Qualys VMDR Reviews

We are consultants and resellers of Qualys VM. 

I like the solution's web application security for scanning, the solution is flexible with good integration. 

I'd like to see additional security for the app. The product lacks integrations for third party solutions or automation integration for other tools.

I've been using this solution for six months. 

The product is 100% stable. There are five users in the company who deal with operations and security analysis. There are four people in the company who deploy and provide support.

I've never used the technical support. Documentation is simple and complete. 

I've previously worked with Tenable IO and Rapid 7. We switched because of Qualys's web application feature.

The initial setup is straightforward. Initial deployment takes between two and four hours. We did it ourselves. 

I would recommend this solution. 

I would rate this solution a 10 out of 10. 

We are currently using Qualys for vulnerability detection, as part of our security solution. We're moving towards Defender ATP because I am looking more at the Operational Technology (OT) side of things than I am at the Information Technology (IT) side.

What I like best about this product is that it does what it is supposed to do, which is vulnerability scanning.

We are moving away from Qualys to Defender ATP because I find that Defender ATP is much better at prioritizing the vulnerabilities that I should be looking at.

In general, I would like to see some better analytics and prioritization of vulnerabilities.

We have been working with Qualys VM for three years.

Qualys VM is a stable solution.

This is a stable product.

Technical support is great and we've never really had a problem. They're always there if we need them.

We did not work with another similar solution prior to Qualys.

The initial setup is straightforward.

Our setup involved some on-premises deployments but ultimately, it uses the cloud.

They have recently changed the pricing model, which is now better than it was before.

Right now, we don't have anything in our OT environment, and this is what I am particularly interested in. I am currently having discussions about new solutions with Qualys, Tenable, and Forescout.

I would rate this solution a seven out of ten.

I use Qualys to review the validity of legacy applications, infrastructure, and simple data operating systems.

The ability to manage user accounts and give rights to the operator to know about abnormalities of applications is something that needs improvement. 

The pricing is also expensive.

I have been using Qualys for four years. 

It's stable.

I haven't needed to use technical support. 

The initial setup was good. We didn't have any problems with it. 

I would rate Qualys VM a ten out of ten. 

We use Qualys to check the status of our security posture.

Qualys help identifies the weakness in our critical infrastructure and provides guidelines how to address them.

maybe compliance monitoring.

Reporting can be improved more. It should generate much more stuff like field reports. Though the reports generally meet our need we hope we can customize it better.

2 years

very satisfactory

Its scalability is a four or five out of five. 

We haven't had problems up until this point that required technical support. The solution can run by itself and generate reports. We didn't have any issues that would need us to call technical support.

None

Simple and straightforward

in-house.

acceptable.

I would give the pricing three out of five.

No.

I would like for Qualys to have the ability to scan OT operation technology assets as well. 

If it can I would rate it 8 out of 10. 

The primary use cases of this solution are as a scanner. We use it with Azure and AWS. For on-premises, we use physical scanners all over the globe. We have deployed our external scanners in approximately 70 regions.

What I like about Qualys VM is the dashboard presentation. It's very good.

The reporting capability and executive reporting are very good.

Customer support needs to be improved because it was not to our SLA standards.

Suddenly, the scan engine will go down. We don't know what the reason is, or how it goes down. Because of that, the business is impacted.

I had a look at the PCI reports  (policy compliance reports) and I have heard that most memberships have been taken by Azure, although I was not aware of that. I would like to see more documentation or awareness.

I have worked with Qualys VM for the last two years.

This solution is stable.

The scalability is good.

The customer support is very bad. When we submit a ticket, we do not get a response immediately.

Previously, I have used Rapid 7 Nexpose. They are similar solutions although what Qualys is providing, it provides well but requires less. Qualys reporting is better.

Nexpose has upgraded too, and now their reporting is also very good.

The initial setup was straightforward and we didn't have any issues with it.

If you are comparing Nexpose and Qualys, I would prefer Qualys. The UI is good and whatever reports you are getting, are very clear. If you present it to management, the reports are good. They require an executive report that highlights the vulnerability and how many servers are affected. You can customize it also.

Nexpose is coming out with new features, but Qualys has already implemented them.

I would rate this solution an eight out of ten.

We are a solution provider and this is one of the products that we implement for our clients. We do a lot of work with containers. With respect to containerization, security is important for us and we regularly check the market to see what solutions are available in these areas.

This solution is primarily used for container security and compliance. Moving into any environment, in particular, one that is cloud-based, our clients want to make sure that things are okay from a compliance perspective. We generate reports and they can see whether there are any violations. If they see violations or security breaches during the audit then they have to be addressed.

The most valuable feature is that this solution is very lightweight.

I would like to see this solution simplified to work more easily in a multi-cloud environment. One of our customers has more than 3,000 servers across multiple regions, and they were asking about security and vulnerability checking in an automated fashion. This could be done with a cloud-based service that monitors all of the deployments, pulls the data from the containers, and checks for compliance.

We have been dealing with Qualys for at least three years, which is when our container journey began. At that point, our proposals did not deal with security for containers because our customers did not ask for it, but now it is something that we recommend.

