According to the Forbes Insights/BMC second annual IT Security and Operations Survey, 43% of enterprises plan to redouble their patching and remediation efforts in 2017, citing patch automation investments as having the best ROI among security technology purchases in 2016. It isn't hard to see why: the same survey shows that known security vulnerabilities continue to cause the majority of data breaches and security compromises. Rapid7 and Qualys are two leading cybersecurity vendors in the vulnerability management space; let's take a look at how they stack up in this comparison.
Patching is only one aspect of vulnerability management, and many enterprise security suites combine vulnerability analytics with reporting and assessment capabilities as part of a broader threat detection framework. For example, Rapid7's Nexpose analytics engine lets security teams prioritize the highest-risk vulnerabilities so that remediation effort goes where it reduces the most exposure.
Similarly, the Qualys Cloud Platform, previously known as QualysGuard, bundles an integrated enterprise suite of security and compliance tools around its battle-tested vulnerability management solution.
Rapid7
Rapid7 is arguably best known for its open source Metasploit Framework, an advanced set of tools for developing and deploying exploit code. The project was originally released in 2004 and was acquired by the company in 2009; today, Metasploit is widely regarded as the world's leading pentesting tool. As with other products in its suite, Rapid7 offers tight integration between Metasploit and Nexpose: a typical security workflow involves scanning for vulnerabilities with Nexpose and then validating the findings by attempting exploitation with Metasploit.
The Rapid7 Nexpose UI. Source: rapid7.com.
Additionally, Rapid7's new InsightOps platform gives IT operations centralized endpoint visibility and infrastructure analytics.
Qualys
An early player in the vulnerability management space, Qualys now offers a comprehensive suite of consumer/SMB-focused tools, enterprise security solutions, and subscription-based security services. The Qualys Cloud Platform, formerly known as QualysGuard, is the company's flagship enterprise security suite. It provides asset discovery, network security, web application security, threat protection and compliance monitoring under a unified management console.
The QualysGuard UI. Source: qualys.com.
The company also offers free tools such as Qualys BrowserCheck, the AssetView Inventory Service, and the FreeScan vulnerability scanner, among others.
Side-by-Side Scoring: Rapid7 vs. Qualys
1. Capability Set
Both solutions are highly capable at detecting and managing critical vulnerabilities that could lead to data breaches. Rapid7 Nexpose's vulnerability management lifecycle spans discovery through mitigation, and Rapid7 offers adjacent tools such as Metasploit for validating findings by exploitation. The Qualys Cloud Platform offers a range of tools for detecting and prioritizing vulnerabilities and includes a live threat intelligence feed of real-time security updates, as well as asset management and cloud/web application scanning.
2. Ease of Use
The Qualys Cloud Platform's interface is simple enough to get a handle on, but it feels over-modularized because of the number of moving, interacting parts in the platform. Rapid7's clean, intuitive web interface gives it the win in this category.
3. Community Support
As mentioned earlier, the Metasploit Framework was a popular, freely available open source project before the Rapid7 acquisition and remains so today. Consequently, the project has a large body of community support resources, including the company's robust community portal on its public website. Qualys hosts an active community site with support forums, product training resources, and more.
4. Release Rate
Both platforms have seen regular releases over the years; that said, Rapid7's Nexpose (currently at version 6.4) appears to have more continuity across versions. Additionally, its open source Metasploit Framework is actively maintained by the community, and a full release history is available on its website. Currently at version 8.9, Qualys' vulnerability scanner has been updated regularly over the years, despite several confusing rebranding and product consolidation efforts. The entire suite was recently rebundled as the Qualys Cloud Platform, though the two names appear to be used interchangeably.
5. Pricing and Support
Express editions of Nexpose and Metasploit start at $2,000 and $5,000, respectively; a full-featured Pro edition starts at $15,000 per year. The Metasploit Framework itself remains free and open source.
The Qualys Cloud Platform can be deployed on-premises or as a SaaS offering and is sold on an annual subscription basis, from $295 for small businesses to $1,995 for larger enterprises, based on the number of endpoints monitored. Both vendors offer premium phone, web, and onsite support options, along with professional services for custom deployments.
6. API and Extensibility
Rapid7's Nexpose offers only an XML-based API, though the Metasploit Framework comes with a REST API for building custom integrations. Likewise, Qualys provides only a non-REST, XML-based API for integrating custom applications with its security and compliance tools. In practice this means that most custom integrations with either product start by pulling an XML export of hosts and findings and post-processing it.
7. Third-Party Integrations
Rapid7 features integrations with major cybersecurity vendors and platforms such as AWS, Jenkins, ForeScout, Splunk, Okta, and VMware, among others. The Qualys Cloud Platform provides integrations with ServiceNow and Splunk, along with BMC and ForeScout, to name a few.
8. Companies that Use It
Rapid7's customer list reads like a who's who of major global enterprises: Adobe, Amazon.com, Microsoft, Ingram Micro, and Johnson & Johnson, to name a few. Not to be outdone, Qualys claims over 60% of the Forbes Global 50 as customers, with companies like Cisco, DuPont, Microsoft, Sabre, and Sony Network Entertainment using its products.
9. Learning Curve
Rapid7 Nexpose's intuitive web interface makes getting up to speed with the platform a relatively trivial affair. Qualys' easy-to-use web interface likewise makes it accessible to novices, though Nexpose has a somewhat flatter learning curve.
10. Security Rating
Qualys' strong security rating of 808 falls short of a perfect score because of a few security gaps, notably the lack of a DMARC record. Rapid7's average security rating of 703 is the result of several security gaps, including the lack of Secure cookie flags, missing DNSSEC, and more. Note that the items behind these scores are properties of the vendors' own public-facing domains (mail authentication, DNS and web cookies), not of the products themselves.
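Since both vendors expose findings through an XML API, the first thing a custom integration usually does is parse that export and rank what to fix first, which is also the prioritization step described for Nexpose earlier. The following is an added example, not code from Rapid7, Qualys, or the original article; the XML sample is constructed here and its element and attribute names (VULN_EXPORT, HOST, FINDING, internet_facing) are assumptions for illustration, not either vendor's actual schema. The scoring weights are likewise arbitrary choices for the example.

```python
"""Rank findings from an XML vulnerability export for remediation.

Added example. The XML below is constructed for this example and its
element/attribute names are assumptions, not a real vendor schema.
"""
import xml.etree.ElementTree as ET

# Constructed sample export: three hosts, six findings, one already fixed.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<VULN_EXPORT generated="2017-03-01T00:00:00Z">
  <HOST ip="10.0.0.5" dns="web01.example.internal" internet_facing="true">
    <FINDING id="F-1" severity="5" exploitable="true" status="Active">Remote code execution in web application framework</FINDING>
    <FINDING id="F-2" severity="3" exploitable="false" status="Active">Weak TLS cipher suites enabled</FINDING>
    <FINDING id="F-3" severity="4" exploitable="true" status="Fixed">Outdated SSH daemon</FINDING>
  </HOST>
  <HOST ip="10.0.0.12" dns="db01.example.internal" internet_facing="false">
    <FINDING id="F-4" severity="5" exploitable="false" status="Active">Default database credentials</FINDING>
    <FINDING id="F-5" severity="2" exploitable="false" status="Active">Information disclosure via service banner</FINDING>
  </HOST>
  <HOST ip="10.0.0.20" dns="jump01.example.internal" internet_facing="true">
    <FINDING id="F-6" severity="4" exploitable="true" status="Active">Privilege escalation in local service</FINDING>
  </HOST>
</VULN_EXPORT>
"""

# Arbitrary weights chosen for the example: severity dominates, but a
# known exploit or an internet-facing host moves a finding up the list.
SEVERITY_WEIGHT = 10
EXPLOITABLE_BONUS = 20
INTERNET_FACING_BONUS = 10


def parse_findings(xml_text):
    """Flatten the export into one dict per finding, validating severity.

    For exports fetched from a server you do not fully control, parse with
    defusedxml.ElementTree instead to block entity-expansion attacks.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("HOST"):
        internet_facing = host.get("internet_facing", "false") == "true"
        for f in host.iter("FINDING"):
            severity = int(f.get("severity", "0"))
            if not 1 <= severity <= 5:
                raise ValueError(f"finding {f.get('id')}: severity {severity} out of range 1-5")
            findings.append({
                "id": f.get("id"),
                "title": (f.text or "").strip(),
                "host": host.get("dns") or host.get("ip"),
                "ip": host.get("ip"),
                "severity": severity,
                "exploitable": f.get("exploitable") == "true",
                "internet_facing": internet_facing,
                "status": f.get("status", "Active"),
            })
    return findings


def score_finding(finding):
    """Combine severity, exploitability and exposure into one integer."""
    score = finding["severity"] * SEVERITY_WEIGHT
    if finding["exploitable"]:
        score += EXPLOITABLE_BONUS
    if finding["internet_facing"]:
        score += INTERNET_FACING_BONUS
    return score


def prioritize_findings(xml_text):
    """Return active findings, highest score first, each annotated with its score."""
    active = [f for f in parse_findings(xml_text) if f["status"] == "Active"]
    for f in active:
        f["score"] = score_finding(f)
    # Stable sort: ties keep export order, so the result is reproducible.
    return sorted(active, key=lambda f: f["score"], reverse=True)


def host_exposure(ranked):
    """Map each host to the score of its worst active finding."""
    exposure = {}
    for f in ranked:
        exposure[f["host"]] = max(exposure.get(f["host"], 0), f["score"])
    return exposure


if __name__ == "__main__":
    for f in prioritize_findings(SAMPLE_XML):
        print(f"{f['score']:3d}  {f['host']:<24} {f['id']:<5} {f['title']}")
```

Fixed findings are dropped before scoring rather than after, so a stale "Fixed" entry can never outrank live work; the per-host view is what you would hand to an asset owner, while the flat ranked list is what goes to a ticketing integration such as the ServiceNow or Jenkins hooks mentioned below.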
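Two of the findings behind those ratings, a missing DMARC policy and cookies without the Secure flag, can be evaluated from data you already have in hand: the TXT records at _dmarc.<domain> and a response's Set-Cookie headers. The following is an added example, not code from the original article, Rapid7, or Qualys; all inputs are constructed, no DNS or HTTP lookups are made, and the grade labels ("missing", "monitor-only", "partial", "enforcing", "invalid") are this example's own vocabulary. DNSSEC is left out because validating it needs a live validating resolver.

```python
"""Grade a DMARC record and audit Set-Cookie flags. Added example with
constructed inputs; not part of the original article or either product."""


def parse_dmarc(txt):
    """Parse one TXT string into a tag dict, or return None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(txt_records):
    """Return (grade, reasons) for the TXT records published at _dmarc.<domain>."""
    records = [r for r in (parse_dmarc(t) for t in txt_records) if r]
    if not records:
        return "missing", ["no DMARC record published; receivers apply no policy"]
    if len(records) > 1:
        # RFC 7489 6.6.3: more than one record means receivers ignore all of them.
        return "invalid", ["multiple DMARC records published; receivers ignore all of them"]
    rec = records[0]
    policy = rec.get("p")
    if policy is None:
        return "invalid", ["required tag p= is missing"]
    reasons = []
    pct = int(rec.get("pct", "100"))
    if policy == "none":
        grade = "monitor-only"
        reasons.append("p=none: spoofed mail is still delivered, only reported")
    elif pct < 100:
        grade = "partial"
        reasons.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    else:
        grade = "enforcing"
    if "rua" not in rec:
        reasons.append("no rua= address: aggregate reports are not being collected")
    return grade, reasons


def check_set_cookie(header):
    """Return a list of problems with one Set-Cookie header value (empty if clean)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        attrs[key.strip().lower()] = value.strip()
    problems = []
    if "secure" not in attrs:
        problems.append(f"{name}: missing Secure flag")
    if "httponly" not in attrs:
        problems.append(f"{name}: missing HttpOnly flag")
    if "samesite" not in attrs:
        problems.append(f"{name}: missing SameSite attribute")
    elif attrs["samesite"].lower() == "none" and "secure" not in attrs:
        problems.append(f"{name}: SameSite=None requires Secure")
    # __Host- prefix contract: Secure, Path=/, and no Domain attribute.
    if name.startswith("__Host-"):
        if "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs:
            problems.append(f"{name}: __Host- prefix requires Secure, Path=/ and no Domain")
    return problems


if __name__ == "__main__":
    # Constructed inputs standing in for a DNS answer and an HTTP response.
    print(assess_dmarc(["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]))
    print(check_set_cookie("session=abc123; Path=/; HttpOnly"))
```

The DMARC grader deliberately treats two published records as worse than one weak one, because receivers discard both, and it reports a missing rua= address even on an enforcing policy, since without reports you cannot see what the policy is rejecting. A rating like the ones quoted above is only the sum of checks of this kind, so reproducing them locally is the fastest way to verify a score before disputing it.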
Scoreboard and Summary

Category                   Rapid7   Qualys
Capability set             5/5      5/5
Ease of use                5/5      4/5
Community support          5/5      4/5
Release rate               5/5      4/5
Pricing and support        4/5      4/5
API and extensibility      4/5      4/5
Third-party integrations   5/5      5/5
Companies that use it      5/5      5/5
Learning curve             5/5      4/5
Security rating            703      808
Total                      4.7/5    4.4/5
Both the Qualys Cloud Platform and Rapid7 Nexpose are comprehensive enterprise security suites with competent vulnerability management capabilities. For teams that include exploitation testing in a broader set of security assessment activities, Rapid7's popular, open source Metasploit Framework coupled with Nexpose is hard to beat. Enterprises weighted more toward IT operations management (ITOM) may find the Qualys Cloud Platform a better fit, as it offers features such as IT asset management and discovery on top of vulnerability management.