it_user247242 - PeerSpot reviewer
Consultant with 501-1,000 employees
Vendor
Using the vulnerability management module you can track the list of vulnerabilities.

What is most valuable?

I have mostly used vulnerability management so I would recommend it for the same.

How has it helped my organization?

Most of my clients use it for the vulnerability scanning of their internal & external network devices. Using the vulnerability management module you can track the list of vulnerabilities and can take action to remediate them. You can also see the list of vulnerabilities by severity and various other stuff.

What needs improvement?

I can't say as I have worked mostly on its vulnerability management module.

For how long have I used the solution?

I've used it for two years.

Buyer's Guide
Qualys VMDR
June 2025
Learn what your peers think about Qualys VMDR. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
861,524 professionals have used our research since 2012.

What was my experience with deployment of the solution?

I didn't work on the deployment.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

Which solution did I use previously and why did I switch?

I didn't use a previous solution, but the vulnerability management helped me to find out about it.

Which other solutions did I evaluate?

I have seen other products like Nessus, Nmap, iDefense and so on but I found this one much better.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
it_user5130 - PeerSpot reviewer
Security Expert at a financial services firm with 1,001-5,000 employees
Vendor
Makes many promises but in order to do so, Qualys requires the client to provide a backdoor to the system.

The QualysGuard Private Cloud Platform (QG PCP) makes many promises, one of which is that vulnerability scan data can be hosted by a private cloud platform in a client's data center and under the client's control. If taken at their word, this may seem promising, but the reality is that Qualys still will have to manage this platform remotely. By doing so, they will have access to this data remotely anyway and can pull it down to their site as needed. Needless to say, Qualys requires the client to provide a backdoor to the system.

The Qualys PCP equipment is leased and never sold to the customer. There are many legal issues with this which allow them to access their equipment. They require the customer to give them remote access in order for them to manage it remotely. That is a requirement and not an option. They keep it a big secret how it is managed.

Remote Access

What kind of remote access to the QG PCP do they require?

1. Persistent iVPN tunnel
2. VPN remote access account

Qualys still has the means to pull the data back to Qualys through SSH/SCP even though it is hosted on a customer site. In fact, Qualys does not allow the customer to monitor the network traffic being sent back to Qualys. Such requests were flat out refused during a security assessment. What they pull back is their business and the customer has no right to know.

Network Sniffer

Network monitoring had to be done outside of the QG PCP as Qualys did not allow internal network sniffing. This traffic analysis did show a few weaknesses.

1. Emails were being sent to the email server UNENCRYPTED. Yes, one could see the message being sent as well as who the recipients were. Emails were being sent back to Qualys through the Internet. A lot of sensitive information was sent unencrypted, including server names, configuration, scripts, running jobs, listening ports, and full internal DNS names.

2. Internet connections from Indonesia were seen accessing the QG PCP even though it was supposed to be in a controlled access network in a data center.

3. A lot of failed DNS requests to www.qualys.com and other Qualys subdomains; it looks like the system has not been fine-tuned to be hosted at a client site. The interesting thing is that it tries to do Windows updates on its own by accessing the Internet.

4. Undocumented protocols used by the Qualys PCP; namely AppleTalk, CMIP-Man, and Feixin.

5. Syslog messages sent across the network unencrypted.

Firewall Rule Analysis

Firewall rule analysis shows that SSH is allowed into the platform through VPN firewall as well as HTTP(S) protocols.

Internet Access

The Qualys PCP itself does access network traffic in and out of the controlled access network environment as seen in the diagram below.

1. The Qualys PCP Service Network requires outbound communication for

a. NTP – Time Synchronization

b. DNS – Name Resolution

c. SMTP – Email

d. WHOIS – External Internet

e. Daily Vulnerability Updates - External Internet.

WHOIS pulls information from the Internet and Daily Signature Updates are pulled from Qualys through the Internet on port 443. In effect, the PCP is pulling information from Qualys through the Internet to retrieve updates. A man-in-the-middle attack could intercept the update and instead return a malware update to the Qualys PCP provided that a vulnerability exists in the platform.

2. The physical scanners communicate to the Qualys PCP. This requires that inbound port 443 be opened on the PCP. Physical scanners in the DMZ also need to communicate to the PCP on port 443. Access to the PCP from the DMZ increases the risk.

3. Qualys SOC accesses the PCP through iVPN and VPN connections from the Internet for maintenance and support.

Virtual Scanners

A sniffer placed on a virtual scanner showed that it chose to use SSLv3, which is deprecated, by default on some servers to communicate to the Qualys PCP. In particular, it uses SSLv3 with RC4-MD5. MD5 is obsolete. Qualys documentation claims they use TLSv1 and the latest modern secure protocols.

Application Analysis

Perl API

Application analysis was done by running Perl scripts against the qualysapi server and testing for vulnerabilities. The server itself was found to be vulnerable by accepting login credentials for API requests via base64 encoding and passed through plaintext HTTP. This could result in the loss and capture of Qualys Admin credentials, which could result in access to vulnerability scan results.

Web Application

The Qualys Web Application tests resulted in a number of vulnerabilities.

Qualys PCP Internal

Additional vulnerabilities were found inside the Qualys PCP infrastructure itself. It was found to be very insecure.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
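The assessment above reports findings that a defender can check for in their own captures: cleartext SMTP and syslog leaving the appliance, egress to ports outside the documented list (NTP, DNS, SMTP, WHOIS, HTTPS), SSLv3 with RC4-MD5, and API credentials carried as HTTP Basic authentication over plaintext HTTP. The script below is an added example written for this page, not code from the reviewer or from Qualys. It audits a set of summarised connection records against those expectations; the `Flow` structure, the sample flows, the host addresses and the user name `apiadmin` are all constructed for the demonstration, and the "documented" port list is taken from the review's own enumeration.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Outbound services the review lists as documented for the appliance.
# Anything else leaving the appliance is worth an explanation from the vendor.
DOCUMENTED = {
    ("udp", 123): "NTP",
    ("udp", 53): "DNS",
    ("tcp", 53): "DNS",
    ("tcp", 25): "SMTP",
    ("tcp", 43): "WHOIS",
    ("tcp", 443): "HTTPS",
}

# Services that must never appear without TLS (the review saw all three in clear).
CLEARTEXT_SENSITIVE = {25: "SMTP", 80: "HTTP", 514: "syslog"}

DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "NULL", "EXPORT", "DES")


@dataclass
class Flow:
    """One summarised connection, as a sniffer outside the appliance would record it."""
    src: str
    dst: str
    transport: str            # "tcp" or "udp"
    dst_port: int
    tls_version: Optional[str] = None   # None means no TLS handshake was observed
    cipher: Optional[str] = None
    payload: bytes = b""      # leading application bytes, only present when sent in clear


def basic_auth_username(payload: bytes) -> Optional[str]:
    """Return the user name if the cleartext payload carries HTTP Basic auth.

    Basic auth is base64, not encryption: if the bytes were captured, the
    password was captured too. Only the user name is returned here because
    that is enough evidence for a finding.
    """
    m = re.search(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", payload)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    user, sep, _password = decoded.partition(b":")
    return user.decode("ascii", "replace") if sep else None


def audit_flow(flow: Flow) -> List[str]:
    """Apply the transport and egress policy to one flow; return human-readable findings."""
    findings: List[str] = []
    key = (flow.transport, flow.dst_port)
    if key not in DOCUMENTED:
        findings.append(f"undocumented {flow.transport}/{flow.dst_port} to {flow.dst}")
    if flow.tls_version is None:
        if flow.dst_port in CLEARTEXT_SENSITIVE:
            findings.append(f"cleartext {CLEARTEXT_SENSITIVE[flow.dst_port]} on port {flow.dst_port}")
        user = basic_auth_username(flow.payload)
        if user is not None:
            findings.append(f"HTTP Basic credentials for '{user}' sent without TLS")
    else:
        if flow.tls_version in DEPRECATED_TLS:
            findings.append(f"deprecated protocol {flow.tls_version} to {flow.dst}")
        if flow.cipher and any(mk in flow.cipher.upper() for mk in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite {flow.cipher} to {flow.dst}")
    return findings


def audit_capture(flows: List[Flow]) -> Dict[str, List[str]]:
    """Audit every flow; keys are 'src->dst:port' so results can be cross-checked."""
    return {f"{f.src}->{f.dst}:{f.dst_port}": audit_flow(f) for f in flows}


# Constructed sample capture (addresses from documentation ranges, not real hosts).
SAMPLE_FLOWS = [
    Flow("10.0.5.20", "10.0.5.30", "tcp", 25,
         payload=b"MAIL FROM:<pcp@example.test>\r\nRCPT TO:<ops@example.test>\r\n"),
    Flow("10.0.5.20", "203.0.113.10", "tcp", 443, tls_version="SSLv3", cipher="RC4-MD5"),
    Flow("10.0.5.20", "203.0.113.11", "tcp", 443, tls_version="TLSv1.2",
         cipher="ECDHE-RSA-AES128-GCM-SHA256"),
    Flow("10.0.5.21", "10.0.5.20", "tcp", 80,
         payload=b"GET /api/ HTTP/1.1\r\nHost: api.example.test\r\nAuthorization: Basic "
                 + base64.b64encode(b"apiadmin:S3cret!") + b"\r\n\r\n"),
    Flow("10.0.5.20", "10.0.5.40", "udp", 514,
         payload=b"<34>Jan  1 00:00:00 pcp scanner: job 17 started"),
    Flow("10.0.5.20", "10.0.5.41", "tcp", 2345),   # unexplained egress, no TLS seen
]

if __name__ == "__main__":
    for flow_id, findings in audit_capture(SAMPLE_FLOWS).items():
        print(flow_id, "->", findings or "ok")
```

The policy is deliberately expressed as allow-lists (documented ports, acceptable TLS versions) rather than a list of known-bad things, so an appliance that starts talking a protocol nobody documented is flagged even when that protocol is harmless; that is the check the review's "undocumented protocols" finding calls for.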
it_user147540 - PeerSpot reviewer
Security Compliance Analyst at a healthcare company with 501-1,000 employees
Vendor
Delivers higher frequency of scans & better aggregation of results. Ticket management has room for improvement.

Valuable Features

Integrity of scanners; never do I need to worry: “Is this scanner going to bring down a host?”

Improvements to My Organization

Higher frequency of scans, better aggregation of scan results, abundance of different reports (can be scheduled and automated), delivering metrics to senior management.

Room for Improvement

Ticket management

Use of Solution

5+ years

Deployment Issues

No

Stability Issues

No

Scalability Issues

No

Customer Service and Technical Support

Customer Service: Good – 4 out of 5

Technical Support: Good – 4 out of 5

Initial Setup

Straightforward. Assuming you know your network layout, number of devices and other basic information, it is pretty simple to figure out what you need. Qualys ships you the scanners, you rack them, set them up and technically could start scanning. Though, there are other recommended tasks to complete via the QualysGuard Vulnerability Management web portal such as defining asset groups, setting up scan rules, turning ticketing on, generating reports, etc.

Implementation Team

In-house

ROI

I do not have a specific quantitative number to provide, but from a qualitative perspective it has been enormous. Once you are set up properly and have proper acceptance from support teams, device owners and senior management, you can start to scan your environment much more often, which increases your organization's ability to detect vulnerabilities more often, reducing your overall vulnerability footprint and corresponding business risk.

Pricing, Setup Cost and Licensing

The original setup cost was about $10,000 and the day-to-day cost is less than $100 per day, with one caveat. Our parent company is large and has allowed us to fall under their pricing model. If we were not under their model our costs would be about 40% higher.

Other Solutions Considered

No, we had a 3rd party running the scans for us. We were very happy with Qualys but wanted to bring it “in-house”. We brought it in-house 5 years ago and never looked back.

Other Advice

Take the time to properly identify your network and, as importantly, get approval and acceptance from the ground up – especially senior management. In addition, it is very important to have your scan schedule, profiles, reporting, metrics, expectations, etc. documented so that everyone in the company understands your expectations.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1399569 - PeerSpot reviewer
Senior Consultant at a tech services company with 11-50 employees
Consultant
Connects threat intelligence information with identified vulnerabilities, so you can prioritize vulnerabilities according to actual attacks
Pros and Cons
  • "The most valuable feature is the connection of threat intelligence information with identified vulnerabilities, which means you can prioritize vulnerabilities according to actual attacks."
  • "Some of the older features could be polished instead of focusing on releasing new features."

What is our primary use case?

I primarily use Qualys VM for vulnerability management, security configuration, and management and asset inventory.

What is most valuable?

The most valuable feature is the connection of threat intelligence information with identified vulnerabilities, which means you can prioritize vulnerabilities according to actual attacks.

What needs improvement?

Some of the older features could be polished instead of focusing on releasing new features.

For how long have I used the solution?

I've been using Qualys VM for around eighteen years.

What do I think about the stability of the solution?

We've had no problems with stability.

What do I think about the scalability of the solution?

Qualys VM is quite easy to scale, and you can cover a large number of instances.

How are customer service and support?

The technical support is pretty good, though sometimes the response time could be better.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is quite simple.

What's my experience with pricing, setup cost, and licensing?

Qualys VM is better suited for medium to large companies because the price can be too much for smaller customers. With the SaaS version, you're buying a license for use per asset, so the price can differ, and there are additional fees for features like patch management and EDR policy compliance.

Which other solutions did I evaluate?

We also tested Tenable and Rapid7.

What other advice do I have?

I would rate Qualys VM as nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
reviewer1405830 - PeerSpot reviewer
Technical Architect at an outsourcing company with 1,001-5,000 employees
Real User
Great vulnerability management but doesn't pick up every vulnerability
Pros and Cons
  • "Qualys VM's best feature is vulnerability management."
  • "Qualys VM's scanner doesn't pick up every vulnerability, so we have to use multiple scanners to cover that gap."

What is most valuable?

Qualys VM's best feature is vulnerability management.

What needs improvement?

Qualys VM's scanner doesn't pick up every vulnerability, so we have to use multiple scanners to cover that gap. Their reporting could also be more user-friendly. In the next release, I would like Qualys to include basic policy and compliance checks in the basic licensing. 

For how long have I used the solution?

I've been using Qualys VM for almost two years.

What do I think about the stability of the solution?

Qualys VM is quite stable - we've had no problems with it.

What do I think about the scalability of the solution?

Qualys VM's scalability depends on the license that you use.

Which solution did I use previously and why did I switch?

Previously we used Nessus, but only Qualys does intrusive scanning.

What about the implementation team?

We used an in-house team.

What's my experience with pricing, setup cost, and licensing?

An annual license for a single scanner costs around $3,000.

What other advice do I have?

Qualys VM is a really good tool for vulnerability scanning, and it has different sets of profiles that can be utilized for your own requirements. I would rate Qualys VM as seven out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2564316 - PeerSpot reviewer
System Engineer at a financial services firm with 1-10 employees
Real User
Top 20
Enhanced vulnerability detection and scanning with valuable asset management options
Pros and Cons
  • "Authenticated scans provide different options, including those using or not using the FactSet and adding option profiles."
  • "It would be helpful to have features for better tracking, including options for adding relevant owners or supporting groups for each asset."

What is our primary use case?

We use Qualys VMDR for vulnerability management and operations, such as scanning assets to identify vulnerabilities and updating the reports for different teams.

How has it helped my organization?

We identified and resolved many vulnerabilities by using Qualys VMDR. It has been helpful in detecting externally facing asset vulnerabilities and coordinating patching or remediation with different teams.

What is most valuable?

I find the scans portion of VMDR to be valuable. Authenticated scans provide different options, including those using or not using the FactSet and adding option profiles. Another good feature is the Knowledge Base, which provides detailed information on vulnerabilities, period scores, solutions, issues, and mitigation.

What needs improvement?

I'd suggest improvements in asset management. It would be helpful to have features for better tracking, including options for adding relevant owners or supporting groups for each asset.

For how long have I used the solution?

I have been using Qualys VMDR for about three years.

What do I think about the stability of the solution?

The solution is stable. I would rate it eight out of ten.

What do I think about the scalability of the solution?

Scalability is rated at 7.5 out of ten.

How are customer service and support?

When you raise a report, it will be generated in VMDR and shared with the respective team. Depending on client requests, reports can be in PDF or Excel format.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I did not use any previous vulnerability solutions; I started directly with Qualys.

How was the initial setup?

The setup for Qualys VMDR is easy since it's a cloud tool. Access is provided through different inboxes, and deployment is straightforward.

What's my experience with pricing, setup cost, and licensing?

I am not aware of the actual cost or pricing as it is managed by the client.

Which other solutions did I evaluate?

Compared to other solutions like Nexus, Qualys provides more options and is a better tool.

What other advice do I have?

I recommend using Qualys as it offers many valuable features and options. It is better compared to solutions like Nexus.

I'd rate the solution nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user