Continuous security and vulnerability detection—both Tenable and Qualys have built industry-leading suites around these two cybersecurity disciplines. The latter in particular serves as a focal point for both vendors, with Tenable.sc, formerly called Tenable SecurityCenter, and Qualys Enterprise going head-to-head for the top slot in the vulnerability management category. Let's see how the two stack up in this comparison.
Though it's become quite fashionable lately to declare perimeter security "dead", the truth of the matter is that firewalls and endpoint security mechanisms remain crucial components of enterprise security. However, they should never stand as lone sentries between the enterprise's IT assets and cyber attackers.
The continuous security required for protecting against today's cyberattacks is provided by a myriad of tools and platforms working in conjunction:
- vulnerability detection,
- compliance monitoring,
- security information and event management (SIEM) / log management systems,
- smart / next-generation firewalls (NGFW),
- and more.
Tenable and Qualys both offer integrated security platforms built around vulnerability detection, layering on additional security mechanisms like malware detection, security analytics, and anomaly detection. There are many similarities and overlaps in functionality. Both vulnerability management solutions have functionality for vulnerability scanning and support detailed security risk analysis.
When it comes to specific advantages of each of these tools, Tenable stands out as an audit tool for known hosts as well as a reliable catch-all toolkit for black-box testing. It works equally well across the entire organization or deployed in just a single department of, say, a large corporation.
Qualys has unique advantages of its own, including high-quality support as well as ease of use and administration. From a price perspective, Qualys is also more affordable, and this is often the deciding difference for smaller organizations.
Tenable
Perhaps best known for its free (for personal use) Tenable Nessus vulnerability scanner, Tenable.sc, formerly called SecurityCenter, offers vulnerability management and security analytics—viewed/managed with a series of pre-built, highly customizable dashboards and reports.
Tenable.sc Continuous View (CV) adds additional features for continuous visibility, advanced analytics, real-time metrics, and continuous compliance, among others. Tenable.sc is great at handling network sweeps and vulnerability scans, as well as network and host auditing, including NIST, CIS, and DoD audit policies.
Tenable can be bulky, especially for smaller organizations. This lack of easy, step-wise scaling can be a drawback, opening the door to other, smaller solutions for the range of cybersecurity and vulnerability scanning requirements.
That said, Tenable is often regarded as a giant of the industry, able to go toe to toe against other notable vulnerability management providers like Rapid7 and BeyondTrust. Many shops rely on Tenable tools, which include Tenable.sc, Tenable.io, and Nessus Professional. Penetration testing becomes easier with a tool as powerful as this, and Tenable’s toolset can catch a lot of problems and vulnerabilities that your team might easily miss.
Qualys
Founded in 1999, Qualys is an established name in enterprise security, with a full range of freemium solutions, continuous security platforms, and subscription-based security services. Its flagship platform is the aptly-named Qualys Enterprise, formerly known as QualysGuard.
Qualys Enterprise is essentially a continuous security suite of tools for vulnerability management, asset discovery, network security, web app security, threat protection, and compliance monitoring. Qualys receives top billing for its performance in vulnerability scanning. Qualys has extremely high accuracy, often superior to competing tools, at surfacing vulnerabilities. Users also benefit from Qualys's strong performance at scanning and tracking vulnerabilities automatically, with little to no user intervention.
This makes it easy to add endpoints to your inventory and have Qualys protect your endpoints for you. Qualys maps out the vulnerability level and criticality so that your security team can prioritize in order to address your most critical vulnerabilities ahead of the rest.
Despite its many features and positives, Qualys also comes with potential drawbacks, chief among which are intermittent slow scans when scanning endpoints, as well as false positives.
Side-by-Side Scoring: Tenable vs. Qualys
1. Capability Set
Both Tenable.sc CV and Qualys Enterprise were designed to be comprehensive continuous security solutions, and both certainly excel in this regard. Qualys Enterprise's asset management capabilities and cloud/web app security features, in particular, are worth noting, while Tenable.sc CV's Nessus vulnerability scanner and advanced security analytics are the platform's strong points.
Tenable’s set of capabilities provides the ability to handle all your vulnerability management in one place. It combines maximum endpoint visibility with broad scanning types and support for numerous compliance standards. Tenable makes it easy to plan and set up your scans, with user groups allowing coordination between teams in your organization.
Where Tenable.sc is optimized for real-time, continuous assessment of your security posture managed on-premises, Qualys brings cloud management and the consolidation of compliance and security solutions in order to lower your total cost of ownership (TCO). It has a clear UI and brings a modular approach with its suite of fully integrated security apps.
