
Reviews from AWS customer

10 AWS reviews

External reviews

23 reviews

External reviews are not included in the AWS star rating for the product.


3-star reviews

    reviewer2788209

Automated vulnerability detection has improved risk visibility but container security still needs work

  • December 15, 2025
  • Review from a verified AWS customer

What is our primary use case?

We have experience with Veracode and other SCA solutions, but I'm not interested in participating in any campaign. Other than Snyk, we use Qualys for Vulnerability Management, specifically the VMDR solution. TruRisk Management is not what we use; it's an extension to VMDR, but what we actually use is the main module of Qualys, which is Vulnerability Management, Detection, and Response.

We are not using TruRisk at all because we have our own framework and we use Qualys Detection Score for everything. We do use Qualys TotalCloud for continuous monitoring. The main use case with Qualys TotalCloud is that VMDR provides a direct solution for on-prem systems and it offers a similar solution for cloud infrastructure including AWS, Azure, and GCP, along with an option to scan containers and other related resources.

The features I value about using Qualys include container scanning; they did give us some requested features, but maturity-wise, they are not there yet with respect to container scanning. The solution is maybe slightly expensive, but it's not as expensive as other tools such as Wiz. Generally, Qualys is very good at detections, whether on cloud or on-prem. The agent allows deployment on both infrastructures, providing continuous monitoring of your assets, which is a key selling point for us.

What is most valuable?

The features I value about using Qualys include container scanning; they provided us with some requested features, but maturity-wise, they are not there yet with respect to container scanning.

The solution is slightly expensive, but it's not as expensive as other tools such as Wiz. Generally, Qualys is very good at detections, whether on cloud or on-prem. The agent allows deployment on both infrastructures, providing continuous monitoring of your assets, which is a key selling point for us.

Detections get updated in Qualys with a unique identifier called QID. Whenever there's new information, such as a new CVE, Qualys processes that and generates a QID. Since our agents are installed across our infrastructure, they identify vulnerabilities based on the agent information, and any new detections also get updated to a manifest that runs every four hours, checking for new vulnerabilities.

The single prioritized view of risk helps reduce the work significantly; Qualys Detection Score not only considers the basic CVSS score but also factors in threat information and the exploitability factor, which helps us prioritize effectively. We also have another separate framework we developed that we use on top of this.

What needs improvement?

The downside is only in container security, but it has not been a long time since they introduced these models. Our use cases were edge use cases, so they had to develop some features for us, but they are indeed doing a good job.

How are customer service and support?

I would rate their support a seven on a scale of one to ten. For working with the people from Qualys, I would say seven is an accurate rating.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Before switching to Qualys, we were doing everything completely manually, and we wanted a more automated solution, which prompted us to switch.

How was the initial setup?

Our experience with the setup and deployment was quite good; Qualys was supportive, and we met with them twice a week while setting up the scanners and operations.

What about the implementation team?

The setup was done by us while Qualys guided us, as they do not have access to our infrastructure for deployments.

What's my experience with pricing, setup cost, and licensing?

Regarding pricing and setup cost, it was not the most expensive. While checking tools for container scanning, we considered Wiz and a startup, but we believe having one tool for as much as possible makes tracking and monitoring easier. We had Qualys agents installed everywhere, which facilitated the shift to container scanning.

What other advice do I have?

Qualys TotalCloud does help guide remediation paths and eliminate cyber risks. I would rate this solution a seven overall.

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?


    Chukwuka Onwubolu

Has supported vulnerability detection and device inventory but needs better automation and risk prioritization

  • September 17, 2025
  • Review provided by PeerSpot

What is our primary use case?

I use Qualys TotalCloud for vulnerability as a service, vulnerability management as a service. I use it to check my devices to see if they're free from vulnerabilities, to send updates, and also as a form of inventory for the devices.

What is most valuable?

I can use Qualys TotalCloud to uninstall unwanted devices, which is great. I can also use the feature of seeing what my vulnerabilities are, a form of inventory, and knowing the criticals and the less criticals. Once you have your vulnerabilities fixed and your patches pushed out using Qualys TotalCloud, then you are able to eliminate threats and cyber risk. Qualys TotalCloud is also used to provide unified vulnerability and threat assessment across both IaaS and SaaS.

What needs improvement?

I sometimes have difficulty detecting or uninstalling certain versions of applications, which I have to do manually. More advanced features or AI could improve this process. A single prioritized view of risk is also lacking, which could enhance decision-making. Additionally, it could use improvements to perform actions without requiring manual intervention.

For how long have I used the solution?

I have been using Qualys TotalCloud for one year now.

What do I think about the stability of the solution?

It is stable. I have not had any issues with it.

How are customer service and support?

I rate the documentation they provide or the knowledge base between five and seven.

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?

I have done a POC with Okta and CrowdStrike. Qualys TotalCloud focuses on vulnerability management and security features. Okta focuses more on identities and IAMs. CrowdStrike is more of intrusion detection and assessment.

How was the initial setup?

The application was quite easy to deploy in over 3,000 applications using Qualys TotalCloud.

What about the implementation team?

It's just me using Qualys TotalCloud. The users don't really have anything to do with it. I do all the admin side from my end.

What was our ROI?

The return on investment I've seen in the past year with Qualys TotalCloud is quite significant, around 10% to 20%.

