Qualys Response to Rapid7’s False Claims on VMDR

Type qualysblog
Reporter Shailesh Athalye
Modified 2020-04-16T18:40:25


As remote working is becoming the need of the hour, IT and Security teams are working tirelessly to ensure continuity of services and deliver on all aspects of the business. To help our customers in these challenging times, we launched a 60-day no-cost ‘Remote Endpoint Protection’ service for managing the security, vulnerabilities and patching of the remote hosts. This service immediately received a good response as the traditional enterprise security solutions deployed inside the organization’s network are ineffective in protecting these remote endpoints. At the same time, Qualys VMDR® – Vulnerability Management, Detection and Response – is going live enabling customers to discover, assess, prioritize, remediate vulnerabilities and patch them across the global hybrid-IT landscape in an integrated manner.

Unfortunately, during the same time, Rapid7 launched a campaign of false claims, without a context of the overall use-cases. We will go over each of these claims and provide a response with evidence for each.

Before we do that, let us take a step back to understand major shifts happening in IT and having an impact on changing Vulnerability Risk Management Program, as this forms the basis of the topic.

Infrastructure landscape is becoming increasingly hybrid

Organizations not just have the on-premises datacenter hosts and applications but also have cloud-based workloads and instances. IT, DevOPs teams are leveraging containerized environment, emerging technologies. As you know, today’s remote workforce is creating surge of remote endpoints and collaboration, productivity tools for IT and security teams to manage.

figure 1: graphic

Evolving Risk-based vulnerability management

Security teams need a real-time, always updated inventory of all assets and applications to have confidence in their vulnerability management program. Also, the vulnerability assessment has become more real-time. More and more organizations are doing proactive configuration assessment to stay on top of security hygiene issues.

It is becoming critical for the organizations to prioritize this laundry list of vulnerabilities on risk, not just based on CVSS or vulnerability risk, but in context of threats, mitigation factors such as asset status, configuration posture. Last but not the least, ability to respond quickly, patch vulnerabilities and take other remediation actions in a simple manner is becoming key to reduce the attack surface. Today’s security teams are looking at speeding up the response, instead of needing to put in time and cost in managing integrations, solutions.

figure 2

These two shifts are where the importance of a single unified platform comes in. Qualys has put in years of hard work to create a single cloud platform to collate enormous amount of diverse data from multiple sensors, created for hybrid environment, integrate and analyze this data in real time and present it in a contextual manner for customers to take actions on. This is where the Qualys platform differentiates itself from the competition, which has separate tools, either built in-house or acquired to perform a ‘point’ use-case such as on-prem vulnerability management, cloud vulnerability management, container security etc., and require customers to create integrations between them as the data is never unified with a context. As the Qualys platform leverages a multi-layered, hybrid architecture built with the latest technologies and years of research, we are able to support at scale 31+ million cloud agents and 3+ billion IP scan/audits. The Qualys cloud platform today has 3+ trillion datapoints indexed in Elastic clusters and are able to processes 2+ trillion security events annually. This provides a robust and reliable solution for customers to prioritize vulnerabilities from multiple sources, with a context of other security data points and assets.

figure 3: Cloud Platform Architecture

Qualys Response

Now, let’s look at Rapid7’s claims one by one against Qualys VMDR.

Claim #1: Qualys’ 1 to 5 approach to risk prioritization does not factor in an asset’s criticality to your environment, leading many customers to struggle with where to start amongst all of their “critical” vulnerabilities

While many of Qualys’ competitors rely on the CVSS scores to ascertain the current risk posture, Qualys has always supported asset-based risk criteria of the business, as well as CVSS scores, combined with environmental and temporal scores.

Where Qualys VMDR differentiates from competition is it provides true risk-based prioritization. It is achieved through following elements:

figure 4: VMDR Prioritization

  • Powerful asset tagging engine: Qualys auto-generates the tags based on various unique attributes of the assets, including criticality and keeps the tags dynamically updated for arranging assets per attributes.
  • Customizable real-time threat indicators (RTIs): Ranging from actively attacked to zero-day to wormable and more.
  • Attack surface and Asset Datapoints: Helps in seeing the context of the vulnerabilities to reduce the panic and use this as mitigation factor. For example, Customers leverage this to de-prioritize the vulnerabilities which could be mitigated by configuration settings. This helps customers leverage it to filter in vulnerabilities which could be for only running kernel/services etc.
  • Extensive attributes such as vulnerability detection, scan age etc.

