In my role, I work with Qualys VMDR as part of my responsibilities managing security operations and SecOps. I am currently a CrowdStrike administrator focused on EDR management, while my colleague serves as the Qualys administrator. Along with my responsibilities as a CrowdStrike administrator and EDR admin, I also serve as SOC Lead for the Security Operation Center. In this capacity, I need to navigate through all the tools in our security architecture to obtain details about any incidents or vulnerabilities that are detected. To accomplish this, I navigate through the CSAM and VMDR to check which devices have vulnerabilities present and how they are prioritized. I also check these details through True Risk in Qualys. These are the tools and features I navigate in the Qualys VMDR dashboard or portal when I log in.

For my team, they have the use cases and necessary information readily available. Using Qualys VMDR is primarily to obtain vulnerabilities on the assets we have. Once they prioritize the vulnerabilities, I connect them with the MDM admins, which is InTune or JAMF. For Mac systems, we use JAMF, and for Windows systems, we use InTune. I function as a mediator between my Qualys team and the MDM team to get things done.

We have been using the asset tagging and reporting features in Qualys VMDR. Qualys VMDR's continuous monitoring capabilities help us respond to emergent threats by enabling my team to reach out to the security engineers whenever there is any detection of a vulnerability, informing them about it, and creating an incident. We also work through the incident response phases. We identify the vulnerability and take necessary decisions on whether we need to patch or update software on which vulnerabilities are identified. If there are vulnerabilities regarding open ports or open services, we decide to block the exposed ports.

The initial setup and onboarding process of Qualys VMDR was quite smooth. We were able to draft the SOPs from the documentation portal itself. Everything is available in the documentation, so it was not a hassle for us to get the integrations done on time.

From what I have seen and communicated with my team, True Risk is something that highlights separately. True Risk identifies which vulnerability needs patching, not solely based on the CVSS score. There could be vulnerabilities with higher CVSS scores, but it is not necessary to patch them on a priority basis. There could be others that need remediation despite having low CVSS scores. The prioritization from True Risk is what I appreciate the most.

Qualys VMDR's continuous monitoring capabilities help us respond to emergent threats by enabling my team to reach out to the security engineers whenever there is any detection of a vulnerability, informing them about it, and creating an incident. We work through the incident response phases. We identify the vulnerability and take necessary decisions on whether we need to patch or update software on which vulnerabilities are identified. If there are vulnerabilities regarding open ports or open services, we decide to block the exposed ports.

I haven't explored Qualys VMDR's vulnerability lifecycle automation yet. One of my analysts mentioned that queries lack grouping operators in Qualys VMDR.

From my experience, I would appreciate improvements in the query options in Qualys VMDR, specifically in the query-building process where I would need more features and operators. Additionally, we have been facing issues with Qualys on the cloud level. We cannot download the configuration profile from the cloud agent, and it is showing a pending action for download. During 2025, we noticed outages of Qualys a couple of times. I want to mention that there is an issue with receiving timely RCA deliveries. While this is not necessarily about the tool, it relates to support. The support has not been very responsive, and we are receiving RCAs a little delayed whenever we raise support cases or communicate with the TAMs.

Additionally, the UI has a slight latency, which I and my team have experienced. They have also reported this latency issue when navigating through different pages.

I have been working with Qualys VMDR for about one year.

During 2025, we noticed outages of Qualys a couple of times.

The support has not been very responsive, and we are receiving RCAs a little delayed whenever we raise support cases or communicate with the TAMs. I would rate the tech support of Qualys a six because of the unsatisfactory experience we have experienced.

Other than Qualys, I haven't worked on any other vulnerability management or asset management products. However, I will be getting the opportunity to work on CrowdStrike Spotlight and also on Rapid7 soon, which may help me identify certain things. I am not deployed in the role of SME right now, so I haven't explored the Qualys portal extensively. My main area is EDR, and I have explored CrowdStrike; I can provide comprehensive feedback about that product. Since we are discussing Qualys right now, I can ask my SME to join this discussion for a more detailed and proper review.

