We just raised a $30M Series A: Read our story

Qualys Web Application Scanning OverviewUNIXBusinessApplication

Qualys Web Application Scanning is #9 ranked solution in AST tools and #12 ranked solution in application security tools. IT Central Station users give Qualys Web Application Scanning an average rating of 8 out of 10. Qualys Web Application Scanning is most commonly compared to OWASP Zap:Qualys Web Application Scanning vs OWASP Zap. The top industry researching this solution are professionals from a computer software company, accounting for 31% of all views.
What is Qualys Web Application Scanning?
Qualys Web Application Scanning (WAS) is a cloud service that provides automated crawling and testing of custom web applications to identify vulnerabilities including cross-site scripting (XSS) and SQL injection. The automated service enables regular testing that produces consistent results, reduces false positives, and easily scales to secure a large number of websites. Proactively scans websites for malware infections, sending alerts to website owners to help prevent black listing and brand reputation damage.

Qualys Web Application Scanning is also known as Qualys WAS.

Buyer's Guide

Download the Application Security Buyer's Guide including reviews and more. Updated: November 2021

Qualys Web Application Scanning Customers
BskyB, Cartagena, ClearPoint Learning Systems, Connect Group, du, Fortrex Technologies, HBOR, HDI, Highlights for Children, The Lithuanian State Enterprise Centre of Registers, City of Miami Beach, Microsoft, MidlandHR, MSCI Inc., Northern Arizona University, Ofgem, Olympus Europa, PhoneFactor, RTL Nederland, ThousandEyes, VGZ Organisatie B.V.
Qualys Web Application Scanning Video

Pricing Advice

What users are saying about Qualys Web Application Scanning pricing:
  • "The product is expensive, at least initially, in comparison to other products in this category."
  • "The cost is $30,000 USD for one year to cover WAS (Web Application Security) and the VM (Virtual Machine) security in a company with 200 employees."
  • "We are on an annual license for the solution and the pricing could be more affordable."
  • "There are different options available with respect to licensing."

Qualys Web Application Scanning Reviews

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
GV
CEO at a tech services company with 51-200 employees
Real User
Top 20
Has comprehensive SSL security measurements but the price should be lowered

Pros and Cons

  • "The simplicity of exporting reports and the simplicity and clarity of the reports included with the product are good."
  • "The pricing does not seem to be competitive."

What is our primary use case?

For some projects, we will need to use this on-premises. It depends on the confidentiality of our project. For other projects, we will also be deploying on the cloud or maybe a hybrid solution as well.  

We are looking forward to having a relationship as a partner with this company and maybe one or two others. We are not just a customer. We have a bunch of freelancers that we are working with in three different companies in Slovenia, Australia, and other countries. We are looking for solutions to make our testing and security checks more affordable.  

What is most valuable?

I am not the person who is actually directly testing this. One of the other people from our team is doing that. But I was involved in the selection of what we products we should compare based on available features, demos, and how products appear to meet our needs. What I remember from my experience with Qualys is that the simplicity of exporting reports and the simplicity and clarity of the reports included with the product is good. The website was also well-designed and easy to navigate. The SSL security measurements that the product offers seem comprehensive. But I can not say, at this preliminary phase, that I specifically think this or that from Qualys is the most valuable. It is intriguing enough to make our shortlist and POC efforts.  

What needs improvement?

Knowing we are in an early phase of discovery and comparison, it is impossible to know exactly what features may need improvement. Some seem to be interesting, on the other hand. The only thing that is in need of improvement from my perspective at this point is pricing in comparison to other, similar products.   

For how long have I used the solution?

We are in the process of analyzing several products over several months in this category for comparison and proof of concept.  

How are customer service and technical support?

We have not yet had to contact technical support for any reason.  

How was the initial setup?

I don't have information at this moment because we are in the process of discovery and we have not fully deployed. We do have a test deployment running.  

What's my experience with pricing, setup cost, and licensing?

The pricing of Qualys is quite expensive in comparison with the other products in this category that are offering pretty much the same thing. Pricing is one area of the product that can be improved. At this stage of our discovery, we only know the initial cost is high.  

Which other solutions did I evaluate?

We were testing a lot of products. We were looking for a good product for our needs and for the needs of our customers to scan vulnerabilities. Qualys was one of the products we chose to do further testing with. The testing with data is still continuing and is a process. As we are in the process of discovery now, we cannot exactly qualify our experience with the product.  

What other advice do I have?

On a scale from one to ten where one is the worst ten is the best, I would rate Qualys as a seven at this point. It is difficult to rate Qualys — or even products from other companies — as better than this because we are hearing the same thing from all the product manufacturers before we went into testing. But based on the references from other users about Qualys, our current level of experience, the pricing as we know it and the services that are offered for free, Qualys is a seven.  

