We primarily use Qualys Web Application Scanning for website penetration testing.
Technical Lead at a computer software company with 501-1,000 employees
Easy-to-deploy product with good stability
Pros and Cons
- "It is a good product for website penetration testing to detect vulnerabilities."
- "The product's pricing could be better."
What is our primary use case?
What is most valuable?
It is a good product for website penetration testing to detect vulnerabilities.
What needs improvement?
The product's pricing could be better.
For how long have I used the solution?
We have been using Qualys Web Application Scanning for less than a year.
Buyer's Guide
Qualys Web Application Scanning
June 2026
Learn what your peers think about Qualys Web Application Scanning. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
904,836 professionals have used our research since 2012.
What do I think about the stability of the solution?
The platform has good stability.
What do I think about the scalability of the solution?
It is a scalable product.
How are customer service and support?
The technical support services are good.
How was the initial setup?
Qualys Web Application Scanning is easy to deploy.
What's my experience with pricing, setup cost, and licensing?
It is an expensive platform.
What other advice do I have?
Qualys Web Application Scanning is easy to use and deploy. I rate it a nine out of ten. However, it could be less expensive compared to other open-source tools.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Director at Benelec
Effective scanning, scalable, but scanning may result in false positives
Pros and Cons
- "The most valuable feature of Qualys Web Application Scanning is the effective scanning that can be done."
- "We receive false positives sometimes when using a solution that could be improved. However, the technical team provides us with the exact explanation why it was giving us that kind of error."
What is our primary use case?
We are using Qualys Web Application Scanning for our customers. We have the expertise in the solution to provide our customers with the results.
We use the tool for scanning web applications for our clients.
What is most valuable?
The most valuable feature of Qualys Web Application Scanning is the effective scanning that can be done.
What needs improvement?
We receive false positives sometimes when using a solution that could be improved. However, the technical team provides us with the exact explanation why it was giving us that kind of error.
For how long have I used the solution?
I have been using Qualys Web Application Scanning for approximately five years.
What do I think about the stability of the solution?
The stability of Qualys Web Application Scanning could be better.
I rate the stability of Qualys Web Application Scanning an eight out of ten.
What do I think about the scalability of the solution?
Qualys Web Application Scanning has been scalable we have not had any problems in our operations.
How was the initial setup?
The initial setup of Qualys Web Application Scanning is simple for us. However, we have trained engineers that are registered. The deployment did not take very long.
What about the implementation team?
We do the migration for our customers and provide them with testing results. One person can do the implementation of the solution.
What other advice do I have?
I would recommend this solution to others.
I rate Qualys Web Application Scanning a seven out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Buyer's Guide
Qualys Web Application Scanning
June 2026
Learn what your peers think about Qualys Web Application Scanning. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
904,836 professionals have used our research since 2012.
Lead Cyber Security engineer at a tech services company with 201-500 employees
Thorough detection, good visual interface, scalable
Pros and Cons
- "I have found the detection of vulnerabilities tool thorough with good results and the graphical display output to be wonderful and full of colors. It allows many types of outputs, such as bar and chart previews."
- "When comparing this solution to Veracode, Veracode has good interactive features and gives a clear understanding of what the vulnerabilities are, which error line of the vulnerability is on and what can be done. It gives interactive features, whereas this solution does not give a clear understanding of where or how to fix the problem."
What is our primary use case?
My company works for another company called Ecolab here in Bangalore. We are an Ecolab digital center, we develop mobile application. We use Vericode and this solution for testing these web applications before going live. This includes the full testing periods and the production phase. Once it has been tested, we then get them ready to go live.
What is most valuable?
I have found the detection of vulnerabilities tool thorough with good results and the graphical display output to be wonderful and full of colors. It allows many types of outputs, such as bar and chart previews.
What needs improvement?
When comparing this solution to Veracode, Veracode has good interactive features and gives a clear understanding of what the vulnerabilities are, which error line of the vulnerability is on and what can be done. It gives interactive features, whereas this solution does not give a clear understanding of where or how to fix the problem.
In the future, customer support could improve and the output report needs to be simplified for better understanding.
For how long have I used the solution?
I have been using the solution for the last 12 months.
What do I think about the scalability of the solution?
We have expanded the solution in a few areas and it was scalable. We have approximately 50 people using the solution in my organization.
How are customer service and technical support?
There is some improvement needed for the technical support.