2. Ease of Use
Tenable's offering features a streamlined HTML5 interface and intuitive, user-friendly navigation elements—a vast improvement from its previous Flash-based implementation. Similarly, Qualys Enterprise's web-based interface is easy to get up to speed with but can feel somewhat over modularized due to the amount of moving, interacting parts in the solution suite.
Tenable is quick to implement and comes with defaults that make sense out of the box. This adds significantly to the product’s ease of use, allowing teams to quickly assess vulnerabilities, see which systems are affected, and plan remediation. Tenable’s graphical representations of your environment are among the best in the industry, with progress tracking to show the vulnerabilities you’ve patched over time. Tenable’s VPR rating offers additional vulnerability prioritization over that represented by CVSS ratings, making it easier to zero in on the vulnerabilities your team must tackle first.
Qualys is very easy to use, with efficient performance for any network. You can easily deploy it in the cloud, while, for businesses in locations with strict data sovereignty requirements, the on-premises Qualys Private Cloud Platform is just as easy to deploy.
3. Security Rating
UpGuard's Vendor Risk platform is used by hundreds of companies to automatically monitor their third-party vendors. We ran a quick surface scan on both Tenable and Qualys and found them in a similar security position. Both companies have similar risks, which include:
- DNS being susceptible to man-in-the-middle attacks
- Potential for emails to be fraudulently sent from their domain
- Increased susceptibility to man-in-the-middle attacks
Qualys has a higher risk of domain hijacking, as they do not use domain registry protection. This gives Tenable a slight edge and a slightly higher rating.
Domain hijacking is one of the subtle forms of cyberattack that can, nonetheless, have wide-ranging effects on a business. Attackers can abuse privileges on the domain and impose financial or reputational damages on the organization.
With UpGuard's Vendor Risk platform, you can automatically monitor and rate vendors' security performance. You can automate security questionnaires and monitor vendors using our instant vendor search. The platform lets you track changes in the security performance of your vendors over time. Along with vendor security ratings, you also have access to industry benchmarks to better understand vendor performance.
4. Community Support
Qualys hosts an active community on its corporate website, as does Tenable—in this case, the latter takes the cake for its robust discussion forum. Additionally, Nessus—originally an open-source project—commands a legion of loyal followers as one of the most popular and capable vulnerability scanners.
The Tenable Community Forum is a good place to interact with the community and search for Tenable knowledge on all possible topics. You can also ask the community a new question in case you are running into issues with Tenable and your team can’t troubleshoot them.
You can read Tenable Docs in the Tenable Documentation Center. This has docs for Tenable.sc as well as Tenable.io (the cloud version of Tenable.sc), Nessus, and related products.
Qualys has multiple online communities, each one dedicated to a specific area of Qualys functionality. These include:
- Vulnerability Management
- Policy Compliance
- PCI Compliance
- Web App Scanning
- Web App Firewall
- Continuous Monitoring
- Security Assessment Questionnaire
- Threat Protection
- Asset Inventory
The Qualys Community discussion site hosts discussion on topics ranging from asset management to web app security and the Qualys developer API. The wide range of resources means that you can get help or insights for solving even challenging hurdles that might arise in your Qualys implementation.
5. Release Rate
Tenable.sc is currently on version 5.13.0 and has been undergoing regular releases since its inception. Nessus (currently at version 8.10.0)—at one point considered the most popular vulnerability scanner in the world, ahead of pen testing alternatives like Nexpose, InsightVM and Metasploit—was launched in 1998 and sees full version updates roughly every 2 years. Qualys' vulnerability scanner and cloud-based security platform have also undergone regular updates over the years, despite several confusing rebranding and product consolidation efforts.
Tenable has seen significant innovations over the last few years. In addition to the rebranding of Tenable SecurityCenter to Tenable.sc in November 2018, there have been a series of innovations in the product. These include integration with Tenable Lumin to enable advanced cyber exposure analytics and visualization. The latest release of Tenable, Tenable.sc 5.13.0, added the ability to synchronize data from Tenable.sc to Lumin for analysis, as well as numerous bug fixes for issues like lost scan chunks when the scanner they were on crashed.
In its latest releases, versions 3.0 (Qualys Cloud Platform) and 10.0 (Qualys Cloud Suite), Qualys added a new, game-changing VMDR (Vulnerability Management, Detection, and Response) solution. This integrated tool enables vulnerability remediation prioritized based on context, along with comprehensive visibility.