The initial setup and onboarding process of Qualys VMDR was quite smooth. We were able to draft the SOPs from the documentation portal itself. Everything is available in the documentation, so it was not a hassle for us to get the integrations done on time.

I would recommend Qualys to other organizations, but I have heard from my seniors and leadership team that there is a cost factor which differentiates Qualys from other offerings. I haven't been involved in those calls where decisions are made about acquiring products, but I have heard it is more expensive than other tools in the market.

I have some understanding about PeerSpot, and I have visited the website. PeerSpot is similar to TrustRadius. It takes reviews from customers or end users who are using the tools and technologies in the market, and then provides a total review of that tool.

My team works with the Qualys TotalCloud and True Risk Management products, and they generate reports. As for hands-on experience with Qualys technologies, I navigate through the Qualys portal, and I only use CSAM and Qualys VMDR. Apart from that, I do not perform many other tasks in Qualys. I receive reports from my teammates who work in vulnerability management. They prioritize the vulnerabilities they have detected according to the workstation and servers, then they decide what to remediate and what to patch based on the priority.

When I became SOC Lead, I also got the responsibility of administrator. Additionally, I have other responsibilities where I check on my teammates to ensure they are carrying out their tasks. I play a kind of team lead role. I receive reports from them about workstation vulnerabilities, server vulnerabilities, remediation and patching plans. I also check if the cloud agent is deployed in all the assets. My teammates deploy the scanner appliances and carry out the discovery scans and network scans. In my SIEM tool, I observe a log ingestion spike when the Qualys VMDR scanner appliance is running scans. This is also something I need to manage to tune it out when there are Qualys IPs and internal IPs assigned to the Qualys VMDR scanner appliance. These are some of the tasks I carry out day to day.

Regarding the effectiveness of asset tagging in managing risk exposure, I haven't focused much in that area, but I see asset tagging as beneficial for us, similar to how we use tags in CrowdStrike. We have tags for all the different assets, which include site, cloud account, and department. It is easy for us to differentiate the assets based on those tags. Whenever we are creating groups and deploying policies or actions on those groups, we can use tags for separating them. That is the extent of my knowledge in this area for now.

We haven't utilized Qualys VMDR's integration with threat intelligence feeds in our security architecture because we have our SIEM tool, which is centralized with integrated threat intelligence from CrowdStrike.

I need to discuss the use of platform analytics in Qualys VMDR with my team to determine if they are using it. I can bring my Qualys SME into a discussion to provide feedback because he has been using Qualys for a very long time and has considerable expertise with the tool.

What improvements would I suggest for this product? From what I have heard and seen, more clarity in group operations in query-building and resolving cloud agent download issues would be beneficial. For my experience, what were the initial challenges when using this product? The cloud level issues, especially during configuration profile downloads, stand out.

I would rate this product an eight overall.

My main use cases for Qualys VMDR are for server vulnerability and missing patches.

The most helpful and useful features of Qualys VMDR are its user-friendly design.

Qualys VMDR is easy to understand and provides detailed reports.

It impacts my workflow overall, with the patch management features as it has the missing patches listed in detail, making it easier to get a comprehensive report and providing some dashboards that offer visual representation.

There were some issues later with Qualys VMDR regarding security, specifically with numerous false positive reports.

It doesn't take much time to deploy Qualys VMDR. There is a process mentioned already on the website about how to proceed with the installation, so we followed that process.

I am satisfied with the support of Qualys VMDR as they are supportive. However, there are sometimes issues where we cannot talk to customer support directly, and we have to raise tickets, which sometimes takes a lot of time to resolve issues because it goes through their own phase. We cannot change the SLA or the priority of the tickets, so that is an issue.

Our organization changed to something else due to a higher management decision, and that might be the reason for the change regarding the pricing.

We are not using any AI features with Qualys VMDR.

