Technology Security Expert at T-Mobile Polska (Deutsche Telekom)
Identifies and helps to remedy vulnerabilities, has good certificate management
Pros and Cons
- "The most valuable feature is the certificate management."
- "The reporting in this solution can be improved."
What is our primary use case?
Our primary use case is vulnerability assessment.
How has it helped my organization?
This solution has provided information about existing vulnerabilities, and helped with quick remediation in case of global malware attacks.
What is most valuable?
The most valuable feature is the certificate management. The reason is the limited license provided by the mother company.
What needs improvement?
The reporting in this solution can be improved.
Buyer's Guide
Qualys VMDR
June 2025

Learn what your peers think about Qualys VMDR. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
861,524 professionals have used our research since 2012.
For how long have I used the solution?
I have been using this solution for five years.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Chief Executive Officer at a consultancy with 1-10 employees
An excellent solution for vulnerability management that's highly scalable and very stable
Pros and Cons
- "Technical support is fantastic."
- "It's quite complex on the way it is set up, so it takes a fair bit of time in order to get your head around it in order to deploy it. Once you've deployed it, then you're never confident on the versions of the browsers and the SSL certificates, etc. You have to always go back into Qualys and check."
What is our primary use case?
The primary use for the solution is vulnerability management.
What is most valuable?
The way we can maintain a current actual registry of all the IP assets within it is very good. The scanning of software assets on the endpoint machine is also useful. I've tried the scanning of similar asset vulnerabilities throughout different servers, including Unix and Windows. Qualys maintains a good intervention database. We have a service line that updates to the newest software, or whenever you set it up. The second service line has denominated my nodes across the globe. It's easy to deploy the solution.
What needs improvement?
The server application scanning has room for improvement.
It's quite complex on the way it is set up, so it takes a fair bit of time in order to get your head around it in order to deploy it. Once you've deployed it, then you're never confident on the versions of the browsers and the SSL certificates, etc. You have to always go back into Qualys and check.
They do talk about an agent-based scanning for non-IP machines. It sort of sits between server scanning and endpoint scanning. That's not very clear. If they can improve that and deploy, then it'll be such a nice package.
The solution should help its vendors more with renewals. For example, we had deployed the solution as a reseller to a client and then somebody else came along and we didn't end up getting the renewal licenses for the servers. I wasn't very happy about that. We put all the hard work to get it in, but the following years we didn't get the benefit of our low pricing in the first year.
They should integrate with the dashboard and provide a plugins link for data that's coming into API on the dashboard. When the users buy the license, they can turn items on. So, that way you know you've got the full solution. What you don't pay for is not switched on, and what you pay for can get switched on immediately.
For how long have I used the solution?
I've been using the solution since 2005.
What do I think about the stability of the solution?
The solution is very stable.
What do I think about the scalability of the solution?
The solution is highly scalable.
How are customer service and technical support?
Technical support is fantastic.
What other advice do I have?
I would advise others to always have a proof of concept version of the solution put into play. Then spend a good two months on it. Stabilize the solution and check out the features and then deploy it into production. Otherwise, you will spend money during the real project for what could have been done as a POC. Deploy the core solution, get the scanning done and all the critical components put it in a proof of concept and then move it into production.
I would rate the solution eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner.
Information Security Officer at Zamil
Threat detection tells us which machines are infected with a vulnerability
Pros and Cons
- "They also have threat detection which maps threats. There is a feed that comes from Qualys when a new vulnerability is found. It tells us which machines are infected with that vulnerability."
- "What we have found is that the solution is not closely tied with the patch management. It is okay with newer ones, like Windows 10 machines; it gives the correct patch. But for Windows 7 or Windows Server 2008, it does not give us the correct patch so we have to manually identify the patches. This is a major problem."
What is most valuable?
The first thing we like is the scanner, the device which checks vulnerability management.
They also have threat detection which maps threats. There is a feed that comes from Qualys when a new vulnerability is found. It tells us which machines are infected with that vulnerability. If there is a new attack, we definitely know that it is happening, what is happening in our environment.
