Qualys VMDR Reviews

Qualys VMDR is a vulnerability management and detection response tool. It belongs to the first generation of vulnerability assessment tools. It enables us to manually identify vulnerable keys and fix them. It is built as a cutting-edge continuous platform where we can detect and protect. With this product, we can respond to specific vulnerabilities, going beyond just using artificial intelligence features. We have implemented VMDR across our cloud, physical interfaces, endpoints, and log servers. It's a good digital product for our organization.

It has improved our organization in many ways. We needed to have a security solution that focuses on different types of things. We discussed budgeting for the cloud and the need for an alternative to taking care of malware. Additionally, we have to consider various attacks. Therefore, Qualys VMDR is a great tool that helps us improve.

The most valuable feature is automation.

Qualys VMDR is basically susceptible to false positives, and false negatives. We receive a lot of false positives in there. VMDR can be considered a complex solution, especially for enterprises with limited resources or organizations. It requires extensive knowledge as an engineer. So, when using this tool, you need to utilize other tools to remediate the false security issues.

So maybe it should also have the ability to automatically identify and address false positives. In additional features, an automated process for remediating false positives. We might be looking for new types of signatures that can help us identify and address specific issues.

I have been using Qualys VMDR for one last year. 

I would rate the stability an eight out of ten.

I would rate the scalability an eight out of ten.

It took us one month to set up.

I have seen an ROI.

The price is very reasonable, so you can definitely go with all the endpoints it offers.  

Just consider the licenses we have within VMware. They could replicate some of these features, which are used for premium customers. So, it might be useful to include those features in the subscription plans.

Overall, I would rate the solution a nine out of ten.

This is a virtual scanner appliance. We have both physical and virtual options. 

I'm still in training and getting the hang of the solution. I do not know what features the company uses the most. They generally use it to scan all the AWS workloads and Azure workloads.

We generally analyze everything at the OS level and application level, including the open ports, the OS, and older versions, including the packaged versions. We generate the scan, and then we generate the report, and then we will issue it to the application teams to clear off those. 

We have Java remediation happening, and if Java has, for example, multiple versions and when I run the scan, it is going to identify all Java versions that are really vulnerable so you can fix them. Therefore, it helps keep things secure and up-to-date. 

The reporting is good. We give reports to the application teams and we will ask them to either fix or remove applications. Once that is done, then we will read the scan, and if it comes back that we don't have any critical, we are assured of good safety. 

The solution shows us classic categories, including high, medium, and low risks. It also shows critical items, and that gives us the advantage of prioritizing things. 

It's very clear on what components need to be fixed. 

The initial setup is straightforward. 

It's stable.

Technical support is helpful. 

I can't speak to disadvantages since I am in training and still learning and have yet to run a scan. 

It would be nice to have an all-in-one solution that was automated and could handle the scanning and reports as well as the patching and updating. 

I am pretty new to this organization. However, the organization has been dealing with the solution for almost four or five years now.

The stability has been good. The company has been using it for a while and hasn't had issues. I use dit in a previous company as well and never hear of any problems. 

It's easy to scale. 

Technical support is good. We always get a quick response. 

The setup process is simple. It's not overly complex. 

I don't have any details about the licensing process. 

We're implementors. 

When it comes to security, my only advice is based on my experience. They always say to use multiple products due to the fact that, even if the vulnerability is missed in one product, it'll be identified in the other product so that you are safe. 

However, when it comes to implementation, if you have multiple products, pipelining is a big problem. For example, if I use the Qualys scanner, and then it gives me all the vulnerabilities: how do I fix it? Either I have to fix it manually, or I have to fix it automatically. 

I'd like to use one product, and, for example, use a vulnerability scanner from Qualys and have patch management as well. While the solution is still maturing, I like the tight integration and I like that the scanner can identify items and patch management can fix them. It simplifies things, instead of having to deal with multiple products and then maybe having to manually fix items on top of that. 

I'd rate the solution nine out of ten.

Qualys VM is used for vulnerability scanning.

It's really beneficial for scanning and interacting with the agent. 

The disadvantage of working with Qualys is that the graphical interface is quite outdated.

If you want to choose a scan result, or maybe configure an IP range or something similar, it opens up a lot of processes, or steps, which is somewhat bothersome. Because it opens several phases, it is not a single-window program. 

We are testing it, as well as Rapid 7 InsightVM.