Overall, I would rate Qualys VMDR as good, giving it an eight.

We use Qualys VMDR for daily vulnerability management, scanning vulnerabilities, identifying vulnerabilities, reporting, creating dashboards, and the whole vulnerability management process. We also use it for patch management.

What I find valuable about Qualys VMDR is the capability of the tool and its user-friendliness. It is easy to use and provides accurate results, which is exactly what we are looking for. The prioritization of vulnerabilities has improved our remediation efforts by around thirty to thirty-five percent. The tool's integration between Patch Management and other Qualys products is also indispensable.

They can tweak their UI since the new version seems a bit jumbled up, and the old UI was more user-friendly.

I have been using Qualys VMDR for three years.

We find Qualys VMDR quite stable and have not faced any performance issues with it.

I believe the solution is scalable.

We usually get on calls with tech support, and they are very helpful. I would rate the technical support a nine out of ten.

We worked with Nessus and Rapid7 before switching to Qualys VMDR. Qualys offers better pricing and more features compared to other tools. We did not find anything particularly missing from previous tools.

The setup is straightforward and easy. We deployed scanners and agents on all our devices, configured the network, whitelisted policy scanners, and public URLs. Testing was conducted before deploying, and it went smoothly.

We had a team of five to six people involved in the deployment aspect due to the large number of assets.

Qualys VMDR helps us be compliant, and vulnerability management is a crucial part of maintaining our organization's security, significantly contributing to ROI.

Qualys offers better pricing and is feature-packed compared to other tools.

We evaluated Nessus and Rapid7 before choosing Qualys VMDR.

I would recommend getting both VMDR and the Cloud Agent to ensure comprehensive asset coverage. Understanding the network architecture is crucial to ensure no segments are missed under Qualys. Overall, I rate Qualys a nine out of ten.

We mostly use Qualys VMDR for vulnerability management and compliance practices. Every week, my team and I run automated scans that are scheduled, and we share whatever vulnerabilities are found with the infrastructure team to remediate them.

Qualys VMDR provides a real-time response and reporting feature, which is excellent. It allows us to see real-time graphs and reports for every asset, server, and more, which is very user-friendly.

Our clients have given good feedback, and they are satisfied with the tool. We use it daily to fix vulnerabilities by connecting with infrastructure to remediate. The feedback from the client side is very good.

Regarding improvement, compliance features haven't been utilized much. I anticipate more benefits in this area in the future. Integrating other teams, such as GRV, with Qualys would be very beneficial.

Additionally, if AI features were integrated, it could enhance the capabilities significantly.

I have been using Qualys VMDR for about six months. I started working in vulnerability management with my company in the SOC.

I haven't experienced any downtime during my working hours. However, there might be times when it could go down. I would rate stability around 8.5 or nine out of ten.

Qualys VMDR can handle scalability, although increasing the inventory can raise the licensing costs. However, it can escalate and adapt to many needs if required.

Customer support is satisfactory. When reaching out via email, they reply quickly. I would rate their customer support eight out of ten.

I have used another vendor for a different client, which is Rapid7. However, I found Rapid7 not as user-friendly as Qualys. The console is less user-friendly, and running sample templates or scans is more complex compared to Qualys.

I am not aware of the exact pricing, as it comes as an MSP model from the client. However, I have a notion that Qualys might be more expensive than Rapid7.

I have evaluated Rapid7 along with Qualys. In a rating out of five, I would give Qualys four and Rapid7 two, as Rapid7 is more complex and not as user-friendly.

I would recommend Qualys VMDR to others comparing it with other VM tools, due to its valuable features, including real-time responses and detailed reporting.

Overall, I would rate Qualys eight out of ten. With potential improvements and AI integration, it could offer even more.

The primary use case of Qualys VMDR was to monitor around two hundred users, servers, and VMs weekly. We needed to ensure that all vulnerabilities were tracked and addressed. Our users were mainly developers using various applications, and we needed to ensure compliance with client requirements. The goal was to keep our systems up-to-date and secure.