What's my experience with pricing, setup cost, and licensing?

Qualys TotalCloud's pricing is fair. It is not expensive and is affordable.

What other advice do I have?

Cloud security posture changes with time when using Qualys TotalCloud. It depends on how early you detect threats and fix them. Qualys TotalCloud doesn't provide a single prioritized view of risk. The product does what it says it's going to do, so I recommend it. I rate Qualys TotalCloud six out of ten.


    Vishvanath Mulgund

Covers internet-facing VMs and gives priority-based results, but can be enhanced for AI-related risks

  • October 29, 2024
  • Review provided by PeerSpot

What is our primary use case?

Within Qualys TotalCloud, we have implemented Cloud Security Posture Management (CSPM). It helps us manage the security portion of all our cloud subscriptions. From a configuration compliance standpoint, we have been using CSPM within Qualys TotalCloud.

How has it helped my organization?

I manage the risk aspect in my organization. The biggest issue that we had was from the compliance perspective. We did not have visibility into the security portion of all the subscriptions that were introduced. We were not quite sure of our security posture. We wanted insights and visibility. We also wanted a single pane of glass that would summarize the posture of all the subscriptions that are hosted. Qualys TotalCloud fits the bill and gives us visibility into the security portion of all our subscriptions that have been rolled out. It gives us what we need.

Compliance is the first step. If you do not know what your security posture is, you cannot align your remediation activities. We now know what our security posture is. It has helped us improve the adoption of newer technologies. Previously, we did not have visibility into what our security posture is or what we are lacking. Qualys TotalCloud has given us insights into what we should prioritize. We plan our remediation activities or remediation budget accordingly. It helped us align our remediation activities.

We have a monthly vulnerability scan. We are leveraging that feature as well. From the vulnerability standpoint, it provides unified vulnerability and threat assessment across both IaaS and SaaS.

It helps to identify any gaps. It does a security posture scan of all our subscriptions and helps us to identify the gaps and prioritize fixing those. It gives us priority-based results. For instance, if it gives us ten findings, it tells us which one we should prioritize. It gives us that view. From that perspective, it has helped prioritize our security remediation activities.

We have enabled TruRisk, but the Risk Operation Center or ROC that was introduced recently is a bit more comprehensive. That would give us a better picture. Overall, Qualys TotalCloud gives us a high-level understanding of what the risks are and also gives us the TruRisk value for each of those vulnerability findings. Previously, we used to depend on the QDS value, but now we can also leverage the TruRisk value. It does help us to give us an insight from this perspective.

This single, prioritized view of risk helps reduce the work. Previously, when we used to share reports with the IT team, we would have thousands of vulnerabilities. They had a difficult time deciding which one should be prioritized. With TruRisk, we can set a filter to prioritize the findings with a TruRisk value in the range of 800 to 1,000. It has definitely helped us to prioritize our remediation activities. I do not have the metrics, but it has substantially reduced the remediation timeline. There is probably a 10% to 20% reduction.

What is most valuable?

One of the most valuable features of Qualys TotalCloud is FlexScan, which is specifically for internet-facing VMs. We found this feature to be very useful. It was a key differentiator for us.

What needs improvement?

An area for improvement would be to focus on risks related to AI, such as large language models and potential data leakage. That is the only area for improvement. Qualys is already moving in the right direction, and its offerings are quite exhaustive and cohesive.

For how long have I used the solution?

We have been using Qualys TotalCloud for around two years. Our overall engagement with Qualys products has been for more than ten years.

What do I think about the stability of the solution?

The stability of the solution is quite good. I would rate it an eight out of ten for stability.

What do I think about the scalability of the solution?

The solution is definitely scalable. I would rate it an eight out of ten for scalability.

We are a global organization with multiple departments. There are about 3,000 people on the team, but only 15 to 20 of them work on cloud solutions.

How are customer service and support?

We have the required support and documentation. Customizing it as per our environment took some time, but from a support perspective, we have the required support from Qualys.

Their support is quite good. I would rate them an eight out of ten. I am satisfied with their response time and knowledge.

How would you rate customer service and support?

Positive

How was the initial setup?

It is quite easy. The UI is quite easy to understand and easy to implement.

The implementation process involved subscribing to TotalCloud and onboarding the inventory onto the cloud. With the CSPM module, we scanned our assets. In the end, we set up a schedule for scanning and reporting. Overall, it was straightforward.

It is a cloud solution. It does not require any maintenance from our end.

What's my experience with pricing, setup cost, and licensing?

I am not sure about the pricing. From what I understand, it is a bit on the higher side, but I do not have the exact numbers.

What other advice do I have?

I would definitely recommend Qualys TotalCloud. Qualys is at the top of the game. They are trying to upscale as per the current demands and requirements. From that perspective, I would recommend this solution.

We are exploring modules like Cloud Detection and Response (CDR) and infrastructure as code. We are evaluating these features, but we are not quite sure about implementing them.

Apart from this, at the Qualys 2024 conference we had in Mumbai, they introduced a new product called ROC or Risk Operations Center. That is something we would like to leverage. We are evaluating it. We are already using TruRisk, but ROC offers something beyond that.

Overall, I would rate Qualys TotalCloud a seven out of ten. It is comprehensive, but they can give some kind of loyalty-based program for customers.

