Qualys VMDR Reviews

We use this solution to manage compliance and to verify the gap between the policy defined by the company and the ones that are implemented in the system. We also use Qualys for vulnerability management of assets in the cloud or on-prem. 

The most valuable feature is the ability to run different capabilities with the same agent. With only one agent, we can have EDR, vulnerability management, compliance and some basic SaaS security capabilities.

This solution could be improved by extending the agent capabilities to different operating systems including Mac and Linux. We would also like the capability to easily check for vulnerability in assets in the IOTs. 

They have been adding additional features such as attack surface monitoring and intelligence to help managers detect additional risks. Adding intelligence is one of the most important features that we need.

We have been using this solution for two years. 

This is a stable solution. 

For a company with over 100,000 assets, there are challenges with scalability. 

We haven't often needed support from Qualys but when we have needed it, they have been quick to respond and resolve our issues. 

Positive

If we compare Qualys VM to other vulnerability management solutions like Tenable, Qualys is only for agents. Their on-prem capabilities are pretty limited so it is very easy to manage assets that are cloud connected, but if they are not cloud connected, it is challenging. Tenable is better at managing non-cloud connected agents.

The initial setup is straightforward. After the cloud tenant is available and the agents are installed, the first scans can be done in one to two days.

There is maintenance required for the agents but it is completely controlled by the cloud and is done automatically. There is a necessity for human intervention when there is a new agent or new feature that must be tested before it is implemented.

We implemented the solution in-house. 

Return of investment is difficult to assess because it's a tool that helps to reduce risks but doesn't have a direct feature on ROI.

It is a high cost product. Compared to the other solutions, it is around 15 to 20% higher in cost. Qualys VMDR has multiple features in addition to vulnerability management and there is an additional cost for these features. 

The initial setup is not straightforward and it's important to have the agent connectivity linked to the cloud and available all the time.

If you have assets that are not connected to the cloud, you will need help from a service provider or integrator because the introduction of passive scanning is not straightforward.

I would rate this solution a seven out of ten.

In our DLP operations, we use the tool to address stability issues and implement fixes suggested by it. This helps manage risk levels and decide whether to fix issues or implement workarounds.

I like that we have many scanners and channels that don't overload. It helps us scan and track easily. Also, the tagging system is good for tagging. We can still use QualysAgent task ID tools even if tags aren't made.

The asset inventory management feature has improved our security posture, which is good. It was introduced recently, and we've just started using it. In terms of management, I believe it's better than what we were using before.

Qualys VMDR is good at handling vulnerability management trends, especially with its policy module. Qualys VMDR offers customizable labels that fit the organization's needs, unlike other tools. This is important for enhancing security and meeting compliance requirements.

There's a need to upgrade or fix the potential vulnerability rate. Around 20,000 potential vulnerabilities were showing in Qualys VMDR, but none of the other tools showed them. When we checked, it wasn't the case. Support explained that even small issues were being counted as vulnerabilities, causing issues in our audit. So, the security features could be improved to identify vulnerabilities accurately.

I have been working with the product for two years. 

The stability is generally good, but we did face issues during the pandemic due to connectivity problems with Qualys VMDR servers. There were syncing issues, and agents weren't getting updated. However, we later realized it was our issue because our software needed updating. We had to manually update the proxy settings, which Qualys VMDR should have done. We managed to tackle the challenge with the help of another team.

Support should be faster and more customer-friendly. We often have to review a lot of documentation for issues we're already aware of and follow basic steps repeatedly. Additionally, we must wait for Qualys VMDR personnel to move scans into debug mode, which can be time-consuming. Getting notifications or updates on these processes more quickly would be helpful.

Setting up the tool doesn't take long and doesn't require many people.

We have an annual contract for Qualys VMDR. I believe it's for either two years or five years.

I haven't personally done any integration, so I can't comment on it. However, I believe some integration was happening between Qualys VMDR and ServiceNow. Our asset management tool was also trying to integrate with Qualys VMDR, but I'm unsure about the details or how it works. I rate the overall product an eight out of ten. 

