Qualys TotalCloud

At the moment, the organization where I work, Alior Bank, is using Qualys TotalCloud , although in the past we used Nessus Professional , which we dropped about two years ago. It was Professional , not the enterprise Tenable version, just Nessus.

I have been familiar with Qualys TotalCloud  from the beginning of the implementation in our bank, which was in 2024 when we purchased it and started implementing it. I am part of the implementation and current management of Qualys TotalCloud.

Regarding Kubernetes  and containers, I don't recall if it's part of Qualys TotalCloud or a different component.

We are utilizing Azure  and GCP with Qualys TotalCloud.

Qualys TotalCloud provides unified vulnerability and threat assessment across both IAS and SaaS.

This solution provides a single prioritized view of risk, which helps reduce the work I would have to do. We are no longer based on CVSS; we are based on Qualys risk scoring, which is based on CVSS plus internal findings made by Qualys, and then assigns its own score.

The TruRisk insight feature has found a small number of assets with high vulnerability scores, though I am cautious since some information is classified.

Qualys TotalCloud has positively impacted our bank's performance, and we have definitely seen benefits after implementing this solution.

Improvements in Qualys TotalCloud could include technologies to cover compliance scanning, such as CIS benchmark scanning. It is somewhat difficult to set up Qualys TotalCloud properly for certain technologies. Additionally, while they moved to UI4, which is nicer, some parts of Qualys TotalCloud dashboards still look very old. You can switch between those interfaces and adopt them because some things are better in the new one, while others are not.

Overall, Qualys TotalCloud is a stable solution. I remember encountering a problem once, which was an issue for the whole EU2 platform and affected tenants on Qualys TotalCloud placed in EU2 areas. As I saw on the status page, it was only a problem in Europe, not in America or Asia.

Regarding technical support from Qualys, they respond, but the response time can be too long. Sometimes we need to wait weeks for solutions to simple questions.

If I had to rate Qualys support based on my experience from one to ten, I would say around six or weak seven, perhaps six plus.

It is difficult to compare the helpfulness of written explanations with other solutions as we used Nessus for a few years. We only had two or three years of experience with that support, and it was simply Nessus Professional and not Tenable Enterprise, so I could not make a comparison. However, currently we have very good support from our integrator, plus the support from Qualys itself.

Regarding deployment of Qualys TotalCloud, the installation of Cloud agents was given to administrators from each team who manage servers and workstations, including components in Azure  or GCP cloud. This was not handled by me or my team, as I work in the cybersecurity department. We manage the use of Qualys TotalCloud, but installation is up to the administrators, and we provide them support.

Currently, in the cybersecurity department, we have two people involved in the deployment of Qualys TotalCloud, along with over one hundred administrators involved in implementing and installing agents on the machines.

The deployment of Qualys TotalCloud within our organization was a continuous process. However, the installation of Cloud agents on the machines took place within two to three months, about a quarter.

The benefits we see are related to cost reductions.

For a mid-size bank like ours, the licensing cost for Qualys TotalCloud is cheap. Tenable Enterprise costs double that of Qualys TotalCloud and Rapid7. We explored those three solutions and decided to go with Qualys TotalCloud.

Qualys TotalCloud provides written explanations to help guide remediation paths and eliminate cyber risks in our organization. I would rate this review an eight overall.

I am working with Qualys TotalCloud  for vulnerability management, and the major use cases are patch management and scanning.

If I had to say something positive about the product that brings me the biggest benefit, I would say it has accurate reports, gets new update CVEs, zero-day attack detection, and is easy to manage with its GUI. Qualys TotalCloud  does provide written explanations to help guide remediation paths and thus eliminate cyber risk. When it provides written explanations with guidance to remediate a path and eliminate cyber risk, it helps in general and helps a lot. The product does have a so-called TruRisk Insights feature, but I do not have experience with it. Qualys TotalCloud for vulnerability management provides unified vulnerability and threat assessment across both IaaS  and SaaS, and I think overall it helps with security posture management. It is very good for patching vulnerabilities and getting zero-day attacks with accurate reports, not like Nessus. With Nessus, if you start to scan, it gives you many vulnerabilities, but it is not accurate and shows old vulnerabilities. If you compare it with Qualys TotalCloud, it is accurate and has updated CVEs. It saves a lot of time.

If Qualys could add some new features to Qualys TotalCloud in future releases, the results for the report and remediation should be more clear and very straightforward. Once we export the report, sometimes we do not get the correct path to patching the vulnerability.

I have been working with the product for around two years, and in general, I have been in this domain with security products for around 12 or 13 years.

Qualys TotalCloud is stable.

Regarding scalability, I would rate it seven out of ten. The reason I rate it seven points, not ten points, is that it is not that easy to manage. The problem when I manage it basically is that you need someone who has some experience to manage it, as it is not user-friendly.

The technical support from Qualys is good, to be honest.

Apart from Tenable and Qualys, I did not work with any other competitors. I only worked with these two and OpenVAS, which is an open-source solution for vulnerability assessment.

The installation of Qualys TotalCloud is very straightforward, and you can easily install the agent for Windows, Linux, and Mac.

I cannot provide information about seeing ROI with Qualys TotalCloud.

The price is very expensive, actually.

If I compare Qualys TotalCloud with other vendors, I compare it with Nessus and Tenable. If I compare Qualys TotalCloud and Tenable, I would say Qualys TotalCloud is better in terms of functionality, and Tenable is better in terms of price.

We are using Qualys TotalCloud Vulnerability Management  and web applications, enterprise solutions, plus Nessus also. For vulnerability management, we installed an agent for each machine and servers and start scanning to get the vulnerabilities.