Before using Qualys VMDR, we used OpenVAS, an open-source solution. It was challenging to find a direct solution for vulnerabilities.

With Qualys VMDR, it became simple to understand the severity of issues and prioritize fixes. We could ensure our top management was satisfied, knowing issues were visible and addressed.

It allowed us to divide tasks easily among teammates, significantly improving efficiency. We saw a return on investment in time, money, and resources.

Qualys VMDR offers a one-stop solution for monitoring and reporting. The UI is straightforward and user-friendly, and even beginners can master it in a day.

It allows for simplicity in understanding issues and generating reports for clear visibility. The benefits of task division among teammates and the ability to work together without delays were significant.

Qualys VMDR identifies vulnerabilities and suggests fixes. However, it does not automate patching unless the patch management module is purchased separately.

Automating features could reduce manual efforts and make the process less lengthy. Integration of AI could enhance benefits, especially in handling false positives.

I have used the solution for around three years.

We did not experience any bugs, glitches, or downtime. I would rate the stability a nine out of ten.

Scalability depends on the license and the number of assets being monitored. I would rate the scalability an eight out of ten.

The technical support provided by Qualys is pretty good, and I would rate it an eight out of ten.

Before Qualys VMDR, we used Greenhorn’s OpenVAS. It was open-source, but it offered no direct solutions. Reports were only available with scheduled scans, which made immediate issue resolution difficult.

The initial setup was straightforward. The deployment was up and running in a day with assistance from the support team.

Only one person was involved in implementing Qualys VMDR.

We saw a return on investment through significant savings in time, money, and resources. The solution allowed for efficient task management among team members.

For smaller enterprises, the pricing is on the pricier side. However, for larger enterprises, it's considered okay. I would rate the pricing between seven to eight out of ten.

We previously used OpenVAS.

Overall, the solution is highly rated because of its simplicity and efficiency. I would rate it a nine out of ten.

We use it for vulnerability management and report generation mostly. I am trying to solve the issue wherein the stakeholders can get automated vulnerability reports to their mailbox.

Using this product, we now have a vulnerability management cycle wherein VMDR plays a major role. It has greatly increased the capability on the detection aspect of the vulnerability and improved our scope and visibility on all other endpoints.

I like the automated report generation and vulnerability report generation.

I don't have any improvement requests on top of my mind right now. The response time of technical support takes a while.

It's been more than two years now.

I would rate the stability as nine out of ten. It's quite stable.

The solution is scalable.

My rating for the technical support for Qualys is six out of ten. The response time takes a while.

I personally didn't use a different solution before Qualys.

Although I was not present during the initial deployment process, it's pretty straightforward. It's just an agent installation, which automatically connects it to the cloud platform, so the implementation won't take as long.

I would recommend Qualys VMDR to the other stakeholders because it already has its place in the market, and it's very reliable.

I'd rate the solution eight out of ten.

The use cases would be for scanning purposes, for identifying assets, identifying and viewing assets, and setting up scan schedules. I use it primarily as a vulnerability management and scanning tool.

When you have everything in one place, the job is very easy. Qualys VMDR having a Russian nesting doll sort of environment does take a steep learning curve, but having everything in one place is quite neat.

The most valuable feature is the asset view where I can find individual assets and take a deeper dive into their information gathering section, potential vulnerabilities, and confirmed vulnerabilities. I also value the scheduling of scans and reports as per the desired timeframes.

The reporting section needs improvement as running reports can take several hours. A more intuitive way to configure reports settings to reduce run time would be helpful. Improvements are needed for sorting QIDs and findings during the reporting section without downloading the entire report.

Additionally, there is a need to address the issue of retaining report sections when they exceed one or two GBs. For asset management, adding a notification for unscanned assets or those missing CVE ratings would help.

I have been using it for close to three and a half to four years now.

