Sold by: Qualys
Deployed on AWS
Risk-Based Vulnerability Management & Patch Management
4.2
Overview
Industry leading risk-based vulnerability management solution (VMDR) & Patch Management
Highlights
- - Comprehensive risk-based vulnerability management solution - Automate patching for cloud and on-prem assets (operating systems & 100+ 3rd party applications)
New
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Buyer guide
Gain valuable insights from real users who purchased this product, powered by PeerSpot.
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Pricing
Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Dimension | Description | Cost/month |
|---|---|---|
VMDR FixIT (64) | Package of 64 Hosts for VMDR FixIT | $550.00 |
VMDR FixIT (128) | Package of 128 Hosts for VMDR FixIT | $935.00 |
VMDR FixIT (256) | Package of 256 Hosts for VMDR FixIT | $1,650.00 |
VMDR FixIT (512) | Package of 512 Hosts for VMDR FixIT | $2,861.00 |
VMDR FixIT (1024) | Package of 1024 Hosts for VMDR FixIT | $4,617.00 |
VMDR FixIT (1536) | Package of 1536 Hosts for VMDR FixIT | $6,110.00 |
VMDR FixIT (2048) | Package of 2048 Hosts for VMDR FixIT | $7,455.00 |
VMDR FixIT (2560) | Package of 2560 Hosts for VMDR FixIT | $8,699.00 |
Vendor refund policy
Licensed Qualys customers should refer to their Service User Agreement (SUA) or contact their Qualys Technical Account Manager if they have questions about refund or cancellation policies which would apply to them.
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Resources
Vendor resources
Support
Vendor support
https://www.qualys.com/support/ || US/Canada: +1 (866) 801-6161 (toll free) or +1 (650) 801-6161 || UK/Europe/International: +44 (0)1753 872102 || France: +33 1 41 97 35 81
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Updated weekly
By Qualys
By Rapid7
By Sophos
Sentiment is AI generated from actual customer reviews on AWS and G2
Functionality
Ease of use
Customer service
Cost effectiveness
Positive reviews
Mixed reviews
Negative reviews
AI generated from product descriptions
Vulnerability Detection
Comprehensive scanning and identification of security vulnerabilities across cloud and on-premises assets
Patch Management
Automated patching capabilities for operating systems and over 100 third-party applications
Risk-Based Assessment
Prioritization of vulnerabilities using risk-based methodology for targeted remediation
Multi-Platform Support
Detection and management capabilities spanning cloud and on-premises infrastructure
Asset Discovery
Automated identification and inventory of system assets for comprehensive security coverage
Attack Surface Mapping
Comprehensive visibility into security exposures across endpoints, cloud infrastructure, and application environments
Exposure Detection
Native and third-party telemetry aggregation for identifying vulnerabilities with high-fidelity risk context
Automated Risk Prioritization
Risk scoring mechanism that evaluates potential compromise blast radius and prioritizes remediation actions
Compliance Management
Automated discovery and enforcement of organizational security policies across hybrid environments
Integration Capabilities
Native no-code automation with over 450 integrations supporting security and ITOps tool ecosystems
Cloud Security Posture Management
Continuous scanning of cloud environments to identify assets, assess security and compliance settings, and detect potential malicious activities with integration to AWS GuardDuty and SecurityHub
Endpoint Protection
Advanced agent-based protection against malware, fileless threats, and ransomware for Windows and Linux hosts in cloud environments
Threat Detection and Response
24/7 managed detection and response service leveraging telemetry from multiple security solutions including endpoint, firewall, network, email, and identity platforms
Cloud Workload Protection
Security agents designed to protect cloud-based Windows and Linux hosts against modern cyber threats including ransomware
Network Security
Cloud edge firewall solution providing network visibility, protection, and response across public, private, and hybrid cloud environments using cloud native, virtual, and physical appliances
Standard contract
No
No
No
Customer reviews
Vaibhav Ghule
Continuous risk-based monitoring has strengthened incident response and vulnerability prioritization
Reviewed on Jan 08, 2026
Review from a verified AWS customer
What is our primary use case?