What we have mostly found at this point is that you can't just install a free trial version of a product and get a complete impression immediately. With some products like Qualys or others in the category, the pricing may not be completely right because there are hidden costs. It could be one solution is not quick to deploy and that seems to make it difficult but in actual use, it is easier than everything else. Some products will be easy to set up and after 10 days of trying to work with it, I might be disappointed because of what I committed to.  

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PK
Senior Software Developer at a tech vendor with 1,001-5,000 employees
Real User
Has a good progressive scan feature but the data server needs improvement

Pros and Cons

  • "The feature that I have found most valuable is the progressive scan. It is good. It's done in 24 hours."
  • "The UI is not user-friendly and you don't have a yearly reporting facility where you can slice and dice in different jobs."

What is our primary use case?

I think we have the fastest version, and they always upgrade it. I think it's the $2 or $3-a-month version. They have multiple engines inside it, but it's a site-based service. It is not on-demand, so Qualys will host it. It's the pay as you go service that is on the software-as-a-service. 

We use the DAST, dynamic application scan test.

What is most valuable?

The feature that I have found most valuable is the progressive scan. It is good. It's done in 24 hours.

What needs improvement?

One area that could be improved is the a data server. That's probably what I most noticed in comparison with the Rapid7. Also, the UI is not user-friendly and you don't have a yearly reporting facility where you can slice and dice in different jobs. This is not good. 

Additionally, you don't have a recording feature, where you can record your screen navigation. Like a macro, you want to create the full screen, and they don't provide a tool which can record your navigation and then do a replay.

In terms of what should be included in the next release, like I mentioned, just the UI, the user interface screen. Also, it would be good If they could improve and enrich the reports. These are the fundamental differences with Rapid7.

For how long have I used the solution?

I have been using Qualys Web Application Scanning for five years.

What do I think about the stability of the solution?

Qualys Web Application Scanning is very stable and reliable. But the reporting does not look that great.

What do I think about the scalability of the solution?

In terms of scalability, it is very easy to expand. It's very fast and visible.

We don't have many people working on the solution. But our applications are big applications. We are using six components in different applications.

How are customer service and technical support?

Support is very good.

How was the initial setup?

Because of tasking, the initial setup is very straightforward. We didn't have to purchase any hardware for the installation. It is task-based. The cloud provision is there. It is good. I think nowadays everyone is going with the cloud provisioning. That way you can subscribe for any number of years to use the software. 

I think the initial setup took a couple of hours because there were no plugins and nothing to be installed.

What about the implementation team?

We implemented it ourselves and there was no installation expert here.

Which other solutions did I evaluate?

Yes, we are still comparing it with Rapid7. We want to first make assessments of what advantages we can get with Rapid7.

What other advice do I have?

My advice for anyone considering this solution is, "Go for it." 

On a scale of one to ten, I would give Qualys Web Application Scanning a seven.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Find out what your peers are saying about Qualys, Veracode, Acunetix and others in Application Security. Updated: November 2021.
552,695 professionals have used our research since 2012.
HJ
Data Specialist at CHUN SHIN LIMITED
Real User
Top 20
Easy to use for detection of WAS and VM vulnerabilities

Pros and Cons

  • "It is easy to use."
  • "It is a very stable solution."
  • "The reporting contains too many false positives."
  • "The virus code updates are not frequent enough."
  • "Deployment can be complicated."

What is our primary use case?

We are using Qualys for vulnerability detection in our IDC (International Data Center) on our web pages and world-wide-web applications and services.  

What is most valuable?

The best thing about this product is that it is really easy to use.  

What needs improvement?

We are concerned with the frequency of their virus code updates and reporting that contains false positives. We do not think that the accuracy of the reporting is as good as it should be.  

It would be nice if Qualys would provide a solution after analyzing the data for us so we can understand what the cause of a vulnerability is and how to fix it. It would be good enough to provide something like just a download page that describes the problem and the steps to take to resolve the vulnerability.  

We are researching open source software because Qualys needs to improve their reports and the documentation for the end-users in resolving scanned issues.  

Sometimes the deployment is complicated. It is not so easy to deploy and that should be simplified. Something like Zap or other open-source software is often easier to deploy.  

For how long have I used the solution?

I am in the IT department in our company and we have been using Qualys for three years.  

What do I think about the stability of the solution?

Qualys is a very stable solution for us. We have not had trouble with downtime.   

What do I think about the scalability of the solution?

