GigaOm has unveiled its third-annual Radar for Continuous Vulnerability Management featuring Qualys. In this Report, GigaOm provides a detailed analysis of the value and progression of vulnerability management (VM) capabilities to help organizations build the best security and vulnerability management program to meet their needs, now and into the future.

The 2023 Report shifts its focus to continuous VM for traditional areas of coverage, with the addition of new modern requirements that support public cloud resources and IT / DevOps workflows.

What GigaOm Radar Says About Qualys

The headline of this post gives away the results, so let’s clarify exactly what GigaOm Radar said about Qualys and then describe some of their evaluation processes.

From the GigaOm Radar: “Qualys is a well-established player in the vulnerability management field, offers vulnerability management, detection, and response (VMDR), a risk-based solution for managing vulnerabilities and misconfigurations. With the recent upgrades to VMDR 2.0 with its TruRisk capability, the platform has undergone significant upgrades, providing a range of SaaS-delivered features to effectively measure and reduce cyber risk.”

And, “The VMDR platform’s infrastructure scanning capabilities are robust…. VMDR’s automation capability is worth noting, especially as it relates to patching…The VMDR solution is able to deploy patches to endpoints automatically, significantly reducing the labor required during remediation activities for most organizations.”

“Also noteworthy in this space is the continued yet steady pace at which vendors maintain and develop features for this solution set… while only one vendor demonstrated Outperformer characteristics.”

We’re pleased to announce that only Qualys occupies the Outperformer’s pole position in the GigaOm Radar!

GigaOm Radar for Continuous Vulnerability Management

The GigaOm Radar below plots the positions of all the vendors in the Report based on critical technical capabilities and features that support the needs of the modern attack surface. Vendors in the concentric ring closest to the center are judged to be of higher overall value. The arrow projects each solution’s evolution over the next 12 to 18 months. Note the projection for Qualys VMDR: aiming close and straight for the center bullseye!

Continuous VM Criteria and Metrics in GigaOm Radar

Qualys and competitors serve large enterprises and SMB companies, but GigaOm Radar’s key criteria for evaluating continuous VM are especially important to large, distributed organizations. The seven areas of evaluation criteria for the GigaOm Radar are:

• Application Security Testing – Assessing and reporting on the security level of an application moving through the DevOps lifecycle.
• Infrastructure Vulnerability Scanning – Identifying security weaknesses in physical and virtual systems and software.
• Software Composition Analysis – Identifying potentially vulnerable open-source software used in first-party custom applications in the process of evaluating security, license compliance, and code quality.
• Infrastructure-as-Code (IaC) Review – Assessing the quality and safety of code used to automatically provision and manage infrastructure.
• Aggregation of Vulnerability Data Sets – Simplifying the analysis and remediation of enterprise vulnerabilities by automatically grouping similar or identical vulnerabilities discovered in different scans.
• Automation of Workflows – Accelerating enterprise vulnerability discovery, analysis, and remediation by removing some or all the human elements from the VM process.
• AI-Assisted Risk Calculation – Accelerating the calculation of risks to enterprise systems and data using machine learning and other AI techniques.

GigaOm Radar tapped Qualys with three “Exceptional” key criteria rankings: Infrastructure Vulnerability Scanning, Aggregation of Vulnerability Data Sets, and AI-Assisted Risk Calculation. Qualys earned “Capable” rankings for the other key criteria.

“GigaOm’s shift in approach to continuous VM is a smart move,” says Pinkesh Shah, Chief Product Officer at Qualys. “Everyone’s moving to the cloud, and many organizations need to secure complex hybrid environments. The new evaluation criteria give users a real-world handle on hot button requirements unmet by legacy tools – it’s why we’ve built all this functionality into VMDR 2.0.”

GigaOm Radar’s evaluation applied four metrics to the seven key criteria for each vendor’s solution. Evaluation metrics include:

• End-to-End Coverage – Comprehensive applicability of continuous VM to all physical and virtual systems and software in a large modern enterprise environment.
• Interoperability – Seamless ability to automatically assess the security of all physical and virtual assets, including automatic ingestion of operational data from multiple tools across the enterprise for modern analytics and workflows.
• Licensing & Support – Clear, simple processes for licensing and support – particularly in ephemeral cloud environments.
• Scalability – Ability for continuous VM to address sudden increases in virtual infrastructure, applications, and workloads for massive, even global requirements.

