Try For Free


Qualys vs. Tenable vs. Rapid7…and the Remediation ‘Missing Link’

Patch Management Vulnerability Remediation

Securing your environment under today’s working conditions is a growing challenge. There are so many moving parts: multiple OSes and configurations both locally and in the cloud, portable devices, IoT–and all come with updates you have to continuously seek out and download. 

Spotting vulnerabilities is a major part of this challenge. According to the SANS 2020 IT Cybersecurity Spending report, the leading drivers of cybersecurity spending are regulatory compliance (69.4%) and reducing incidents and breaches (59.1%). This proves too many companies are still taking a reactive, rather than a proactive, approach to security, often waiting until only after a serious breach has occurred to invest. With one 2019 estimate putting the average cost of a breach at $3.92M worldwide, this is a headache worth avoiding if you can, not to mention the operational hassle and impact on your reputation.

Still, you know your team can’t do it all by themselves. That’s why you should consider adding vulnerability assessment tools to your mix.

What Can a Vulnerability Assessment Offer?

The U.S. National Institute of Standards and Technology (NIST) explains that vulnerability scanners not only keep track of hosts and attributes but also help “identify outdated software versions, missing patches, and misconfigurations, and validate compliance with or deviations from an organization’s security policy.” In other words, they’re doing some of the heavy lifting for you, rounding up relevant vulnerability data, updates, and alerts so you don’t have to.

Even if these solutions are lacking in some key areas, today’s vulnerability assessment tools really do take a lot of the work off your shoulders.

The Forrester Wave™: Vulnerability Risk Management, Q4 2019 report recently tagged three tools as “Industry Leaders”: Qualys VMDR, Tenable Nessus, and Rapid7 InsightVM. Let’s compare the pros and cons of each and then explore one essential area where none of these tools can fully protect you.

VMDR (Qualys)

Entering the market in 2000, Qualys Vulnerability Management, Detection and Response (VMDR) was one of the earliest contenders in the vulnerability detection arena, and their experience shows. Their product has evolved over the years, and today they promise a powerful, integrated, cloud-based tool suite with “instantaneous, global visibility.”  But does it deliver?

  • VMDR: The Basics
    • Platforms: Windows, Linux/Unix, BSD, Apple Mac OS
    • Scan Coverage: servers, network devices, peripherals, workstations (any device with an IP address)
    • Pricing: Free trial; enterprise VMDR from $6,368 ($199 per asset, minimum 32 assets)
  • VMDR Pros

    • Early player in the vulnerability arena
    • Customizable data displays
    • Very good breadth of protection
    • Strong automation features, minimal user intervention required
  • VMDR Cons
    • Steep learning curve, less useable “out of the box”
    • Numerous suspected/false positives
    • Limited daily API requests for each price point
    • Increased cost for scans over a network vs. agent scans
    • Not as competitive on price 

Nessus (Tenable)

Tenable was probably the earliest contender among the three tools mentioned here, making its debut in 1998 as a free security scanner. Today, Nessus offers a cloud-based vulnerability analysis platform that promises to help you translate “technical data into business insights.” How well does it stack up?

  • Nessus: The Basics
    • Platforms: Windows, Mac OS X, OpenBD, FreeBSD, and others.
    • Scan Coverage: Apps of all sizes, network devices, mobile devices
    • Pricing: Free trial, free “Nessus Essentials” home version for up to 16 IPs; Nessus Pro (commercial) from $3,000/year
  • Nessus Pros
    • Agent-based, threat-focused scanning strategy
    • Good source of useful information
    • Flexible solution with good, thorough product training 
    • Competitive pricing 
  • Nessus Cons
    • More old-school, less attractive UI
    • Requires specialist expertise, experienced security team
    • Requires manual checking and verification of results
    • Confusing array of cloud vs. on-premises options

InsightVM (Rapid7)

Rapid7 made a name for itself in the security world in 2009 by buying Metasploit Project. Now, with InsightVM, the next generation of its on-premises solution Nexpose, Rapid7 promises an integrated platform that claims to help you “act at the moment of impact.” But does it give you all the data you need to act?

  • InsightVM: The Basics
    • Platforms: Windows/Linux
    • Scan Coverage: Web applications, databases, operating systems, network hardware
    • Pricing: Free 30-day trial; annual licensing fee from $11,264+ ($22/asset, minimum 512 assets);
  • InsightVM Pros
    • Simple set-up and implementation, real-time updates
    • Integrates easily with Rapid7’s own Metasploit platform to test exploits
    • Fast ramp-up, easy learning curve 
    • Clear prioritization of vulnerabilities to aid in remediation
  • InsightVM Cons
    • Dashboards don’t always provide a user-friendly interface
    • Tends to offer more false positives
    • Often inflexible and complex queries and filtering 
    • Missing features for reporting, e.g., customizations and ad hoc data reporting

Can You Spot the Missing Link? Hint: Remediation

All of these vulnerability assessment tools are good products, used by big names across multiple industries. 

But they’ve all been very slow on the uptake for patching and vulnerability remediation. Without fully integrated patching, these tools are spotting vulnerabilities, then dumping the work on your plate. That’s hardly fair. 

These companies do know their solutions aren’t getting the job done, and both Qualys and Rapid7 have recently made moves toward introducing a built-in patch solution. But this implementation is not as sophisticated as it needs to be to make a dent in your IT workload.

Building a Total Solution

Part of the problem is expecting a one-size-fits-all security solution to do it all. Vulnerability scanning is just one piece of the puzzle. What’s more important is what happens after you spot those critical vulnerabilities. It just makes sense to also have the means to remediate those vulnerabilities. 

JetPatch works hand in hand with all of the abovementioned products and can seamlessly integrate with your chosen tool to help you close the cyber gaps by providing an intelligent, end-to-end automated, workflow across your different IT environments.

Choosing a vulnerability assessment tool is a big decision, and part of that decision is understanding where these products fall short. By bringing all vulnerability reporting together in a unified dashboard with intelligent vulnerability remediation, JetPatch closes the gaps when it comes to securing your entire organization.

Yair Regev
Yair is the CTO & VP R&D @ JetPatch. He has more than 20 years of experience in cybersecurity, networking and R&D management.
schedule demoORlearn more
Start Patching the Right Way
Free Trial