The technical support for this solution is good. We are required to solve any kind of security issue whin two hours, so these are critical tickets. The entire instance usually has to come down until the fix is delivered.

We often demonstrate these types of tools to the enterprise architecture team, who will ultimately decide which solutions they are going to implement based on their environment and requirements.

We are completely agnostic with respect to which tools our customers decide to implement. As an engineering team, we implement what the customer wants. In the case of Qualys and other solutions, we download the information and pass it along to our customers. We also facilitate or set up communication between vendors and customers to best help our clients.

We do try to learn about who the providers are and what differentiates their solutions from others. Sometimes our customers do not know very much about the products, so we try to provide as much insight as possible to facilitate their decision making. 

A lot of our customers have a workload that is scattered across a multi-cloud environment. This means that some of the RFPs we answer are based on very large landscapes with distributed workloads.

I would rate this solution a seven out of ten.

Our primary uses for this solution are security vulnerability detection and policy compliance.

It's been the chosen solution year after year for vulnerability management and our vulnerability management program is centered around this tool.

The most valuable features are vulnerability detection and the scanning capability to enable identification of vulnerabilities across our network.

I would like to see this solution more developed and competitive in the Cloud space.

We have been using Qualys VM for fifteen years.

Our primary use case is vulnerability assessment.

This solution has provided information about existing vulnerabilities, and helped with quick remediation in case of global malware attacks.

The most valuable feature is the certificate management. The reason is the limited license provided by the mother company.

The reporting in this solution can be improved.

The primary use for the solution is vulnerability management.

The way we can maintain a current actual registry of all the IP assets within it is very good. The scanning of software assets on the endpoint machine is also useful. I've tried the scanning of similar asset vulnerabilities throughout different servers, including Unix and Windows. Qualys maintains a good intervention database. We have a service line that updates to the newest software, or whenever you set it up. The second service line has denominated my nodes across the globe. It's easy to deploy the solution.

The server application scanning has room for improvement.

It's quite complex on the way it is set up, so it takes a fair bit of time in order to get your head around it in order to deploy it. Once you've deployed it, then you're never confident on the versions of the browsers and the SSL certificates, etc. You have to always go back into Qualys and check.

They do talk about an agent-based scanning for non-IP machines. It sort of sits between server scanning and endpoint scanning. That's not very clear. If they can improve that and deploy, then it'll be such a nice package.

The solution should help its vendors more with renewals. For example, we had deployed the solution as a reseller to a client and then somebody else came along and we didn't end up getting the renewal licenses for the servers. I wasn't very happy about that. We put all the hard work to get it in, but the following years we didn't get the benefit of our low pricing in the first year. 

They should integrate with the dashboard and provide a plugins link for data that's coming into API on the dashboard. When the users buy the license, they can turn it items on. So, that way you know you've got the full solution. What you don't pay for is not switched on, and what you pay for can get switched on immediately.

The solution is very stable. 

The solution is highly scalable.

Technical support is fantastic.

I would advise others to always have a proof of concept version of the solution put into play. Then spend a good two months on it. Stabilize the solution and check out the features and then deploy it into production. Otherwise, you will spend money during the real project for what could have been done as a POC. Deploy the core solution, get the scanning done and all the critical components put it in a proof of concept and then move it into production.

I would rate the solution eight out of ten.

The first thing we like is the scanner, the device which checks vulnerability management.

They also have threat detection which maps threats. There is a feed that comes from Qualys when a new vulnerability is found. It tells us which machines are infected with that vulnerability. If there is a new attack, we definitely know that it is happening, what is happening in our environment.

What we have found is that the solution is not closely tied with the patch management. It is okay with newer ones, like Windows 10 machines; it gives the correct patch. But for Windows 7 or Windows Server 2008, it does not give us the correct patch so we have to manually identify the patches. This is a major problem.

It's stable. Every month we scan more than 5,000 IP addresses and we are able to detect vulnerabilities.

Our experience is that the problems we send them take too much time to resolve. For example, we opened a case for the problem I mentioned earlier, the vulnerabilities with Windows 7 and Server 2008 where it's trying the wrong patch. It took them a long time to even give us the correct explanation. So this is a problem.

The initial setup was very easy. We just needed to download the virtual machine. There is a key and we just needed to provide a proxy setting. That's it.

We did all the configuration as a one-time job where we defined our subnet and mapped. We needed to schedule the scan and the map and we needed to schedule a group of, say, Windows. It was just a one-time job where needed to configure the query and run it. It created a report and sent it to the administrators. After that one-time job, everything happens automatically.

We did it on our own.

I would recommend Qualys because it's very easy to use. It does not require many specific skills. We are always on the latest version because Qualys provides automatic updates.

We have a virtual appliance in each site and that sends the logs to the cloud. We have the consoles on the cloud which enable us to query and scan. All this happens through the cloud.

We only have one administrator for the solution who monitors and checks if there is anything to be aware of. It sends the reports to all the different administrators, such as network, Linux, and Windows administrators and they take it from there.

We also have Qualys configuration management module. If there are any particular issues in any servers or in any network, it gives us a report to suggest and rectify the issues. It tells us what changes are needed to on that device.