We have been using Qualys Web Application Scanning for automated web architecture scanning in an enterprise environment.
Senior Application Security Engineer at a real estate/law firm with 501-1,000 employees
Automated scanning enhanced by detailed reporting and integration
Pros and Cons
- "The most valuable features are the scheduled scanning, detailed reports, asset management, the knowledge database, and the overall product framework."
- "The authenticated scanning feature could be improved by adding support for real-time scanning tokens and authorization tokens."
What is our primary use case?
How has it helped my organization?
The solution integrates well with our database and asset management, providing a detailed framework that connects products and shares knowledge across them.
What is most valuable?
The most valuable features are the scheduled scanning, detailed reports, asset management, the knowledge database, and the overall product framework. The integration with other tools is also a significant advantage.
What needs improvement?
The authenticated scanning feature could be improved by adding support for real-time scanning tokens and authorization tokens. For example, after sessions, having tokens valid for applications allowing automated authenticated scanning, similar to what Burp offers with proxy support, would be beneficial.
Buyer's Guide
Qualys Web Application Scanning
June 2026
Learn what your peers think about Qualys Web Application Scanning. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
904,836 professionals have used our research since 2012.
What do I think about the scalability of the solution?
The enterprise-level deployment was scalable and supported our business growth well.
Which solution did I use previously and why did I switch?
We were looking at alternatives like Burp and Acunetix, particularly from the security research side, for better results and accuracy.
What's my experience with pricing, setup cost, and licensing?
Pricing is a significant consideration. Although the product is good for certain details and automated processes, it may not be as cost-effective for some tasks.
Which other solutions did I evaluate?
We evaluated other solutions like Burp and Acunetix.
What other advice do I have?
For specific web applications, Burp may provide better results, however, for integration of tools, Qualys Web Application Scanning is a good choice.
I'd rate the solution eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior IT Security Specialist at Citadele Banka AS
Scans the website with continuous monitoring and has an easy deployment
Pros and Cons
- "The tool links vulnerabilities with DDIs and gives a complete overview of the application. The continuous monitoring capability is good."
- "We have many websites. We don't force scanning on all of them at once because it's taking some time."
What is our primary use case?
We use the solution to scan the website.
What is most valuable?
The tool links vulnerabilities with DDIs and gives a complete overview of the application. The continuous monitoring capability is good.
What needs improvement?
We have many websites. We don't force scanning on all of them at once because it's taking some time.
The solution should provide more information. AI capabilities could also be added.
For how long have I used the solution?
I have been using Qualys Web Application Scanning for three months.
What do I think about the scalability of the solution?
It is easy to add new devices. The solution is scalable.
How are customer service and support?
We contacted our manager directly. She added us for progressive scanning, which was done in a few hours.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We have used NetSparker. Qualys is all about web application Scanning
How was the initial setup?
The initial setup is straightforward and fast. One person can be enough for the deployment.
What other advice do I have?
Overall, I rate the solution a ten out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Qualys Web Application Scanning
June 2026
Learn what your peers think about Qualys Web Application Scanning. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
904,836 professionals have used our research since 2012.
IT Security Analyst at Banco de Fomento Angola
A stable and easy-to-deploy solution that helps organizations to manage the vulnerabilities in their network
Pros and Cons
- "The product prevents possible vulnerabilities in our network."
- "The support could be faster."
What is our primary use case?
We use the solution for scanning and vulnerability management.
What is most valuable?
The product prevents possible vulnerabilities in our network.
What needs improvement?
It will be good if Qualys is integrated with QRadar.
For how long have I used the solution?
I have been using the solution for three years.
What do I think about the stability of the solution?
The tool is stable.
What do I think about the scalability of the solution?
The tool is scalable since it is on the cloud. We have 60 users.
How are customer service and support?
The support is moderately good. Sometimes, the team responds on time. Sometimes, it takes time. The support could be faster.
Which solution did I use previously and why did I switch?