If I speak about some negative sides of Qualys TotalCloud, I think the negative side is the license. It accounts for approximately 30 percent of the concerns.

Qualys TotalCloud  provides container security, vulnerability management, posture management, and more.

Qualys TotalCloud  saves about a third of resources. Qualys TotalCloud provides written explanations to guide remediation paths and eliminate cyber risk, and I appreciate the written explanation and the visualization of attack paths.

Qualys TotalCloud provides unified vulnerability and threat assessment for IaaS  and SaaS. Qualys TotalCloud provides a single prioritized view of risk, which helps reduce my workload by not having to combine multiple sources.

In my opinion, what can be improved in Qualys TotalCloud includes pricing and container scanning.

I started working with Qualys TotalCloud approximately one year ago.

I assess Qualys TotalCloud as stable, and I would rate it an 8, with 10 being the best.

I would rate Qualys TotalCloud a 7 for scalability on a scale from 1 to 10.

I would rate the technical support for Qualys TotalCloud about a 7 on a scale from 1 to 10.

It is easy to deploy Qualys TotalCloud.

Qualys TotalCloud is on the pricier side, and I would rate the pricing around an 8 on a scale from 1 to 10.

I compare Qualys TotalCloud with other solutions and other vendors as a good contender, though I acknowledge there are differences. In comparison with other vendors, including Microsoft, Qualys TotalCloud holds its own but presents distinct features.

I do use the TruRisk Insight feature with Qualys TotalCloud. I assess the comprehensiveness and the range of risks found with TruRisk Insights as adequate.

The TruRisk Insights feature has found a small number of assets with high vulnerability scores. The effect of TruRisk Insights on security posture is significant, as it provides better awareness and focus on critical risks.

I would recommend this product to other users, and my advice would include doing a proof of concept to see if it fits their needs. I would rate this product an 8 overall.

I use Qualys TotalCloud  for cloud security posture management across AWS  and Google Cloud . I use this tool for compliance and other purposes. I scan AWS  and Azure  for S3  buckets, security groups, unencrypted databases, and generally for IAM  roles. It helps in terms of securing the data. I also use CIS benchmarks as a standard for hardening cloud posture management. Qualys TotalCloud  helps to ensure I am enforcing the CIS benchmarks automatically.

For the TrueRisk insights, it provides context-aware prioritization of findings, asset criticality, risk trends, and real-time exposures of risk parameters. It ensures I can make informed decisions with higher management.

FlexScan helps me run targeted, on-demand cloud security checks instead of waiting for full scheduled scans. It allows for immediate results on risky configurations or vulnerabilities after major configuration changes. I use it to validate checks post-scan.

TrueRisk Eliminates helps in lowering risks from the organization's context by comparing with global standards. Though not used extensively, it aids in reducing exposure ratings or ensuring compliance.

One of the valuable features of Qualys TotalCloud is its recurring scanning patterns, which detect misconfigurations, risky configurations, and weak IAM  policies. The tool automates the maintenance of CIS benchmarks at scale, which is very useful. Qualys TotalCloud serves as a single-point tool integrating various modules such as VM and policy compliance and security, providing a holistic view of my security posture.

Qualys TotalCloud provides threat intelligence feeds or threat integration, enabling me to mix data with other modules to identify recurring vulnerabilities or threats I face in my organization.

From a downside perspective, the UI is not user-friendly and feels dated compared to other tools like Prisma Cloud. The navigation is difficult in terms of understanding risk relationships. Attack path analysis is another area needing improvement. It struggles to predict how attackers may move through phases. Automating remediation could also be improved, as many tasks remain manual. The lack of data load speed sometimes leads to system lags. Customizing reports based on business standards is cumbersome. Pricing is high compared to competitors.

Installation could be simplified with fewer integration issues. Documentation focused on detailed user cases with if and else scenarios would be beneficial.

I have been using Qualys TotalCloud for the past four years with different organizations. I have been with two organizations in the past four years and have been using it at both.

It happens not very often, but sometimes it does occur. In terms of stability, I could say Qualys TotalCloud operates at 95% of the time, and the rest 5% depends on how I manage it.

From a scalability standpoint, I could say it is 90% scalable. The remaining 10% presents a challenge that Qualys could address.

From a technical support perspective, those individuals are competent enough to provide information regarding the product. They offer level one support initially, escalating as needed. I rate them four out of five because they respond quickly if issues are marked as high priority. I would give them 8.5.

I used Prisma Cloud previously. Prisma Cloud has better navigation and UI compared to Qualys TotalCloud. However, I have taken a whole package of Qualys and tend to use it.

In terms of installation, it could be simplified compared to other tools due to its packaging and tooling. A lack of specific help articles and integration issues are present. From a security standpoint, it is good but requires time.

For one of the organizations, I partnered with Qualys as a team since I have large projects. They assisted with a global rollout.

Pricing compared to competitor tools is high. My costs depend on asset subscriptions. Pricing remains constant regardless of asset utilization, whereas other tools employ a credit system.

Prisma Cloud and similar tools have slight variations in flow but follow the same frameworks. Prisma Cloud offers user-friendly navigation that is better than Qualys TotalCloud.

From a technical support perspective, those individuals are competent enough to provide information regarding the product feel. They provide level one support first to understand better. If they cannot resolve the issue, they can escalate it to the next level and come on a call. However, it does not make sense for them to escalate if it is a medium or low priority issue; they address those according to their SLAs. From another perspective, there could be some downsides. In my opinion, this is the best tool. My overall review rating for Qualys TotalCloud is 8.