Which solution did I use previously and why did I switch?
We have used Veracode previously and we are currently still using it.
How was the initial setup?
The installation is complex and it took approximately one month which included the customization.
What's my experience with pricing, setup cost, and licensing?
We are on an annual license for the solution and the pricing could be more affordable.
Which other solutions did I evaluate?
We are planning on moving to Veracode because we are getting better results and is easier to use than this solution.
What other advice do I have?
My advice to those wanting to implement this solution is if you have experience and knowledge with vulnerability management and reading through all the threats, this could be a good platform for you. If you are a new starter this solution is not a good place to start.
I rate Qualys Web Application Scanning an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Software Developer at a tech vendor with 1,001-5,000 employees
Has a good progressive scan feature but the data server needs improvement
Pros and Cons
- "The feature that I have found most valuable is the progressive scan. It is good. It's done in 24 hours."
- "Qualys Web Application Scanning is very stable and reliable."
- "The UI is not user-friendly and you don't have a yearly reporting facility where you can slice and dice in different jobs."
What is our primary use case?
I think we have the fastest version, and they always upgrade it. I think it's the $2 or $3-a-month version. They have multiple engines inside it, but it's a site-based service. It is not on-demand, so Qualys will host it. It's the pay as you go service that is on the software-as-a-service.
We use the DAST, dynamic application scan test.
What is most valuable?
The feature that I have found most valuable is the progressive scan. It is good. It's done in 24 hours.
What needs improvement?
One area that could be improved is the a data server. That's probably what I most noticed in comparison with the Rapid7. Also, the UI is not user-friendly and you don't have a yearly reporting facility where you can slice and dice in different jobs. This is not good.
Additionally, you don't have a recording feature, where you can record your screen navigation. Like a macro, you want to create the full screen, and they don't provide a tool which can record your navigation and then do a replay.
In terms of what should be included in the next release, like I mentioned, just the UI, the user interface screen. Also, it would be good If they could improve and enrich the reports. These are the fundamental differences with Rapid7.
For how long have I used the solution?
I have been using Qualys Web Application Scanning for five years.
What do I think about the stability of the solution?
Qualys Web Application Scanning is very stable and reliable. But the reporting does not look that great.
What do I think about the scalability of the solution?
In terms of scalability, it is very easy to expand. It's very fast and visible.
We don't have many people working on the solution. But our applications are big applications. We are using six components in different applications.
How are customer service and technical support?
Support is very good.
How was the initial setup?
Because of tasking, the initial setup is very straightforward. We didn't have to purchase any hardware for the installation. It is task-based. The cloud provision is there. It is good. I think nowadays everyone is going with the cloud provisioning. That way you can subscribe for any number of years to use the software.
I think the initial setup took a couple of hours because there were no plugins and nothing to be installed.
What about the implementation team?
We implemented it ourselves and there was no installation expert here.
Which other solutions did I evaluate?
Yes, we are still comparing it with Rapid7. We want to first make assessments of what advantages we can get with Rapid7.
What other advice do I have?
My advice for anyone considering this solution is, "Go for it."
On a scale of one to ten, I would give Qualys Web Application Scanning a seven.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Consultant at Cognizant
User-friendly, good scanning analysis and reporting, and offers real-time vulnerability monitoring
Pros and Cons
- "The interface is user-friendly and easy to understand."
- "The most valuable features are scanning analysis and reporting."
- "The scanner reports a lot of false positives, which is something that needs to be improved."
What is our primary use case?
We primarily use this solution for VM scanning. We scan more than a thousand applications.
What is most valuable?
The most valuable features are scanning analysis and reporting.
This solution also provides real-time monitoring.
The interface is user-friendly and easy to understand.
What needs improvement?
The reporting needs to be improved because there are a lot of search parameters, and at the end of the day, the reports are so large that it is very difficult for us to go through each and every point to analyze the vulnerabilities.
The scanner reports a lot of false positives, which is something that needs to be improved.
For how long have I used the solution?
We have been using Qualys for almost a year.
What do I think about the stability of the solution?
The stability is good.
What do I think about the scalability of the solution?
In terms of scalability, Qualys is good.
How are customer service and technical support?
I have not dealt with technical support yet because there are other people dealing with issues that arise. My understanding is that technical support is good.
Which solution did I use previously and why did I switch?
I have also used the Nexus Vulnerability Scanner and it reports fewer false positives.
