A side-by-side comparison of Qualys with its main competitors. Easily compare performance across multiple categories and understand what the market is saying with independent reviews.
A side-by-side comparison of Qualys with its main competitors. Easily compare performance across multiple categories and understand what the market is saying with independent reviews.
UpGuard is an end-to-end third-party risk management platform with best-in-class time-to-value and scalability from initial implementations to beyond. UpGuard delivers powerful, integrated tools for automated third-party monitoring, in-depth risk assessment and remediation, and one-click reporting. By combining actionable insights with built-in risk management workflows, UpGuard helps organizations maintain comprehensive oversight of their supply chain security posture and equips them with the necessary tools to shut down emerging risks rapidly.
Qualys is an IT and vulnerability management platform designed to consolidate internal security data from across an enterprise, with some third-party risk management (TPRM) features. By leveraging a combination of cloud agents, network scanners, and cloud integrations, the platform discovers assets and aggregates vulnerability intelligence into a unified risk metric known as TruRisk. IT security and compliance teams use Qualys for vulnerability management, detection, and response (VMDR), as well as patch management, to lock down their own first-party digital infrastructure. However, verified user feedback indicates that the reporting functionality can be limited.
Key strengths
UpGuard excels by completing full vendor scans every 24 hours, which provides near real-time visibility into vendor security postures while seamlessly integrating native end-to-end AI-powered vendor assessment workflows. UpGuard's licensing model and efficient learning curve offer best-in-class time to value and program efficiency.
Through its Security Assessment Questionnaire (SAQ) module, the platform automates the deployment and evaluation of vendor risk assessments using custom drag-and-drop components and a pre-built library of compliance templates.
Key weaknesses
UpGuard's focus on core frameworks like ISO 27001 and NIST offers robust coverage for most security and compliance needs, though organizations requiring highly specialized or region-specific regulations may choose to augment it with dedicated GRC modules. Its strengths in cybersecurity and continuous monitoring ensure strong TPCRM capabilities, but those seeking an all-encompassing governance solution (e.g., covering environmental or privacy regulations) might benefit from additional integrations.
Some users report that the platform's interface isn't as robust as it could be. Additionally, some users have noted that the product is more expensive than competitors'.
Usability and learning curve
UpGuard offers best-in-class time to value for initial implementations. UpGuard's platform architecture is designed from the ground up to deliver a quick and shallow adoption curve. UpGuard's clean and intuitive interface ensures ease of ongoing operation and rapid pick-up from new staff members as needed.
As the platform operates as an enterprise-wide security console, initial configuration involves defining asset tags, deploying cloud agents, and establishing network scan profiles before you can segment third-party vendors from first-party assets. Teams may face a learning curve to stand up a functional vendor risk program, as they'd need to isolate vendor-specific questionnaire data from corporate vulnerability metrics.
Cyber risk data accuracy
UpGuard's real-time data refresh rate ensures up-to-date and accurate vendor security posture calculations while also allowing users to initiate scans on demand. Threat Monitoring automatically scans the open, deep, and dark web for data leaks and exposed credentials, using AI-powered analysis to reduce false positives and prioritize findings for targeted, timely remediation.
Qualys uses an inside-out data collection methodology that relies on network scanning and local asset instrumentation. The platform gathers security data via embedded cloud agents and network perimeter scans. For internal assets, this enables real-time monitoring and accurate attribution through direct machine access.
Vendor risk management features
UpGuard offers a natively integrated end-to-end workflow addressing the complete Third-party Risk Management lifecycle—from onboarding to risk management and ongoing monitoring.
Qualys focuses its third-party validation around an assessment-driven vendor risk management (VRM) lifecycle based on its SAQ module. Administrators group and tag vendors within the console and enter vendor email contacts to auto-provision external portal access. Using a drag-and-drop web wizard or a prebuilt compliance library that covers frameworks like GDPR, NIST, and ISO, security teams build and launch questionnaire campaigns. As answers and evidence are submitted, Qualys factors in question criticality weights and predefined answer values. When control gaps are surfaced, analysts manage remediation by triggering follow-up assessments or configuring multi-stage review and approval workflows.
Attack surface management features
UpGuard provides continuous attack surface monitoring, identifying exposed assets, misconfigurations, and vulnerabilities. It maps internet-facing infrastructure, detects risks like expired certificates and open ports, and prioritizes threats for remediation. Clear, actionable insights help organizations reduce exposure and strengthen their external security posture.
Qualys uses a combination of cybersecurity asset management (CSAM) and its external attack surface management (EASM) module. The platform features an outside-in asset discovery engine that takes a primary company domain and executes subdomain enumeration to uncover shadow IT, forgotten web apps, and exposed APIs.
Customer support
Known for world-class support across all tiers and customer-friendly guidance, UpGuard delivers proactive and prompt engagement to resolve customer issues quickly. Dedicated teams assist with both technical and strategic TPRM challenges.