We use the solution for vulnerability management.

The solution's best features are scanning and vulnerability management. By using them, we can obtain all critical reports.

They should improve the solution's pricing. Also, they should enhance the authentication feature. Presently, we face issues while scanning multiple assets. In cases of heavy workloads, it must scan assets properly.

We have been using the solution for more than six years.

It is a stable solution.

It is a scalable solution. We have more than 50,000 solution users in our organization globally.

The solution's technical support is excellent and responsive.

The solution's initial setup is straightforward.

We have over 30 administrators managing the solution in our organization. In addition to installing the solution internally, we receive assistance from other vendors.

The solution is expensive.

I recommend the solution to others. It is excellent. We can detect and mitigate all the vulnerabilities using it.

I rate the solution as an eight.

We're using the entire suite except for Patch Management. I use Qualys VM for my production environment on Amazon AWS. I also use it for my endpoints and some BDI solutions that require on-premise solutions, and I use it for both.

I find Qualys VM very robust, and it's very useful for vulnerability management and patch management. The value that it brings to my environment is economies of scale. There is no limitation on adding any endpoints. You go by the rule, and it's added once another endpoint is added to our environment. It's automatically installed, and it's less work from our end. It frees up my license automatically if I don't need an endpoint or if my machine is decommissioned.

I like the dashboard displays because I don't see any duplication. The most important part is vulnerability management and prioritization. Unlike Symantec, it shows the kind of vulnerability I would want to patch first. It provides a holistic view of the kind of vulnerabilities and the ones I should remediate first.

I don't have to do a scan; it just brings up those critical kinds of vulnerabilities like zero-day vulnerabilities and tells me to prioritize them. You have to prioritize these vulnerabilities first and go on with the rest. The dashboard shows me the ones that have been fixed, so I don't have to complete an aging report.

The user experience and the graphical interface are good. As it's user-friendly and understandable on an executive level, it brings real value. We also use this solution because it's robust and flexibile. 

The price could be better. Asset view is still a legacy feature. I'm not able to extract the information about the asset with complete details. It would be better if they fixed that in the next release.

I know Qualys is already working on it, so I'm hopeful it will be available in the next five or six months. That would be something that's changed where I seek improvement.

I have been working with Qualys VM for the past six months.

Qualys VM is a stable solution.

Qualys VM is a scalable solution. We currently have about 4500 users in our organization.

Support could be a little bit faster. I haven't been granted access to their support portal, but I have a technical support engineer who's always available, and there is only one person I can talk to. But the problem is if he's absent, I'm left waiting for access to his portal. 

I used Symantec before but switched to Qualys VM as there's no limitation to adding endpoints. The other reason everyone moved to Qualys VM was its robustness and flexibility. I think that's something that's there, and there was no hassle in deploying the agent. All I had to do was get these machines that were enrolled in our MDM solutions.

As it's a cloud agent, there wasn't any specific setup. It's also managed centrally by Qualys, and when they always release a new update, all we have to do is push it. So, the maintenance requirement is minimum at best.

We deployed this solution by ourselves.

Qualys VM is quite expensive. It's a subscription-based license, and it's yearly. Right now, it's open for me, and I don't have any limitations or caps on the licenses. They are seeing if the product is viable for 4500 users. I can add as much as I want, and at the end of the subscription, they'll let me know how many licenses were actually used and bill me accordingly.

On a scale from one to five, I would give their pricing a three. It's still expensive.

If you're going for an on-premises solution, you should dive into the POC. Because I wasn't procuring an on-premises solution, it was pretty easy for me, and the support was quite helpful. But if you're going to deploy it on-premises, you should go through a proper procedure of going through the POC and getting to know the product. I would rate it at the top because it's better than Nexpose, it's better than Tenable, and it's better than Symantec.

On a scale from one to ten, I would give Qualys VM an eight. 

Qualys VM is used for vulnerability scanning.

It's really beneficial for scanning and interacting with the agent. 

