In my role, I work with Qualys VMDR as part of my responsibilities managing security operations and SecOps. I am currently a CrowdStrike administrator focused on EDR management, while my colleague serves as the Qualys administrator. Along with my responsibilities as a CrowdStrike administrator and EDR admin, I also serve as SOC Lead for the Security Operation Center. In this capacity, I need to navigate through all the tools in our security architecture to obtain details about any incidents or vulnerabilities that are detected. To accomplish this, I navigate through the CSAM and VMDR to check which devices have vulnerabilities present and how they are prioritized. I also check these details through True Risk in Qualys. These are the tools and features I navigate in the Qualys VMDR dashboard or portal when I log in.

For my team, they have the use cases and necessary information readily available. Using Qualys VMDR is primarily to obtain vulnerabilities on the assets we have. Once they prioritize the vulnerabilities, I connect them with the MDM admins, which is InTune or JAMF. For Mac systems, we use JAMF, and for Windows systems, we use InTune. I function as a mediator between my Qualys team and the MDM team to get things done.

We have been using the asset tagging and reporting features in Qualys VMDR. Qualys VMDR's continuous monitoring capabilities help us respond to emergent threats by enabling my team to reach out to the security engineers whenever there is any detection of a vulnerability, informing them about it, and creating an incident. We also work through the incident response phases. We identify the vulnerability and take necessary decisions on whether we need to patch or update software on which vulnerabilities are identified. If there are vulnerabilities regarding open ports or open services, we decide to block the exposed ports.

The initial setup and onboarding process of Qualys VMDR was quite smooth. We were able to draft the SOPs from the documentation portal itself. Everything is available in the documentation, so it was not a hassle for us to get the integrations done on time.

From what I have seen and communicated with my team, True Risk is something that highlights separately. True Risk identifies which vulnerability needs patching, not solely based on the CVSS score. There could be vulnerabilities with higher CVSS scores, but it is not necessary to patch them on a priority basis. There could be others that need remediation despite having low CVSS scores. The prioritization from True Risk is what I appreciate the most.

Qualys VMDR's continuous monitoring capabilities help us respond to emergent threats by enabling my team to reach out to the security engineers whenever there is any detection of a vulnerability, informing them about it, and creating an incident. We work through the incident response phases. We identify the vulnerability and take necessary decisions on whether we need to patch or update software on which vulnerabilities are identified. If there are vulnerabilities regarding open ports or open services, we decide to block the exposed ports.

I haven't explored Qualys VMDR's vulnerability lifecycle automation yet. One of my analysts mentioned that queries lack grouping operators in Qualys VMDR.

From my experience, I would appreciate improvements in the query options in Qualys VMDR, specifically in the query-building process where I would need more features and operators. Additionally, we have been facing issues with Qualys on the cloud level. We cannot download the configuration profile from the cloud agent, and it is showing a pending action for download. During 2025, we noticed outages of Qualys a couple of times. I want to mention that there is an issue with receiving timely RCA deliveries. While this is not necessarily about the tool, it relates to support. The support has not been very responsive, and we are receiving RCAs a little delayed whenever we raise support cases or communicate with the TAMs.

Additionally, the UI has a slight latency, which I and my team have experienced. They have also reported this latency issue when navigating through different pages.

I have been working with Qualys VMDR for about one year.

During 2025, we noticed outages of Qualys a couple of times.

The support has not been very responsive, and we are receiving RCAs a little delayed whenever we raise support cases or communicate with the TAMs. I would rate the tech support of Qualys a six because of the unsatisfactory experience we have experienced.

Other than Qualys, I haven't worked on any other vulnerability management or asset management products. However, I will be getting the opportunity to work on CrowdStrike Spotlight and also on Rapid7 soon, which may help me identify certain things. I am not deployed in the role of SME right now, so I haven't explored the Qualys portal extensively. My main area is EDR, and I have explored CrowdStrike; I can provide comprehensive feedback about that product. Since we are discussing Qualys right now, I can ask my SME to join this discussion for a more detailed and proper review.

The initial setup and onboarding process of Qualys VMDR was quite smooth. We were able to draft the SOPs from the documentation portal itself. Everything is available in the documentation, so it was not a hassle for us to get the integrations done on time.

I would recommend Qualys to other organizations, but I have heard from my seniors and leadership team that there is a cost factor which differentiates Qualys from other offerings. I haven't been involved in those calls where decisions are made about acquiring products, but I have heard it is more expensive than other tools in the market.

I have some understanding about PeerSpot, and I have visited the website. PeerSpot is similar to TrustRadius. It takes reviews from customers or end users who are using the tools and technologies in the market, and then provides a total review of that tool.

My team works with the Qualys TotalCloud and True Risk Management products, and they generate reports. As for hands-on experience with Qualys technologies, I navigate through the Qualys portal, and I only use CSAM and Qualys VMDR. Apart from that, I do not perform many other tasks in Qualys. I receive reports from my teammates who work in vulnerability management. They prioritize the vulnerabilities they have detected according to the workstation and servers, then they decide what to remediate and what to patch based on the priority.