In my role, I work with Qualys VMDR as part of my responsibilities managing security operations and SecOps. I am currently a CrowdStrike administrator focused on EDR management, while my colleague serves as the Qualys administrator. Along with my responsibilities as a CrowdStrike administrator and EDR admin, I also serve as SOC Lead for the Security Operation Center. In this capacity, I need to navigate through all the tools in our security architecture to obtain details about any incidents or vulnerabilities that are detected. To accomplish this, I navigate through the CSAM and VMDR to check which devices have vulnerabilities present and how they are prioritized. I also check these details through True Risk in Qualys. These are the tools and features I navigate in the Qualys VMDR dashboard or portal when I log in.
For my team, they have the use cases and necessary information readily available. Using Qualys VMDR is primarily to obtain vulnerabilities on the assets we have. Once they prioritize the vulnerabilities, I connect them with the MDM admins, which is InTune or JAMF. For Mac systems, we use JAMF, and for Windows systems, we use InTune. I function as a mediator between my Qualys team and the MDM team to get things done.
We have been using the asset tagging and reporting features in Qualys VMDR. Qualys VMDR's continuous monitoring capabilities help us respond to emergent threats by enabling my team to reach out to the security engineers whenever there is any detection of a vulnerability, informing them about it, and creating an incident. We also work through the incident response phases. We identify the vulnerability and take necessary decisions on whether we need to patch or update software on which vulnerabilities are identified. If there are vulnerabilities regarding open ports or open services, we decide to block the exposed ports.
The initial setup and onboarding process of Qualys VMDR was quite smooth. We were able to draft the SOPs from the documentation portal itself. Everything is available in the documentation, so it was not a hassle for us to get the integrations done on time.
What is most valuable?
From what I have seen and communicated with my team, True Risk is something that highlights separately. True Risk identifies which vulnerability needs patching, not solely based on the CVSS score. There could be vulnerabilities with higher CVSS scores, but it is not necessary to patch them on a priority basis. There could be others that need remediation despite having low CVSS scores. The prioritization from True Risk is what I appreciate the most.
Qualys VMDR's continuous monitoring capabilities help us respond to emergent threats by enabling my team to reach out to the security engineers whenever there is any detection of a vulnerability, informing them about it, and creating an incident. We work through the incident response phases. We identify the vulnerability and take necessary decisions on whether we need to patch or update software on which vulnerabilities are identified. If there are vulnerabilities regarding open ports or open services, we decide to block the exposed ports.
What needs improvement?
I haven't explored Qualys VMDR's vulnerability lifecycle automation yet. One of my analysts mentioned that queries lack grouping operators in Qualys VMDR.
From my experience, I would appreciate improvements in the query options in Qualys VMDR, specifically in the query-building process where I would need more features and operators. Additionally, we have been facing issues with Qualys on the cloud level. We cannot download the configuration profile from the cloud agent, and it is showing a pending action for download. During 2025, we noticed outages of Qualys a couple of times. I want to mention that there is an issue with receiving timely RCA deliveries. While this is not necessarily about the tool, it relates to support. The support has not been very responsive, and we are receiving RCAs a little delayed whenever we raise support cases or communicate with the TAMs.
Additionally, the UI has a slight latency, which I and my team have experienced. They have also reported this latency issue when navigating through different pages.
For how long have I used the solution?
I have been working with Qualys VMDR for about one year.
What do I think about the stability of the solution?
During 2025, we noticed outages of Qualys a couple of times.
How are customer service and support?
The support has not been very responsive, and we are receiving RCAs a little delayed whenever we raise support cases or communicate with the TAMs. I would rate the tech support of Qualys a six because of the unsatisfactory experience we have experienced.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Other than Qualys, I haven't worked on any other vulnerability management or asset management products. However, I will be getting the opportunity to work on CrowdStrike Spotlight and also on Rapid7 soon, which may help me identify certain things. I am not deployed in the role of SME right now, so I haven't explored the Qualys portal extensively. My main area is EDR, and I have explored CrowdStrike; I can provide comprehensive feedback about that product. Since we are discussing Qualys right now, I can ask my SME to join this discussion for a more detailed and proper review.
