PranjalGargava - PeerSpot reviewer
Cyber Security Engineer at a transportation company with 5,001-10,000 employees
Real User
Helps with vulnerability scanning and understanding of cyber security controls
Pros and Cons
  • "I am impressed with the VMDR feature."
  • "The tool needs to improve the adding assets and report generation features. I would like to see the policy scan of offline appliances in the product's future releases."

What is our primary use case?

We use the solution for vulnerability and policy scan. 

How has it helped my organization?

The product has helped us understand cybersecurity controls. 

What is most valuable?

I am impressed with the VMDR feature. 

What needs improvement?

The tool needs to improve the adding assets and report generation features. I would like to see the policy scan of offline appliances in the product's future releases. 

Buyer's Guide
Qualys VMDR
June 2025
Learn what your peers think about Qualys VMDR. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
861,524 professionals have used our research since 2012.

For how long have I used the solution?

I have been using the product for three years. 

What do I think about the stability of the solution?

I would rate the product's stability a nine out of ten. 

What do I think about the scalability of the solution?

I would rate the tool's scalability an eight out of ten. My company has 10 IT specialists using the product. 

How are customer service and support?

The product's support is not very helpful. They suggest things that we already know. 

How would you rate customer service and support?

Neutral

How was the initial setup?

I would rate the product's setup an eight out of ten. The tool's deployment took one to two days to complete. 

What about the implementation team?

We deployed the solution in-house. 

What's my experience with pricing, setup cost, and licensing?

The tool's pricing is expensive and I would rate the pricing a seven out of ten. 

What other advice do I have?

I would rate the product an eight out of ten. You need to complete the training before using the product. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Swami Govindan - PeerSpot reviewer
Security Architect at a tech vendor with 5,001-10,000 employees
MSP
Good analysis, helpful reports, and a straightforward setup
Pros and Cons
  • "The solution shows us classic categories, including high, medium, and low risks. It also shows critical items, and that gives us the advantage of prioritizing things."
  • "It would be nice to have an all-in-one solution that was automated and could handle the scanning and reports as well as the patching and updating."

What is our primary use case?

This is a virtual scanner appliance. We have both physical and virtual options. 

I'm still in training and getting the hang of the solution. I do not know what features the company uses the most. They generally use it to scan all the AWS workloads and Azure workloads.

What is most valuable?

We generally analyze everything at the OS level and application level, including the open ports, the OS, and older versions, including the packaged versions. We generate the scan, and then we generate the report, and then we will issue it to the application teams to clear off those. 

We have Java remediation happening, and if Java has, for example, multiple versions and when I run the scan, it is going to identify all Java versions that are really vulnerable so you can fix them. Therefore, it helps keep things secure and up-to-date. 

The reporting is good. We give reports to the application teams and we will ask them to either fix or remove applications. Once that is done, then we will read the scan, and if it comes back that we don't have any critical, we are assured of good safety. 

The solution shows us classic categories, including high, medium, and low risks. It also shows critical items, and that gives us the advantage of prioritizing things. 

It's very clear on what components need to be fixed. 

The initial setup is straightforward. 

It's stable.

Technical support is helpful. 

What needs improvement?

I can't speak to disadvantages since I am in training and still learning and have yet to run a scan. 

It would be nice to have an all-in-one solution that was automated and could handle the scanning and reports as well as the patching and updating. 

For how long have I used the solution?

I am pretty new to this organization. However, the organization has been dealing with the solution for almost four or five years now.

What do I think about the stability of the solution?

The stability has been good. The company has been using it for a while and hasn't had issues. I used it in a previous company as well and never heard of any problems.

What do I think about the scalability of the solution?

It's easy to scale. 

How are customer service and support?

Technical support is good. We always get a quick response. 

How was the initial setup?

The setup process is simple. It's not overly complex. 

What's my experience with pricing, setup cost, and licensing?

I don't have any details about the licensing process. 

What other advice do I have?

We're implementors. 

When it comes to security, my only advice is based on my experience. They always say to use multiple products due to the fact that, even if the vulnerability is missed in one product, it'll be identified in the other product so that you are safe. 

However, when it comes to implementation, if you have multiple products, pipelining is a big problem. For example, if I use the Qualys scanner, and then it gives me all the vulnerabilities: how do I fix it? Either I have to fix it manually, or I have to fix it automatically. 

I'd like to use one product, and, for example, use a vulnerability scanner from Qualys and have patch management as well. While the solution is still maturing, I like the tight integration and I like that the scanner can identify items and patch management can fix them. It simplifies things, instead of having to deal with multiple products and then maybe having to manually fix items on top of that. 