There are rarely any stability issues. Discrepancies are usually anticipated due to the downtime and maintenance window provided in advance. It's a technological tool, and random anomalies may happen, but they are manageable.

Qualys offers one of the best scalability capabilities for large-scale deployments. Its tools and solutions work effectively with large corporations. VMDR helps club multiple vulnerabilities into one QID, which assists with remediation cycles.

Customer support is fast, although there can be a lot of back and forth. However, the overall service is satisfactory and of great quality.

I have used Nessus and Burp Suite, however, Burp Suite isn't in close proximity with Qualys for scanning purposes. Microsoft Defender offers some advantages with real-time, agent-based scanning that consumes fewer resources.

The initial setup was quite simple and straightforward. Setting up Qualys was fairly easy with clear documentation and guidance.

I am not familiar with the pricing side as I am not a part of that aspect. However, it is on the higher side, but it provides large-scale scalability for vulnerability management.

I have evaluated Nessus and Microsoft Defender for vulnerability management.

Users should go through the training offered by Qualys for all VMDR modules and take an introductory call on how to use and schedule tasks. Setting up one thing at a time and testing the desired results before moving on is advised.

I'd rate the solution eight out of ten.

The primary use case for Qualys VMDR is for infrastructure vulnerability management. It assists devices, including all infrastructure devices like serverless network devices and development environments.

The solution has improved the organization significantly because it helps in assessing and prioritizing risk. Based on the results from Qualys, I can prioritize remediations with the remediation teams, thereby reducing the volume of vulnerabilities.

The most valuable feature is the QID part, especially of CentralList, which makes it easy to assess new critical vulnerabilities. It saves a lot in assessing and prioritizing risks to the organization.

Support could be improved since the response can be slow. There is always room for improvement to align with the latest content and technologies.

I have used the solution for three years.

The solution is stable. Anytime there is downtime or maintenance, Qualys ensures that we are well-informed with priority communications.

Scalability would be rated nine or nine point five out of ten. We have high satisfaction with this aspect.

Technical support response can sometimes be slow, leading to a rating of eight or nine out of ten.

I previously used a different tool. I switched to Qualys as it didn't have the same feature set.

The initial setup was straightforward. Deployment took two to three days.

The deployment was done by a different team, so I do not have specific details about the implementation team size.

I have used RapidSky before Qualys.

I would recommend Qualys VMDR because it ensures comprehensive coverage, including aspects like vulnerability management and PCI, providing good inputs and improvements over time.

I'd rate the solution nine out of ten.

We use continuous monitoring to schedule scans for all the applications in our organization. We create a parent tag and sub-tags for each application and schedule scans based on our requirements, such as every alternate day, weekly, or monthly. This helps us identify vulnerabilities in the web applications, especially those that are public-facing.

Since implementing Qualys, we have seen a reduction in the time required to scan applications, as it automates the process. This efficiency is one of the key improvements we have noticed. Additionally, the tool is effective compared to others, particularly for automated scans.

In Qualys VMDR, there are multiple valuable features such as Continuous Monitoring, SFU Connector, and WebVPN. Continuous monitoring is a crucial feature that we use more frequently.

There are scenarios where a vulnerability is reported once yet not in subsequent scans, even if we have not fixed it. Sometimes, Qualys is unable to crawl certain URLs due to unspecified issues. Additionally, the report download option occasionally has problems.

I have been using Qualys for two years.

I would rate the stability as nine out of ten, indicating no significant issues with stability.

The scalability of Qualys is rated as eight to nine out of ten, and there are no problems with scalability.

The customer support system could be improved. While they respond, it takes them two to three days to address a concern, which is an issue. Overall, I would rate customer service as five or six.

The setup process was not within my involvement, as it was part of the project I had joined and it was already set up.

I recommend Qualys VMDR as it effectively reduces the time required for vulnerability management and operates well with fewer people.

I'd rate the solution seven out of ten.