We are managing hundreds of AWS and several on-premises accounts using Qualys agents and scanners to provide data inputs for Qualys. We are using several of the Qualys modules, VMDR, Cloud Agents, Connectors along with Global Asset View (GAV).  GAV dynamic tagging is valuable for tracking owners of assets.   

Qualys' main function is to provide us with vulnerability management information for our end users and is a major input to our CMDB.  We rely on a combination of agents and scans to provide us with the system data.   

We are seeing more of the issues we suspected were there. Qualys is allowing us to get an overall picture of our Risk posture. It has enabled us to identify assets we did not know existed.  

However, Qualys has not enabled us to get a complete picture of our risk posture, due to our own limitations in our deployments and limitations in the Qualys back end, dashboards, UI, connector reliability, and the limitations of the Qualys Scripting Language (QSL).  

Qualys implementation requires dedicated back-end support from various teams which was not clearly explained to us or planned for. 

Cloud Agents: lots of control available and very trouble-free. It pulls all systems information, including installed software and open ports. It's very configurable to adjust impact to systems.  

Connectors: Pulls all the cloud information per account and helps to build a CMDB.  Qualys connectors do some control evaluations to help manage these accounts. 

Global Asset View (GAV): With the ability to establish dynamic tagging and perform queries GAV has become a very valuable research tool to our teams. 

Support: It's often overseas and often following a script, basically asking us to redo what we opened the case with. 

Multiple APIs: There seems to be a lack of easy onboarding into Qualys. We had to use manual inputs and some API calls to get items in place. 

Dashboard: It is very rudimentary with very little customization. The Qualys Scripting Language (QSL) works differently in different Qualys modules, so when you get it working in one area you have to modify the syntax in others.  

User account management: We often have to give users more rights than needed just to give them what they need. 

Integration with the various Qualys Modules: You can tell the UI is different based on of the different teams that created them. 

QSL syntax same in all modules

Responsiveness of some of the components: They time out, you get a blank screen, etc.

Backend updates between the various modules: You update connectors and information takes a few minutes to show in VMDR or Global Asset View

Connectors: Connectors have a throttling issue with AWS which causes them to frequently fail unless you manually run them again. 

I've used the solution for three years.

Stability is not the issue. However, the reliably of the different modules is a concern. I have never seen all of Qualys go down. 

The solution is very scalable (with a matching cost, in that, it gets expensive as you grow). 

Our CSM has awesome, however, support is often overseas at conflicting hours.  Support seems to follow scripts and forces us to go through the same scripts. Some solutions required months from Qualys to implement. 

Negative

We used Tenable.IO which we found very limited. However, in our other cloud environment, we had to use Teanble.SC with which we were able to use a Lambda function and a few API calls to make it operate very well in the cloud. 

The setup is complex in many ways, from setting up agents and connectors to trying to create dashboards that fit our needs.  

We managed the setup in-house.

Management is very concerned about the cost of using Qualys; it keeps going up as we pursue 100% deployment. 

The price is very high and escalates quickly based on the number of appliances you need. 

We evaluated Tenable.SC and Rapid7.

If you're going to deploy Qualys it is key to have someone dedicated to supporting the back end, making sure all the components are working as expected.  This is not a fire-and-forget solution.