Qualys VMDR Reviews

Qualys VMDR is used as a vulnerability management tool. We have more than a thousand users in our company, and we have integrated Qualys with their machines to help update software and measure known or unknown risks, prioritize them, and patch the devices. We monitor and mitigate alerts, and we find vulnerabilities in specific machines or systems, which we then address.

Before implementing Qualys, we used third-party companies to conduct vulnerability audits and paid them separately for mitigation. With Qualys, we now conduct our vulnerability management and mitigation internally, saving both time and money since we can monitor every system and threat without requiring manual processes or third-party involvement. This has resulted in significant ROI and reduced the risk of breaches.

The best features of Qualys VMDR are its patch management capabilities and the ability to mitigate vulnerabilities automatically. The report export feature allows us to see how many incidents have been mitigated and which ones still need attention. The compliance dashboard helps us track and fix threats efficiently, ensuring all machines comply with security standards.

The user interface (UI) is quite complicated. Initial-stage engineers or analysts might miss something due to the complexity. Also, for hybrid users, the agent might get disconnected, requiring users to revisit the office to reinstall the agent. Additionally, the reports could be more interactive.

I have had five years of experience with cybersecurity platforms and have been using Qualys VMDR for that duration.

I would rate the stability of the solution nine out of ten. It is a robust platform that provides consistent performance.

For scalability, I would rate it nine or 9.5 out of ten. The cloud-based architecture allows us to deploy it across multiple locations seamlessly.

The technical support provided by Qualys is good. Queries are responded to promptly, and if needed, we can contact the TAM or any POCs directly. I would rate their support nine out of ten.

Positive

Before using Qualys, we used a third-party solution for vulnerability audits and mitigations. However, we switched to Qualys because it allows us to handle everything internally, avoiding the need for additional external services.

The initial setup is agent-based and straightforward, especially if you have necessary tools like Active Directory. Given the cloud-based nature of Qualys, deployment can be completed within a day with appropriate resources.

We have seen a significant ROI with Qualys, which is estimated to be around twenty to thirty percent. It has saved a lot of time and money by allowing us to mitigate issues without user interaction and preventing breaches.

Compared to Tenable, Qualys is quite expensive. However, its performance justifies the cost, making it a worthwhile investment.

We also use Tenable Solutions for vulnerability management. However, Tenable requires manual processes for mitigation, whereas Qualys allows for automated mitigation of vulnerabilities and threats.

I would definitely recommend Qualys to other users. Depending on the number of users and specific needs, Qualys is a good vulnerability management product that offers efficient solutions. I'd rate the solution nine out of ten.

My main use cases for Qualys VMDR are for server vulnerability and missing patches.

The most helpful and useful features of Qualys VMDR are its user-friendly design.

Qualys VMDR is easy to understand and provides detailed reports.

It impacts my workflow overall, with the patch management features as it has the missing patches listed in detail, making it easier to get a comprehensive report and providing some dashboards that offer visual representation.

There were some issues later with Qualys VMDR regarding security, specifically with numerous false positive reports.

It doesn't take much time to deploy Qualys VMDR. There is a process mentioned already on the website about how to proceed with the installation, so we followed that process.

I am satisfied with the support of Qualys VMDR as they are supportive. However, there are sometimes issues where we cannot talk to customer support directly, and we have to raise tickets, which sometimes takes a lot of time to resolve issues because it goes through their own phase. We cannot change the SLA or the priority of the tickets, so that is an issue.

Positive

Our organization changed to something else due to a higher management decision, and that might be the reason for the change regarding the pricing.

We are not using any AI features with Qualys VMDR.

Overall, I would rate Qualys VMDR as good, giving it an eight.

The primary use case for Qualys VMDR is for infrastructure vulnerability management. It assists devices, including all infrastructure devices like serverless network devices and development environments.

The solution has improved the organization significantly because it helps in assessing and prioritizing risk. Based on the results from Qualys, I can prioritize remediations with the remediation teams, thereby reducing the volume of vulnerabilities.