Qualys VMDR brings in all above elements together for customers to see true-risk, beyond just CVSS-driven risk.

Claim #2: Qualys relies solely on third party sources for threat intelligence, limiting customers’ responsiveness to potential threats

figure 5: SSL Pulse

Qualys has had a Malware and Vulnerability research lab for many years. A number of Qualys researched vulnerabilities have been nominated for awards such as RCE in exim, systemd-journald and more. With threat protect, the Qualys team has been doing research on zero-day, wormable vulnerabilities.

In addition to in-house research, Qualys integrates the threat feeds from other security research partners as well, so that customers have a comprehensive set of real-time threat indicators to leverage for prioritizing vulnerabilities. Qualys also makes its research useful for the security community. A popular example is Qualys SSL Labs, which keeps an eye on public internet and performs deep analysis of the digital certificate configurations for safe communication over internet.

Even, the CIS (Center for Internet Security) community has benefited through its MS-ISAC integration with Qualys Certificate View for continuous monitoring of digital certificates and SSL/TSL configurations. Qualys has also been authoring and contributing significantly to the CIS security hardening benchmarks for technologies such as AWS, Azure, and GCP public cloud platforms to help manage security hygiene when these technologies are utilized. Many competitive tools only use these benchmarks, however, do not contribute in the research of these security hardening guidelines.

With VMDR, customers can not only leverage but can also pick and choose from various in-house Qualys researched threat indicators as well as threat feeds coming from partners for comprehensive thread-based vulnerability prioritization, instead of relying on limited feeds from a single vendor, which you cannot pick and choose per your environment.

Claim #3: Qualys’ modular approach requires an additional cost for every additional functionality you need from the product, making it costly to take a holistic approach to your VRM program

Qualys pricing has zero hidden costs. It is a simple, subscription-based annual pricing with free access to 24×7 support service as well as to technical account managers and solution architects. The cloud-based solution makes sure that customers don’t have any console or infrastructure to deploy and/or manage, meaning no deployment services to pay for, as is the case for many on-premises solutions. Additionally, there is no cost for Qualys trainings and certifications.

figure 6: VMDR Asset-Based Pricing

As you can see from the above screenshot, the VMDR solution is based on a simple asset-based pricing and includes all the above capabilities with the biggest differentiating value being it comes with integrated workflows, for end-to-end vulnerability management.

Qualys understands that not all customer environments and requirements are the same, and customers need flexibility in regards to which capabilities to purchase. For example, a customer might not require mobile and CI/CD integrations. To cater to such cases, Qualys provides an option to purchase ‘à la carte’ integrated capabilities as well.

Claim #4: Qualys’ VMDR offering may be a start towards consolidation, but it’s not backed by tried-and-tested solutions that lead their respective markets

Qualys VMDR is an all-in-one solution that helps customers with discovering and inventorying assets and applications running in a hybrid environment and arranges assets based on business criticality and the role they play in the environment. In vulnerability and configuration management, it enables threat-based prioritization with a context of assets and configurations, and deploys patches using the same VM cloud agent without choking the VPN and bandwidth. This end-to-end native workflow helps customers eliminate the need for complex and time-consuming integrations of multiple point solutions, which mostly do not interact well due to the difference in architecture and data flows.

figure 7: VMDR - One Single Platform

The most important part of any Vulnerability Management solution is the unification of data from hybrid environment-based assets, as this collected data is further used for prioritization and remediation. As mentioned earlier, the Qualys cloud platform is built to unify the data coming from its various sensors unlike some of the competitive tools which have a separate on-premises VM solution and a separate cloud VM solution, creating issues in unifying collected data for further reporting, prioritization.

‘Best of breed’ is not separate solutions requiring integration, but a simple, end-to-end, unified solution helping customers assess vulnerabilities in a prioritized manner and remediate them through native patching, significantly reducing the ‘time-to-remediate’ (TTR).