Qualys earned “Exceptional” rankings for End-to-End Coverage, Interoperability, and Scalability. GigaOm ranked Licensing and support as “Capable.”

“Comparing and judging capabilities of 11 different continuous VM solutions was no simple task,” says Chris Ray, an analyst at GigaOm. “The results earned by Qualys make it one of the strongest performers for continuous VM – especially for large enterprises that depend on accurate, reliable protection from modern cyber risks.”

Qualys VMDR Features Ranked by GigaOm Radar

Qualys VMDR customers are long familiar with its award-winning continuous discovery capabilities. If you’re just becoming familiar with VMDR, here is a short list of capabilities that served as a best-practice framework for the GigaOm Radar evaluation.

Asset Management

• Asset Discovery
• Asset Categorization and Normalization
• Enriched Asset Information
• CMDB Synchronization

Vulnerability Management

• Vulnerability Management
• Configuration Assessment
• Certificate Assessment
• ITSM Tool Integration
• Qualys TruRisk
• Qualys Flow
• Custom Assessment & Remediation
• Additional Assessment Add-Ons – Includes Mobile Device Vulnerability and misconfiguration Assessment, Cloud Security Assessment, and Container Security Assessment

Threat Detection & Prioritization

• Continuous Monitoring
• Threat Protection

Response

• Patch Detection
• Patch Management via Qualys Cloud Agents
• Patch Management for Mobile Devices
• Container Runtime Security
• Certificate Renewal

Diverse Sensors

• Qualys Sensors with unprecedented scalability and flexibility

Other Integrated Qualys Cloud App Add-on

• Endpoint Detection & Response
• Web Application Scanning
• Policy Compliance
• PCI Compliance
• File Integrity Monitoring
• Security Assessment Questionnaire Ons
• Out-of-Band Configuration Assessment

Why Qualys Customers Choose VMDR

Children’s Mercy Kansas City is a leading pediatric care center in the US that has 8,200 employees and more than 40,000 IT assets. With VMDR, they cut their total number of vulnerabilities by 85% within 18 months using the solution’s prioritization feature for remediation, according to Ravi Monga, Director of Cybersecurity.

Monga says the key driver was keeping the protected health information (PHI) of patients and families safe and ensuring compliance with the Health Insurance Portability and Accountability Act (HIPAA).

“Thanks to Qualys, our priorities for remediation aren’t subjective any longer. We can make clear, data-driven decisions about what to target first,” says Monga.

London-based University of Westminster enjoyed similar results with VMDR. It supports more than 19,000 students and has about 6,500 digital assets with the usual heterogeneity intrinsic to an educational institution. “Mobile devices make up a significant portion of our estate: they account for 45% of all our endpoints,” says Thierry Helaitre, Head of IT Development.

The University of Westminster’s reasons for choosing Qualys included a complete, real-time view of vulnerabilities across all on-premises and cloud assets and significant remediation capabilities, including:

• Accelerate patching for more than 5,000 assets through a single pane of glass.
• Reduce average time to remediate vulnerabilities from weeks to days, cutting the risk of zero-day attacks.
• Cut the average number of vulnerabilities per device by up to 93%, shrinking the attack surface for ransomware threats.

“Through our partnership with Qualys, we’re gaining the fine-grained, real-time insights we need to protect students, colleges, schools, and employees across the University of Westminster,” says Delaitre.

Get the GigaOm Report Today

With this compelling intro, there’s but one thing left to do:

Download the GigaOm Radar, Read Its Insights, and Take Action With Qualys VMDR!

After you read the GigaOm Radar, we invite you to Try VMDR for Free and experience all these benefits in your own environment. And, if your organization is already using VMDR, you have permission to pat yourself on the back and say, “Well done!”

P.S. We invite you to join our webinar on Oct 10, 2023, with GigaOm describing the Radar findings in more detail. Register here