I have used many other tools. In some cases, I prefer other tools because they give better visibility into the vulnerabilities. In general, Qualys is good.
How was the initial setup?
The initial setup was super easy because it is cloud-based. We use it internally. The installation took two days. We had to improve the tools and create the tags and assets. Two or three engineers can deploy the product. The product is easy to maintain.
What other advice do I have?
I integrate Qualys and QRadar. QRadar is for SCM. It helps centralize the management of the network. It provides good visibility of Qualys. Qualys is a good product. There are better tools in the market. However, I recommend Qualys to others. Overall, I rate the product an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Cyber Security Sales Specialist at a tech services company with 1,001-5,000 employees
Stable and reliable solution with good performance
Pros and Cons
- "It is a cloud-based solution, so it is easy to scale."
- "The Qualys Web Application Scanning solution offers a single comprehensive console and consolidated reporting, covering all aspects from on-prem to cloud and compliance, etcetera."
- "There should be better visibility into the application."
What is our primary use case?
The primary use case includes scanning the web applications that are public facing.
What is most valuable?
The Qualys Web Application Scanning solution offers a single comprehensive console and consolidated reporting, covering all aspects from on-prem to cloud and compliance, etcetera.
What needs improvement?
There should be better visibility into the application.
For how long have I used the solution?
Our customers have been using this solution for more than three years now.
What do I think about the stability of the solution?
It is a stable solution.
What do I think about the scalability of the solution?
It is a cloud-based solution, so it is easy to scale.
We work with enterprise-level clients with over 2500 endpoints.
How are customer service and support?
The customer service and support are good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I would say Qualys is on the better side. It's more about the performance and the quality of the product because it's been around for a long time.
How was the initial setup?
The initial setup is relatively easy. The installation process is quite straightforward, making it user-friendly.
What about the implementation team?
The duration of deployment varies depending on the complexity of the customer's environment and their implementation status. We ensure to accommodate the customer's preferred implementation pace.
What's my experience with pricing, setup cost, and licensing?
We normally purchase an annual license. There are additional costs. From Qualys, it's for the license and maintenance, which includes patches and stuff like that. Additionally, we have our own service delivery costs.
What other advice do I have?
Qualys is a stable and reliable solution. It has been around for a long time.
Overall, I would rate the solution an eight out of ten. There is scope for improvement. It is still an early technology.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller
Commercial Pre-Sales at Megazone
Highly stable and scalable solution which is suitable for enterprise businesses
Pros and Cons
- "The Qualys Web Application Scanning solution offers a single comprehensive console and consolidated reporting, covering all aspects from on-prem to cloud and compliance, etcetera."
- "There should be better visibility into the application."
What is our primary use case?
The primary use case includes scanning the web applications that are public facing.
What is most valuable?
The Qualys Web Application Scanning solution offers a single comprehensive console and consolidated reporting, covering all aspects from on-prem to cloud and compliance, etcetera.
What needs improvement?
There should be better visibility into the application.
For how long have I used the solution?
Our customers have been using this solution for more than three years now.
What do I think about the stability of the solution?
It is a stable solution.
What do I think about the scalability of the solution?
It is a cloud-based solution, so it is easy to scale.
We work with enterprise-level clients with over 2500 endpoints.
How are customer service and support?
The customer service and support are good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I would say Qualys is on the better side. It's more about the performance and the quality of the product because it's been around for a long time.
How was the initial setup?
The initial setup is easy.
What about the implementation team?
The time taken for implementation depends on the customer's environment. It could take around a month, depending on the module.
We have a team of two to three people to implement at the enterprise level. Moreover, it is easy to maintain.
What's my experience with pricing, setup cost, and licensing?
We normally purchase an annual license. There are additional costs. From Qualys, it's for the license and maintenance, which includes patches and stuff like that. Additionally, we have our own service delivery costs.
Which other solutions did I evaluate?