I'd rate the solution nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Implementer
PeerSpot user
Gabriel Clement - PeerSpot reviewer
Lead IT Security and Remediation at ARM Holdings Company
Real User
Top 10
Cloud-based vulnerability management solution that provides protection of our systems but could offer improved performance
Pros and Cons
  • "This solution gives us insight into our environment and improves our security. It helps us to maintain a good patching system whereby we know that XYZ is vulnerable within the system."
  • "Qualys could be improved in its overall performance compared to other vulnerability management or scanning tools."

What is our primary use case?

We use this solution to scan the servers on the network. It is used predominantly by our information security team.

How has it helped my organization?

This solution gives us insight into our environment and improves our security. It helps us to maintain a good patching system whereby we know that XYZ is vulnerable within the system. 

What is most valuable?

Qualys makes us proactive in terms of handling patching and effective when it comes to scanning our network.

What needs improvement?

Qualys could be improved in its overall performance compared to other vulnerability management or scanning tools. 

For how long have I used the solution?

I have been using this solution for five years. 

Which solution did I use previously and why did I switch?

I have previously used Nessus. Overall, Nessus is a better tool because it provides greater insight into all vulnerabilities, some of which are skipped by Qualys. 

How was the initial setup?

This solution is very easy to set up. 

What about the implementation team?

We worked with a third party to complete deployment. 

What's my experience with pricing, setup cost, and licensing?

In Nigerian Naira, we spend about roughly four to five million to use this solution and this is expensive compared to solutions like Nessus.

What other advice do I have?

I would advise others to run a proof of concept and to exhaust all functionality if considering Qualys. This may take between 15 and 60 days to complete. 

I would rate this solution a six out of ten. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Jan Vobruba - PeerSpot reviewer
Infrastructure Security Consultant at ANECT
Real User
Top 10
Easy to use, well supported with continually improving functionality
Pros and Cons
  • "Provides great functionality."
  • "Finding things in management can be quite difficult."

What is our primary use case?

Our customers use Qualys for vulnerability management; it's a way for them to discover the kinds of vulnerabilities they have on their systems. We are a partner with Qualys and I'm an infrastructure security consultant. We currently have 20 clients using Qualys.

How has it helped my organization?

The functionality continues to improve and knowing when there are security issues is very helpful. 

What is most valuable?

I like the Qualys Cloud Agent because it's very easy to use. It has a low impact and is supported on Windows, Linux, and others. I deploy process scanners, which are usually connected to core switches so customers can replicate all the connections. Almost all our customers try to use the agents because they're already installed and integrated into the cloud and communicate with Qualys management. There are no problems and it's really better than using some virtual appliance to scan the various kinds of assets. Qualys has a lot of information and it's great to integrate with the Central Management Database.

What needs improvement?

If you're not overly experienced and you're looking for something in their management, it can sometimes be quite difficult because they can move buttons around without sending an update. Previously, if you deployed the Cloud Agent, you could define which tech would be under the agent and where it would be deployed. It now requires some text preparation and the Cloud Agent then downloads the specific profile defined without any indication that this might happen. If you are not using vulnerability management, you are not able to create the correct patch process for all applications stored on the system.

It would be helpful if Qualys would integrate with more systems like ServiceNow, Jira, and so on, to create some tickets and integrate them into the active directory, because each group works differently and if you need to prepare a ticket, it must be defined to a specific group of people. Qualys just created a kit on ServiceNow, but it doesn't have the correct group of people in the active directory.

For how long have I used the solution?

I've been using this solution for three years. 

What do I think about the scalability of the solution?

The solution is scalable. If you need more resources they can be added to the backend, depending on the circumstances and requirements. If you are able to deploy in the VMDR licensing, you are able to deploy unlimited virtual active appliances to discounted appliances. It all depends on your resources. 

How was the initial setup?

Each customer is different and if you need to deploy a more active virtual process that will affect the implementation. If a customer wants to use policy compliance on their machines that can add to deployment time too. I tend to deploy myself because I'm usually making the POCs of Qualys.

What's my experience with pricing, setup cost, and licensing?

I believe the annual cost is approximately $40 per asset in VMDR, although it also depends on the circumstances. It contains all the features one needs although if you need synchronization with ServiceNow and CMDB, there is an additional cost. 

Which other solutions did I evaluate?

I constantly speak to other companies to find out what they're doing and what the differences are between the different products. My job is to find the best solution for my customers so it's important to know what's on the market.

What other advice do I have?

I rate this solution eight out of 10. 