We have been testing Qualys VM for approximately five weeks.

Qualys VM is a stable solution.

Qualys VM is a scalable product.

It works with ten assets. It works with 100 assets. It has worked with 3,000 assets. It's quite scalable.

In our organization, we have two dedicated people, and five others are only dedicated to gaining insights. 

It actually depends on how you remediate all of the vulnerabilities in Qualys since you can also set up it such that product owners, that is, the owners of the apps that are deployed on all systems, can access reports and everything. But that's not how we do things.

The security and infrastructure departments are using this solution in our organization.

We have a dedicated Qualys team of two persons assisting us with the implementation.

We are currently doing a proof of concept with both Qualys VM and Rapid 7 InsightVM.

Qualys is a fully SaaS solution.

It is dependent on the configuration. When you work with the agent, you are primarily concerned with deploying the agents to all assets. However, if you want to scan based on IP, you'll run into some problems.

If you wish to scan on an IP basis, for example, you should deploy a virtual appliance. You may set up several appliances for different domains. Otherwise, you must have your network rules properly configured so that the appliance can reach every asset.

It's relatively simple to set up the basics, but if you want to scan, it really depends on how many networks and domains you have.

In a couple of weeks, you can set it up.

It's very expensive, especially if you want to use multiple modules of Qualys.

I think mainly decide how you want to scan: based on IP or based on an agent.

Then work with the interface and then explore how it works.

I would rate Qualys VM an eight out of ten.

We use this solution to scan the servers on the network. It is used predominantly by our information security team.

This solution gives us insight into our environment and improves our security. It helps us to maintain a good patching system whereby we know that XYZ is vulnerable within the system. 

Qualys makes us proactive in terms of handling patching and effective when it comes to scanning out network.

Qualys could be improved in its overall performance compared to other vulnerability management or scanning tools. 

I have been using this solution for five years. 

I have previously used Nessus. Overall, Nessus is a better tool because it provides greater insight into all vulnerabilities, some of which are skipped by Qualys. 

This solution is very easy to set up. 

We worked with a third party to complete deployment. 

In Nigerian Naira, we spend about roughly four to five million to use this solution and this is expensive compared to solutions like Nessus.

I would advise others to run a proof of concept and to exhaust all functionality if considering Qualys. This may take between 15 and 60 days to complete. 

I would rate this solution a six out of ten. 

Our customers use Qualys for vulnerability management, it's a way for them to discover the kinds of vulnerabilities they have on their systems. We are a partner with Qualys and I'm an infrastructure security consultant. We currently have 20 clients using Qualys. 

The functionality continues to improve and knowing when there are security issues is very helpful. 

I like the Qualys Cloud Agent because it's very easy to use. It has a low impact and is supported on Windows, Linux, and others. I deploy process scanners, which are usually connected to core switches so customers can replicate all the connections. Almost all our customers try to use the agents because they're already installed and integrated into the cloud and communicate with Qualys management. There are no problems and it's really better than using some virtual appliance to scan the various kinds of assets. Qualys has a lot of information and it's great to integrate with the Central Management Database.

If you're not overly experienced and you're looking for something in their management, it can sometimes be quite difficult because they can move buttons around without sending an update. Previously, if you deployed the Cloud Agent, you could define which tech would be under the agent and where it would be deployed. It now requires some text preparation and the Cloud Agent then downloads the specific profile defined without any indication that this might happen. If you are not using vulnerability management, you are not able to create the correct patch process for all applications stored on the system.

It would be helpful if Qualys would integrate with more systems like ServiceNow, Jira, and so on, to create some tickets and integrate them into the active directory, because each group works differently and if you need to prepare a ticket, it must be defined to a specific group of people. Qualys just created a kit on ServiceNow, but it doesn't have the correct group of people in the active directory.

I've been using this solution for three years. 

The solution is scalable. If you need more resources they can be added to the backend, depending on the circumstances and requirements. If you are able to deploy in the VMDR licensing, you are able to deploy unlimited virtual active appliances to discounted appliances. It all depends on your resources. 

Each customer is different and if you need to deploy a more active virtual process that will affect the implementation. If a customer wants to use policy compliance on their machines that can add to deployment time too. I tend to deploy myself because I'm usually making the POCs of Qualys.