What needs improvement?
What we have found is that the solution is not closely tied with the patch management. It is okay with newer ones, like Windows 10 machines; it gives the correct patch. But for Windows 7 or Windows Server 2008, it does not give us the correct patch so we have to manually identify the patches. This is a major problem.
For how long have I used the solution?
This is the third year we are using Qualys. This year we included one more module, the patching module.
What do I think about the stability of the solution?
It's stable. Every month we scan more than 5,000 IP addresses and we are able to detect vulnerabilities.
How are customer service and technical support?
Our experience is that the problems we send them take too much time to resolve. For example, we opened a case for the problem I mentioned earlier, the vulnerabilities with Windows 7 and Server 2008 where it's trying the wrong patch. It took them a long time to even give us the correct explanation. So this is a problem.
How was the initial setup?
The initial setup was very easy. We just needed to download the virtual machine. There is a key and we just needed to provide a proxy setting. That's it.
We did all the configuration as a one-time job where we defined our subnet and mapped. We needed to schedule the scan and the map and we needed to schedule a group of, say, Windows. It was just a one-time job where we needed to configure the query and run it. It created a report and sent it to the administrators. After that one-time job, everything happens automatically.
What about the implementation team?
We did it on our own.
What other advice do I have?
I would recommend Qualys because it's very easy to use. It does not require many specific skills. We are always on the latest version because Qualys provides automatic updates.
We have a virtual appliance in each site and that sends the logs to the cloud. We have the consoles on the cloud which enable us to query and scan. All this happens through the cloud.
We only have one administrator for the solution who monitors and checks if there is anything to be aware of. It sends the reports to all the different administrators, such as network, Linux, and Windows administrators and they take it from there.
We also have the Qualys configuration management module. If there are any particular issues in any servers or in any network, it gives us a report to suggest and rectify the issues. It tells us what changes are needed on that device.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Information Technology Analyst at Tata Consultancy Services
Patch supersedence has been an invaluable feature
What is our primary use case?
Datacenters which are in different locations.
How has it helped my organization?
- Asset discovery
- Asset sanitization
- Scan scheduling
- Patch supersedence.
What is most valuable?
Patch supersedence.
What needs improvement?
Representation of the total number of vulnerabilities (with name) vs. the number of patches (with name).
For how long have I used the solution?
One to three years.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Works at Tata Consultancy Services
Generated more complete coverage of assets and saved time
What is our primary use case?
The primary use case is using this as the infrastructure scanner for an enterprise vulnerability programme in a customer organization.
How has it helped my organization?
The customer was manually testing asset health by point-in-time audits. Using the policy compliance module allowed this to be automated and saved time as well as generated more complete coverage of assets leading to greater assurance.
What is most valuable?
The prebuilt CIS templates are very useful.
What needs improvement?
Expanding the template library would be very useful.
For how long have I used the solution?
Three to five years.
Disclosure: My company has a business relationship with this vendor other than being a customer. My company is a service provider that installs and operates solutions for customers.
Senior Information Security Engineer at a financial services firm with 501-1,000 employees
It is a stable product. Tech support is quick to respond to any inquiries.
Pros and Cons
- "There are fewer false positives when using this solution."
- "Tech support is helpful."
- "I do not like that all of the data is stored on the cloud."
What is our primary use case?
It mainly scans the model against all of our online websites.
How has it helped my organization?
There are fewer false positives when using this solution. We are also cutting the need for news monitoring with this solution.
What is most valuable?
We find all of the features useful.
What needs improvement?
One note for room for improvement is that all of the data is stored on the cloud. I think it would be better if they came up with a big box that could store the data and collect data from, it would be a huge improvement.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
It is an extremely impressive and stable product. I would give it a 99% out of 100%. It is very close to being perfect.
What do I think about the scalability of the solution?
I have had no issues with scalability. Initially, we had some issues with the dashboard, but eventually, it set and stabilized. There was an issue with the data dashing between the two models initially, but it was resolved.
How is customer service and technical support?
