Qualys VMDR

Qualys

Founded 1999·US·Public
Combined score: 4.4

G2: 4.3 (560 reviews)
Gartner: 4.4 (555 reviews)

Security incident on record: Multiple brief outages reported in 2025 by users

Editorial verdict

Qualys VMDR has the most pragmatic total cost of ownership in the enterprise vulnerability management category. The single agent covering VM, CSPM, and EDR reduces agent sprawl, and native patch management included in the base subscription is a genuine differentiator that Tenable and Rapid7 cannot match without additional products.

The false positive rate is a documented challenge. A false positive rate of up to 30%, noted in some reviewer environments, means security teams need to budget tuning time into their operations. The query language also lacks Boolean grouping operators that power users rely on in comparable platforms.

The verdict: Qualys VMDR is right for organisations that want the most complete VM and patch management platform in one product at a competitive price. Organisations prioritising the lowest false positive rate and the most intelligent prioritisation should evaluate Tenable.

Last reviewed: May 2026

G2: 4.3 (560 reviews)
Gartner: 4.4 (555 reviews)
PeerSpot: 8.3 (220 reviews)
Gartner MQ: Leader

Vulnerability Management assessment

PROTECTION: Strong
Asset & exposure coverage: 5 / 5

Single agent covers VM, CSPM, and EDR — significant agent sprawl reduction. AWS, Azure, GCP, on-prem all covered. Scored 5 for multi-domain single-agent coverage.

Sources: Qualys VMDR documentation

Risk prioritisation: 4 / 5

TruRisk scoring incorporates asset criticality and business context. Native patch management correlation is unique. Scored 4 because prioritisation sophistication is strong but slightly less mature than Tenable VPR.

Sources: Qualys TruRisk documentation

OPERATIONS: Strong
Remediation workflows: 5 / 5

Native patch management is the category differentiator — no third-party integration needed. Scored 5 because combined VM+patching in one subscription is unique.

Sources: Qualys VMDR documentation

ANALYTICS: Strong
Vuln metrics & KPIs: 4 / 5

Good metrics and compliance reporting. Scored 4 because some reviewers note false positive rates and query limitations.

Sources: Gartner reviews, G2 reviews

TRUST & ECOSYSTEM: Strong
Scan performance: 4 / 5

Good performance. Scored 4 because multiple brief outages in 2025 and a documented 30% false positive rate in some configurations are concerns.

Sources: G2 reviews 2025, Gartner Peer Insights

Strongest: Asset & exposure coverage

Watch out for: Scan performance

Strengths & limitations

Strengths

Only major VM with native patch management in base subscription
TruRisk scoring — strong risk-based prioritisation with asset criticality
Single agent covers VM, CSPM, and EDR — reduces agent sprawl

Watch out for

Up to 30% false positive rate — requires tuning
Support response times criticised; outages in 2025
Query language less flexible than Tenable

Best for

Organisations wanting VM and patch management in a single platform for compliance-heavy audits.

Not suitable for: Orgs requiring very fast scan speeds or intuitive UI

Compliance coverage

Essential Eight
AU Privacy Act
SOC 2
HIPAA
NIST CSF
PCI-DSS
CMMC
GDPR
NIS2
ISO 27001
CIS Benchmarks
DORA

Quick facts

Pricing model: per asset/year subscription
Pricing range: $199/asset/year (VMDR); enterprise custom
Free trial: Yes — 30 days
Min seats: No minimum
Deployment time: < 1 week
Complexity: 2 / 5
Pricing transparency: 3 / 5
AU presence: Yes
IRAP assessed: No
Open source: Proprietary

Deployment

Models: SaaS
OS support: Windows, macOS, Linux
Cloud: AWS, Azure, GCP
Support: Phone, Email, Dedicated CSM
Data residency: US, EU

Company

Qualys

Founded 1999 · 2,000-3,000 employees · Public

HQ: US

$500M revenue

Certifications

FedRAMP High, SOC 2 Type II, ISO 27001, PCI-DSS

Integrations

ServiceNow, Jira, Splunk, AWS Security Hub, CrowdStrike, IBM QRadar