Claim #5: Qualys’ modular approach makes it harder for users to keep tabs on all of the moving parts in their VRM program, and lacks the centralization you need to understand your risk posture at a glance

The Qualys Cloud Platform has always been a single unified cloud platform with capabilities, data, modules and workflows connected to each other, bringing in all relevant data into one single cohesive dashboard. The screenshot on the right shows asset details showing IT, security, vulnerability and compliance posture in a single unified view. This view further enables customers to initiate the remediation process.

figure 8: Asset Summary

There are varied security capabilities and use-cases ranging from File Integrity Monitoring (FIM) to Indicator of Compromise (IOC) to Agent Management, requiring separate workflows, owned by separate teams in enterprises. As a mature solution, we provide dedicated access, workflows and capabilities to help each customer’s various teams with defining their specific workflows on the same platform.

As you can see below, customers can go from asset selection to vulnerability prioritization to patch deployment in a cohesive manner.

figure 9: VMDR PrioritizationEase of use and experience is just not about the modules and UI, but also about providing customers usability and the ability to embed sensors and capabilities in their own workflows, outside the tool, from the source. Below is another example of how one of the largest global banks has embedded the Qualys agent in their CI/CD workflow to manage the entire journey of asset inventory, vulnerability and configuration assessment from the source, before they go into production.

figure 10: Vulnerability Assessment in CI/CD

Another huge competitive differentiator Qualys platform provides due to its architecture and native cloud capabilities, is the ability to fully integrate and embed in many of the public cloud providers such as native integration of vulnerability assessment of hosts and containers in Azure (with partnership with Microsoft), where the deployment and assessment done by Microsoft Azure is powered by Qualys. In this case, the customer does not have to even deploy an agent or run any scans or assessment in the Qualys UI. This is done behind the scene in native Azure UI itself for customers to have seamless experience of security and vulnerability assessment.

figure 11: Azure Container Registry

This is a whole new level of ease of experience and use, going beyond just UI and dashboard improvements.

Claim #6: Qualys requires additional modules (and therefore extra costs) for functionality that comes out of the box with InsightVM, such as integration with ticketing systems for patching

Qualys’ solutions are robust and mature, and they include in-built support for multiple remediation options and for some time have included a native ticketing engine.

Qualys VMDR supports multiple remediation options, such as:

  • Continuous rule-based monitoring
  • Alerting and notifications
  • Native ticketing
  • Exception management
  • Active response in terms of patching and configuration remediation
  • Open APIs for external integration

Patch Management allows automated correlation of vulnerability and patch data, tracking of missing patches and to know what vulnerabilities the patches will fix. Patches can be deployed to the devices directly from the cloud, without impacting the organization’s VPN or bandwidth.

Qualys’ easy-to-use Exception Management tools, open-APIs for end-to-end external integrations, as well as the large number of remediation partners (BMC BladeLogic for example) who have done integrations with Qualys making no-cost remediation options available, are just a few features that make Qualys a better solution today.

figure 12: Ruleset BuilderThe native integration of the continuous and proactive rule-based monitoring options backed by real-time alerts and notifications in Qualys solutions allow customers to persistently look for potential problems and proactively address them, instead of waiting to respond to incidents after they occur.

Hence, the statement that Qualys requires additional modules for varied functionalities can be said to be shallow and devoid of any merit.

Claim #7: Measurable Progress - InsightVM is the only VRM vendor with this capability

figure 13: Dashboarding and Reporting

Qualys’ dashboarding and reporting capabilities leverage the latest technologies and microservices such as ElasticSearch to include in-built capabilities for tracking vulnerabilities and context-based trending for remediation.

The VMDR solution combines advanced analytical methods and real-world contextual factors to deliver a prioritized workflow that drives effective remediation. The unified dashboard enables you to track mean-time-to-remediate, making it way ahead of its competitors.

Moreover, various other dashboard customizations that are provided out-of-the-box, such as reopened vulnerabilities, failing misconfigurations, vulnerability age, and scan age add to the competitive edge. One can make use of the various easy-to-use widgets that are directly built into the platform, collect trend data and track progress without having to write any SQL statements or complicated queries. With just one click, Qualys enables customers to track progress and compare the burn-down rate of various security data points.