Disclosure: My company has a business relationship with this vendor other than being a customer. partner
PeerSpot user
Sr Security Engineer at a tech services company with 10,001+ employees
Real User
Top 20
Reliable solution with good vulnerability management
Pros and Cons
  • "Qualys VM's best features are vulnerability management and customizable scoring."
  • "Qualys VM's vulnerability scan could be improved, especially the number of CVE numbers it can manage at a time."

What is our primary use case?

I use Qualys VM for vulnerability scanning, enterprise management, web application scanning, and patch deployment.

What is most valuable?

Qualys VM's best features are vulnerability management and customizable scoring.

What needs improvement?

Qualys VM's vulnerability scan could be improved, especially the number of CVE numbers it can manage at a time. It could also be more user-friendly. In the next release, Qualys VM should include threat intelligence and external test service management.

For how long have I used the solution?

I've been using Qualys VM for around six months.

What do I think about the stability of the solution?

Qualys VM is stable and reliable.

What do I think about the scalability of the solution?

Qualys VM is quite easy to scale.

How are customer service and support?

Qualys' customer service could be better.

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial setup was not user-friendly.

Which other solutions did I evaluate?

I evaluated Tenable but chose Qualys VM because of its management features.

What other advice do I have?

I would rate Qualys VM eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1675638 - PeerSpot reviewer
Cyber Security Director at a manufacturing company with 5,001-10,000 employees
Real User
Top 20
Reliable with good technical support and good stability
Pros and Cons
  • "The initial setup is straightforward."
  • "The solution is a bit expensive if you do not have access to discounts."

What is our primary use case?

We primarily use the solution for full enterprise visibility from both an asset detection perspective and vulnerability detection perspective. Basically, we are tracking all the devices over agents, including PCs and servers, et cetera. 

We are able to understand what our current situation is on the devices. At the second stage, we are able to catch the devices which do not have agents or which are not in the inventory, with on-premise scanners. 

We are running security configuration hardening assessments or compliance with CIA security benchmarks. 

In addition to that, we are also utilizing the cloud assessment solution of Qualys to ensure compliance with CIA security standards. For example, the Amazon cloud platform is configured compliantly with the CIA security benchmark. These are the four pillars utilized.

What is most valuable?

The prioritization mechanism is the most valuable aspect of the solution.

The initial setup is straightforward. 

Technical support is great.

The stability and reliability are good.

What needs improvement?

The user experience, the UI, needs to be improved. The technology is there and it is obvious it is able to do many things, however, from a user experience perspective, the UI design is a bit complicated. If the platform could have a bit more of a user-friendly environment, it could be easier for the admins and analysts to use it.

The solution is a bit expensive if you do not have access to discounts. 

From a general perspective, SLA tracking capabilities could be improved with a building method. There was a tracking method to be able to see if this vulnerability for a while or maybe it was patched. However, an internal SLA mechanism could help with batch prioritization and issue detection. 

I'd rate the solution at a nine out of ten.

For how long have I used the solution?

I've been using the solution for six months. I've used it for less than a year now. 

What do I think about the stability of the solution?

The solution is stable. The passive scanning capabilities are advanced. I'm able to see all the missing paths and many vulnerabilities or many configuration mistakes at the same time. Due to its passive scanning, we don't see any stress or research consumption from agents.

Network scans are a bit more intense and they of course require research and can create some noise, however, for the most part, it is okay. There is no reliability issue from our perspective.

What do I think about the scalability of the solution?

I haven't really tried to scale the solution and therefore cannot really speak to it. We do have some activities happening on there, however, I'm not ready to provide feedback for the results. It's my understanding, however, that the API extensibility is great. I've just not seen anything yet that I can really comment on.

How are customer service and technical support?

Technical support is pretty good. It is very easy to get support from the global team, at least for us. We don't depend on local partners, which is great due to the fact that, whenever you are acting in 10 or 11 countries, local partners can be an issue. The language barriers, et cetera, can be an issue. That's why it is great to have responsible global support.

How was the initial setup?

The initial setup was very straightforward. We just deployed the agents and everything went very smoothly. There were no big issues.

What's my experience with pricing, setup cost, and licensing?

We pay a yearly fee for a license. 

They have very good discounts. That's why the price is okay for us. Generally, if we talk about the price without discounts, I do see a big peak in vulnerability management solutions licenses. It is not only Qualys. All the vendors peaked at some point. 

We do see over $100,000 in terms of price, for mid-size programs. You likely will pay more than $100,000 without any discount. It is a bit pricey. There's room to improve, however, I believe they're managing things with discount offerings. I'm saying this not only for Qualys. All the vulnerability management solutions do the same thing price-wise.

