We are managing hundreds of AWS and several on-premises accounts using Qualys agents and scanners to provide data inputs for Qualys. We are using several of the Qualys modules, VMDR, Cloud Agents, Connectors along with Global Asset View (GAV).  GAV dynamic tagging is valuable for tracking owners of assets.   

Qualys' main function is to provide us with vulnerability management information for our end users and is a major input to our CMDB.  We rely on a combination of agents and scans to provide us with the system data.   

We are seeing more of the issues we suspected were there. Qualys is allowing us to get an overall picture of our Risk posture. It has enabled us to identify assets we did not know existed.  

However, Qualys has not enabled us to get a complete picture of our risk posture, due to our own limitations in our deployments and limitations in the Qualys back end, dashboards, UI, connector reliability, and the limitations of the Qualys Scripting Language (QSL).  

Qualys implementation requires dedicated back-end support from various teams which was not clearly explained to us or planned for. 

Cloud Agents: lots of control available and very trouble-free. It pulls all systems information, including installed software and open ports. It's very configurable to adjust impact to systems.  

Connectors: Pulls all the cloud information per account and helps to build a CMDB.  Qualys connectors do some control evaluations to help manage these accounts. 

Global Asset View (GAV): With the ability to establish dynamic tagging and perform queries GAV has become a very valuable research tool to our teams. 

Support: It's often overseas and often following a script, basically asking us to redo what we opened the case with. 

Multiple APIs: There seems to be a lack of easy onboarding into Qualys. We had to use manual inputs and some API calls to get items in place. 

Dashboard: It is very rudimentary with very little customization. The Qualys Scripting Language (QSL) works differently in different Qualys modules, so when you get it working in one area you have to modify the syntax in others.  

User account management: We often have to give users more rights than needed just to give them what they need. 

Integration with the various Qualys Modules: You can tell the UI is different based on of the different teams that created them. 

QSL syntax same in all modules

Responsiveness of some of the components: They time out, you get a blank screen, etc.

Backend updates between the various modules: You update connectors and information takes a few minutes to show in VMDR or Global Asset View

Connectors: Connectors have a throttling issue with AWS which causes them to frequently fail unless you manually run them again. 

I've used the solution for three years.

Stability is not the issue. However, the reliably of the different modules is a concern. I have never seen all of Qualys go down. 

The solution is very scalable (with a matching cost, in that, it gets expensive as you grow). 

Our CSM has awesome, however, support is often overseas at conflicting hours.  Support seems to follow scripts and forces us to go through the same scripts. Some solutions required months from Qualys to implement. 

Negative

We used Tenable.IO which we found very limited. However, in our other cloud environment, we had to use Teanble.SC with which we were able to use a Lambda function and a few API calls to make it operate very well in the cloud. 

The setup is complex in many ways, from setting up agents and connectors to trying to create dashboards that fit our needs.  

We managed the setup in-house.

Management is very concerned about the cost of using Qualys; it keeps going up as we pursue 100% deployment. 

The price is very high and escalates quickly based on the number of appliances you need. 

We evaluated Tenable.SC and Rapid7.

If you're going to deploy Qualys it is key to have someone dedicated to supporting the back end, making sure all the components are working as expected.  This is not a fire-and-forget solution. 

Using the solution, I go through the reports and advise my organization on what needs to be done and how to go about it.

I find the solution's dashboard interesting since we get a proper view to streamline our findings and assist in prioritizing the schedule for patching or any other related incidents we believe have already been worked on.

Presently, I am more of the technical part. I am allowed to just go through the details of the report, which has been very interesting. It is a struggle to be able to pull our report and to be able to do onboarding using automated tools. So basically, the aforementioned aspect of the report needs improvement.

Presently, whatever I'm working on has been quite fantastic to the best of my knowledge.

I have been using Qualys VMDR. I have been using it on my own site as a client. I am just a consultant. I work with Qualys VMDR due to my understanding of the product so that I can help my clients check one or two things that can help improve the digital infrastructure part.

