Qualys and Kenna’s relationship is complicated. Several years ago the two companies were partners until Qualys tried to clone Kenna. Now, to hear Qualys talk, you don’t need Kenna anymore if you have Qualys. So let’s look into Qualys vs Kenna in regards to that claim.
Different business models
First things first: Kenna isn’t in the vulnerability scanning business. Kenna relies on importing data from vulnerability scanners and enriching the data.
Qualys’ main product is its cloud-based vulnerability scanner. But since Qualys hasn’t managed to vanquish Tenable and emerge as the undisputed market leader, Qualys has designs on the rest of the security market. One of the first places they expanded was into the analytics space that Kenna dominates.
But while Qualys built a large and complex vulnerability scanning product, with its other products, Qualys has taken something other than a premium approach. Instead, they’ve taken the 80/20 approach, building the product that has the 20% of the functionality they think 80% of the user base wants, then sell the cut-down product at a discounted price.
That means Qualys didn’t clone Kenna. Qualys imagined what a Kenna Lite or Kenna Express would look like, and cloned that. They built some of that functionality into their Assetview product, which it includes in any Qualys subscription. The vulnerability intelligence portion went into a second product, called Threat Protection, which is a 40% upcharge over what you’re paying for the main product.
Kenna vs Qualys Assetview
In the mid 2010s, a lot of analysts were saying Kenna was worth the price even if you only used it to search your Qualys data. Having used Qualys in a Fortune 20 company when it was nothing more than a vulnerability scanner that spat out results in PDF or CSV format, I completely understand why analysts at that time would say that. When you’re scanning tens of thousands of machines, PDFs are worthless. CSVs aren’t much better since Excel only lets you look at the first two million rows of the CSV.
To do a good job of analyzing Qualys data in CSV format at mid-decade, you really needed a Linux box with the standard text-handling Unix tools. Having Python and various Python-based CSV tools would have been better. But finding a vulnerability analyst with good Unix skills is difficult. It was cheaper and easier to buy Kenna, which let you search the data with Elasticsearch, and save your most useful queries as widgets.
Qualys Assetview cloned that functionality. It, too, uses Elasticsearch. The queries are a little different because the Qualys database is a little different, but if you can write a query in one, you can in the other. Assetview lets you build widgets and dashboards and even import and export them.
If you only used Kenna to search your Qualys data, then Qualys is mostly right. Certain searches, like closed vulnerabilities, aren’t implemented in Assetview yet. But if you need to know how many Windows 2008R2 servers you have, that’s easy. If you need to know how many machines have a certain vulnerability, that’s easy.
Kenna vs Qualys Threat Protection
But if you only used Kenna to search, I’d say you weren’t using the product right. The main reason to buy Kenna is risk prioritization. Any vulnerability analyst worth their salt will tell you infrastructure can’t and won’t patch everything. But you can get them to work on 5, 10, or 20 things. Kenna excels at helping you figure out which 5, 10, or 20 things to ask for so you don’t waste your requests.
Both products will give you a list of a dozen or two things that are hurting you the most. Both of them will tell you if a vulnerability is being exploited in active attacks. But while Kenna gets outside sources for that information, Qualys relies on its own threat intelligence. That’s not Qualys’ specialty. Qualys does a a better job at it than you might expect, but Kenna usually reacts more quickly to changes in the threat landscape than Qualys does. Qualys usually gets the information, but Kenna gets it faster.
The place where Kenna excels is in risk scoring. Kenna assigns a numeric score to every asset and every vulnerability. If you’ve been scanning your networks and don’t know where to start when it comes to remediation, Kenna really helps with that. Chase the highest scores. Qualys omitted that functionality.
As someone who’s used both products, I can tell you I can live without Qualys Threat Protection. Kenna, on the other hand, lets me do analysis that used to take me a week in about 30 minutes.
If Qualys were to add similar scoring to Threat Protection, Kenna would be in trouble. But as long as Qualys doesn’t do that, Qualys vs Kenna is no contest.