The most valuable feature is the QID part, especially of CentralList, which makes it easy to assess new critical vulnerabilities. It saves a lot in assessing and prioritizing risks to the organization.

Support could be improved since the response can be slow. There is always room for improvement to align with the latest content and technologies.

I have used the solution for three years.

The solution is stable. Anytime there is downtime or maintenance, Qualys ensures that we are well-informed with priority communications.

Scalability would be rated nine or nine point five out of ten. We have high satisfaction with this aspect.

Technical support response can sometimes be slow, leading to a rating of eight or nine out of ten.

Positive

I previously used a different tool. I switched to Qualys as it didn't have the same feature set.

The initial setup was straightforward. Deployment took two to three days.

The deployment was done by a different team, so I do not have specific details about the implementation team size.

I have used RapidSky before Qualys.

I would recommend Qualys VMDR because it ensures comprehensive coverage, including aspects like vulnerability management and PCI, providing good inputs and improvements over time.

I'd rate the solution nine out of ten.

We use the product for enterprise network infrastructure scanning.

The product has multiple valuable areas. The process of defining and discovering scans is organized efficiently. It has an effective tagging system and authentication mechanism compared to other tools. Its integration with AD helps us a lot. Additionally, I like the report generation feature.

Qualys could improve the inbuilt dashboards. They could be advanced compared to competitors like Rapid7 and Tenable. They should include a faster reverse integration process. They could enhance its integration with ServiceNow CMDB to ensure that mapping IP addresses, domains, and net bias names is consistent and accurate.

We have been using Qualys VMDR for nearly two and a half years.

I rate the product's stability a nine out of ten. I have rarely seen any stability issues with Qualys.

I rate the product's scalability an eight out of ten. We only recommend some people use Qualys in our organization. It is a limited audience. It is used by the vulnerability management team and a few critical resources from different parts of the cybersecurity department. We have 50 users in total. They should provide role-based access for managers, reviewers, and scanners.

The initial setup process is simple as I have prior experience working on two full-time projects with it. I find it simple as I have enough background knowledge of it.

The product is more expensive than that of any other vendor.

I did work on Tenable's POC and some other vendors. It has some limitations in detecting different types of vulnerabilities or false positives. Qualys is on the higher side when compared to the other tools.

I rate the product an eight out of ten.

We use Qualys VMDR to scan our public websites and products, anywhere that is publicly available. We deploy it through Qualys's cloud scanner.

Qualys VMDR provides us with a quick response to threat findings through regular scheduled scanning, which improves our security operations. It also offers an impressive knowledge base for quick research results and coverage of all vulnerabilities.

The knowledge base is the most impressive feature because it provides quick research results and coverage of all vulnerabilities. Additionally, the real-time threat detection feature provides quick responses to threat findings.

Qualys VMDR should improve authenticated scanning capabilities. It currently only allows basic authorization tokens and preset parameters. In contrast, Burp's in-built browser works more like a proxy, which makes security testing easier and more accurate. Pricing is also an issue; it's high enough to deter mid-sized to small companies. Moreover, the technical support is slow and tends to just reference documentation rather than providing real technical assistance.

I have been using it personally for five years, while my company has been using it for three years.

The technical support is slow to respond. Most likely, they just provide reference links for documentation instead of offering in-depth technical guidance. This level of support doesn't compare well to others like Cisco, Juniper, or Avaya, which offer more hands-on assistance.

Neutral

This goes beyond my scope of responsibilities and is managed by my superior.

The pricing for Qualys products is too high, and the licensing model involves paying for the whole bundle, which may not be affordable for mid-sized to small companies.

We are currently looking for alternatives to Qualys by researching competitor products on the market.

For midsize to small-size companies, Qualys might not be the best choice if you don't have enough funding for security due to its high pricing. Qualys VMDR is still recommended for comprehensive vulnerability management but be prepared for slow technical support.

I'd rate the solution nine out of ten.

Our use cases are primarily on-premises vulnerability management and remediation, external attack surface management and vulnerability scanning.