How was the initial setup?
This solution was implemented before I joined the department.
What's my experience with pricing, setup cost, and licensing?
There are different options available with respect to licensing.
What other advice do I have?
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. partner
CEO at a tech services company with 51-200 employees
Has comprehensive SSL security measurements but the price should be lowered
Pros and Cons
- "What I remember from my experience with Qualys is that the simplicity of exporting reports and the simplicity and clarity of the reports included with the product is good."
- "The pricing does not seem to be competitive."
- "The pricing of Qualys is quite expensive in comparison with the other products in this category that are offering pretty much the same thing."
What is our primary use case?
For some projects, we will need to use this on-premises. It depends on the confidentiality of our project. For other projects, we will also be deploying on the cloud or maybe a hybrid solution as well.
We are looking forward to having a relationship as a partner with this company and maybe one or two others. We are not just a customer. We have a bunch of freelancers that we are working with in three different companies in Slovenia, Australia, and other countries. We are looking for solutions to make our testing and security checks more affordable.
What is most valuable?
I am not the person who is actually directly testing this. One of the other people from our team is doing that. But I was involved in the selection of what we products we should compare based on available features, demos, and how products appear to meet our needs. What I remember from my experience with Qualys is that the simplicity of exporting reports and the simplicity and clarity of the reports included with the product is good. The website was also well-designed and easy to navigate. The SSL security measurements that the product offers seem comprehensive. But I can not say, at this preliminary phase, that I specifically think this or that from Qualys is the most valuable. It is intriguing enough to make our shortlist and POC efforts.
What needs improvement?
Knowing we are in an early phase of discovery and comparison, it is impossible to know exactly what features may need improvement. Some seem to be interesting, on the other hand. The only thing that is in need of improvement from my perspective at this point is pricing in comparison to other, similar products.
For how long have I used the solution?
We are in the process of analyzing several products over several months in this category for comparison and proof of concept.
How are customer service and technical support?
We have not yet had to contact technical support for any reason.
How was the initial setup?
I don't have information at this moment because we are in the process of discovery and we have not fully deployed. We do have a test deployment running.
What's my experience with pricing, setup cost, and licensing?
The pricing of Qualys is quite expensive in comparison with the other products in this category that are offering pretty much the same thing. Pricing is one area of the product that can be improved. At this stage of our discovery, we only know the initial cost is high.
Which other solutions did I evaluate?
We were testing a lot of products. We were looking for a good product for our needs and for the needs of our customers to scan vulnerabilities. Qualys was one of the products we chose to do further testing with. The testing with data is still continuing and is a process. As we are in the process of discovery now, we cannot exactly qualify our experience with the product.
What other advice do I have?
On a scale from one to ten where one is the worst ten is the best, I would rate Qualys as a seven at this point. It is difficult to rate Qualys — or even products from other companies — as better than this because we are hearing the same thing from all the product manufacturers before we went into testing. But based on the references from other users about Qualys, our current level of experience, the pricing as we know it and the services that are offered for free, Qualys is a seven.
What we have mostly found at this point is that you can't just install a free trial version of a product and get a complete impression immediately. With some products like Qualys or others in the category, the pricing may not be completely right because there are hidden costs. It could be one solution is not quick to deploy and that seems to make it difficult but in actual use, it is easier than everything else. Some products will be easy to set up and after 10 days of trying to work with it, I might be disappointed because of what I committed to.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Lead Security Architect at a financial services firm with 501-1,000 employees
Puts our services in compliance and minimizes our risk for exposure
Pros and Cons
- "With our vulnerabilities under control, it's putting our services in compliance and minimizing our risk for exposure."
- "The solution needs to adjust its pricing. They should make it more affordable."
How has it helped my organization?
With our vulnerabilities under control, it puts our services in compliance and minimizes our risk for exposure.
What is most valuable?
The vulnerability scanning and patching features are the most valuable parts of the solution.
What needs improvement?
The solution needs to adjust its pricing. They should make it more affordable.
For how long have I used the solution?
I've been using the solution for over five years.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The cloud service makes the solution very scalable. We have about ten users right now, however we don't intend to increase usage at this time.
How are customer service and technical support?
Technical support is excellent. I would rate it ten out of ten.
Which solution did I use previously and why did I switch?
We've never used a different solution.
How was the initial setup?
The initial setup was straightforward. Deployment took about two weeks.