I believe the annual cost is approximately $40 per asset in VMDR, although it also depends on the circumstances. It contains all the features one needs although if you need synchronization with ServiceNow and CMDB, there is an additional cost. 

I constantly speak to other companies to find out what they're doing and what the differences are between the different products. My job is to find the best solution for my customers so it's important to know what's on the market.

I rate this solution eight out of 10. 

I use Qualys VM for vulnerability scanning, enterprise management, web application scanning, and patch deployment.

Qualys VM's best features are vulnerability management and customizable scoring.

Qualys VM's vulnerability scan could be improved, especially the number of CVE numbers it can manage at a time. It could also be more user-friendly. In the next release, Qualys VM should include threat intelligence and external test service management.

I've been using Qualys VM for around six months.

Qualys VM is stable and reliable.

Qualys VM is quite easy to scale.

Qualys' customer service could be better.

Neutral

The initial setup was not user-friendly.

I evaluated Tenable but chose Qualys VM because of its management features.

I would rate Qualys VM eight out of ten.

We're using the entire suite except for Patch Management. I use Qualys VM for my production environment on Amazon AWS. I also use it for my endpoints and some BDI solutions that require on-premise solutions, and I use it for both.

I find Qualys VM very robust, and it's very useful for vulnerability management and patch management. The value that it brings to my environment is economies of scale. There is no limitation on adding any endpoints. You go by the rule, and it's added once another endpoint is added to our environment. It's automatically installed, and it's less work from our end. It frees up my license automatically if I don't need an endpoint or if my machine is decommissioned.

I like the dashboard displays because I don't see any duplication. The most important part is vulnerability management and prioritization. Unlike Symantec, it shows the kind of vulnerability I would want to patch first. It provides a holistic view of the kind of vulnerabilities and the ones I should remediate first.

I don't have to do a scan; it just brings up those critical kinds of vulnerabilities like zero-day vulnerabilities and tells me to prioritize them. You have to prioritize these vulnerabilities first and go on with the rest. The dashboard shows me the ones that have been fixed, so I don't have to complete an aging report.

The user experience and the graphical interface are good. As it's user-friendly and understandable on an executive level, it brings real value. We also use this solution because it's robust and flexibile. 

The price could be better. Asset view is still a legacy feature. I'm not able to extract the information about the asset with complete details. It would be better if they fixed that in the next release.

I know Qualys is already working on it, so I'm hopeful it will be available in the next five or six months. That would be something that's changed where I seek improvement.

I have been working with Qualys VM for the past six months.

Qualys VM is a stable solution.

Qualys VM is a scalable solution. We currently have about 4500 users in our organization.

Support could be a little bit faster. I haven't been granted access to their support portal, but I have a technical support engineer who's always available, and there is only one person I can talk to. But the problem is if he's absent, I'm left waiting for access to his portal. 

I used Symantec before but switched to Qualys VM as there's no limitation to adding endpoints. The other reason everyone moved to Qualys VM was its robustness and flexibility. I think that's something that's there, and there was no hassle in deploying the agent. All I had to do was get these machines that were enrolled in our MDM solutions.

As it's a cloud agent, there wasn't any specific setup. It's also managed centrally by Qualys, and when they always release a new update, all we have to do is push it. So, the maintenance requirement is minimum at best.

We deployed this solution by ourselves.

Qualys VM is quite expensive. It's a subscription-based license, and it's yearly. Right now, it's open for me, and I don't have any limitations or caps on the licenses. They are seeing if the product is viable for 4500 users. I can add as much as I want, and at the end of the subscription, they'll let me know how many licenses were actually used and bill me accordingly.

On a scale from one to five, I would give their pricing a three. It's still expensive.

If you're going for an on-premises solution, you should dive into the POC. Because I wasn't procuring an on-premises solution, it was pretty easy for me, and the support was quite helpful. But if you're going to deploy it on-premises, you should go through a proper procedure of going through the POC and getting to know the product. I would rate it at the top because it's better than Nexpose, it's better than Tenable, and it's better than Symantec.

On a scale from one to ten, I would give Qualys VM an eight. 

I primarily use Qualys VM to manage vulnerability tickets.

Qualys VM's most valuable feature is automatic detection.

Qualys VM should improve its methodology.

I've been working with Qualys VM for six months.

Qualys VM is stable but slow.

Qualys' technical support is quite good.

Positive

The initial setup was quite straightforward.

I would rate Qualys VM as seven out of ten.