates as a main, centralized inventory, making it a cost-effective solution.

What other advice do I have?

Qualys offers an automated solution for asset inventory. I would recommend it to anyone looking for a similar solution.

I would rate the solution an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: MSP
Revathi VeeraRaghavan - PeerSpot reviewer
Information Security - Manager at a tech company with 10,001+ employees
MSP
Top 5
Dec 4, 2024
Provides comprehensive visibility and covers the complete attack surface
Pros and Cons
  • "I like the EASM part because it provides visibility into unmanaged assets that are public-facing."
  • "I would rate Qualys CSAM a ten out of ten."
  • "They should address the false positives generated in EASM. It is fetching assets that have Infosys as the keyword. They should fix that."

What is our primary use case?

The use cases for Qualys CyberSecurity Asset Management (CSAM) include getting software details, such as identifying software that is reaching end-of-life (EOL) or has already become EOL, and getting asset details.

Additionally, the integration with Shodan through External Attack Surface Management (EASM) helps get asset details of public-facing assets.

I also use its reporting capabilities. I can generate reports related to software with queries.

I also used the web application to see potential web-hosted assets for our subscription.

How has it helped my organization?

EASM covers the entire attack surface. Earlier, we were using a third-party vendor, but we now completely rely on Qualys for EASM. It scans the assets and also tags them based on the domain and subdomain. It discovers more and provides complete details about the assets, such as the external interface and internal interface. It correlates them, and we get the complete details of the assets, which were not given by the other solution. It just gave the IPs. We had to take the IP, put it in Qualys, and check the details. With Qualys, it is very easy to get the asset details.

We were able to realize its benefits immediately after the deployment. 

We use the TruRisk score, but based on the QDS and ACS, we have also derived our own severity for the organization. We assess whether it is really exploitable and being exploited in the wild.



We had some issues with the agents and detections until May, but after the version upgrade to 5.4, we saw a tremendous improvement in detection. We have 99.9% detections, and we were also able to achieve 84% patching and compliance in five days because of the detections.

What is most valuable?

I like the EASM part because it provides visibility into unmanaged assets that are public-facing. Previously, we had to log in to Shodan and get the details. Instead of that, Qualys has an external scanner that scans the assets belonging to, for example, Infosys. We give the domain, subdomains, and any related subsidiaries in the configuration. Based on that, it scans the domain and gives correlated results with the public-facing IP and the internal IP used in Infosys for an asset. I can see both interfaces in EASM. I can see the software details for all the assets and any ports that are open on the assets.

What needs improvement?

For some of the software, there was no life cycle or general information. We wanted them to give details in the database as and when the software comes. I raised a ticket for that, and after that, they updated the details for more than one million software.

They should address the false positives generated in EASM. It is fetching assets that have Infosys as the keyword. They should fix that.

When we click on the web application, it only shows potential web assets. The application details are not there.

Overall, CSAM has matured a lot. These are the few enhancements that need to be done.

For how long have I used the solution?

I have been using the solution for three years. I use it regularly for my day-to-day activities.

What do I think about the stability of the solution?

We have not seen any issues with stability such as lagging, crashing, or downtime.

What do I think about the scalability of the solution?

Qualys CSAM is highly scalable. I would rate its scalability a ten out of ten.

How are customer service and support?

Customer service is efficient, with a support executive being assigned within 24 hours. They respond based on ticket severity. The support team actively involves themselves in resolving raised issues.

We also have governance calls where we raise tickets and troubleshoot and resolve any concerns.

How would you rate customer service and support?

Which solution did I use previously and why did I switch?

For EASM, we were previously using another solution. They only provided basic details like IP addresses. With CSAM, we have comprehensive asset details, including enumeration and routing details. We also have TruRisk details.

The other vendor only gives me the ID. They do not tell me who the owner is. Qualys gives me all the information about the assets, software, vulnerabilities, open ports, and interfaces. We get the network summary and asset summary in one place.

How was the initial setup?

Its initial setup was relatively straightforward. The deployment did not take much time.

Its maintenance is taken care of by Qualys.

What about the implementation team?

The deployment was done in-house by one person, without the need for an external integrator or consultant.

What's my experience with pricing, setup cost, and licensing?

The pricing for Qualys CSAM is nominal.

What other advice do I have?

I would rate Qualys CSAM a ten out of ten. I am very satisfied with its features, including dynamic and static tagging, and the comprehensive details it provides for asset management. I am happy with it.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Curtis Nielson - PeerSpot reviewer
Security Operations Manager at a manufacturing company with 10,001+ employees
Real User
Top 20
Dec 4, 2024
Good scanning results and less management and maintenance
Pros and Cons
  • "The scanning results are pretty good, and some of the insights are quite valuable."
  • "We have had challenges modifying the agent configuration. Particularly, when we want to change the tenant that the agent is pointing to, we have had difficulties making that reliable and working properly."

What is our primary use case?