What about the implementation team?
Our internal team handled the implementation.
Which other solutions did I evaluate?
We did not evaluate other options before choosing Qualys.
What other advice do I have?
We are using the cloud deployment model.
I would recommend other users to use Qualys Application Scanning for application security. If you're serious about security you need a service or a solution that does continuous scanning of your application and infrastructure. There are always vulnerabilities being introduced.
I would rate the solution eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Consultant at a tech services company with 1,001-5,000 employees
Enables us to identify vulnerability levels and to enforce security credentials
Pros and Cons
- "The most valuable feature is that we are able to scan the services and put credentials like a user ID password, and we can verify the vulnerability level."
- "It should have better automatic reporting."
- "They should improve the performance of the security scanning. It should have better performance."
What is our primary use case?
My primary use case of this solution is to audit the security level of my customer's internet. We offer this as a service.
What is most valuable?
The most valuable feature is that we are able to scan the services and put credentials like a user ID password. We can verify the vulnerability level.
What needs improvement?
They should improve the performance of the security scanning. It should have better performance.
For how long have I used the solution?
I have been using Qualys for fifteen years.
What do I think about the stability of the solution?
The stability is very good.
What do I think about the scalability of the solution?
The scalability is very good. It is very easy to expand this solution. We scan on an IP address basis. We have credit for 250 IP addresses, and we are free to use it in our user environment, or on the cloud.
We have around twenty users using this solution.
How are customer service and technical support?
Their technical support is good. We don't use them frequently because we offer that service.
Which solution did I use previously and why did I switch?
I also checked Rapid7 for internal scanning. I picked Qualys for a specific use. It's a SaaS service. We use it to audit the security level of my customer's internet.
How was the initial setup?
The initial setup is straightforward. A deployment that we did last week took four hours in order to launch it.
What about the implementation team?
I am an integrator. I work for an integration company. I do the deployments.
What's my experience with pricing, setup cost, and licensing?
Our licensing costs are on a yearly basis. We buy a group of IP addresses we can scan on a yearly basis.
What other advice do I have?
I would advise someone considering this product is to find a solution that is easy to use. We use this solution because we need to.
I would rate it an eight out of ten. Not a ten because the reporting needs improvement. It should have better automatic reporting.
Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller.
Assistant Manager - Cyber & Cloud Security at a financial services firm with 1,001-5,000 employees
It combines both web application vulnerability management and internal vulnerability management on one platform and dashboard
Pros and Cons
- "It combines both web application vulnerability management and internal vulnerability management on one platform and dashboard. Usually, you have to purchase separate tools."
- "The area of false positives could be improved. There are quite a number of false positives as compared to other solutions. They could probably fine tune the algorithm to be able to reduce the number of false positives being detected."
What is our primary use case?
The demo was mainly centered around vulnerability management. We were looking to find a tool which is able to do vulnerability management for internal assets and web applications which face the Internet and are exposed on it. We want a platform which can do vulnerability assessment for internal assets and also for assets which are published on the internet.
I did this demo for three to six months.
How has it helped my organization?
It gave us an idea of what lay in our network, and the vulnerabilities in it. Most IT admins are not aware of what is happening on the network. It was able to advise them of what's happening on the network. They could see the web-based applications and where attacks on the outside were coming from.
On the dashboard, you can see vulnerabilities that you have, as they are increasing or reducing over periods of time.
What is most valuable?
It combines both web application vulnerability management and internal vulnerability management on one platform and dashboard. Usually, you have to purchase separate tools.
What needs improvement?
The area of false positives could be improved. There are quite a number of false positives as compared to other solutions. They could probably fine tune the algorithm to be able to reduce the number of false positives being detected.
Going forward, I would like it to scan for given vulnerabilities and add-ons, then confirm whether it is an actual threat or not without the false positives.
For how long have I used the solution?
Trial/evaluations only.
What do I think about the stability of the solution?
It is a stable product, once it is implemented.
We haven't had any major errors or bugs. It runs quite well.
What do I think about the scalability of the solution?
The plans can be installed internally on the infrastructure or be used with a cloud-base scenario. If you have a cloud structure, the scalability is almost unlimited because it all depends on the number of assets that you want to manage. This can be done without any major configuration changes. In terms of scalability, Qualys has handled it quite well.
How is customer service and technical support?
Technical support was quite responsive and effective. If engaged on email, they got back to us on time.