Claim #8: Qualys can install patches via its agents, but that is the only option for its customers

figure 14: Patch CatalogLooking at the whole claim paragraph, we are assuming that Rapid7 means that Qualys platform does not provide any other remediation capabilities other than installing patches. As previously mentioned, Qualys VMDR not only fully automates the remediation process with number of capabilities such as ticketing, alerting and notifications so that security teams are notified when vulnerabilities are discovered to take actions outside the solution, but also helps with active remediation capabilities such as patching, certificate renewal based on asset-related contextual data. With agent-based patching in VMDR, vulnerabilities and patches are automatically correlated, which speeds the remediation response. Furthermore, the ability to auto-deploy patches via the cloud provides an additional advantage.

The recently launched 'Qualys Endpoint Protection' service provides customers with the ability to manage remote endpoints through a single cloud agent thus enabling a productive, collaborative global, remote workforce.

The cloud-based VMDR solution enables:

  • Discovery of assets connecting to the internal network
  • Vulnerability Management with remote host-specific vulnerabilities for collaboration, productivity tools
  • Managing critical remote host and apps-specific security hygiene
  • One-click Patch Deployment from cloud, without impacting the VPN and bandwidth

Rapid7’s claim that Qualys only provides 'patching via agents' as the only option for remediation renders baseless, as it does provide other remediation capabilities, both active and passive.

Claim #9: Qualys’ offering lacks integrations with crucial internal network services like Active Directory and DHCP, limiting customers’ visibility into their attack surfaces

More than 70 technology solutions leverage and integrate with Qualys workflows and data flows, through easy-to-use, efficient and open XML APIs. Qualys is a long time SaaS provider and has open APIs that enable the developer community to leverage the extensibility and flexibility of the APIs to build external workflows suited for their business cases. Qualys VMDR enables automatic discovery of Windows servers with Active Directory, rule-based tagging and classification for Domain Controllers. Additionally, Qualys configuration management integrated in VMDR provides rich set of configuration controls not just for active directory but also for Microsoft Intune technology, used by customers to manage their remote endpoints. Qualys also provides elevated security for DHCP, DNS through integration with Infoblox.

Claim #10: Qualys’ RBAC capabilities have been dinged as inflexible, causing potential security risks especially in enterprise environments with large volumes of users

Being a cloud-based, multi-tenant platform, Qualys has integrated very strict and strong built in RBAC capabilities in its products. The RBAC capabilities in Qualys are restricted not only to role-based access, but they extend to the scoping rights of the user account as well.

Additionally, tag-driven user scoping for dashboarding and searching capabilities are also another built in feature for Qualys. The new VM Dashboard, launched with VMDR, uses a customizable RBAC model with Read/Modify permissions for using the unified dashboard widgets.

figure 15: User Management


There are two major shifts happening in IT and security – The IT environment is becoming increasingly hybrid and vulnerability management programs are evolving. Qualys VMDR is an all-in-one vulnerability management, detection and response solution, based on a cloud native platform with a multi-layered architecture, designed to scale for billions of security and vulnerability datapoints, required in providing risk-based context for vulnerability management. Qualys VMDR provides unified workflows for real-time asset inventory, vulnerability and configuration management, risk-based prioritization of vulnerabilities and the ability to deploy patches to fix vulnerabilities. The false claims made by Rapid7 can safely be dismissed as lacking in research and full context of customer’s end to end use-cases. During these times of an increasing remote workforce, Qualys is concentrating on helping customers address the security challenge of remote endpoints and applications and would encourage the competition to concentrate on the common enemies – attackers and vulnerabilities.

Elevate your Vulnerability Management Program with Qualys VMDR

Get a free trial of VMDR, the all-in one Vulnerability Management, Detection and Response service.

See a live demo at VMDR Live on April 21, 11am - 1pm PT.

Learn how the Remote Endpoint Protection service can help with remote endpoint security challenges end to end.

Additional Resources

About the Author

Shailesh Athalye, VP of Compliance Solutions, Qualys