I'm familiar with all of the Qualys-based products because we partner with Qualys, so I have a local contact in New Zealand who helps me with all the technical information.
Moreover, I'm a pre-sales specialist, so I recommend the solution to our potential customers and then we implement through another team for customers.
What other advice do I have?
Qualys is a stable and reliable solution. It has been around for a long time.
Overall, I would rate the solution an eight out of ten. There is scope for improvement. It is still an early technology.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller
Cyber Security Engineer at Alexis Company
Provides the best web application vulnerability audit with a lot of integrations but doesn’t allow users to upload their payloads
Pros and Cons
- "Licensing is the most valuable. Qualys provides the best licensing for companies. It is the best product for the development purposes of web applications. The product has a lot of integrations."
- "The product should allow users to upload their payloads."
What is our primary use case?
Our customers use the solution to audit their web-application before releasing them to the Internet.
What is most valuable?
Licensing is the most valuable. Qualys provides the best licensing for companies. It is the best product for the development purposes of web applications. The product has a lot of integrations.
What needs improvement?
The product should allow users to upload their payloads.
For how long have I used the solution?
I have been using the solution for three years.
What do I think about the stability of the solution?
I rate the product’s stability an eight out of ten.
What do I think about the scalability of the solution?
I rate the product’s scalability a nine out of ten.
How was the initial setup?
We did not face any issues while deploying the solution. The product provides good documentation for deployment.
What's my experience with pricing, setup cost, and licensing?
The product has a very good licensing model.
What other advice do I have?
I am using the latest version of the solution.
Tenable makes us wait 90 days to delete the test web application, and Rapid7 does not allow us to delete it as well as Acunetix (once a year).
I will recommend the solution to others. Overall, I rate the solution an eight out of ten.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller
Senior Manager at valuelabs LLP
Helpful support, many great integrations, and lots of reference material
Pros and Cons
- "It works with many different products."
- "Technical support is very good whenever we send them a message."
- "There could be better management and faster scanning."
What is our primary use case?
We use the solution alongside others for static scanning. It's used for endpoint scanning.
What is most valuable?
The monitor's ability to read the reports, or to do very detailed reports is great. It's good at looking at the different vulnerabilities. Rarely are there security loopholes. It can also suggest ways to mitigate risks and vulnerabilities.
There's a lot of great reference material.
The integration is great. It works with many different products.
What needs improvement?
There could be better management and faster scanning. An application may have a lot of URLs and complexity. If there are a couple of applications, that complexity multiplies. It can take three or four days to scan. That's too long. It should be maybe three or four hours.
For how long have I used the solution?
We've been using the solution for two years.
What do I think about the stability of the solution?
It's a stable product. There are no bugs or glitches and it doesn't crash or freeze. The solution is reliable.
What do I think about the scalability of the solution?
It leverages the cloud. One of the upsides of that is the scalability that is possible.
We have about 500 to 600 people on the solution currently.
How are customer service and support?
Technical support is very good whenever we send them a message. They will schedule a call and then they will check in with us until the issue's resolved or until we understand the entire problem and they clarify issues. They're very quick as well.
How was the initial setup?
The initial setup, due to the fact that it is the cloud, is very easy. It's a SaaS solution. We don't have to install anything in order to get going. You are on it right away. There is no deployment time to get through.
Since it's so quick and immediate, you don't need a big team to get it of the ground.
What about the implementation team?
We were able to handle the implementation ourselves. It's not hard. You don't need consultants or integrators.
What was our ROI?
We have seen an ROI and my understanding is that it is pretty good.
What's my experience with pricing, setup cost, and licensing?
I don't directly deal with the licensing aspect of the product.
What other advice do I have?
I'd recommend the solution to others. We haven't had any issues after two years of working with it.
I'd rate the solution eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Design Engineer at Uop Ipl, Honeywell
Good security options but slow response time and needs more integration
Pros and Cons
- "Qualys WAS' most valuable features are the navigation flow of the UI and the option for a different layer of security (identification and operation through email and mobile)."
