Keeping your modern IT environment secure requires comprehensive visibility and coverage of your assets, an advanced understanding of the attacker mindset, and frictionless workflows for remediating vulnerability risk.
Dive deeper into 10 ways Rapid7 InsightVM, our leading vulnerability risk management (VRM) solution, is better equipped than Qualys to handle today's vulnerability risk management challenges:
Rapid7 InsightVM, our leading vulnerability risk management (VRM) solution, assesses and prioritizes risk based on potential impact to your unique organization and what attackers are actively doing in the wild. The Real Risk score accounts for the business criticality of an asset and factors in CVSS, malware and exploit exposure (via Metasploit and Exploit DB), exploitability, and vulnerability age to determine a granular, 1-1,000 score. This earned us the highest possible score in the criteria of Vulnerability Enumeration and Risk-Based Prioritization in the 2019 Forrester Wave™.
Qualys’ 1 to 5 approach to risk prioritization does not factor in an asset’s criticality to your environment, leading many customers to struggle with where to start amongst all of their “critical” vulnerabilities—sound familiar? Additionally, access to threat intelligence feeds (a capability that comes out of the box with InsightVM) requires an additional cost with Qualys.
Security research is core to Rapid7—both as a vendor and as a member of the security community. Rapid7 is a CVE Numbering Authority (CNA) with MITRE and continues to invest in open data research projects for all. We augment third-party research with our own learnings of the attacker mindset to better equip customers within InsightVM:
Qualys is not a CNA, and relies predominantly on third-party sources for threat intelligence; in other words, its solutions aren’t fortified with robust in-house research data.
No nickel-and-diming here. InsightVM is priced based on the number of assets in your environment, and offers full, comprehensive functionality at no additional cost. Plus, the more assets you secure, the more the price per asset drops.
Here are just some of the features and capabilities included in InsightVM that often come at an extra charge with other vulnerability risk management vendors:
Qualys’ modular approach requires an additional purchase for each additional piece of functionality you need from the product, making it costly to take a holistic approach to your VRM program.
Don’t just take it from us—The Total Economic Impact™ Of Rapid7 InsightVM, a November 2019 commissioned study conducted by Forrester Consulting on behalf of Rapid7, found that customers who switched from other VRM vendors to InsightVM saw a 342% return on investment over three years, along with a significant decrease in cybersecurity incidents and spend.
Vulnerability risk management is the cornerstone of every security program, but adapting to the evolving threat landscape requires solutions to work together for threat detection and response, application security, automation, and more. Rapid7’s Insight cloud offers a simple, unified way to do exactly that.
Let's take our Insight Agent as an example: With a shared agent between InsightVM and InsightIDR—a Leader in the 2020 Gartner Magic Quadrant for Security Information and Event Management (SIEM)—our customers get a holistic view of assets and the users behind them. To extend your risk protection to the application layer, customers can go beyond application discovery in InsightVM to test and remediate with InsightAppSec, the highest rated DAST solution by an independent research firm three years in a row. Rapid7 was the only full-stack vulnerability risk management vendor to be evaluated for its application security capabilities.
Qualys’ VMDR offering may be a start towards consolidation, but it’s not backed by tried-and-tested solutions that lead their respective markets. Plus, this “all-in-one” approach still requires customers to purchase add-on modules for container scanning, cloud assessment, integration with ServiceNow, and more. (Spoiler alert: These features come at no additional cost with InsightVM.)
We know that as a security professional, you probably don’t have all that much free time to toggle between screens and dig through fragmented UIs just to get the information you need. We often hear from InsightVM customers that its ease of setup and use saves valuable time and effort, even translating to a 33% reduction in investigation efforts according to Forrester’s Total Economic Impact™ study. One cybersecurity consultant in the finance industry has stated, "Rapid7 InsightVM was very easy to set up in our environment. Using the software was very user friendly," when comparing InsightVM to their previous VRM solution.
This is made possible through features like Live Dashboards, which offer highly flexible, up-to-date views of your VRM operations that can be customized for various stakeholders across your organization.
Qualys’ modular approach makes it harder for users to keep tabs on all of the moving parts in their VRM program, and lacks the centralization you need to understand your risk posture at a glance.
Identifying and prioritizing risk are essential steps, but remediation is where you make a tangible impact on your risk posture. InsightVM is designed to facilitate and ease this process by identifying the individual remediation steps that will reduce the most risk globally, and by integrating into technical teams’ existing workflows. Forrester’s Total Economic Impact™ study found that customers who switch to InsightVM from other VRM tools experience a 60% reduction in patching efforts. How, you ask?
Remediation Projects enable you to assign and track remediation duties in real time, and integrate into ticketing systems like Atlassian Jira and ServiceNow ITSM—read: no more lengthy spreadsheets and back-and-forth email tag.
Once again, Qualys requires additional modules (and therefore extra costs) for functionality that comes out of the box with InsightVM, such as integration with ticketing systems for patching.
InsightVM enables you to make measurable progress and effectively communicate that progress to executive stakeholders. With Goals and SLAs, you can track your efforts against key metrics and KPIs that help demonstrate your team’s value to the security of your organization. The results from Goals and SLAs can then be presented in a number of pre-built and customizable reports, or visualized via Live Dashboards. InsightVM is the only VRM vendor with this capability.
In addition to the streamlining provided by Remediation Projects, InsightVM integrates with patch management tools like BigFix and Microsoft SCCM to expedite the most tedious parts of your remediation process and work with the tools your IT operations team is likely already used to. Automation-Assisted Patching lets you take this one step further by automatically applying patches in a matter of minutes, rather than hours or days. This gives you back the time and resources to be more productive and focus on the more strategic aspects of your security program.
Qualys requires the additional purchase of a Patch Management module, and its agent only supports Windows patches.
That said, we know that not every vulnerability can be remediated: With Automated Containment, you can decrease exposure from vulnerabilities by automatically implementing temporary (or permanent) compensating controls via your Network Access Control (NAC) systems, firewalls, and Endpoint Detection and Response tools; these can act as either stopgaps or long-term solutions to reduce exposure.
InsightVM is also designed to maximize impact with the other parts of your security stack—our partner ecosystem includes 60+ technology integrations for InsightVM alone. Not to mention, InsightVM also features an open, RESTful API that allows you to automate and unify virtually any aspect of your vulnerability risk management process. This helped InsightVM achieve the highest possible scores for its extensibility and Partner Ecosystem in The Forrester Wave™: Vulnerability Risk Management, Q4 2019.
Qualys’ offering lacks integrations with crucial internal network services like Active Directory and DHCP, limiting customers’ visibility into their attack surfaces.
InsightVM offers granular, easy-to-set-up role-based access control (RBAC) for different types of users across your IT and security teams—in addition to pre-built roles, you can create custom ones with varying permissions related to sites, asset groups, ticketing, reporting, and more.
Qualys’ RBAC capabilities have been dinged as inflexible, causing potential security risks especially in enterprise environments with large volumes of users.