The stability of the tool is okay. Most of the time, you need to do the updates online to be able to get off from any vulnerability. As long as you are online since it's on the cloud, it's just as software of which the update has been handled on the cloud as well.

The response time is fine. You can pull up reports without dragging or consuming bandwidth.

The scalability of the tool is okay. Scalability-wise, I rate the solution an eight out of ten. I have not been able to have the solution function at a large scale. Hence, I will be able to categorically say that everything is fantastic.

Presently on my own part, I've not been able to experience the support, but I can search the technical algorithm of which I've not yet got any reports. 

The initial setup phase has been quite interesting because of our experience when we had to use the agents on most of the endpoints, which means it was okay for us.

The solution is deployed on the cloud.

I would tell those planning to use it that it is definitely not about the technology. However, at the same time, if you have the technology, make sure you have the right person with the ability to assist you in addressing the advantages of the product.

I rate the overall product an eight out of ten.

Qualys VMDR is a vulnerability management and detection response tool. It belongs to the first generation of vulnerability assessment tools. It enables us to manually identify vulnerable keys and fix them. It is built as a cutting-edge continuous platform where we can detect and protect. With this product, we can respond to specific vulnerabilities, going beyond just using artificial intelligence features. We have implemented VMDR across our cloud, physical interfaces, endpoints, and log servers. It's a good digital product for our organization.

It has improved our organization in many ways. We needed to have a security solution that focuses on different types of things. We discussed budgeting for the cloud and the need for an alternative to taking care of malware. Additionally, we have to consider various attacks. Therefore, Qualys VMDR is a great tool that helps us improve.

The most valuable feature is automation.

Qualys VMDR is basically susceptible to false positives, and false negatives. We receive a lot of false positives in there. VMDR can be considered a complex solution, especially for enterprises with limited resources or organizations. It requires extensive knowledge as an engineer. So, when using this tool, you need to utilize other tools to remediate the false security issues.

So maybe it should also have the ability to automatically identify and address false positives. In additional features, an automated process for remediating false positives. We might be looking for new types of signatures that can help us identify and address specific issues.

I have been using Qualys VMDR for one last year. 

I would rate the stability an eight out of ten.

I would rate the scalability an eight out of ten.

It took us one month to set up.

I have seen an ROI.

The price is very reasonable, so you can definitely go with all the endpoints it offers.  

Just consider the licenses we have within VMware. They could replicate some of these features, which are used for premium customers. So, it might be useful to include those features in the subscription plans.

Overall, I would rate the solution a nine out of ten.

We use the solution for vulnerability management. It helps us identify potentially vulnerable assets. Thus, we can prioritize patching based on a risk score.

The solution is easy to use and has many essential features. I found the concept of tags the most valuable feature. It allows us to build assets from different views. We can categorize systems with tags, either automatically or manually.

The solution's cloud agent is available only for limited operating systems such as Windows and Linux. They should make it accessible for more systems like FreeBSD. Also, it would be helpful if they made it available for Cisco or Juniper routers. Additionally, its price and support could be better as well.

We have been using the solution for six years.

The solution is stable. However, it takes time to generate reports.

We have ten solution users in our organization.

The solution's technical support team replies with generic answers. The quality of the response could be better.

Neutral

The solution's initial setup process was straightforward. We just followed the documentation.

The solution is costly.

I recommend the solution to others and rate it as a eight.

We use the solution for vulnerability and policy scan. 

The product has helped us understand cybersecurity controls. 

I am impressed with the VMDR feature. 

The tool needs to improve the adding assets and report generation features. I would like to see the policy scan of offline appliances in the product's future releases. 

I have been using the product for three years. 

I would rate the product's stability a nine out of ten. 

I would rate the tool's scalability an eight out of ten. My company has 10 IT specialists using the product. 

The product's support is not very helpful. They suggest things that we already know. 

Neutral

I would rate the product's setup an eight out of ten. The tool's deployment took one to two days to complete. 

We deployed the solution in-house. 

The tool's pricing is expensive and I would rate the pricing a seven out of ten. 

I would rate the product an eight out of ten. You need to complete the training before using the product.