Comparing the top vulnerability management tools

Expert Ed Tittel compares how the top-rated vulnerability management tools measure up against each other so you can select the right one for your organization.

Vulnerability management tools include the ability to detect and identify assets in an IT infrastructure, detect vulnerabilities, provide descriptions of vulnerabilities as well as links to patches and other forms of remediation, and generate a host of reports -- all from a central console. Early vulnerability management tools didn't include automation and were run manually on a scheduled basis, or as needed when a security issue arose. Today, the best procedure is to scan continuously -- or at least daily -- and remediate as you go. Although it's important to compare vendor products at the core feature level, organizations must also take into account additional security-related capabilities that provide more robust and comprehensive offerings.

This article compares vulnerability management tools and features from several leading vendors: Beyond Security, Critical Watch, Core Security, Qualys, Rapid7, SAINT, Tenable Network Security and Tripwire. Read on to find out how the products measure up.

A brief look at the contenders

Beyond Security's Automated Vulnerability Detection System (AVDS) product comes as either an on-premises appliance or cloud-based offering; the cloud solution scans external IP addresses and websites. Critical Watch offers the FusionVM suite of appliances and a software-as-a-service-based vulnerability management product, as well as a blended solution. Core Insight by Core Security has its own scanning engine, but also works with third-party scanners -- Qualys, Tenable, Tripwire and others -- to provide a comprehensive view of vulnerabilities across a network.

Qualys was the first in the field to offer vulnerability management tools from the cloud. The vulnerability management product in the Qualys Cloud Suite comes in Enterprise Edition, Express Edition -- for midsize businesses -- and Express Lite Edition -- for small businesses. Rapid7 Nexpose for vulnerability management is integrated with Metasploit for exploiting vulnerabilities to help determine priorities and for testing purposes. Customers can choose an on-premises appliance or a cloud-based service for perimeter scanning.

The SAINT Security Suite is available as a standalone software package or as a preconfigured hardware appliance. Tenable Network Security provides Nessus, one of the most widely deployed vulnerability management tools. It's available as software -- for consumers -- a preconfigured virtual machine, a preconfigured hardware appliance and as a cloud service. Finally, Tripwire offers three vulnerability management products: SecureScan (a free scanner), PureCloud and IP360 (appliance).

Beyond the core features

More comprehensive vulnerability management tools may include the ability to continuously monitor an environment, to penetration test ("pen test") identified vulnerabilities in order to validate them, and to scan both the internal network and the network perimeter -- to name just a few.

Tripwire IP360 is an enterprise-class security risk management system aimed at large, distributed networks. It integrates vulnerability and risk management into an organization's business processes and IT systems, such as SIEM, IDS/IPS and other security products. Tripwire PureCloud is also geared toward enterprises and offers network perimeter scanning and continuous monitoring, as well as reporting and analytics geared for auditing and risk assessments.

All vendors in this article offer a variety of capabilities beyond the core feature set of a vulnerability management product.

Qualys excels at assessing cloud-based perimeter devices, including the identification of endpoint devices with Internet access. The addition of appliances behind firewalls provides continuous monitoring of internal assets as well. One neat feature of Qualys Cloud Suite is its ability to create an interactive network map that shows both perimeter and internal devices. The product also includes malware detection that relies on a continually updated, zero-day database.

Core Insight from Core Security is another full-featured vulnerability management product designed for complex environments. It offers a few unique features, such as the ability to work with third-party scanners and provide a unified view of vulnerabilities. It also provides attack path modeling, in which a network's topology is mapped to show how attackers can exploit vulnerabilities across an infrastructure and access assets. Penetration testing is available through its Core Impact product.

Tenable and Rapid7 also include pen testing in their products. Rapid7 integrates Nexpose with Metasploit to enable users to simulate attacks and exploit vulnerabilities to more accurately prioritize risks. Rapid7 also provides incident detection and response capabilities.

Vulnerability signature updates

Tripwire's Adaptive Threat Protection network, and the Qualys Vulnerability Research Team and Qualys Vulnerability and Malware Research Labs, keep those companies' respective products updated in real time. Qualys updates its vulnerability database every day as new vulnerabilities emerge.

Critical Watch uses ACI Platform, its security intelligence solution, to keep FusionVM up to date. Beyond Security's main source of information is SecuriTeam, a vulnerability knowledge base managed by the company itself.

Ease of use

All of the featured vulnerability management tools are relatively easy to install and customize; the hardware appliances, for example, can be up and running within minutes. These products also provide intuitive interfaces with dashboard views, checkbox features and preconfigured policies and reports.

Qualys pitches its cloud offering as a lightweight product that is easy to use and that runs nonintrusively without any software overhead.

Beyond Security's AVDS appliance is also easy to deploy and use. Beyond Security products don't have as many bells and whistles as those of its competitors, which is a plus for smaller organizations that need reliable scanning results and quick risk assessments.

Core Security's Core Insight does a great job of whittling down long lists of vulnerabilities -- which can reach into the thousands and even millions in large environments -- to those that must be remediated.

Support for cloud and mobile

Most vulnerability scanners can discover a variety of endpoints within a network, but mobile devices, cloud assets and virtual machines often present a challenge. Tenable Nessus can be deployed with endpoint agents, which allow for offline scanning and the collection of scan results when a mobile device reconnects to the corporate network. The agents also allow Nessus to scan the devices for malware.

Rapid7 Nexpose provides mobile device discovery and assessment, as well as discovery connections for virtual and cloud assets.

Tripwire can discover any mobile device that connects to wired or wireless networks. It also provides an automated workflow in which an administrator defines rules for device categorization across physical and virtual locations.

Enterprise features

An important feature for vulnerability management tools is automated trouble ticket and workflow creation, which ensures the appropriate personnel are notified of critical vulnerabilities. Qualys, with the help of the BMC BladeLogic product, provides ticketing and workflow creation. Qualys also offers policy compliance scanning and Web application security. Tripwire provides automated workflows as well.

Critical Watch and SAINT also provide enterprise-grade ticketing. In addition, SAINT Security Suite's scan results can be imported into IBM's QRadar SIEM platform, and SAINT is compatible with Cisco FireSIGHT Management Center -- formerly Sourcefire -- for analysis and flag correlation. SAINT offers the ability to deploy multiple scanners to support large enterprises or use distributed scanning with load-balanced scans, and provides remediation ticketing.
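The two enterprise capabilities discussed above, whittling a long list of findings down to the ones that must be remediated and then turning them into tickets for the right team, are easy to see in a small script. The following is an added example, not code from Core Security, Qualys, SAINT, Critical Watch or any other vendor in this article. The finding format, the contextual scoring weights, the SLA table and the sample findings (with placeholder CVE identifiers) are all constructed assumptions.

```python
"""Prioritize scanner findings and open remediation tickets.

Added example; it is not any vendor's code. The finding format, the scoring
weights, the SLA policy and the sample data below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    asset: str
    owner: str               # team responsible for remediating the asset
    cve: str                 # placeholder identifier, not a real CVE
    cvss: float              # CVSS base score, 0.0 to 10.0
    exploit_available: bool  # public exploit code exists for this issue
    exposed: bool            # asset is reachable from the network perimeter
    patch_available: bool    # vendor fix exists


PRIORITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
SLA_DAYS = {"critical": 3, "high": 14, "medium": 30, "low": 90}  # assumed policy

# Constructed sample scan export: seven findings across four assets.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("web-01", "web-team", "CVE-0000-0001", 9.8, True, True, True),
    Finding("web-01", "web-team", "CVE-0000-0002", 5.3, False, True, True),
    Finding("db-01", "data-team", "CVE-0000-0003", 7.5, True, False, False),
    Finding("db-01", "data-team", "CVE-0000-0004", 3.1, False, False, True),
    Finding("hr-laptop-7", "endpoint-team", "CVE-0000-0005", 7.8, False, False, True),
    Finding("hr-laptop-7", "endpoint-team", "CVE-0000-0006", 6.5, True, False, True),
    Finding("test-vm-3", "qa-team", "CVE-0000-0007", 4.3, False, False, True),
]


def risk_score(f: Finding) -> float:
    """CVSS base score adjusted for context, capped at 10 (assumed weights)."""
    score = f.cvss
    if f.exploit_available:
        score += 2.0  # a working exploit makes the issue far more likely to be used
    if f.exposed:
        score += 1.5  # perimeter-reachable assets see the most hostile traffic
    return min(score, 10.0)


def priority(f: Finding) -> str:
    """Map the adjusted score onto the four priority bands."""
    s = risk_score(f)
    if s >= 9.0:
        return "critical"
    if s >= 7.0:
        return "high"
    if s >= 4.0:
        return "medium"
    return "low"


def triage(findings: List[Finding], min_priority: str = "high") -> List[Finding]:
    """Keep only findings at or above min_priority, most urgent first."""
    cutoff = PRIORITY_ORDER[min_priority]
    kept = [f for f in findings if PRIORITY_ORDER[priority(f)] <= cutoff]
    return sorted(kept, key=lambda f: (PRIORITY_ORDER[priority(f)], -risk_score(f)))


def build_tickets(findings: List[Finding], min_priority: str = "high") -> List[dict]:
    """One ticket per (owner, priority) so each team receives a single work item."""
    tickets: Dict[Tuple[str, str], dict] = {}
    for f in triage(findings, min_priority):
        p = priority(f)
        ticket = tickets.setdefault((f.owner, p), {
            "owner": f.owner, "priority": p, "sla_days": SLA_DAYS[p], "findings": []})
        action = "apply vendor patch" if f.patch_available else "mitigate: no vendor patch yet"
        ticket["findings"].append(f"{f.asset}: {f.cve} (risk {risk_score(f):.1f}) -> {action}")
    return list(tickets.values())


if __name__ == "__main__":
    print(f"{len(SAMPLE_FINDINGS)} findings, {len(triage(SAMPLE_FINDINGS))} need action now")
    for t in build_tickets(SAMPLE_FINDINGS):
        print(f"[{t['priority'].upper()}] {t['owner']} (fix within {t['sla_days']} days)")
        for line in t["findings"]:
            print("   ", line)
```

Of the seven constructed findings, four clear the "high" bar and collapse into three tickets, one per owning team and priority band; a medium-severity issue on an exposed host ranks above a low one on an internal host, and a finding without a vendor patch is ticketed as a mitigation task rather than a patch task. The weights and SLA figures are stand-ins for whatever the organization's own policy says.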

In addition to vulnerability management, Tenable offers continuous monitoring, risk management and network behavior analysis.

Pricing and licensing

Software-only vulnerability management tools may incur an initial purchase cost and an annual renewal fee, or are available as subscriptions. Tenable offers Nessus Professional software as an annual subscription for $2,160, which includes daily vulnerability updates for a single Nessus scanner, downloadable compliance and audit files, software updates and a virtual appliance.

Pricing for preconfigured appliances varies greatly. Core Security charges about $10,000 per appliance, upwards of $70,000 for the virtual machine -- with up to 1,000 assets -- and adds about 20% for an annual support contract. The SAINT Security Suite preconfigured hardware appliance costs about $13,000, and the Rapid7 Nexpose physical appliance with management software starts around $14,000. The Tripwire preconfigured IP360 appliance starts at around $20,000.

Cloud-hosted services, such as those offered by Beyond Security and Qualys, are sold as an annual subscription. Beyond Security licensing is based on active IPs, which lets you scan any number of IPs but pay for only those in use. Qualys pricing is based on the number of IP addresses, scanners and agents. At the low end, for example, a small business customer could subscribe to Qualys Express Lite for less than $1,000 per year. Qualys Express pricing climbs to over $2,500 per year, at a minimum, and includes tiered pricing for various environments.

Tenable offers Nessus Manager -- on-premises appliance -- and Nessus Cloud as subscriptions, with identical pricing. A subscription that covers up to 128 hosts/agents, for example, costs just under $3,000 per year; the cost rises to about $4,800 per year for up to 256 hosts/agents.

Support and training
Qualys' free support includes phone, email and Web support 24/7, and customers are assigned a technical account manager. Scanners deployed behind firewalls are managed remotely by Qualys staff. The company also offers free product training.

Rapid7 offers 24-hour service-level agreements and support via phone and email, as well as 24-hour incident response time. Customers can purchase a Super Support plan to work with an assigned account manager, get escalated priority, risk mitigation and more.

The other companies provide free phone and email support during typical business hours, as well as online knowledge bases. Core Security customers can take Web-based training sessions for free and receive free product upgrades. SAINT customers get free software support, with a four-hour response time, and free hardware maintenance.

Overall, Core Security, Qualys and Tripwire offer the most comprehensive vulnerability management products, with Core Security being the most expensive -- but you get what you pay for in this case. Large organizations should interview vendors and select one that has proven experience with similar-sized and -populated deployments.

Midsize organizations may get the best product for their buck with Qualys, Beyond Security, Rapid7 and SAINT. Small organizations should look to Qualys (Express or Express Lite), SAINT and Beyond Security.

Next Steps

In part one of this series, learn about the basics of vulnerability management tools

In part two of this series, read about the business case for vulnerability management

In part three of this series, discover the criteria for buying vulnerability management tools