The disadvantage of working with Qualys is that the graphical interface is quite outdated.

If you want to choose a scan result, or maybe configure an IP range or something similar, it opens up a lot of processes, or steps, which is somewhat bothersome. Because it opens several phases, it is not a single-window program. 

We are testing it, as well as Rapid 7 InsightVM.

We have been testing Qualys VM for approximately five weeks.

Qualys VM is a stable solution.

Qualys VM is a scalable product.

It works with ten assets. It works with 100 assets. It has worked with 3,000 assets. It's quite scalable.

In our organization, we have two dedicated people, and five others are only dedicated to gaining insights. 

It actually depends on how you remediate all of the vulnerabilities in Qualys since you can also set up it such that product owners, that is, the owners of the apps that are deployed on all systems, can access reports and everything. But that's not how we do things.

The security and infrastructure departments are using this solution in our organization.

We have a dedicated Qualys team of two persons assisting us with the implementation.

We are currently doing a proof of concept with both Qualys VM and Rapid 7 InsightVM.

Qualys is a fully SaaS solution.

It is dependent on the configuration. When you work with the agent, you are primarily concerned with deploying the agents to all assets. However, if you want to scan based on IP, you'll run into some problems.

If you wish to scan on an IP basis, for example, you should deploy a virtual appliance. You may set up several appliances for different domains. Otherwise, you must have your network rules properly configured so that the appliance can reach every asset.

It's relatively simple to set up the basics, but if you want to scan, it really depends on how many networks and domains you have.

In a couple of weeks, you can set it up.

It's very expensive, especially if you want to use multiple modules of Qualys.

I think mainly decide how you want to scan: based on IP or based on an agent.

Then work with the interface and then explore how it works.

I would rate Qualys VM an eight out of ten.

I primarily use Qualys VM to manage vulnerability tickets.

Qualys VM's most valuable feature is automatic detection.

Qualys VM should improve its methodology.

I've been working with Qualys VM for six months.

Qualys VM is stable but slow.

Qualys' technical support is quite good.

Positive

The initial setup was quite straightforward.

I would rate Qualys VM as seven out of ten.

Qualys' main function is to scan IT systems. It does the scanning of computer systems.

Continuous Monitoring is excellent because it is entirely dependent on the agent, and the Agent Scan, is also quite good. 

I also like the asset tagging, asset grouping features, and the dashboard, because we can customize and create our own dashboard. That's quite good. 

The most recent is VMDR, which provides a comprehensive overview of how to detect, patch, and remediate specific vulnerabilities. That is also an excellent module.

The dashboard itself could be improved, while we can customize it, they can create different tabs where we can see the trending vulnerabilities, how many there are, or how many have been fixed, as in the most recent scan report, so that trend analysis is a little easier.

Aside from that, the solution itself is fairly generic in nature. What they can do is pretty much customize everything and provide a relevant solution for everything. For example, because Qualys has a Cloud Agent that scans a system's entire inventory. As a result, they can test their use cases to determine whether or not a vulnerability has been confirmed. If they can do so, they can also provide us with a straightforward solution to a specific problem rather than a generic one. That could be one area where they can improve. 

Qualys does not currently have an IoT, SCADA vulnerability assessment, they can significantly improve their IoT, SCADA, and ICS (Industrial Control Systems) vulnerability assessment technique. When you compare with Tenable SC it has more features than Qualys VM.

If you see power grids, large oil stations, they fall under SCADA and Industrial Control Systems. These systems are very different from standard IT systems. Qualys currently does not have any features for scanning SCADA, IoT, and Industrial Control Systems.

I believe they can improve on the addition of devices. Assume I have two lakhs of devices that cannot all be added at the same time. For example, if I have two lakhs of devices, and two lakhs of those devices have a Cloud Agent, adding all of those devices at once is not easy. We have to add it 1,000 at a time, which takes a long time when there are two lakhs of assets to add. If we do 1,000 at a time, we'll have to do it for around two lakhs, which is quite difficult.