How was the initial setup?
When setting up the solution, it was quite a challenge when trying to set up the internal VM. The guides were not able to give all the scenarios one might encounter when installing the product. At some point, we became stuck, not knowing what to do next.
Work closely with your network administrator. The challenge for us was when trying to connect the virtual machine to the cloud on Qualys, ensuring the firewall policy and rules are in line with the communication passing through without being dropped anywhere.
What about the implementation team?
Support was helpful during implementation. They also referred us to a third-party vendor who we could work with as a partner.
What's my experience with pricing, setup cost, and licensing?
Licensing was based on the number of assets that you want to scan on your network. You can also do licensing on subscription. On subscription, it is easier and more flexible. You tell Qualys that you want to move from the 1000 to 2000 band or the 3000 or 5000 band, then they will give you the quotation for it. Once you pay for it, applying the licensing is quite easy and effective.
Pricing was reasonable and competitive. It was not too far above the other products.
Which other solutions did I evaluate?
We have been evaluating the following: Rapid7, Tenable.io, Tenable SecurityCenter, and Acunetix for web applications.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Delivery Manager at a tech vendor with 1,001-5,000 employees
We can do scanning and submit reports straight to customers when there are new vulnerabilities
Pros and Cons
- "We can do scanning and submit reports straight to the customers when there are new vulnerabilities, then tell them whether they are affected or not."
- "In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are benchmarked against it, this will be helpful for us."
What is our primary use case?
We use it for external connection testing whenever we have a customer who utilizes post scanning tools for their main message. From the scanner's perspective, we use the scanner results to do manual testing.
How has it helped my organization?
We are looking for automation in our scanning activities or projects, because manual won't work. So, automation is required for us. As a result, using the Qualys scanner result is helpful for us.
What is most valuable?
We are using scanners and the PCI model. We do PCI scanning because we are a PCI vendor. We are using the tool to do the scanning on whatever the latest vulnerabilities there are, and Qualys is always providing us updates. We can do scanning and submit reports straight to the customers when there are new vulnerabilities, then tell them whether they are affected or not.
What needs improvement?
In terms of the Policy Compliance model which they currently have, not all the platforms are being covered. If they could improve on the Policy Compliance model, since there are policies which are benchmarked against it, this will be helpful for us.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
It has been stable.
What do I think about the scalability of the solution?
It is good and scalable.
How are customer service and technical support?
Technical support is responsive.
Which solution did I use previously and why did I switch?
We were and still are using webMethods Professional. We use both in tandem to do manual testing. That is our process of doing things.
How was the initial setup?
We use the cloud instances for our setups. We have one setup, and it is on the cloud, so it is not complex. Actually, we don't have to do any set up.
We have applications located in our different offices, and so far there set up has not been a challenge.
What's my experience with pricing, setup cost, and licensing?
Qualys has an IT-based licensing based on a yearly license, which is a good way of handling it. However, in some cases, when we do the PCI scanning, the host will not like the scanning and we lose the IT license. So, this could be improved.
What other advice do I have?
It is a very much stable. If you have a good amount of calender-based activities, it is good for defining frequency. You can define the calendar internally, then you can do your scanning. Though, it has some triaging features which should finally be fixed.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Download our free Qualys Web Application Scanning Report and get advice and tips from experienced pros
sharing their opinions.
Updated: June 2026
Popular Comparisons
Checkmarx One
CrowdStrike Falcon Cloud Security
PortSwigger Burp Suite Professional
Coverity Static
Sonatype Lifecycle
OpenText Core Application Security
GitHub Advanced Security
Buyer's Guide
Download our free Qualys Web Application Scanning Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What is the biggest difference between OWASP Zap and Qualys?
- If you had to both encrypt and compress data during transmission, which would you do first and why?
- When evaluating Application Security, what aspect do you think is the most important to look for?
- What are the threats associated with using ‘bogus’ cybersecurity tools?
- What are the Top 5 cybersecurity trends in 2022?
- Which application security solutions include both vulnerability scans and quality checks?
- We're evaluating Tripwire, what else should we consider?
- Is SonarQube the best tool for static analysis?
- Why Do I Need Application Security Software?
- Which Email Security enterprise solution would you choose: Cisco Secure Email vs Forcepoint Email Security vs Barracuda Email Security Gateway?



