The benefits I've seen are twofold. The biggest benefit is from a security operations perspective, where we are able to drive our security posture upwards by remediating any discovered vulnerabilities. We can also automate the remediation process. The other big benefit is executive reporting because it's very easy to produce trends over time to report on risk.

The most valuable features are vulnerability detection, patching capabilities, and remediation. Cloud security posture management is also very valuable. I find these features valuable because getting a unified view of your cloud security posture across different environments is not always easy. For example, you might have most of your resources sitting in Azure, but you might have a couple of workloads in AWS. Naturally, there are different tools that report on that, so it's invaluable to have those pulled into a single dashboard so you can drive your remediation from a single platform.

If anything, I would like to see the user interface modernized a bit more. Also, there are a lot of various modules, and if they could be consolidated into fewer options, it would make the buying experience easier.

I've been working with Qualys VMDR for the last three years or so.

We haven’t faced any issues, the solution is very stable.

Because the management sits in the cloud, you don't have to worry about management appliances or anything like that on-premise, so the solution is very scalable. You can split your assets into asset groups and delegate management to different teams. Around 1,000 users are using Qualys in my organization across 60 locations.

We've had very few technical issues, and the customer support team has quickly resolved issues we've had.

Positive

In the first step, Qualys provisions your cloud-based management instance. From there, you get a small, lightweight agent deployed by deployment technology like Microsoft Intune, in our case, SCCM, or any deployment technology.

We worked with BCX Namibia and the Qualys team in South Africa while deploying the solution. It took two weeks to deploy the solution. The solution is not difficult to maintain because the management component is cloud-based and is taken care of by Qualys. Any agent upgrades that might be necessary are very seamless.

We have seen an ROI using Qualys. Most breaches nowadays are because of a vulnerability that is exploited. By virtue of being able to identify and remediate these vulnerabilities, I believe we are significantly driving our cybersecurity risk downwards.

The pricing is very competitive, especially because Qualys is integrated and does vulnerability management and remediation patching in one solution, so there's no need for a separate patching solution. You can also get very granular with the amount of IP addresses you can cover. You can go from as few as 16 IP addresses to many more. And the Qualys team is also willing to work with organizations to make the solution make commercial sense. The prices are fixed. We have a yearly subscription model based on the number of IP addresses we’re scanning.

We evaluated vulnerability management in Microsoft Defender, but we found the reporting and functionality lacking compared to Qualys. And then the Microsoft licensing costs were also a bit of a dealbreaker.

If you're considering implementing Qualys in your organization, work with a strong pre-sales partner. Evaluate the product, make sure it does what you need, make sure you buy the features that you need, and make sure to use the training and onboarding material that Qualys has made available on its website so you can leverage the solution's full capability from the start. I rate Qualys VMDR a nine out of ten.

We are managing hundreds of AWS and several on-premises accounts using Qualys agents and scanners to provide data inputs for Qualys. We are using several of the Qualys modules, VMDR, Cloud Agents, Connectors along with Global Asset View (GAV).  GAV dynamic tagging is valuable for tracking owners of assets.   

Qualys' main function is to provide us with vulnerability management information for our end users and is a major input to our CMDB.  We rely on a combination of agents and scans to provide us with the system data.   

We are seeing more of the issues we suspected were there. Qualys is allowing us to get an overall picture of our Risk posture. It has enabled us to identify assets we did not know existed.  

However, Qualys has not enabled us to get a complete picture of our risk posture, due to our own limitations in our deployments and limitations in the Qualys back end, dashboards, UI, connector reliability, and the limitations of the Qualys Scripting Language (QSL).  

Qualys implementation requires dedicated back-end support from various teams which was not clearly explained to us or planned for. 

Cloud Agents: lots of control available and very trouble-free. It pulls all systems information, including installed software and open ports. It's very configurable to adjust impact to systems.  

Connectors: Pulls all the cloud information per account and helps to build a CMDB.  Qualys connectors do some control evaluations to help manage these accounts. 

Global Asset View (GAV): With the ability to establish dynamic tagging and perform queries GAV has become a very valuable research tool to our teams. 