- "Sometimes the response time is low because the handshake fails, and then you have to re-login and start again."
What is our primary use case?
My main use of Qualys WAS is for multifactor authentication for web and mobile applications.
What is most valuable?
Qualys WAS' most valuable features are the navigation flow of the UI and the option for a different layer of security (identification and operation through email and mobile).
What needs improvement?
Sometimes the response time is low because the handshake fails, and then you have to re-login and start again. In the next release, Qualys should include more integration with different applications and single-sign-on protocol.
For how long have I used the solution?
I've been using Qualys Web Application Scanning for a year and a half.
What do I think about the stability of the solution?
Qualys WAS is stable unless we have a breach.
What do I think about the scalability of the solution?
Qualys WAS is scalable.
How are customer service and support?
Qualys' technical support is good but could improve its resolution speed.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Previously, I used CA Identity Solutions by Broadcom, which had easier integration, more options for MFA, and biometric options.
How was the initial setup?
The initial setup was complex and took about three months to deploy. I would rate the setup experience as four out of five.
What about the implementation team?
We used a vendor team.
What's my experience with pricing, setup cost, and licensing?
Qualys WAS' pricing is competitive.
What other advice do I have?
I would recommend getting the POC done before implementing WAS, especially if there will be a lot of APIs involved in developing the product. Look at how the endpoint security works when the APIs run with a different channel, like web and mobile applications. I would give Qualys WAS a rating of six out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sr Cybersecurity Leader at a non-tech company with 1,001-5,000 employees
We like its process of updating signatures, and it's way ahead of its industry peers.
Pros and Cons
- "Qualys' process of updating signatures is something we really appreciate, and it's way ahead of its industry peers."
- "We procured around 110 licenses for Web Application Scanning, but we have issues running concurrent scans. I don't currently have the option to trigger scans for all 100-plus websites. The default limit is around 10 conference scans. It's not very scalable, to be honest, because of the limitation that they put on concurrent scans."
- "We procured around 110 licenses for Web Application Scanning, but we have issues running concurrent scans."
What is our primary use case?
There are two parts. We use Web Application Scanning licenses to constantly assess our websites. When there are any changes on our websites, Qualys checks to see if there is a vulnerability. We use a SecOps/DevOps methodology, so Qualys is integrated into the development cycle. Qualys runs every time we update the site.
What is most valuable?
Qualys' process of updating signatures is something we really appreciate, and it's way ahead of its industry peers.
For how long have I used the solution?
We have been using Web Application Scanning since 2018.
What do I think about the stability of the solution?
Web Application Scanning is a stable solution.
What do I think about the scalability of the solution?
We procured around 110 licenses for Web Application Scanning, but we have issues running concurrent scans. I don't currently have the option to trigger scans for all 100-plus websites. The default limit is around 10 conference scans. It's not very scalable, to be honest, because of the limitation that they put on concurrent scans.
How are customer service and support?
I've had some issues with Qualys support. It's transactional. There is no face to the support model. I don't see anyone from Qualys engaging with us on a quarterly business or annual business review to help us understand if we are fully utilizing Qualys' capabilities.
This isn't a technical problem. It's more of an issue with customer relations. I think they can improve by touching base with us more often to let us know if our rollout is following industry best practices or not.
How was the initial setup?
We used Verizon to help us with the rollout, and there were no trouble tickets or any technical issues with the rollout, so I would say the implementation was pretty smooth. The design-build phase took a couple of weeks.
What's my experience with pricing, setup cost, and licensing?
We pay for a yearly license, but we also pay a separate cost for an engineer from Verizon.
Which other solutions did I evaluate?
When evaluating Qualys, we looked at industry best practices and state of-art-tools. Qualys was the default leader in its segment, so we went ahead with Qualys. I've used other solutions in the past, but Qualys the segment. That's why we went with them.
What other advice do I have?
