Avis clients sur Qualys Cloud Platform

In the firts instance we could see its operation inside a beast and we were amazed, its different configurations to make scans allows to obtain much more complete results than other programs. Qualys as a pentesting tool allows you to analyze those areas of greatest risk within your organization to remedy them. The ability to perform scans for a particular plugin is one of the features that other software should envy to Qualys. Your reports have a very detailed information that allows you to quickly identify vulnerabilities.

I have no negative comments, it has worked very well in the company and with our allies.

From my years of experience with vulnerability management solutions, Qualys is the best one in the market. First, it is really easy to set up, specially the cloud solution. In less than few hours you can start scanning your environment. Second, it's vulnerability database is constantly updated with the latest vulnerabilities. Third, it contains tons of apps that extends its capabilities (e.g. Asset management app, web application scanning, PCI compliance monitoring, etc.) ...

The price tag is not the cheapest one. Their licensing model is per IP on the scope, not per live IPs. So for example, if you have three /24 networks with one server each, you will be paying to scan 765 IPs (255*3) instead of only 3 IPs.

Agent deployment is simple. The software offers much if configured right. I dislike the add on services model.

False positives. If a later software update rectifies an older vulnerability then there is no need to show asset is vulnerable.
Vuln that shows up in Asset View is different in Vuln View.. Why?
Salesperson quit after the sale which sucked. Replacement helped but was not focused on us.

The interface is nice and clean. Free online training with labs aids in understanding the product. Easy deployment of agents on both Windows and Linux endpoints.

Configuring scans was not the easiest of tasks to perform initially. I recommend doing the free online training first before embarking with the deployment. Reporting needs to be improved especially the look and feel of the .PDF reports. Scheduling tasks I found limited as I wanted a particular scan to run 2 days out of the month and was unable to do so. Instead I had to create 2 tasks. Could not find an option to create custom usernames.

Qualys gives high-quality reports in an easy to read format. The agent has been easy to install and has not caused any issues.

We have had some instances where scan attempts ended up causing confusion or application outages when they were not designed to handle the scans.

Easy to implement, enabling sensors are not much techie.

Sometime handling false positive detection are really a tough task.

Qualysguard performs scan based on IP addresses rather than URL’s.

It easily accessible from anywhere as its as cloud based scanner.

Qualysguard supports scheduling of the scan for target system based on particular time and date and it also acknowledges and share the mail once the scan is completed.

It can also perform the scan and give vulnerabilities as per compliance standards such as PCI DSS.

Qualysguard doesn’t support scan for URL’s as we only need to provide IP address of the URL to perform the scan.

This tool might be costly for small scale organizations.

Lots of features, agent available, flexible pricing. Software as a service, so you don't need any infrastructure.

Useless unprofessional support, unable to solve any of my issues. They were closing unresolved issues. Lot of false positives. Support couldn't solve them, I got promises that it will be fixed in next release. Awful and unreliable reporting (errors on dashboards etc.). Very expensive. They're not using real cloud but couple of concentrators in different regions. Not useful for global customers. They promise they don't have access to customer data, but they request that to solve problems.

convenient web based scanning utility for our enterprise

frequently had password issues trying to use a group account

Once you get the hang of the interface, it generates results with more depth than most vulnerability assesment tools. Support is quick to respond to any queries, even during a trial period.

The interface and the amount of options is confusing, to put it mildly. There are many different steps to take and many different, seemingly similar, scan options to choose from. It takes a significant amount of time to set up.

It can scan the systems based on various unique standards like PCI DSS which other scanners by competitors doesn't have .
We can define various scanning profiles for doing vulnerability scans .
It supports scan based on IP rather than URL.
As it is a cloud based scanner it can be accessed from anywhere.
I like the feature that it has option to schedule scans in future.

It can't perform credentialed based scans for external or public facing IP’s
Does Not support URL based vulnerability scans for application.

The solution is very detailed in what information it collects. The Cloud agent runs as a service on the endpoints and references back to the cloud periodically (the interval is customizable). The GUI is very nice and they are updating things constantly. It is easy to see our Security stance from the different modules.

There is no MSI file to deploy the software via GPO! Also, for me, the assetview module shows a different number of assets than the VMDR asset tab. Why there is a difference, I don't know.

Detailed explanations and possible resolutions for vulnerabilities that are detected by the Cloud Agents.

I have used other solutions as well on the same machines and they seem to detect quite a few different vulnerabilities, it seems neither give a rather complete list, so it's a good idea to use multiple solutions from different vendors with a different focus to get a clear insight in the ones that are classified as higher risks.

The tool is feature-rich, and managing the software is easy. Scans are easy to initiate and it doesnt cause any hassle for first-timers

UI is lacklustre. Overall the tool is a bit slower in accessing compared to its competition

The platform provides pretty up to date scanning capabilities. Reporting contains direct links to available exploits.

Very out dated user interface. Reporting modules have to be purchase separately along with actual scanners

Nothing - I hate it.

Their ridiculous false positives - apparently it's a critical incompliance that certain options aren't set in the gdm config file /etc/gdm.conf.
Fair enough - if gdm was installed. A simple check that the file exists first would eliminate this and (of our 80+ compliance errors) most others. Complaining about mount options on non-existent filesystems, or that /etc/gshadow didn't match a regex - or did, I'm not sure from the report. The file has mode 0000 (so no permissions set at all).
The fix was to chown root:root /etc/gshadow*

Trust these amateurs at your own risk. If they are as incompetent as this, what are they missing?

Works well and is a trusted source. Their scanning engine gives you some level organization independence (not entirely).

It is expensive, and you have to open up your organization to their IP's or put an in-house relay server.

Detects the most vulns from a range of scanners tested.

Reporting needs to be improved. This is a flaw in all VM tools though.