We get a license to use this application for up to a year and we file for a license every year to renew. We would need to renew this license in September of 2020, so we will need to make a decision whether we will be continuing to use Qualys as a solution.  

How was the initial setup?

Sometimes the deployment is complicated. The deployment should be easier and more consistent.  

What's my experience with pricing, setup cost, and licensing?

The cost of the solution should be lower. In our company now, we only have 200 employees. For us, the license fee is kind of expensive. The cost is $30,000 USD for one year to cover WAS (Web Application Security) and the VM (Virtual Machine) security. That price includes maintenance and any consulting with Qualys.  

What other advice do I have?

I would recommend Qualys if the budget is not a problem. There may be other open-source solutions that could be used to perform a similar analysis.   

On a scale from one to ten (where one is the worst and ten is the best), I would rate this solution as an eight-out-of-ten.  

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
NagarajSheshachalam
Lead Cyber Security engineer at a tech services company with 201-500 employees
Real User
Top 5
Thorough detection, good visual interface, scalable

Pros and Cons

  • "I have found the detection of vulnerabilities tool thorough with good results and the graphical display output to be wonderful and full of colors. It allows many types of outputs, such as bar and chart previews."
  • "When comparing this solution to Veracode, Veracode has good interactive features and gives a clear understanding of what the vulnerabilities are, which error line of the vulnerability is on and what can be done. It gives interactive features, whereas this solution does not give a clear understanding of where or how to fix the problem."

What is our primary use case?

My company works for another company called Ecolab here in Bangalore. We are an Ecolab digital center, we develop mobile application. We use Vericode and this solution for testing these web applications before going live. This includes the full testing periods and the production phase. Once it has been tested, we then get them ready to go live.

What is most valuable?

I have found the detection of vulnerabilities tool thorough with good results and the graphical display output to be wonderful and full of colors. It allows many types of outputs, such as bar and chart previews.

What needs improvement?

When comparing this solution to Veracode, Veracode has good interactive features and gives a clear understanding of what the vulnerabilities are, which error line of the vulnerability is on and what can be done. It gives interactive features, whereas this solution does not give a clear understanding of where or how to fix the problem.

In the future, customer support could improve and the output report needs to be simplified for better understanding.

For how long have I used the solution?

I have been using the solution for the last 12 months.

What do I think about the scalability of the solution?

We have expanded the solution in a few areas and it was scalable. We have approximately 50 people using the solution in my organization.

How are customer service and technical support?

There is some improvement needed for the technical support.

Which solution did I use previously and why did I switch?

We have used Veracode previously and we are currently still using it.

How was the initial setup?

The installation is complex and it took approximately one month which included the customization.

What's my experience with pricing, setup cost, and licensing?

We are on an annual license for the solution and the pricing could be more affordable.

Which other solutions did I evaluate?

We are planning on moving to Veracode because we are getting better results and is easier to use than this solution.

What other advice do I have?

My advice to those wanting to implement this solution is if you have experience and knowledge with vulnerability management and reading through all the threats, this could be a good platform for you. If you are a new starter this solution is not a good place to start.

I rate Qualys Web Application Scanning an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
SA
Security Analyst at a tech services company with 10,001+ employees
Real User
Top 20
User-friendly, good scanning analysis and reporting, and offers real-time vulnerability monitoring

Pros and Cons

  • "The interface is user-friendly and easy to understand."
  • "The scanner reports a lot of false positives, which is something that needs to be improved."

What is our primary use case?

We primarily use this solution for VM scanning. We scan more than a thousand applications.

What is most valuable?

The most valuable features are scanning analysis and reporting.

This solution also provides real-time monitoring.

The interface is user-friendly and easy to understand.

What needs improvement?

The reporting needs to be improved because there are a lot of search parameters, and at the end of the day, the reports are so large that it is very difficult for us to go through each and every point to analyze the vulnerabilities.

The scanner reports a lot of false positives, which is something that needs to be improved.

For how long have I used the solution?

We have been using Qualys for almost a year.

What do I think about the stability of the solution?

The stability is good.

What do I think about the scalability of the solution?

In terms of scalability, Qualys is good.

How are customer service and technical support?

I have not dealt with technical support yet because there are other people dealing with issues that arise. My understanding is that technical support is good.

Which solution did I use previously and why did I switch?

I have also used the Nexus Vulnerability Scanner and it reports fewer false positives.

How was the initial setup?

This solution was implemented before I joined the department.

What's my experience with pricing, setup cost, and licensing?

There are different options available with respect to licensing.

What other advice do I have?

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
Buyer's Guide
Download our free Application Security Report and find out what your peers are saying about Qualys, Veracode, Acunetix, and more!