Questioning Qualys?

1. Risk-Based Prioritization

Rapid7 InsightVM, our leading vulnerability risk management (VRM) solution, assesses and prioritizes risk based on potential impact to your unique organization and what attackers are actively doing in the wild. The Real Risk score accounts for the business criticality of an asset and factors in CVSS, malware and exploit exposure (via Metasploit and Exploit DB), exploitability, and vulnerability age to determine a granular, 1-1,000 score. This earned us the highest possible score in the criteria of Vulnerability Enumeration and Risk-Based Prioritization in the 2019 Forrester Wave™.

Qualys’ 1 to 5 approach to risk prioritization does not factor in an asset’s criticality to your environment, leading many customers to struggle with where to start amongst all of their “critical” vulnerabilities—sound familiar? Additionally, access to threat intelligence feeds (a capability that comes out of the box with InsightVM) requires an additional cost with Qualys.

Learn more about how Rapid7 and Qualys’ prioritization strategies stack up >

2. Research at the Core

Security research is core to Rapid7—both as a vendor and as a member of the security community. Rapid7 is a CVE Naming Authority (CNA) with MITRE and continues to invest in open data research projects for all. We augment third party research with our own learnings of the attacker mindset to better equip customers within InsightVM:

• Attack Surface Monitoring with Project Sonar scans the public internet to automatically identify all of your externally-facing, internet connected assets, including ones you may not have previously known about. Rapid7 is the only VRM vendor with this capability.
• Integrated Threat Feeds are informed by attacker behaviors observed in our Project Heisenberg honeypot network.
• Our dedicated threat researchers and integration with Metasploit for vulnerability validation accelerates the discovery and coverage of zero-days and other low-notice exploits.
• Ongoing research on the SSL certificate ecosystem enables us to identify weak or untrusted certs across your assets.

Qualys is not a CNA, and relies predominantly on third party sources for threat intelligence; in other words, its solutions aren’t fortified with robust in-house research data.

3. Simple Pricing

starting at

$22/asset*

See what's included

No nickel-and-diming here. InsightVM is priced based on the number of assets in your environment, and offers full, comprehensive functionality at no additional cost. Plus, the more assets you secure, the more the price per asset drops.

Here are just some of the features and capabilities included in InsightVM that often come at an extra charge with other vulnerability risk management vendors:

• Threat feeds that are correlated to your assets
• Flexible dashboards that don’t require add-on services
• Compliance scanning and policy assessment

Qualys’ modular approach requires an additional cost for every additional functionality you need from the product, making it costly to take a holistic approach to your VRM program.

Don’t just take it from us—The Total Economic Impact™ Of Rapid7 InsightVM, a November 2019 commissioned study conducted by Forrester Consulting on behalf of Rapid7, found that customers who switched from other VRM vendors to InsightVM saw a 342% return on investment over three years, along with a significant decrease in cybersecurity incidents and spend.

4. Best-of-Breed Across the Board

Vulnerability risk management is the cornerstone of every security program, but adapting to the evolving threat landscape requires solutions to work together for threat detection and response, application security, automation, and more. Rapid7’s Insight cloud offers a simple, unified way to do exactly that.

Let's take our Insight Agent as an example: With a shared agent between InsightVM and InsightIDR—a Leader in the 2020 Gartner Magic Quadrant for Security Information and Event Management (SIEM)—our customers get a holistic view of assets and the users behind them. To extend your risk protection to the application layer, customers can go beyond application discovery in InsightVM to test and remediate with InsightAppSec, the highest rated DAST solution by an independent research firm three years in a row. Rapid7 was the only full stack vulnerability risk management vendor to be evaluated for its application security capabilities.

Qualys’ VMDR offering may be a start towards consolidation, but it’s not backed by tried-and-tested solutions that lead their respective markets. Plus, this “all-in-one” approach still requires customers to purchase add-on modules for security configuration assessment, integration with ServiceNow, and more. (Spoiler alert: These features come at no additional cost with InsightVM).

5. Ease of Experience

We know that as a security professional, you probably don’t have all that much free time to toggle between screens and dig through fragmented UIs just to get the information you need. We often hear from InsightVM customers that its ease of setup and use saves valuable time and effort, even translating to a 33% reduction in investigation efforts according to Forrester’s Total Economic Impact™ study. One cybersecurity consultant in the finance industry has stated, "Rapid7 InsightVM was very easy to setup in our environment. Using the software was very user friendly," when comparing InsightVM to their previous VRM solution.

This is made possible through features like Live Dashboards, which offer highly flexible, up-to-date views of your VRM operations that can be customized for various stakeholders across your organization.

Qualys’ modular approach makes it harder for users to keep tabs on all of the moving parts in their VRM program, and lacks the centralization you need to understand your risk posture at a glance.