How was the initial setup?
The initial setup and onboarding process of Qualys VMDR was quite smooth. We were able to draft the SOPs from the documentation portal itself. Everything is available in the documentation, so it was not a hassle for us to get the integrations done on time.
Which other solutions did I evaluate?
I would recommend Qualys to other organizations, but I have heard from my seniors and leadership team that there is a cost factor which differentiates Qualys from other offerings. I haven't been involved in those calls where decisions are made about acquiring products, but I have heard it is more expensive than other tools in the market.
What other advice do I have?
I have some understanding about PeerSpot, and I have visited the website. PeerSpot is similar to TrustRadius. It takes reviews from customers or end users who are using the tools and technologies in the market, and then provides a total review of that tool.
My team works with the Qualys TotalCloud and True Risk Management products, and they generate reports. As for hands-on experience with Qualys technologies, I navigate through the Qualys portal, and I only use CSAM and Qualys VMDR. Apart from that, I do not perform many other tasks in Qualys. I receive reports from my teammates who work in vulnerability management. They prioritize the vulnerabilities they have detected according to the workstation and servers, then they decide what to remediate and what to patch based on the priority.
When I became SOC Lead, I also got the responsibility of administrator. Additionally, I have other responsibilities where I check on my teammates to ensure they are carrying out their tasks. I play a kind of team lead role. I receive reports from them about workstation vulnerabilities, server vulnerabilities, remediation and patching plans. I also check if the cloud agent is deployed in all the assets. My teammates deploy the scanner appliances and carry out the discovery scans and network scans. In my SIEM tool, I observe a log ingestion spike when the Qualys VMDR scanner appliance is running scans. This is also something I need to manage to tune it out when there are Qualys IPs and internal IPs assigned to the Qualys VMDR scanner appliance. These are some of the tasks I carry out day to day.
Regarding the effectiveness of asset tagging in managing risk exposure, I haven't focused much in that area, but I see asset tagging as beneficial for us, similar to how we use tags in CrowdStrike. We have tags for all the different assets, which include site, cloud account, and department. It is easy for us to differentiate the assets based on those tags. Whenever we are creating groups and deploying policies or actions on those groups, we can use tags for separating them. That is the extent of my knowledge in this area for now.
We haven't utilized Qualys VMDR's integration with threat intelligence feeds in our security architecture because we have our SIEM tool, which is centralized with integrated threat intelligence from CrowdStrike.
I need to discuss the use of platform analytics in Qualys VMDR with my team to determine if they are using it. I can bring my Qualys SME into a discussion to provide feedback because he has been using Qualys for a very long time and has considerable expertise with the tool.
What improvements would I suggest for this product? From what I have heard and seen, more clarity in group operations in query-building and resolving cloud agent download issues would be beneficial. For my experience, what were the initial challenges when using this product? The cloud level issues, especially during configuration profile downloads, stand out.
I would rate this product an eight overall.
reviewer2753559
Reduces vulnerability exposure time and automates workflow for efficient security management
Reviewed on Sep 03, 2025
Review from a verified AWS customer
What is our primary use case?
My main use case for Qualys VMDR is to manage and remediate vulnerabilities and prioritize it based on the criticality score.
I can give a quick, specific example of how I've managed and remediated vulnerabilities using Qualys VMDR : First of all, we use it to quickly detect critical vulnerabilities in the network environment, and apart from that, we are using it to apply patches directly through integrated patch management, which reduces exposure time and human efforts.
I don't have anything else to add about my main use case or how I use Qualys VMDR at the moment.
What is most valuable?
The best features Qualys VMDR offers include built-in threat intelligence for prioritizing high-risk vulnerabilities and integrated patch management to remediate a vulnerability, providing coverage on the network level and on the OS level as well.
