Rapid7 vs Qualys

By UpGuard on February 6, 2017

Filed under: security, vulnerabilities, cybersecurity, Rapid7, Qualys

According to the Forbes Insights/BMC second annual IT Security and Operations Survey, 43 percent of enterprises plan on redoubling their patching and remediation efforts in 2017, citing patch automation investments as having the best ROI among security technology purchases in 2016. It's not hard to understand why: the same survey reveals that known security vulnerabilities continue to cause the majority of data breaches and security compromises. Rapid7 and Qualys are two leading cybersecurity vendors in the vulnerability management space—let's see how they stack up in this comparison.

Patching is just one aspect of vulnerability management, and many enterprise security suites utilize a combination of vulnerability analytics and reporting/assessment capabilities as part of a broader threat detection cybersecurity framework. For example, Rapid7's Nexpose analytics engine allows security professionals to prioritize the highest risk vulnerabilities for more resilient remediation efforts. 


Similarly, the Qualys Cloud Platform—previously known as QualysGuard—bundles an integrated enterprise suite of security and compliance tools around its battle-tested vulnerability management solution.

Rapid7

Rapid7 is arguably best known for its open source Metasploit Framework, an advanced set of tools for creating and deploying exploit code. The project was initially released in 2004 and was acquired by the company in 2009; today, Metasploit is widely regarded as the world's leading pentesting tool. As with other products in its suite, Rapid7 offers tight integration between Metasploit and Nexpose—a common security workflow involves scanning for vulnerabilities with Nexpose, followed by exploit testing of the findings with Metasploit.

Image: The Rapid7 Nexpose UI. Source: rapid7.com.

Additionally, Rapid7's new insightOps platform gives IT operations teams centralized endpoint visibility and infrastructure analytics.

Qualys

An early player in the vulnerability management arena, Qualys now offers a comprehensive suite of consumer/SMB-focused tools, enterprise security solutions, as well as subscription-based security services. The Qualys Cloud Platform—formerly known as QualysGuard—is the company's flagship enterprise security suite. The solution offers asset discovery, network security, web application security, threat protection and compliance monitoring features under a unified management console.

Image: The QualysGuard UI. Source: qualys.com.

The company also offers free tools such as its Qualys BrowserCheck, AssetView Inventory Service, and FreeScan vulnerability scanner, among others.

Side-by-Side Scoring: Rapid7 vs. Qualys

1. Capability Set

Both solutions are highly capable at detecting and managing critical vulnerabilities that could lead to data breaches. Rapid7 Nexpose's vulnerability management lifecycle spans discovery to mitigation, and Rapid7 offers adjacent tools such as Metasploit for vulnerability exploitation. The Qualys Cloud Platform offers a range of tools for detecting and prioritizing vulnerabilities and includes a live threat intelligence feed of real-time security updates, as well as asset management and cloud/web application scanning.

Rapid7 score: (image) / Qualys score: (image)


2. Ease of Use

The Qualys Cloud Platform's interface is easy enough to get a handle on but feels over-modularized because of the number of moving, interacting parts. Rapid7's clean, intuitive web interface gives it the win in this category.

Rapid7 score: (image) / Qualys score: (image)


3. Community Support

As mentioned previously, the Metasploit Framework was a popular, freely available open source project before the Rapid7 acquisition and remains so to this day. Consequently, the project boasts a sizable body of community support resources, alongside the company's robust community portal on its public website. Qualys hosts an active community website containing support forums, product training resources, and more.

Rapid7 score: (image) / Qualys score: (image)

4. Release Rate

Both platforms have seen regular releases over the years; that said, Rapid7's Nexpose (currently at version 64.) seems to have more continuity across versions. Additionally, its open source Metasploit Framework is actively maintained by the community, and a full release history is available on its website. Currently at version 8.9, Qualys' vulnerability scanner has seen regular updates over the years, despite several confusing rebranding and product consolidation efforts. The entire suite was recently rebundled as the Qualys Cloud Platform, though the two names are apparently interchangeable.

Rapid7 score: (image) / Qualys score: (image)

5. Pricing and Support

Express versions of Nexpose and Metasploit start at $2,000 and $5,000, respectively; a full-featured PRO version starts at $15,000 per year. The Metasploit Framework itself remains free and open source.

The Qualys Cloud Platform can be deployed as an on-premises or SaaS-based offering and is sold on an annual subscription basis: $295 for small businesses to $1,995 for larger enterprises, based on the number of endpoints monitored. Both vendors offer premium phone, web, and onsite support options, along with professional services for custom deployments.

Rapid7 score: (image) / Qualys score: (image)

6. API and Extensibility

Rapid7's Nexpose offers only an XML-based API, though the Metasploit Framework comes with a REST API for building custom integrations. Similarly, Qualys provides only a non-REST, XML-based API for integrating custom applications with its security and compliance tools.

Rapid7 score: (image) / Qualys score: (image)

7. 3rd Party Integrations

Rapid7 features integrations with leading cybersecurity vendors and tools/platforms such as AWS, Jenkins, ForeScout, Splunk, Okta, and VMware, among others. The Qualys Cloud Platform provides integrations with ServiceNow, Splunk, BMC, and ForeScout, to name a few.

Rapid7 score: (image) / Qualys score: (image)

8. Companies that Use It

Rapid7's customer list reads like a who's who of leading global enterprises: Adobe, Amazon.com, Microsoft, Ingram Micro, and Johnson & Johnson, to name a few. Not to be outdone, Qualys claims over 60% of the Forbes Global 50 as its customer base, with companies like Cisco, DuPont, Microsoft, Sabre, and Sony Network Entertainment using its products.

Rapid7 score: (image) / Qualys score: (image)

9. Learning Curve

Rapid7 Nexpose's intuitive web interface makes getting up to speed with the platform a relatively trivial affair. Similarly, Qualys' easy-to-use web interface makes it accessible to novices, though Nexpose has a somewhat flatter learning curve.

Rapid7 score: (image) / Qualys score: (image)

10. CSTAR

Qualys' strong CSTAR score of 882 falls short of a perfect score because of a couple of security flaws, namely the lack of DMARC and disabled DNSSEC. Rapid7's average CSTAR score of 650 is the result of various security gaps, including server information leakage, lack of secure cookies, missing DMARC/DNSSEC, and more.
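The four gaps named above (missing or unenforced DMARC, disabled DNSSEC, cookies without the Secure/HttpOnly flags, and version-leaking Server headers) are all checks an external posture scanner can make from public DNS answers and HTTP response headers. The script below is an added example of such checks and is not UpGuard's CSTAR scoring logic or either vendor's code; it runs over constructed sample observations rather than querying a live host, and the `Observation` structure, the check names and the "weak" vs. "hardened" domain data are all assumptions made for illustration.

```python
"""Posture checks of the kind behind the CSTAR items named above, run over
constructed sample data. Hypothetical helper code, not UpGuard's scoring logic."""
import re
from dataclasses import dataclass


@dataclass
class Observation:
    """What an external scanner would have gathered for one domain (constructed)."""
    domain: str
    txt_records: dict      # DNS name -> list of TXT strings
    has_dnskey: bool       # whether a DNSKEY/DS chain was found for the zone
    http_headers: list     # (name, value) pairs; repeated names allowed


def check_dmarc(obs):
    """A DMARC record only helps if its policy is quarantine or reject."""
    name = f"_dmarc.{obs.domain}"
    for txt in obs.txt_records.get(name, []):
        if txt.lower().startswith("v=dmarc1"):
            tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
            policy = tags.get("p", "none").strip().lower()
            if policy in ("quarantine", "reject"):
                return []
            return [f"DMARC present but policy is '{policy}' (not enforced)"]
    return ["No DMARC record"]


def check_dnssec(obs):
    return [] if obs.has_dnskey else ["DNSSEC not enabled"]


def check_cookies(obs):
    """Every Set-Cookie header should carry both Secure and HttpOnly."""
    findings = []
    for name, value in obs.http_headers:
        if name.lower() != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"Cookie '{cookie}' missing Secure flag")
        if "httponly" not in attrs:
            findings.append(f"Cookie '{cookie}' missing HttpOnly flag")
    return findings


VERSION_RE = re.compile(r"/\d")  # matches banners such as "Apache/2.4.18"


def check_server_header(obs):
    """Server / X-Powered-By banners that include a version number leak software details."""
    for name, value in obs.http_headers:
        if name.lower() in ("server", "x-powered-by") and VERSION_RE.search(value):
            return [f"{name} header leaks software version: {value}"]
    return []


def assess(obs):
    """Run every check and return the combined list of findings (empty means clean)."""
    findings = []
    for check in (check_dmarc, check_dnssec, check_cookies, check_server_header):
        findings.extend(check(obs))
    return findings


# Constructed sample data: a weak posture and a hardened one for the same domain.
WEAK = Observation(
    domain="example.test",
    txt_records={"_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"]},
    has_dnskey=False,
    http_headers=[("Server", "Apache/2.4.18 (Ubuntu)"),
                  ("Set-Cookie", "session=abc123; Path=/")],
)
HARDENED = Observation(
    domain="example.test",
    txt_records={"_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"]},
    has_dnskey=True,
    http_headers=[("Server", "Apache"),
                  ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")],
)

if __name__ == "__main__":
    for label, obs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess(obs))
```

The DMARC check deliberately treats `p=none` as a finding rather than a pass: a monitoring-only record is a common halfway state that still leaves a domain spoofable, so a scanner that only tests for the record's presence would overrate it.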

Rapid7 CSTAR score: (screenshot)

Qualys CSTAR score: (screenshot)


Scoreboard and Summary

Category                  Rapid7          Qualys
Capability Set            (score image)   (score image)
Ease of Use               (score image)   (score image)
Community Support         (score image)   (score image)
Release Rate              (score image)   (score image)
Pricing and Support       (score image)   (score image)
API and Extensibility     (score image)   (score image)
3rd Party Integrations    (score image)   (score image)
Companies that Use It     (score image)   (score image)
Learning Curve            (score image)   (score image)
CSTAR                     (screenshot)    (screenshot)
Total                     4.8 out of 5    4.3 out of 5


Both the Qualys Cloud Platform and Rapid7 Nexpose are comprehensive enterprise cybersecurity suites with competent vulnerability management capabilities. For those interested in exploitation testing as part of a broader set of security assessment activities, Rapid7's popular, open source Metasploit Framework coupled with Nexpose is hard to beat. Enterprises heavy on the IT operations management (ITOM) side of affairs may find Qualys Cloud Platform a better fit, as it offers features such as IT asset management and discovery on top of vulnerability management.