Support: It's often overseas and often following a script, basically asking us to redo what we opened the case with. 

Multiple APIs: There seems to be a lack of easy onboarding into Qualys. We had to use manual inputs and some API calls to get items in place. 

Dashboard: It is very rudimentary with very little customization. The Qualys Scripting Language (QSL) works differently in different Qualys modules, so when you get it working in one area you have to modify the syntax in others.  

User account management: We often have to give users more rights than needed just to give them what they need. 

Integration with the various Qualys Modules: You can tell the UI is different based on of the different teams that created them. 

QSL syntax same in all modules

Responsiveness of some of the components: They time out, you get a blank screen, etc.

Backend updates between the various modules: You update connectors and information takes a few minutes to show in VMDR or Global Asset View

Connectors: Connectors have a throttling issue with AWS which causes them to frequently fail unless you manually run them again. 

I've used the solution for three years.

Stability is not the issue. However, the reliably of the different modules is a concern. I have never seen all of Qualys go down. 

The solution is very scalable (with a matching cost, in that, it gets expensive as you grow). 

Our CSM has awesome, however, support is often overseas at conflicting hours.  Support seems to follow scripts and forces us to go through the same scripts. Some solutions required months from Qualys to implement. 

Negative

We used Tenable.IO which we found very limited. However, in our other cloud environment, we had to use Teanble.SC with which we were able to use a Lambda function and a few API calls to make it operate very well in the cloud. 

The setup is complex in many ways, from setting up agents and connectors to trying to create dashboards that fit our needs.  

We managed the setup in-house.

Management is very concerned about the cost of using Qualys; it keeps going up as we pursue 100% deployment. 

The price is very high and escalates quickly based on the number of appliances you need. 

We evaluated Tenable.SC and Rapid7.

If you're going to deploy Qualys it is key to have someone dedicated to supporting the back end, making sure all the components are working as expected.  This is not a fire-and-forget solution. 

The use cases would be for scanning purposes, for identifying assets, identifying and viewing assets, and setting up scan schedules. I use it primarily as a vulnerability management and scanning tool.

When you have everything in one place, the job is very easy. Qualys VMDR having a Russian nesting doll sort of environment does take a steep learning curve, but having everything in one place is quite neat.

The most valuable feature is the asset view where I can find individual assets and take a deeper dive into their information gathering section, potential vulnerabilities, and confirmed vulnerabilities. I also value the scheduling of scans and reports as per the desired timeframes.

The reporting section needs improvement as running reports can take several hours. A more intuitive way to configure reports settings to reduce run time would be helpful. Improvements are needed for sorting QIDs and findings during the reporting section without downloading the entire report. 

Additionally, there is a need to address the issue of retaining report sections when they exceed one or two GBs. For asset management, adding a notification for unscanned assets or those missing CVE ratings would help.

I have been using it for close to three and a half to four years now.

There are rarely any stability issues. Discrepancies are usually anticipated due to the downtime and maintenance window provided in advance. It's a technological tool, and random anomalies may happen, but they are manageable.

Qualys offers one of the best scalability capabilities for large-scale deployments. Its tools and solutions work effectively with large corporations. VMDR helps club multiple vulnerabilities into one QID, which assists with remediation cycles.

Customer support is fast, although there can be a lot of back and forth. However, the overall service is satisfactory and of great quality.

Positive

I have used Nessus and Burp Suite, however, Burp Suite isn't in close proximity with Qualys for scanning purposes. Microsoft Defender offers some advantages with real-time, agent-based scanning that consumes fewer resources.

The initial setup was quite simple and straightforward. Setting up Qualys was fairly easy with clear documentation and guidance.

I am not familiar with the pricing side as I am not a part of that aspect. However, it is on the higher side, but it provides large-scale scalability for vulnerability management.

I have evaluated Nessus and Microsoft Defender for vulnerability management.

Users should go through the training offered by Qualys for all VMDR modules and take an introductory call on how to use and schedule tasks. Setting up one thing at a time and testing the desired results before moving on is advised.

I'd rate the solution eight out of ten.