We use it for scanning, vulnerability management, a little bit of policy compliance, and some web application scanning.

We primarily implemented it for StateRAMP compliance requirements with NIST 800-53.

How has it helped my organization?

There have been some instances where devices that were not known to be in a specific place were discovered. They were primarily EC2 instances deployed in an AWS account. Our systems are scalable. They scale in and out all the time, so it is hard to give a precise number of the devices discovered. It probably discovered 3% to 5% of the overall system.

In addition to vulnerabilities, it identifies other risk factors for our assets. It does not cover all, but it covers about 80%.

What is most valuable?

The scanning results are pretty good, and some of the insights are quite valuable. The fact that it is a largely cloud or SaaS product means that there is less management and maintenance required. Those are all benefits we like.

What needs improvement?

We have had challenges modifying the agent configuration. Particularly, when we want to change the tenant that the agent is pointing to, we have had difficulties making that reliable and working properly. For Windows agent installations, updates require more than a simple configuration change. It requires a download and install, which we find cumbersome, but once it is in place, it is pretty good.

For how long have I used the solution?

We have been using the solution for about two years.

What do I think about the scalability of the solution?

Our systems are scalable, so they scale in and out all the time.

How are customer service and support?

It is above average. There have been issues where we had to bring in Qualys and other vendors. There was some finger-pointing back and forth about who was responsible, which is common, but overall, they are responsive and generally knowledgeable.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

For web application scans, we previously used WebInspect, but we changed due to scalability issues. WebInspect could not meet our frequent scan requirements without significant infrastructure improvements. Qualys seems to be able to handle it better.

We also used Tenable.io, which was not very cloud-aware, whereas Qualys has better AWS cloud integrations and capabilities.

How was the initial setup?

It was a little time-consuming, but we did not find it overly complex.

The first time, it took about two weeks. Subsequently, because we worked out the kinks and figured out some things, we could get a new system up and running in a couple of days.

It requires regular patching maintenance, the same as any other OS. There is nothing outside of what I would consider normal. We have two people involved in maintenance.

What about the implementation team?

Two people were involved full-time with a handful of support staff. Their roles included security vulnerability engineer, network engineer, and network architect. We also had some consulting professional services provided by Qualys.

What was our ROI?

It has reduced the amount of in-house development and configuration changes needed to make the scanners compatible with the AWS cloud. It has reduced the number of development and scripting hours along with maintenance hours. It has allowed fewer individuals to manage the system overall, providing some ROI benefits.

What's my experience with pricing, setup cost, and licensing?

The pricing is market-competitive. We have large licenses through a corporation, but I am only involved with a small portion of it, so I do not know its price.

What other advice do I have?

Defense-in-depth is very important. There are many layers to a network. There are many layers to an operating system, and there are many layers to applications. It is essential to provide security, detection, and prevention at each one of those layers.

To a colleague at another company who says they only need to add External Attack Surface Management to their vulnerability management detection/response program but they do not need the full depth of the CSAM offering, I would say that they are likely to get hacked.

We do not use Qualys CSAM for the entire attack surface. We primarily use it for production deployments. Our entire attack surface, corporate-wise, is managed elsewhere. It is competitive. It is not the best that I have seen, but it is competitive.

TruRisk Scoring helps prioritize vulnerabilities and assets, but we do not use it all that much. Our reporting requirements are tied to CVE rankings. While we sometimes take a look at it, we do not rely on it.

We use the solution's CMDB Sync feature, but we use it more as a confirmation of an existing CMDB tool we have.

I would rate Qualys CSAM an eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Vaibhav_Kumar - PeerSpot reviewer
Analyst III - Information Security and Compliance at a financial services firm with 201-500 employees
Real User
Top 20
Sep 25, 2024
The asset discovery feature provides detailed information about each asset
Pros and Cons
  • "The best feature is asset discovery through their cloud agent or IP-based scanning."
  • "In our reporting, we faced a challenge syncing with cloud devices."

What is our primary use case?

We use Qualys CyberSecurity Asset Management to improve asset tracking and manage our security posture, thereby minimizing security risk. Enhanced visibility into our asset inventory enables us to implement appropriate security measures to protect against potential incidents and threats.

The major challenge in security today is that many organizations still have an extreme problem: they are not aware of how many assets they have. As businesses grow, their assets grow as well. However, asset tracking has traditionally been a manual and cumbersome process. Due to this, many assets were mismanaged. Nobody tracked them properly, and assets were not updated with OS patching or application patching. This was particularly problematic for data sets, as many people across the organization were unfamiliar with those assets, which led to security issues. This is why we implemented Qualys CyberSecurity Asset Management.

How has it helped my organization?

The external attack surface refers to the externally visible endpoints hosted by any company. External scanning can be performed to identify the number of publicly-facing assets. CSAM provides functionality to scan these external assets, and based on the scanning results, patching can be performed to address any identified vulnerabilities.