When I became SOC Lead, I also got the responsibility of administrator. Additionally, I have other responsibilities where I check on my teammates to ensure they are carrying out their tasks. I play a kind of team lead role. I receive reports from them about workstation vulnerabilities, server vulnerabilities, remediation and patching plans. I also check if the cloud agent is deployed in all the assets. My teammates deploy the scanner appliances and carry out the discovery scans and network scans. In my SIEM tool, I observe a log ingestion spike when the Qualys VMDR scanner appliance is running scans. This is also something I need to manage to tune it out when there are Qualys IPs and internal IPs assigned to the Qualys VMDR scanner appliance. These are some of the tasks I carry out day to day.

Regarding the effectiveness of asset tagging in managing risk exposure, I haven't focused much in that area, but I see asset tagging as beneficial for us, similar to how we use tags in CrowdStrike. We have tags for all the different assets, which include site, cloud account, and department. It is easy for us to differentiate the assets based on those tags. Whenever we are creating groups and deploying policies or actions on those groups, we can use tags for separating them. That is the extent of my knowledge in this area for now.

We haven't utilized Qualys VMDR's integration with threat intelligence feeds in our security architecture because we have our SIEM tool, which is centralized with integrated threat intelligence from CrowdStrike.

I need to discuss the use of platform analytics in Qualys VMDR with my team to determine if they are using it. I can bring my Qualys SME into a discussion to provide feedback because he has been using Qualys for a very long time and has considerable expertise with the tool.

What improvements would I suggest for this product? From what I have heard and seen, more clarity in group operations in query-building and resolving cloud agent download issues would be beneficial. For my experience, what were the initial challenges when using this product? The cloud level issues, especially during configuration profile downloads, stand out.

I would rate this product an eight overall.

My main use cases for Qualys VMDR are for server vulnerability and missing patches.

The most helpful and useful features of Qualys VMDR are its user-friendly design.

Qualys VMDR is easy to understand and provides detailed reports.

It impacts my workflow overall, with the patch management features as it has the missing patches listed in detail, making it easier to get a comprehensive report and providing some dashboards that offer visual representation.

There were some issues later with Qualys VMDR regarding security, specifically with numerous false positive reports.

It doesn't take much time to deploy Qualys VMDR. There is a process mentioned already on the website about how to proceed with the installation, so we followed that process.

I am satisfied with the support of Qualys VMDR as they are supportive. However, there are sometimes issues where we cannot talk to customer support directly, and we have to raise tickets, which sometimes takes a lot of time to resolve issues because it goes through their own phase. We cannot change the SLA or the priority of the tickets, so that is an issue.

Our organization changed to something else due to a higher management decision, and that might be the reason for the change regarding the pricing.

We are not using any AI features with Qualys VMDR.

Overall, I would rate Qualys VMDR as good, giving it an eight.

We use Qualys VMDR for daily vulnerability management, scanning vulnerabilities, identifying vulnerabilities, reporting, creating dashboards, and the whole vulnerability management process. We also use it for patch management.

What I find valuable about Qualys VMDR is the capability of the tool and its user-friendliness. It is easy to use and provides accurate results, which is exactly what we are looking for. The prioritization of vulnerabilities has improved our remediation efforts by around thirty to thirty-five percent. The tool's integration between Patch Management and other Qualys products is also indispensable.

They can tweak their UI since the new version seems a bit jumbled up, and the old UI was more user-friendly.

I have been using Qualys VMDR for three years.

We find Qualys VMDR quite stable and have not faced any performance issues with it.

I believe the solution is scalable.

We usually get on calls with tech support, and they are very helpful. I would rate the technical support a nine out of ten.

We worked with Nessus and Rapid7 before switching to Qualys VMDR. Qualys offers better pricing and more features compared to other tools. We did not find anything particularly missing from previous tools.

The setup is straightforward and easy. We deployed scanners and agents on all our devices, configured the network, whitelisted policy scanners, and public URLs. Testing was conducted before deploying, and it went smoothly.

We had a team of five to six people involved in the deployment aspect due to the large number of assets.

Qualys VMDR helps us be compliant, and vulnerability management is a crucial part of maintaining our organization's security, significantly contributing to ROI.

Qualys offers better pricing and is feature-packed compared to other tools.

We evaluated Nessus and Rapid7 before choosing Qualys VMDR.

I would recommend getting both VMDR and the Cloud Agent to ensure comprehensive asset coverage. Understanding the network architecture is crucial to ensure no segments are missed under Qualys. Overall, I rate Qualys a nine out of ten.

We mostly use Qualys VMDR for vulnerability management and compliance practices. Every week, my team and I run automated scans that are scheduled, and we share whatever vulnerabilities are found with the infrastructure team to remediate them.