I rate Qualys Web Application Scanning nine out of 10. I think Web Application Scanning should integrate VMDR, a more enhanced capability that Qualys offers for enterprise vulnerability assessments. However, Qualys is way ahead of the competition on the web application front.
If you're an industrial company, you should evaluate the OT scanning capability that Qualys is about to launch. It will cover all your enterprise web applications and secure your factories as well. Qualys should be a one-stop shop meeting all your end-to-end vulnerability assessment requirements, so you don't need to buy solutions from different vendors,
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Data Specialist at CHUN SHIN LIMITED
Easy to use for detection of WAS and VM vulnerabilities
Pros and Cons
- "It is easy to use."
- "It is a very stable solution."
- "The best thing about this product is that it is really easy to use."
- "The reporting contains too many false positives."
- "The virus code updates are not frequent enough."
- "Deployment can be complicated."
- "We are researching open source software because Qualys needs to improve their reports and the documentation for the end-users in resolving scanned issues."
What is our primary use case?
We are using Qualys for vulnerability detection in our IDC (International Data Center) on our web pages and world-wide-web applications and services.
What is most valuable?
The best thing about this product is that it is really easy to use.
What needs improvement?
We are concerned with the frequency of their virus code updates and reporting that contains false positives. We do not think that the accuracy of the reporting is as good as it should be.
It would be nice if Qualys would provide a solution after analyzing the data for us so we can understand what the cause of a vulnerability is and how to fix it. It would be good enough to provide something like just a download page that describes the problem and the steps to take to resolve the vulnerability.
We are researching open source software because Qualys needs to improve their reports and the documentation for the end-users in resolving scanned issues.
Sometimes the deployment is complicated. It is not so easy to deploy and that should be simplified. Something like Zap or other open-source software is often easier to deploy.
For how long have I used the solution?
I am in the IT department in our company and we have been using Qualys for three years.
What do I think about the stability of the solution?
Qualys is a very stable solution for us. We have not had trouble with downtime.
What do I think about the scalability of the solution?
We get a license to use this application for up to a year and we file for a license every year to renew. We would need to renew this license in September of 2020, so we will need to make a decision whether we will be continuing to use Qualys as a solution.
How was the initial setup?
Sometimes the deployment is complicated. The deployment should be easier and more consistent.
What's my experience with pricing, setup cost, and licensing?
The cost of the solution should be lower. In our company now, we only have 200 employees. For us, the license fee is kind of expensive. The cost is $30,000 USD for one year to cover WAS (Web Application Security) and the VM (Virtual Machine) security. That price includes maintenance and any consulting with Qualys.
What other advice do I have?
I would recommend Qualys if the budget is not a problem. There may be other open-source solutions that could be used to perform a similar analysis.
On a scale from one to ten (where one is the worst and ten is the best), I would rate this solution as an eight-out-of-ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Download our free Qualys Web Application Scanning Report and get advice and tips from experienced pros
sharing their opinions.
Updated: June 2026
Popular Comparisons
Checkmarx One
CrowdStrike Falcon Cloud Security
PortSwigger Burp Suite Professional
Coverity Static
Sonatype Lifecycle
OpenText Core Application Security
GitHub Advanced Security
Buyer's Guide
Download our free Qualys Web Application Scanning Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What is the biggest difference between OWASP Zap and Qualys?
- If you had to both encrypt and compress data during transmission, which would you do first and why?
- When evaluating Application Security, what aspect do you think is the most important to look for?
- What are the threats associated with using ‘bogus’ cybersecurity tools?
- What are the Top 5 cybersecurity trends in 2022?
- Which application security solutions include both vulnerability scans and quality checks?
- We're evaluating Tripwire, what else should we consider?
- Is SonarQube the best tool for static analysis?
- Why Do I Need Application Security Software?
- Which Email Security enterprise solution would you choose: Cisco Secure Email vs Forcepoint Email Security vs Barracuda Email Security Gateway?




