Qualys VMDR has positively impacted my organization by reducing vulnerability exposure time through faster detection and patching, and it has improved compliance reporting with accurate and up-to-date data. It also lowered manual effort for the security team by automating workflow.
One specific outcome I can share is that it has decreased by 30%.
What needs improvement?
One area where Qualys VMDR can be improved is the missing feature for deploying agents for over 1,000 assets, as we need to do it manually. Qualys doesn't have its own tool to deploy the agents all at once, so we need to use third-party tools such as BigFix or something else to deploy the agents, which is my main concern and should be fixed by the Qualys team.
That is the main thing I would like to see changed, and apart from that, everything is good.
For how long have I used the solution?
I have been using Qualys VMDR for the past one year.
What was my experience with deployment of the solution?
We directly purchased Qualys VMDR from Qualys, not through the AWS Marketplace .
What do I think about the stability of the solution?
Sometimes we are facing downtime, but it is very rare, occurring once in a blue moon.
Qualys VMDR is stable.
What do I think about the scalability of the solution?
Qualys VMDR's scalability is good, and the customer support is good, but sometimes the customer support occasionally delays in response more than expected.
How are customer service and support?
Qualys VMDR's scalability is good, and the customer support is good, but sometimes the customer support occasionally delays in response more than expected. I would rate the customer support an eight.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We didn't use any solution before Qualys.
How was the initial setup?
My experience with pricing, setup cost, and licensing shows that we can consider both time and money saved.
The detail I can share is that it is around 30 to 40%.
What was our ROI?
One specific outcome or metric I can share is that it has decreased by 30%.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup cost, and licensing shows that we can consider both time and money saved.
Which other solutions did I evaluate?
Before choosing Qualys VMDR, we didn't evaluate any other options.
What other advice do I have?
I would advise others looking into using Qualys VMDR to make sure that Qualys is compatible with your network, and please ensure that all the configurations are in place before proceeding.
I wasn't offered any gift card or incentive for this review.
On a scale of 1-10, I rate Qualys VMDR a 10.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Nabanita Roy
Strong report clarity and efficient deployment but customer support needs faster resolution
Reviewed on May 22, 2025
Review provided by PeerSpot
What is our primary use case?
My main use cases for Qualys VMDR are for server vulnerability and missing patches.
What is most valuable?
The most helpful and useful features of Qualys VMDR are its user-friendly design.
Qualys VMDR is easy to understand and provides detailed reports.
It impacts my workflow overall, with the patch management features as it has the missing patches listed in detail, making it easier to get a comprehensive report and providing some dashboards that offer visual representation.
What needs improvement?
There were some issues later with Qualys VMDR regarding security, specifically with numerous false positive reports.
What was my experience with deployment of the solution?
It doesn't take much time to deploy Qualys VMDR. There is a process mentioned already on the website about how to proceed with the installation, so we followed that process.
How are customer service and support?
I am satisfied with the support of Qualys VMDR as they are supportive. However, there are sometimes issues where we cannot talk to customer support directly, and we have to raise tickets, which sometimes takes a lot of time to resolve issues because it goes through their own phase. We cannot change the SLA or the priority of the tickets, so that is an issue.
How would you rate customer service and support?
Positive
Which other solutions did I evaluate?
Our organization changed to something else due to a higher management decision, and that might be the reason for the change regarding the pricing.
What other advice do I have?
We are not using any AI features with Qualys VMDR.
Overall, I would rate Qualys VMDR as good, giving it an eight.
reviewer2588394
User-friendliness and effective prioritization improve remediation efforts
Reviewed on Mar 05, 2025
Review provided by PeerSpot
What is our primary use case?
We use Qualys VMDR for daily vulnerability management, scanning vulnerabilities, identifying vulnerabilities, reporting, creating dashboards, and the whole vulnerability management process. We also use it for patch management.
What is most valuable?
What I find valuable about Qualys VMDR is the capability of the tool and its user-friendliness. It is easy to use and provides accurate results, which is exactly what we are looking for. The prioritization of vulnerabilities has improved our remediation efforts by around thirty to thirty-five percent. The tool's integration between Patch Management and other Qualys products is also indispensable.