The tech support is helpful. When we initially open a ticket, we get a response within five minutes. Then, they open a case and we receive input from tech support within 24-48 hours with a Q-ID.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Information Security Specialist at a manufacturing company with 10,001+ employees
This solution helps us fill out forms in a timely manner. It is more expensive than competitive products.
Pros and Cons
- "It is quite easy to implement."
- "When you want to cover yourself for scalability, you will be charged for the number you place on the scan itself."
- "It is more expensive vs. other products on the market."
What is our primary use case?
My primary use case is to actually fill out forms, ensure that they are being closed in a timely manner. This is why we use these one point solutions.
What is most valuable?
I find most valuable to achieve a channel system and we can also use it to track when we actually close the ticketing of the sites.
In addition, it is quite easy to implement. We found it quite convenient.
What needs improvement?
I think it could improve asset imagery.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
I have not encountered issues with stability of the product.
What do I think about the scalability of the solution?
I have not encountered any issues of scalability function. We do have to pay extra according to the number we are placing on the scan. So, when you want to be covered for the scalability, you will have to pay more.
How was the initial setup?
The initial setup was straightforward. It was quite simple. We just needed to download the image from the website, and onto our service team.
What's my experience with pricing, setup cost, and licensing?
Qualys is considered more expensive versus other products on the market.
Which other solutions did I evaluate?
We were previously using McAfee. We had to switch because McAfee stopped producing the solution we needed. We considered Tenable Nessus, but we chose Qualys in the end.
What other advice do I have?
I advise that you see if this solution can fit your problems, and help your needs.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Information Security Engineer at a tech services company with 1,001-5,000 employees
The main purpose was to remove the granularity. It really helped us manage the security of our organization.
Pros and Cons
- "It is a simple solution that makes scanning easy. You just give it a scheduled task, and it will do everything for you."
- "The reporting is fine."
- "The only improvement I can think of is on the implementation side. At times it is a bit slow."
What is our primary use case?
My primary use case is for the web application scans of websites. I also made some new search profiles and other scanning profiles.
How has it helped my organization?
Before using Qualys, we had other security tools. And, the main purpose was to remove the granularity. We had so many attacks every day. Qualys really helped us manage the security for our operations.
What is most valuable?
The most valuable features are that it is a simple solution that makes scanning easy. You just give it a scheduled task, and it will do everything for you. The reporting is fine, too. And, the knowledge base is pretty good, too.
What needs improvement?
The only improvement I can think of is on the implementation side, otherwise the operation is fine. At times it is a bit slow.
Qualys is really nice, but people only use Qualys for the VM and web scan. They just file the report, and send the report to the customer or client. They don't do anything with the reports. They will get the report, and there are usually 30 to 40 vulnerabilities, not in the web servers. And, of those 30 vulnerabilities, 10 or 15 were usually the first cases. In case of those vulnerabilities are around 50, in which around 50-60% of vulnerabilities are usually found worse. So, for those cases, was pretty low and in Qualys we have to look for them also. Whenever the report comes, we just send the report from the client. And that was one of the biggest issues. So, in this area, we only have to actually check the vulnerabilities in the report. You just have to catch a little bit of this, when we do the type or not. That was one of the issues we had with Qualys.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
No, we have not experienced any issues with stability of the product at all.
What do I think about the scalability of the solution?
I have not encountered issues with scalability of the solution. I had scanned 77 servers at a time, and found no issues with scalability while doing so.
How are customer service and technical support?
I have not had a need to deal with Qualys tech support.
Which solution did I use previously and why did I switch?
I have previous experience with Tenable Nessus. I like Qualys better because there are so many nice features, it builds better.
What's my experience with pricing, setup cost, and licensing?
I am not personally involved with the pricing or licensing of the solution for our organization.
Which other solutions did I evaluate?
I have prior experience with Alert Logic CloudDefender, RSA, Odyssey and Forcepoint Websense (formerly Raytheon Websense).
What other advice do I have?
A really nice feature of Qualys is the asset management. Some of the end users were using that function, and paid for that particular function. It is helpful to get a bit of history of all types of supports of scanning of particular servers.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