Qualys provides 24/7/365 support that's included with all active subscriptions. Technical assistance is delivered via ticketing, where issues are submitted through a customer portal.
Workflow automation
UpGuard's AI-powered Security Profile automatically identifies risks and control gaps, then generates contextualized, point-in-time assessment reports in minutes. It also provides a pre-configured (and adjustable) set of controls for two leading security frameworks: ISO 27001:2022 and NIST CSF 2.0. Custom notifications simplify tracking of critical events and prompting of important follow-up actions. The platform also facilitates automatic vendor tiering, labeling, and custom attributes based on questionnaire responses for faster vendor onboarding and improved TPRM scalability.
The platform's built-in automation streamlines your incident response and accelerates threat mitigation. With a native API, teams can export high-fidelity indicators of compromise (IOC) into existing security dashboards. This enables security teams to sync external intelligence with internal security information and event management (SIEM) platforms, or trigger automated defensive plays inside your security operations center (SOC).
Artificial intelligence features
UpGuard’s AI-powered platform streamlines the entire vendor assessment process. AI evidence analysis combined with automated scanning immediately uncovers control gaps and risks. Each finding is accompanied by transparent, traceable citations so security teams can quickly verify sources and take action. AI-generated risk assessment reports, which are typically produced in under a minute, help organizations rapidly communicate risks with stakeholders. This results in faster decision-making, more accurate and consistent reporting, and significantly reduced manual workloads.
Qualys drives its automation with an agentic AI framework embedded in its risk operations center (ROC). This vulnerability infrastructure relies on goal-directed agents to autonomously reason over risk data and accelerate remediation.
API and integrations
UpGuard provides a well-documented API enabling custom integrations, webhooks, and automation across common security and GRC tools. Its extensibility is straightforward, designed for rapid deployment and minimal setup friction. UpGuard also connects with over 4,000+ apps through a dedicated Zapier integration. Streamlines remediation and monitoring by natively integrating with Jira, Service Now, and Slack.
The platform uses API connectivity with a marketplace to export vulnerability data and asset intelligence to your defensive infrastructure. It connects natively across enterprise software categories, supporting SIEM systems like Splunk, IBM QRadar, and Microsoft Azure Sentinel. It also supports ServiceNow and Jira.
Purchasing & licensing transparency
UpGuard offers a freemium package for monitoring up to 5 vendors. Also provides free access to an AI-powered vendor questionnaire management tool, Trust Exchange. Pricing starts at USD 1,750 / month. A 14-day free trial for paid plans is also available.
Qualys doesn't make its pricing, plan details, or licensing information publicly available. It also doesn't publish any information about a free plan. You can trial certain products for free for 30 days.
Customers
Major customers include The New York Stock Exchange (ICE), Morningstar, TDK, PagerDuty, Hopin, and IAG. To learn more, read UpGuard's customer stories.
Notable customers include Ameritas, Associated British Foods, Aberdeen, and Cisco. Qualys positions itself as the ideal solution for businesses of all sizes and the public sector.
G2 rating Accurate as of March 2025
4.5, based on 383 reviews. Named a G2 Market Leader for Third Party & Supplier Risk Management Software.
Qualys doesn’t make its pricing or subscription plan details publicly available. You’d need to contact the platform’s team via its website to receive pricing. The platform offers a free, 30-day trial for some of its products.
Here’s an overview of Qualys’s plans and services:
No free plan
Qualys doesn’t make any information available about a free plan.
Free trial
Qualys allows you to trial several products for 30 days. To start a free trial, you’d need to complete a standard form on the Qualys website.
No plan information
Qualys doesn’t make any of its plan information publicly available.
No plan information
Qualys doesn’t make any of its plan information publicly available.
Add-ons and additional costs
The following additional features and services could increase costs:
Professional services: Implementation and complex integrations may incur additional costs.
How does Qualys’s pricing compare to its competitors?
UpGuard
UpGuard’s pricing starts at USD 1,750 per month. The platform maximizes value by offering out-of-the-box workflows supporting the entire TPRM lifecycle—saving users from having to purchase additional tools to fill TPRM workflow gaps.
It offers a free plan that lets you monitor up to five vendors, with access to assessment and remediation workflows. UpGuard’s Trust Exchange tool, which streamlines vendor questionnaires and trust management, is also free.
Detectify has three plans: Surface Monitoring, Application Scanning, and API Scanning. Surface Monitoring allows you to test all assets across your attack surface and costs around $345 per month, Application Scanning enables you to scan your web applications for around $100 per month, and API Scanning allows you to scan your APIs for around $100 per month.
Wiz doesn’t make its pricing publicly available. However, its website does state that licensing is modular and scales with active developers, log ingestion, or sensors.