The best part about Qualys CSAM is that it continuously pulls data. We can either install a cloud agent on all our machines or use IP wave scanning to identify the IP subnet. Qualys CSAM will identify any machine that spins up within that IP subnet during its scheduled scans. Once it finds a new machine within the subnet, it will register it as a new asset and populate it on the dashboard.

Qualys CyberSecurity Asset Management was able to identify an additional 50 to 100 assets that were not part of our vulnerability management program.

The key functionality of CSAM is a new feature update that Qualys releases periodically. It provides organizations and IT professionals with key metrics to understand how assets behave within their infrastructure, addressing the issue of unfamiliarity. CSAM focuses on efficacy, efficiency, and improved asset tracking. Better asset tracking enhances security posture, enabling timely patching and streamlining the entire vulnerability management lifecycle. Asset management is the first phase, and when asset tracking is simplified, the entire vulnerability management cycle becomes easier.

When discussing additional risk factors, CSAM provides crucial insights into the nature of the host, including basic information like hostname, IP address, operating system, installed applications, initial discovery date by Qualys, and current online/offline status. Leveraging risk factors like initial discovery date and the presence of malicious or outdated applications allows for collaboration with patch management teams to assess machine compliance. Effective asset management lifecycle practices empower organizations to comprehensively address many risk factors.

The TruRisk Scoring was accurate. While false positives are always possible, they were minimal in Qualys, making it nearly perfect.

I have leveraged active and passive sensors, such as Qualys Cloud Agent models, to gain better visibility into our assets.

Qualys will send a probe whenever we have passive sensors and an established IP connection. This probing timeline indicates how frequently the network needs to be probed—for example, every 30 minutes. Based on the timeline, the sensor will probe the entire IP range and detect any new machines that appear, improving our visibility.

What is most valuable?

The best feature is asset discovery through their cloud agent or IP-based scanning. It provides detailed information about each asset, including its operating system, applications, power status, and improved asset polling. These are some key metrics provided by Qualys CyberSecurity Asset Management.

What needs improvement?

In our reporting, we faced a challenge syncing with cloud devices. The issue arose because, let's say, we have 250 licenses and use AWS cloud with its auto-scaling feature. As the load increases, the server count automatically scales up. The cloud agent was installed on the new devices, but when the old devices were decommissioned, it wasn't uninstalling from the asset as it should have been. This made asset tracking with cloud auto-scaling quite challenging, as we had difficulty uninstalling the sensor.

For how long have I used the solution?

I have been using Qualys CyberSecurity Asset Management for five years.

What do I think about the stability of the solution?

I would rate the stability of Qualys CyberSecurity Asset Management nine out of ten.

What do I think about the scalability of the solution?

I would rate the scalability of Qualys CyberSecurity Asset Management nine out of ten.

Which solution did I use previously and why did I switch?

I have used Tenable Nessus, Greenbone, and Rapid7, but my confidence in Qualys is far greater than that in the others.

Some of the reasons we chose Qualys were its user interface, ease of problem-solving, and straightforward explanations of use cases. The deployment facility, deployment guidelines, post-deployment management, and Qualys support team assistance we receive after purchasing the product are excellent. These factors influenced me to choose Qualys over other products.

How was the initial setup?

The deployment is straightforward, and Qualys is easy to understand. The transition from on-premises to the cloud was smooth, and overall, it was a positive experience.

The transition from on-premises to the cloud, including around 5,000 devices, took me one month to complete.

What was our ROI?

We have observed a return on investment of approximately 95 percent, and Qualys CyberSecurity Asset Management has also reduced our costs by 35 percent.

Qualys CyberSecurity Asset Management provided an excellent return on investment. It offered comprehensive visibility into the security lifecycle across our organization, providing clarity on the state of our security infrastructure. Furthermore, it stands out as one of the top vulnerability management tools currently available.

What's my experience with pricing, setup cost, and licensing?

Qualys offers excellent value for money. Its pricing model is transparent and fair, with no hidden fees. It provides flexible options tailored to our specific needs. Its pricing structure is easy to understand, and its team will work with us to find the best solution. It's open to discussions and committed to offering competitive pricing. Compared to similar products on the market, Qualys is priced competitively.

What other advice do I have?

I would rate Qualys CyberSecurity Asset Management nine out of ten.

We hosted Qualys CyberSecurity Asset Management in a single location, not multiple locations. From a security perspective, we utilized availability zones, but there was only one physical location. I served as the administrator, and in addition to me, there were four to five other individuals who used Qualys for enhanced monitoring.

From a maintenance perspective, if the Qualys platform requires maintenance, customers will receive prior notification. This ensures that customers are aware of any potential service interruptions. Every software system needs maintenance, whether for an upgrade or to implement significant changes.

I highly recommend Qualys to others.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Download our free Qualys CyberSecurity Asset Management Report and get advice and tips from experienced pros sharing their opinions.
Updated: January 2026