What needs improvement?
They can tweak their UI since the new version seems a bit jumbled up, and the old UI was more user-friendly.
For how long have I used the solution?
I have been using Qualys VMDR for three years.
What do I think about the stability of the solution?
We find Qualys VMDR quite stable and have not faced any performance issues with it.
What do I think about the scalability of the solution?
I believe the solution is scalable.
How are customer service and support?
We usually get on calls with tech support, and they are very helpful. I would rate the technical support a nine out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We worked with Nessus and Rapid7 before switching to Qualys VMDR. Qualys offers better pricing and more features compared to other tools. We did not find anything particularly missing from previous tools.
How was the initial setup?
The setup is straightforward and easy. We deployed scanners and agents on all our devices, configured the network, whitelisted policy scanners, and public URLs. Testing was conducted before deploying, and it went smoothly.
What about the implementation team?
We had a team of five to six people involved in the deployment aspect due to the large number of assets.
What was our ROI?
Qualys VMDR helps us be compliant, and vulnerability management is a crucial part of maintaining our organization's security, significantly contributing to ROI.
What's my experience with pricing, setup cost, and licensing?
Qualys offers better pricing and is feature-packed compared to other tools.
Which other solutions did I evaluate?
We evaluated Nessus and Rapid7 before choosing Qualys VMDR.
What other advice do I have?
I would recommend getting both VMDR and the Cloud Agent to ensure comprehensive asset coverage. Understanding the network architecture is crucial to ensure no segments are missed under Qualys. Overall, I rate Qualys a nine out of ten.
Ankesh Raj
Real-time responses and reporting streamline vulnerability management
Reviewed on Dec 04, 2024
Review provided by PeerSpot
What is our primary use case?
We mostly use Qualys VMDR for vulnerability management and compliance practices. Every week, my team and I run automated scans that are scheduled, and we share whatever vulnerabilities are found with the infrastructure team to remediate them.
What is most valuable?
Qualys VMDR provides a real-time response and reporting feature, which is excellent. It allows us to see real-time graphs and reports for every asset, server, and more, which is very user-friendly.
Our clients have given good feedback, and they are satisfied with the tool. We use it daily to fix vulnerabilities by connecting with infrastructure to remediate. The feedback from the client side is very good.
What needs improvement?
Regarding improvement, compliance features haven't been utilized much. I anticipate more benefits in this area in the future. Integrating other teams, such as GRV, with Qualys would be very beneficial.
Additionally, if AI features were integrated, it could enhance the capabilities significantly.
For how long have I used the solution?
I have been using Qualys VMDR for about six months. I started working in vulnerability management with my company in the SOC.
What do I think about the stability of the solution?
I haven't experienced any downtime during my working hours. However, there might be times when it could go down. I would rate stability around 8.5 or nine out of ten.
What do I think about the scalability of the solution?
Qualys VMDR can handle scalability, although increasing the inventory can raise the licensing costs. However, it can escalate and adapt to many needs if required.
How are customer service and support?
Customer support is satisfactory. When reaching out via email, they reply quickly. I would rate their customer support eight out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have used another vendor for a different client, which is Rapid7. However, I found Rapid7 not as user-friendly as Qualys. The console is less user-friendly, and running sample templates or scans is more complex compared to Qualys.
What's my experience with pricing, setup cost, and licensing?
I am not aware of the exact pricing, as it comes as an MSP model from the client. However, I have a notion that Qualys might be more expensive than Rapid7.
Which other solutions did I evaluate?
I have evaluated Rapid7 along with Qualys. In a rating out of five, I would give Qualys four and Rapid7 two, as Rapid7 is more complex and not as user-friendly.
What other advice do I have?
I would recommend Qualys VMDR to others comparing it with other VM tools, due to its valuable features, including real-time responses and detailed reporting.
Overall, I would rate Qualys eight out of ten. With potential improvements and AI integration, it could offer even more.