Qualys VMDR provides a real-time response and reporting feature, which is excellent. It allows us to see real-time graphs and reports for every asset, server, and more, which is very user-friendly.

Our clients have given good feedback, and they are satisfied with the tool. We use it daily to fix vulnerabilities by connecting with infrastructure to remediate. The feedback from the client side is very good.

Regarding improvement, compliance features haven't been utilized much. I anticipate more benefits in this area in the future. Integrating other teams, such as GRV, with Qualys would be very beneficial.

Additionally, if AI features were integrated, it could enhance the capabilities significantly.

I have been using Qualys VMDR for about six months. I started working in vulnerability management with my company in the SOC.

I haven't experienced any downtime during my working hours. However, there might be times when it could go down. I would rate stability around 8.5 or nine out of ten.

Qualys VMDR can handle scalability, although increasing the inventory can raise the licensing costs. However, it can escalate and adapt to many needs if required.

Customer support is satisfactory. When reaching out via email, they reply quickly. I would rate their customer support eight out of ten.

I have used another vendor for a different client, which is Rapid7. However, I found Rapid7 not as user-friendly as Qualys. The console is less user-friendly, and running sample templates or scans is more complex compared to Qualys.

I am not aware of the exact pricing, as it comes as an MSP model from the client. However, I have a notion that Qualys might be more expensive than Rapid7.

I have evaluated Rapid7 along with Qualys. In a rating out of five, I would give Qualys four and Rapid7 two, as Rapid7 is more complex and not as user-friendly.

I would recommend Qualys VMDR to others comparing it with other VM tools, due to its valuable features, including real-time responses and detailed reporting.

Overall, I would rate Qualys eight out of ten. With potential improvements and AI integration, it could offer even more.

The primary use case of Qualys VMDR was to monitor around two hundred users, servers, and VMs weekly. We needed to ensure that all vulnerabilities were tracked and addressed. Our users were mainly developers using various applications, and we needed to ensure compliance with client requirements. The goal was to keep our systems up-to-date and secure.

Before using Qualys VMDR, we used OpenVAS, an open-source solution. It was challenging to find a direct solution for vulnerabilities.

With Qualys VMDR, it became simple to understand the severity of issues and prioritize fixes. We could ensure our top management was satisfied, knowing issues were visible and addressed.

It allowed us to divide tasks easily among teammates, significantly improving efficiency. We saw a return on investment in time, money, and resources.

Qualys VMDR offers a one-stop solution for monitoring and reporting. The UI is straightforward and user-friendly, and even beginners can master it in a day.

It allows for simplicity in understanding issues and generating reports for clear visibility. The benefits of task division among teammates and the ability to work together without delays were significant.

Qualys VMDR identifies vulnerabilities and suggests fixes. However, it does not automate patching unless the patch management module is purchased separately.

Automating features could reduce manual efforts and make the process less lengthy. Integration of AI could enhance benefits, especially in handling false positives.

I have used the solution for around three years.

We did not experience any bugs, glitches, or downtime. I would rate the stability a nine out of ten.

Scalability depends on the license and the number of assets being monitored. I would rate the scalability an eight out of ten.

The technical support provided by Qualys is pretty good, and I would rate it an eight out of ten.

Before Qualys VMDR, we used Greenhorn’s OpenVAS. It was open-source, but it offered no direct solutions. Reports were only available with scheduled scans, which made immediate issue resolution difficult.

The initial setup was straightforward. The deployment was up and running in a day with assistance from the support team.

Only one person was involved in implementing Qualys VMDR.

We saw a return on investment through significant savings in time, money, and resources. The solution allowed for efficient task management among team members.

For smaller enterprises, the pricing is on the pricier side. However, for larger enterprises, it's considered okay. I would rate the pricing between seven to eight out of ten.

We previously used OpenVAS.

Overall, the solution is highly rated because of its simplicity and efficiency. I would rate it a nine out of ten.

We use it for vulnerability management and report generation mostly. I am trying to solve the issue wherein the stakeholders can get automated vulnerability reports to their mailbox.

Using this product, we now have a vulnerability management cycle wherein VMDR plays a major role. It has greatly increased the capability on the detection aspect of the vulnerability and improved our scope and visibility on all other endpoints.

I like the automated report generation and vulnerability report generation.

I don't have any improvement requests on top of my mind right now. The response time of technical support takes a while.

It's been more than two years now.

I would rate the stability as nine out of ten. It's quite stable.

The solution is scalable.

My rating for the technical support for Qualys is six out of ten. The response time takes a while.

I personally didn't use a different solution before Qualys.

Although I was not present during the initial deployment process, it's pretty straightforward. It's just an agent installation, which automatically connects it to the cloud platform, so the implementation won't take as long.

I would recommend Qualys VMDR to the other stakeholders because it already has its place in the market, and it's very reliable.

I'd rate the solution eight out of ten.