6. Pricing and Support
As a SaaS-based offering, Qualys Enterprise is sold on an annual subscription basis; pricing in the past has ranged from $295 for small businesses to $1,995 for larger enterprises, depending on the number of endpoints monitored. Tenable.sc costs upwards of $20,000 plus annual maintenance—a considerable investment for budget-conscious organizations.
Both vendors offer premium phone, web, and onsite support options, as well as a range of professional services to boot. If you have a support plan, you can get technical assistance from Tenable's Technical Support Engineers. A Technical Support Guide is available to help you navigate the process. If you have purchased or subscribed to Tenable.sc, Tenable.io, or Tenable.sc Continuous View, an Advanced Support plan is included.
Qualys offers free support to all customers. Qualys customers get free telephone support, which gives access to Qualys Security Engineers for solving any network security problems.
In addition, you can also get online support from Qualys. This is in the form of online technical assistance, as well as self-service documentation and troubleshooting materials.
7. API and Extensibility
The Qualys API is a non-REST, XML-based interface for integrating custom applications with Qualys Cloud security and compliance solutions. In contrast, Tenable.sc provides a more modern REST API for integrating with other applications or hooking scripting interactions into the Tenable.sc server.
The Tenable API uses JSON format and is developed using open standards. This means that you can use any programming language you want for interacting with the API. The ubiquity of JSON usage should make it easier for teams that want to integrate Tenable.sc into their web applications or other software, as well as system administrators who want to automate certain workflows.
The Qualys API is just as robust and powerful as the Tenable one, which lets your team automate Qualys workflows. The API allows you to accomplish tasks like:
- launch VM scans
- launch compliance scans
- configure scans
- manage assets
- launch reports
- manage reports
- download reports
8. 3rd Party Integrations
Both solutions feature a broad range of 3rd party integrations and technology partners. Qualys integrates with ServiceNow, BMC, ForeScout, and Splunk, among others, while Tenable's myriad of integrations—including vendors like Cisco, Salesforce, and AirWatch—allow customers to get the most out of their security platform investments. Tenable has created a vast Cyber Exposure ecosystem, in partnership with numerous Security and IT Operations organizations. This ecosystem enables customers to get a broad set of cyber exposure datasets in order to analyze and reduce their risk.
Qualys has integrations with public cloud providers to ensure visibility and security compliance of your cloud and hybrid IT deployments. These include native integrations with the major cloud providers, in particular, AWS, Google Cloud, and Microsoft Azure.
In addition, Qualys offers a free cloud-based service, Qualys CloudView, that lets you view and aggregate, on one control panel, all the information about your assets across different cloud providers.
9. Companies that Use It
Both security solutions are in use by many of the world's most prominent enterprises. Tenable purportedly has more than one million users and over 20,000 enterprise customers worldwide, including the U.S. Department of Defense, Deloitte, Visa, BMW, Adidas, and Microsoft. According to Qualys, more than 60% of the Forbes Global 50 rely on its continuous security solutions, including the likes of Cisco, DuPont, Microsoft, Sabre, and Sony Network Entertainment.
As their impressive customer lists show, if you are a large enterprise, either of these products should be able to meet your needs. It also pays to see what current and past customers say about their experience. For Tenable, customers such as Sentara Healthcare have found that the Predictive Prioritization features in Tenable.sc and Tenable.io can vastly improve your ability to solve the most imminent cyber threats first.
Meanwhile, Qualys customers appreciate that Qualys scales better, and your organization can add or remove IP addresses easily as required. The SaaS model Qualys provides, with pay-as-you-go options, makes it more flexible, whether you are a large Fortune 500 corporation or a small team.
10. Learning Curve
Both continuous security platforms are relatively easy to learn, largely due to the solutions' streamlined web interfaces and detailed product documentation. For product learning and training, Tenable customers have free access to the 24/7, online, Tenable University. The self-serve courses provide comprehensive knowledge for Tenable’s entire product catalog, including Tenable.sc, Tenable.io, and Nessus. Topics range from Vulnerability Assessment to Auditing.
Not to be outdone, Qualys also offers a comprehensive suite of free, self-paced training courses. Like Tenable, Qualys offers instructor-led certification courses that allow security engineers to get certified on different topics. Certification courses available from Qualys range from PCI Compliance to Qualys API Fundamentals.
Scoreboard and Summary
Both Qualys Enterprise and Tenable.sc offer continuous cyber protection through an array of layered security tools and services. Qualys sports some impressive asset management capabilities, while Tenable offers advanced security analytics and an industry-leading vulnerability scanner. That said, Tenable can be a challenge for small to mid-range organizations to acquire; as such, budget-sensitive firms will certainly find Qualys more manageable from a cost perspective.