Which other solutions did I evaluate?

We did evaluate other solutions. We looked at most other vulnerability management solutions.

What other advice do I have?

We are just a customer and end-user.

We are using the latest version of the solution. I cannot speak to the exact version we are using, however. 

We are using both the on-premises and cloud deployment models. We have on-premise sensors and we have a scan-over cloud service from Qualys. Qualys cloud has a scanning capability for pairing sensors, for scanning an external perimeter. Therefore, we are utilizing that and agents as well.

I'd recommend the solution.

If anybody looks forward to first perimeter security, if any conceptual work is done around perimeter security, they have to solve that agent issue first for their program. Companies need to select a solution that can work wherever the PC is. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2201862 - PeerSpot reviewer
Information Security Engineer at a university with 1,001-5,000 employees
Real User
Top 10
Efficient automation feature and provides us with a comprehensive security solution
Pros and Cons
  • "The most valuable feature is automation."
  • "Qualys VMDR is basically susceptible to false positives, and false negatives."

What is our primary use case?

Qualys VMDR is a vulnerability management and detection response tool. It belongs to the first generation of vulnerability assessment tools. It enables us to manually identify vulnerable keys and fix them. It is built as a cutting-edge continuous platform where we can detect and protect. With this product, we can respond to specific vulnerabilities, going beyond just using artificial intelligence features. We have implemented VMDR across our cloud, physical interfaces, endpoints, and log servers. It's a good digital product for our organization.

How has it helped my organization?

It has improved our organization in many ways. We needed to have a security solution that focuses on different types of things. We discussed budgeting for the cloud and the need for an alternative to taking care of malware. Additionally, we have to consider various attacks. Therefore, Qualys VMDR is a great tool that helps us improve.

What is most valuable?

The most valuable feature is automation.

What needs improvement?

Qualys VMDR is basically susceptible to false positives, and false negatives. We receive a lot of false positives in there. VMDR can be considered a complex solution, especially for enterprises with limited resources or organizations. It requires extensive knowledge as an engineer. So, when using this tool, you need to utilize other tools to remediate the false security issues.

So maybe it should also have the ability to automatically identify and address false positives. In additional features, an automated process for remediating false positives. We might be looking for new types of signatures that can help us identify and address specific issues.

For how long have I used the solution?

I have been using Qualys VMDR for the last year.

What do I think about the stability of the solution?

I would rate the stability an eight out of ten.

What do I think about the scalability of the solution?

I would rate the scalability an eight out of ten.

How was the initial setup?

It took us one month to set up.

What was our ROI?

I have seen an ROI.

What's my experience with pricing, setup cost, and licensing?

The price is very reasonable, so you can definitely go with all the endpoints it offers.  

What other advice do I have?

Just consider the licenses we have within VMware. They could replicate some of these features, which are used for premium customers. So, it might be useful to include those features in the subscription plans.

Overall, I would rate the solution a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Dharmendra Kr. Chauhan - PeerSpot reviewer
Manager|Cloud Security & Solution Architect| CloudOps|AppSec | DevSecOps | DevOps | CapOps | FinOps at Wipro
Real User
A solution with flexible licensing, easy setup and great integration
Pros and Cons
  • "We also like the flexibility in their licensing."
  • "The IoT scan is not great."

What is our primary use case?

We use this solution mainly for vulnerability management.

What is most valuable?

Qualys is a well-known name in the market and we use it for different scenarios. We also like the flexibility in their licensing.

What needs improvement?

The IoT scan is not great and we would like to see some improvements to it.

For how long have I used the solution?

We have been using this solution for over three years.

What do I think about the stability of the solution?

It is a stable solution.

What do I think about the scalability of the solution?

It is a scalable solution. We use the test version.

How are customer service and support?

I rate the technical support an eight out of ten. They have really good support.

How would you rate customer service and support?

Positive

How was the initial setup?

I rate the initial setup a nine out of ten. It was very good and easy. 

What's my experience with pricing, setup cost, and licensing?

It has a competitive price. I rate the pricing an eight out of ten.

What other advice do I have?

I rate this solution a ten out of ten. Compared to other solutions, brand awareness and Azure integration are the strong points of Qualys VM. We would like to have some predefined parameters for the setup in regards to security and vulnerability, and how to maximize it. For example, we want scans and management with some predefined parameters that we need to have in the environment prior to deployment and initial setup.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Buyer's Guide
Download our free Qualys VMDR Report and get advice and tips from experienced pros sharing their opinions.
Updated: June 2025