They can increase their frequency of working faster, similar to the time constraint they currently have. The second thing they can improve is the addition of assets. They can almost completely automate the process of adding assets, or they can increase the maximum number of assets that can be added in one go. They are only allowed to add 1,000 assets. If I want to add two lakh assets, it will be extremely difficult to do so by adding 1,000, at a time.

That is a fairly technical issue. Most of the false positives reported by Qualys or the inability to detect a cumulative patch update, if any, are the few things that they can improve and incorporate. 

As I previously stated, it would be extremely beneficial if they could implement scanning, vulnerability scanning of IoT systems, Industrial Control Systems, and SCADA devices.

I have been working with Qualys VM for approximately four years.

We have been using multiple Qualys modules, such as VMDR, Cloud Agent, AssetView, and Continuous Monitoring. The most recent version that we are using is 4.14.

It's reasonably steady. When we say stable version, there is also room for improvement in that Qualys will not be able to handle large amounts of data at once. When you do billions of scans, such as a scan for millions of devices, it becomes extremely slow, and gathering data and populating the report becomes extremely tedious. 

Scalability is quite good. We can pretty much rely on the tool. It is easy to scale. 

If the organization grows, we can pretty much scale it to most of the areas. The only problem is that they must primarily work on Industrial Control Systems and lightweight devices such as CCTV cameras, and lightweight devices. As a result, they are required to work in that field, otherwise, it is pretty good.

Based on my previous experience, there were approximately 300 or more users using Qualys in organizations with a population of more than two lakh people. Currently, I see that approximately 400 users are using it, and the size of the organization is significantly larger than the previous one.

We use this solution daily.

Technicals support is pretty good. Since I've been working in this, they've been friendly and straightforward, and we were able to get the most out of them.

We have suggested areas for improvement, and they have been working on them. They always make a good impression on us.

As a consultant, I've worked on a variety of projects in a variety of organizations.

The initial setup is simple and straightforward.

We initially had assistance from the vendor, but once we had a good understanding of it, we scaled it in our organization.

Because I've been using Qualys for quite some time, I was looking for a comparison of several solutions such as Tenable SC, Rapid7, InsightVM, and Tenable Nessus. I was curious to know if there were any other tools that were better than Qualys.

I was looking for more information about Tenable SC and wanted to compare it to Qualys in more detail, with parameters such as, how the false positives are detected in Tenable SC and how good it is in comparison to Qualys. In a similar manner, in comparison to Qualys, we learn about its usability, interface, and how user-friendly it is. Those are the few things I was looking for, and I'm still looking for more information about Tenable right now.

They have the ability to improve SCADA. SCADA stands for Supervisory Control and Data Acquisition, and IoT stands for Internet of Things scanning.

Recommending this solution would depend on the organization, the requirements, and the devices they have.

For a typical IT system, it is very good to go with this solution. Microsoft, Deloitte, and the majority of organizations still use it, it is pretty much good to go. But, once again, it is entirely dependent on how the organization is, what type of devices they have, and what kind of scans they would like to have, it is entirely dependent.

In a broad sense, it is a good solution to go with.

I would rate Qualys VM an eight out of ten.

We use the solution for vulnerability management. It helps us identify potentially vulnerable assets. Thus, we can prioritize patching based on a risk score.

The solution is easy to use and has many essential features. I found the concept of tags the most valuable feature. It allows us to build assets from different views. We can categorize systems with tags, either automatically or manually.

The solution's cloud agent is available only for limited operating systems such as Windows and Linux. They should make it accessible for more systems like FreeBSD. Also, it would be helpful if they made it available for Cisco or Juniper routers. Additionally, its price and support could be better as well.

We have been using the solution for six years.

The solution is stable. However, it takes time to generate reports.

We have ten solution users in our organization.

The solution's technical support team replies with generic answers. The quality of the response could be better.

Neutral

The solution's initial setup process was straightforward. We just followed the documentation.

The solution is costly.

I recommend the solution to others and rate it as a eight.